
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date: Sun, 28 Mar 2021 16:47:34
Message-Id: 1616950026.585d8fe6342e713eddbcdc7e560f51c3721532f8.whissi@gentoo
1 commit: 585d8fe6342e713eddbcdc7e560f51c3721532f8
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Sun Mar 28 16:47:06 2021 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Sun Mar 28 16:47:06 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=585d8fe6
7
8 dev-libs/openssl: security cleanup
9
10 Bug: https://bugs.gentoo.org/777681
11 Package-Manager: Portage-3.0.17, Repoman-3.0.2
12 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
13
14 dev-libs/openssl/Manifest | 2 -
15 dev-libs/openssl/openssl-1.1.1i.ebuild | 326 ---------------------------------
16 dev-libs/openssl/openssl-1.1.1j.ebuild | 326 ---------------------------------
17 3 files changed, 654 deletions(-)
18
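diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 99b5b012c20..18b48a6e844 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -2,6 +2,4 @@ DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab86433795
 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
 DIST openssl-1.1.1i-bindist-1.0.tar.xz 18124 BLAKE2B bcbce700676d1d61498ac98281b7ad06f9970d91afa6bfb2c259ab7462b2554be79a1c06759bc7aaeca9948c2f5276bac2c4f42dbc6822669f863444b9913ccd SHA512 1dbb81bcb4cf7e634bb363c7e2bb2590a1fe3fcb6c3b5e377cac3c5241abd116c2a89c516be8e5fd1799ab64375a58052a4df944eeadc87b0b7785da710906d8
-DIST openssl-1.1.1i.tar.gz 9808346 BLAKE2B ca98bab08e1874134da113dd0bda0583c133c7dce5b739f9601641ed2cf97894e5e13d901f0db9367aa5d7b78c552ac598aa0a3c2a3f0a438daae044e29f58d6 SHA512 fe12e0ab9e1688f24dd862ac633d0ab703b499c0f34b53c3560aa0d3879d81d647aa0678ed517dda5efb2711f669fcb1a1e0e24f6eac2efc2cf4eae6b62014d8
-DIST openssl-1.1.1j.tar.gz 9823161 BLAKE2B e5699abeca83acd82546e74a0645f2a765d51f22226f8c537d92285eb0b11e12b0a9476cbd3cb6a594e9840433d713be39884fb4dcd5c3968b36ad4f582ed23a SHA512 51e44995663b5258b0018bdc1e2b0e7e8e0cce111138ca1f80514456af920fce4e409a411ce117c0f3eb9190ac3e47c53a43f39b06acd35b7494e2bec4a607d5
 DIST openssl-1.1.1k.tar.gz 9823400 BLAKE2B e9bd90f17bc819c4960d07bbee04346e8a7adb87a764a09d033ef76f1d638c67b180c4f2beb84ec25fbff54ccc9c14c13b9b16a27cac231a5dd22b02635d5cec SHA512 73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121
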
31 diff --git a/dev-libs/openssl/openssl-1.1.1i.ebuild b/dev-libs/openssl/openssl-1.1.1i.ebuild
32 deleted file mode 100644
33 index 6c86f655c99..00000000000
34 --- a/dev-libs/openssl/openssl-1.1.1i.ebuild
35 +++ /dev/null
36 @@ -1,326 +0,0 @@
37 -# Copyright 1999-2020 Gentoo Authors
38 -# Distributed under the terms of the GNU General Public License v2
39 -
40 -EAPI="7"
41 -
42 -inherit flag-o-matic toolchain-funcs multilib multilib-minimal
43 -
44 -MY_P=${P/_/-}
45 -
46 -# This patch set is based on the following files from Fedora 31,
47 -# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
48 -# for more details:
49 -# - hobble-openssl (SOURCE1)
50 -# - ec_curve.c (SOURCE12) -- MODIFIED
51 -# - ectest.c (SOURCE13)
52 -# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
53 -BINDIST_PATCH_SET="openssl-1.1.1i-bindist-1.0.tar.xz"
54 -
55 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
56 -HOMEPAGE="https://www.openssl.org/"
57 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
58 - bindist? (
59 - mirror://gentoo/${BINDIST_PATCH_SET}
60 - https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
61 - )"
62 -
63 -LICENSE="openssl"
64 -SLOT="0/1.1" # .so version of libssl/libcrypto
65 -[[ "${PV}" = *_pre* ]] || \
66 -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux"
67 -IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
68 -RESTRICT="!bindist? ( bindist )
69 - !test? ( test )"
70 -
71 -RDEPEND=">=app-misc/c_rehash-1.7-r1
72 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
73 -DEPEND="${RDEPEND}"
74 -BDEPEND="
75 - >=dev-lang/perl-5
76 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
77 - test? (
78 - sys-apps/diffutils
79 - sys-devel/bc
80 - sys-process/procps
81 - )"
82 -PDEPEND="app-misc/ca-certificates"
83 -
84 -PATCHES=(
85 - "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
86 - "${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
87 -)
88 -
89 -S="${WORKDIR}/${MY_P}"
90 -
91 -# force upgrade to prevent broken login, bug 696950
92 -RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
93 -
94 -MULTILIB_WRAPPED_HEADERS=(
95 - usr/include/openssl/opensslconf.h
96 -)
97 -
98 -pkg_setup() {
99 - [[ ${MERGE_TYPE} == binary ]] && return
100 -
101 - # must check in pkg_setup; sysctl don't work with userpriv!
102 - if has test ${FEATURES} && use sctp; then
103 - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
104 - # if sctp.auth_enable is not enabled.
105 - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
106 - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
107 - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
108 - fi
109 - fi
110 -}
111 -
112 -src_prepare() {
113 - # allow openssl to be cross-compiled
114 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
115 - chmod a+rx gentoo.config || die
116 -
117 - if use bindist; then
118 - mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
119 - bash "${WORKDIR}"/hobble-openssl || die
120 -
121 - cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
122 - cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
123 -
124 - eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
125 -
126 - local known_failing_test
127 - for known_failing_test in \
128 - 30-test_evp_extra.t \
129 - 80-test_ssl_new.t \
130 - ; do
131 - ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
132 - rm test/recipes/${known_failing_test} || die
133 - eend $?
134 - done
135 -
136 - # Also see the configure parts below:
137 - # enable-ec \
138 - # $(use_ssl !bindist ec2m) \
139 - fi
140 -
141 - # keep this in sync with app-misc/c_rehash
142 - SSL_CNF_DIR="/etc/ssl"
143 -
144 - # Make sure we only ever touch Makefile.org and avoid patching a file
145 - # that gets blown away anyways by the Configure script in src_configure
146 - rm -f Makefile
147 -
148 - if ! use vanilla ; then
149 - if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
150 - [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
151 - fi
152 - fi
153 -
154 - eapply_user #332661
155 -
156 - if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
157 - ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
158 - rm test/recipes/80-test_ssl_new.t || die
159 - eend $?
160 - fi
161 -
162 - # make sure the man pages are suffixed #302165
163 - # don't bother building man pages if they're disabled
164 - # Make DOCDIR Gentoo compliant
165 - sed -i \
166 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
167 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
168 - -e $(has noman FEATURES \
169 - && echo '/^install:/s:install_docs::' \
170 - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
171 - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
172 - Configurations/unix-Makefile.tmpl \
173 - || die
174 -
175 - # quiet out unknown driver argument warnings since openssl
176 - # doesn't have well-split CFLAGS and we're making it even worse
177 - # and 'make depend' uses -Werror for added fun (#417795 again)
178 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
179 -
180 - append-flags -fno-strict-aliasing
181 - append-flags $(test-flags-CC -Wa,--noexecstack)
182 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
183 -
184 - # Prefixify Configure shebang (#141906)
185 - sed \
186 - -e "1s,/usr/bin/env,${EPREFIX}&," \
187 - -i Configure || die
188 - # Remove test target when FEATURES=test isn't set
189 - if ! use test ; then
190 - sed \
191 - -e '/^$config{dirs}/s@ "test",@@' \
192 - -i Configure || die
193 - fi
194 - # The config script does stupid stuff to prompt the user. Kill it.
195 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
196 - ./config --test-sanity || die "I AM NOT SANE"
197 -
198 - multilib_copy_sources
199 -}
200 -
201 -multilib_src_configure() {
202 - unset APPS #197996
203 - unset SCRIPTS #312551
204 - unset CROSS_COMPILE #311473
205 -
206 - tc-export CC AR RANLIB RC
207 -
208 - # Clean out patent-or-otherwise-encumbered code
209 - # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
210 - # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
211 - # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
212 - # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
213 - # RC5: Expired https://en.wikipedia.org/wiki/RC5
214 -
215 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
216 - echoit() { echo "$@" ; "$@" ; }
217 -
218 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
219 -
220 - # See if our toolchain supports __uint128_t. If so, it's 64bit
221 - # friendly and can use the nicely optimized code paths. #460790
222 - local ec_nistp_64_gcc_128
223 - # Disable it for now though #469976
224 - #if ! use bindist ; then
225 - # echo "__uint128_t i;" > "${T}"/128.c
226 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
227 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
228 - # fi
229 - #fi
230 -
231 - local sslout=$(./gentoo.config)
232 - einfo "Use configuration ${sslout:-(openssl knows best)}"
233 - local config="Configure"
234 - [[ -z ${sslout} ]] && config="config"
235 -
236 - # Fedora hobbled-EC needs 'no-ec2m'
237 - # 'srp' was restricted until early 2017 as well.
238 - # "disable-deprecated" option breaks too many consumers.
239 - # Don't set it without thorough revdeps testing.
240 - # Make sure user flags don't get added *yet* to avoid duplicated
241 - # flags.
242 - CFLAGS= LDFLAGS= echoit \
243 - ./${config} \
244 - ${sslout} \
245 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
246 - enable-camellia \
247 - enable-ec \
248 - $(use_ssl !bindist ec2m) \
249 - $(use_ssl !bindist sm2) \
250 - enable-srp \
251 - $(use elibc_musl && echo "no-async") \
252 - ${ec_nistp_64_gcc_128} \
253 - enable-idea \
254 - enable-mdc2 \
255 - enable-rc5 \
256 - $(use_ssl sslv3 ssl3) \
257 - $(use_ssl sslv3 ssl3-method) \
258 - $(use_ssl asm) \
259 - $(use_ssl rfc3779) \
260 - $(use_ssl sctp) \
261 - $(use_ssl tls-heartbeat heartbeats) \
262 - $(use_ssl zlib) \
263 - --prefix="${EPREFIX}"/usr \
264 - --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
265 - --libdir=$(get_libdir) \
266 - shared threads \
267 - || die
268 -
269 - # Clean out hardcoded flags that openssl uses
270 - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
271 - -e 's:^CFLAGS=::' \
272 - -e 's:\(^\| \)-fomit-frame-pointer::g' \
273 - -e 's:\(^\| \)-O[^ ]*::g' \
274 - -e 's:\(^\| \)-march=[^ ]*::g' \
275 - -e 's:\(^\| \)-mcpu=[^ ]*::g' \
276 - -e 's:\(^\| \)-m[^ ]*::g' \
277 - -e 's:^ *::' \
278 - -e 's: *$::' \
279 - -e 's: \+: :g' \
280 - -e 's:\\:\\\\:g'
281 - )
282 -
283 - # Now insert clean default flags with user flags
284 - sed -i \
285 - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
286 - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
287 - Makefile || die
288 -}
289 -
290 -multilib_src_compile() {
291 - # depend is needed to use $confopts; it also doesn't matter
292 - # that it's -j1 as the code itself serializes subdirs
293 - emake -j1 depend
294 - emake all
295 -}
296 -
297 -multilib_src_test() {
298 - emake -j1 test
299 -}
300 -
301 -multilib_src_install() {
302 - # We need to create $ED/usr on our own to avoid a race condition #665130
303 - if [[ ! -d "${ED}/usr" ]]; then
304 - # We can only create this directory once
305 - mkdir "${ED}"/usr || die
306 - fi
307 -
308 - emake DESTDIR="${D}" install
309 -}
310 -
311 -multilib_src_install_all() {
312 - # openssl installs perl version of c_rehash by default, but
313 - # we provide a shell version via app-misc/c_rehash
314 - rm "${ED}"/usr/bin/c_rehash || die
315 -
316 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
317 -
318 - # This is crappy in that the static archives are still built even
319 - # when USE=static-libs. But this is due to a failing in the openssl
320 - # build system: the static archives are built as PIC all the time.
321 - # Only way around this would be to manually configure+compile openssl
322 - # twice; once with shared lib support enabled and once without.
323 - use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
324 -
325 - # create the certs directory
326 - keepdir ${SSL_CNF_DIR}/certs
327 -
328 - # Namespace openssl programs to prevent conflicts with other man pages
329 - cd "${ED}"/usr/share/man || die
330 - local m d s
331 - for m in $(find . -type f | xargs grep -L '#include') ; do
332 - d=${m%/*} ; d=${d#./} ; m=${m##*/}
333 - [[ ${m} == openssl.1* ]] && continue
334 - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
335 - mv ${d}/{,ssl-}${m}
336 - # fix up references to renamed man pages
337 - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
338 - ln -s ssl-${m} ${d}/openssl-${m}
339 - # locate any symlinks that point to this man page ... we assume
340 - # that any broken links are due to the above renaming
341 - for s in $(find -L ${d} -type l) ; do
342 - s=${s##*/}
343 - rm -f ${d}/${s}
344 - # We don't want to "|| die" here
345 - ln -s ssl-${m} ${d}/ssl-${s}
346 - ln -s ssl-${s} ${d}/openssl-${s}
347 - done
348 - done
349 - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
350 -
351 - dodir /etc/sandbox.d #254521
352 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
353 -
354 - diropts -m0700
355 - keepdir ${SSL_CNF_DIR}/private
356 -}
357 -
358 -pkg_postinst() {
359 - ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
360 - c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
361 - eend $?
362 -}
363
364 diff --git a/dev-libs/openssl/openssl-1.1.1j.ebuild b/dev-libs/openssl/openssl-1.1.1j.ebuild
365 deleted file mode 100644
366 index 2763945ae17..00000000000
367 --- a/dev-libs/openssl/openssl-1.1.1j.ebuild
368 +++ /dev/null
369 @@ -1,326 +0,0 @@
370 -# Copyright 1999-2021 Gentoo Authors
371 -# Distributed under the terms of the GNU General Public License v2
372 -
373 -EAPI="7"
374 -
375 -inherit flag-o-matic toolchain-funcs multilib multilib-minimal
376 -
377 -MY_P=${P/_/-}
378 -
379 -# This patch set is based on the following files from Fedora 31,
380 -# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
381 -# for more details:
382 -# - hobble-openssl (SOURCE1)
383 -# - ec_curve.c (SOURCE12) -- MODIFIED
384 -# - ectest.c (SOURCE13)
385 -# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
386 -BINDIST_PATCH_SET="openssl-1.1.1i-bindist-1.0.tar.xz"
387 -
388 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
389 -HOMEPAGE="https://www.openssl.org/"
390 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
391 - bindist? (
392 - mirror://gentoo/${BINDIST_PATCH_SET}
393 - https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
394 - )"
395 -
396 -LICENSE="openssl"
397 -SLOT="0/1.1" # .so version of libssl/libcrypto
398 -[[ "${PV}" = *_pre* ]] || \
399 -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux"
400 -IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
401 -RESTRICT="!bindist? ( bindist )
402 - !test? ( test )"
403 -
404 -RDEPEND=">=app-misc/c_rehash-1.7-r1
405 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
406 -DEPEND="${RDEPEND}"
407 -BDEPEND="
408 - >=dev-lang/perl-5
409 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
410 - test? (
411 - sys-apps/diffutils
412 - sys-devel/bc
413 - sys-process/procps
414 - )"
415 -PDEPEND="app-misc/ca-certificates"
416 -
417 -PATCHES=(
418 - "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
419 - "${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
420 -)
421 -
422 -S="${WORKDIR}/${MY_P}"
423 -
424 -# force upgrade to prevent broken login, bug 696950
425 -RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
426 -
427 -MULTILIB_WRAPPED_HEADERS=(
428 - usr/include/openssl/opensslconf.h
429 -)
430 -
431 -pkg_setup() {
432 - [[ ${MERGE_TYPE} == binary ]] && return
433 -
434 - # must check in pkg_setup; sysctl don't work with userpriv!
435 - if has test ${FEATURES} && use sctp; then
436 - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
437 - # if sctp.auth_enable is not enabled.
438 - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
439 - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
440 - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
441 - fi
442 - fi
443 -}
444 -
445 -src_prepare() {
446 - # allow openssl to be cross-compiled
447 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
448 - chmod a+rx gentoo.config || die
449 -
450 - if use bindist; then
451 - mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
452 - bash "${WORKDIR}"/hobble-openssl || die
453 -
454 - cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
455 - cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
456 -
457 - eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
458 -
459 - local known_failing_test
460 - for known_failing_test in \
461 - 30-test_evp_extra.t \
462 - 80-test_ssl_new.t \
463 - ; do
464 - ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
465 - rm test/recipes/${known_failing_test} || die
466 - eend $?
467 - done
468 -
469 - # Also see the configure parts below:
470 - # enable-ec \
471 - # $(use_ssl !bindist ec2m) \
472 - fi
473 -
474 - # keep this in sync with app-misc/c_rehash
475 - SSL_CNF_DIR="/etc/ssl"
476 -
477 - # Make sure we only ever touch Makefile.org and avoid patching a file
478 - # that gets blown away anyways by the Configure script in src_configure
479 - rm -f Makefile
480 -
481 - if ! use vanilla ; then
482 - if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
483 - [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
484 - fi
485 - fi
486 -
487 - eapply_user #332661
488 -
489 - if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
490 - ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
491 - rm test/recipes/80-test_ssl_new.t || die
492 - eend $?
493 - fi
494 -
495 - # make sure the man pages are suffixed #302165
496 - # don't bother building man pages if they're disabled
497 - # Make DOCDIR Gentoo compliant
498 - sed -i \
499 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
500 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
501 - -e $(has noman FEATURES \
502 - && echo '/^install:/s:install_docs::' \
503 - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
504 - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
505 - Configurations/unix-Makefile.tmpl \
506 - || die
507 -
508 - # quiet out unknown driver argument warnings since openssl
509 - # doesn't have well-split CFLAGS and we're making it even worse
510 - # and 'make depend' uses -Werror for added fun (#417795 again)
511 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
512 -
513 - append-flags -fno-strict-aliasing
514 - append-flags $(test-flags-CC -Wa,--noexecstack)
515 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
516 -
517 - # Prefixify Configure shebang (#141906)
518 - sed \
519 - -e "1s,/usr/bin/env,${EPREFIX}&," \
520 - -i Configure || die
521 - # Remove test target when FEATURES=test isn't set
522 - if ! use test ; then
523 - sed \
524 - -e '/^$config{dirs}/s@ "test",@@' \
525 - -i Configure || die
526 - fi
527 - # The config script does stupid stuff to prompt the user. Kill it.
528 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
529 - ./config --test-sanity || die "I AM NOT SANE"
530 -
531 - multilib_copy_sources
532 -}
533 -
534 -multilib_src_configure() {
535 - unset APPS #197996
536 - unset SCRIPTS #312551
537 - unset CROSS_COMPILE #311473
538 -
539 - tc-export CC AR RANLIB RC
540 -
541 - # Clean out patent-or-otherwise-encumbered code
542 - # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
543 - # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
544 - # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
545 - # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
546 - # RC5: Expired https://en.wikipedia.org/wiki/RC5
547 -
548 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
549 - echoit() { echo "$@" ; "$@" ; }
550 -
551 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
552 -
553 - # See if our toolchain supports __uint128_t. If so, it's 64bit
554 - # friendly and can use the nicely optimized code paths. #460790
555 - local ec_nistp_64_gcc_128
556 - # Disable it for now though #469976
557 - #if ! use bindist ; then
558 - # echo "__uint128_t i;" > "${T}"/128.c
559 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
560 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
561 - # fi
562 - #fi
563 -
564 - local sslout=$(./gentoo.config)
565 - einfo "Use configuration ${sslout:-(openssl knows best)}"
566 - local config="Configure"
567 - [[ -z ${sslout} ]] && config="config"
568 -
569 - # Fedora hobbled-EC needs 'no-ec2m'
570 - # 'srp' was restricted until early 2017 as well.
571 - # "disable-deprecated" option breaks too many consumers.
572 - # Don't set it without thorough revdeps testing.
573 - # Make sure user flags don't get added *yet* to avoid duplicated
574 - # flags.
575 - CFLAGS= LDFLAGS= echoit \
576 - ./${config} \
577 - ${sslout} \
578 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
579 - enable-camellia \
580 - enable-ec \
581 - $(use_ssl !bindist ec2m) \
582 - $(use_ssl !bindist sm2) \
583 - enable-srp \
584 - $(use elibc_musl && echo "no-async") \
585 - ${ec_nistp_64_gcc_128} \
586 - enable-idea \
587 - enable-mdc2 \
588 - enable-rc5 \
589 - $(use_ssl sslv3 ssl3) \
590 - $(use_ssl sslv3 ssl3-method) \
591 - $(use_ssl asm) \
592 - $(use_ssl rfc3779) \
593 - $(use_ssl sctp) \
594 - $(use_ssl tls-heartbeat heartbeats) \
595 - $(use_ssl zlib) \
596 - --prefix="${EPREFIX}"/usr \
597 - --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
598 - --libdir=$(get_libdir) \
599 - shared threads \
600 - || die
601 -
602 - # Clean out hardcoded flags that openssl uses
603 - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
604 - -e 's:^CFLAGS=::' \
605 - -e 's:\(^\| \)-fomit-frame-pointer::g' \
606 - -e 's:\(^\| \)-O[^ ]*::g' \
607 - -e 's:\(^\| \)-march=[^ ]*::g' \
608 - -e 's:\(^\| \)-mcpu=[^ ]*::g' \
609 - -e 's:\(^\| \)-m[^ ]*::g' \
610 - -e 's:^ *::' \
611 - -e 's: *$::' \
612 - -e 's: \+: :g' \
613 - -e 's:\\:\\\\:g'
614 - )
615 -
616 - # Now insert clean default flags with user flags
617 - sed -i \
618 - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
619 - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
620 - Makefile || die
621 -}
622 -
623 -multilib_src_compile() {
624 - # depend is needed to use $confopts; it also doesn't matter
625 - # that it's -j1 as the code itself serializes subdirs
626 - emake -j1 depend
627 - emake all
628 -}
629 -
630 -multilib_src_test() {
631 - emake -j1 test
632 -}
633 -
634 -multilib_src_install() {
635 - # We need to create $ED/usr on our own to avoid a race condition #665130
636 - if [[ ! -d "${ED}/usr" ]]; then
637 - # We can only create this directory once
638 - mkdir "${ED}"/usr || die
639 - fi
640 -
641 - emake DESTDIR="${D}" install
642 -}
643 -
644 -multilib_src_install_all() {
645 - # openssl installs perl version of c_rehash by default, but
646 - # we provide a shell version via app-misc/c_rehash
647 - rm "${ED}"/usr/bin/c_rehash || die
648 -
649 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
650 -
651 - # This is crappy in that the static archives are still built even
652 - # when USE=static-libs. But this is due to a failing in the openssl
653 - # build system: the static archives are built as PIC all the time.
654 - # Only way around this would be to manually configure+compile openssl
655 - # twice; once with shared lib support enabled and once without.
656 - use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
657 -
658 - # create the certs directory
659 - keepdir ${SSL_CNF_DIR}/certs
660 -
661 - # Namespace openssl programs to prevent conflicts with other man pages
662 - cd "${ED}"/usr/share/man || die
663 - local m d s
664 - for m in $(find . -type f | xargs grep -L '#include') ; do
665 - d=${m%/*} ; d=${d#./} ; m=${m##*/}
666 - [[ ${m} == openssl.1* ]] && continue
667 - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
668 - mv ${d}/{,ssl-}${m}
669 - # fix up references to renamed man pages
670 - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
671 - ln -s ssl-${m} ${d}/openssl-${m}
672 - # locate any symlinks that point to this man page ... we assume
673 - # that any broken links are due to the above renaming
674 - for s in $(find -L ${d} -type l) ; do
675 - s=${s##*/}
676 - rm -f ${d}/${s}
677 - # We don't want to "|| die" here
678 - ln -s ssl-${m} ${d}/ssl-${s}
679 - ln -s ssl-${s} ${d}/openssl-${s}
680 - done
681 - done
682 - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
683 -
684 - dodir /etc/sandbox.d #254521
685 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
686 -
687 - diropts -m0700
688 - keepdir ${SSL_CNF_DIR}/private
689 -}
690 -
691 -pkg_postinst() {
692 - ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
693 - c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
694 - eend $?
695 -}