
From: Mikle Kolyada <zlogene@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date: Tue, 12 Mar 2019 16:34:08
Message-Id: 1552408424.4b7f8b7a4a2b8ca439946c11990c2603a9bc7b62.zlogene@gentoo
1 commit: 4b7f8b7a4a2b8ca439946c11990c2603a9bc7b62
2 Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
3 AuthorDate: Tue Mar 12 16:33:44 2019 +0000
4 Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
5 CommitDate: Tue Mar 12 16:33:44 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b7f8b7a
7
8 dev-libs/openssl: Security cleanup
9
10 Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>
11 Package-Manager: Portage-2.3.62, Repoman-2.3.11
12
13 dev-libs/openssl/Manifest | 4 -
14 dev-libs/openssl/openssl-1.0.2q.ebuild | 309 ---------------------------------
15 2 files changed, 313 deletions(-)
16
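--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,9 +1,5 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
-DIST openssl-1.0.2q.tar.gz 5345604 BLAKE2B c03dd92de1cc8941a7f3e4d9f2fe6f8e4ea89eccc58743d7690491fc22cc54a9783311699b008aeb4a0d37cd3172154e67623c8ada6fc8dde57e80a5cd3c5fc1 SHA512 403e6cad42db3ba860c3fa4fa81c1b7b02f0b873259e5c19a7fc8e42de0854602555f1b1ca74f4e3a7737a4cbd3aac063061e628ec86534586500819fae7fec0
-DIST openssl-1.0.2q_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
-DIST openssl-1.0.2q_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
-DIST openssl-1.0.2q_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
 DIST openssl-1.0.2r.tar.gz 5348369 BLAKE2B 9f9c2d2fe6eaf9acacab29b394a318f30c38e831a5f9c193b2da660f9d04acbf407d8b752274783765416c0f5ba557c24ee293ad7fb7d727771db289e6acc901 SHA512 6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235
 DIST openssl-1.0.2r_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
 DIST openssl-1.0.2r_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19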
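--- a/dev-libs/openssl/openssl-1.0.2q.ebuild
+++ /dev/null
@@ -1,309 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-# openssl-1.0.2-patches-1.6 contain additional CVE patches
-# which got fixed with this release.
-# Please use 1.7 version number when rolling a new tarball!
-PATCH_SET="openssl-1.0.2-patches-1.5"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
- !vanilla? (
- mirror://gentoo/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
- )"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-# These are ported instead
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-#PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f25'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
- done
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
- for i in "${FEDORA_PATCH[@]}" ; do
- eapply "${DISTDIR}"/"${i}"
- done
- eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- # $(use_ssl !bindist srp) \
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- eapply "${WORKDIR}"/patch/*.patch
- fi
-
- eapply_user
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- # this breaks build with 1.0.2p, not sure if it is needed anymore
- #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- # https://github.com/openssl/openssl/issues/2286
- if use ia64 ; then
- replace-flags -g3 -g2
- replace-flags -ggdb3 -ggdb2
- fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- $(use_ssl !bindist srp) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl sslv2 ssl2) \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX%/}"/usr \
- --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 V=1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED%/}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED%/}"/usr || die
- fi
-
- emake INSTALL_PREFIX="${D%/}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED%/}"/usr/bin/c_rehash || die
-
- local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
- einstalldocs
-
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}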
340 -}
341 -
342 -pkg_postinst() {
343 - ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
344 - c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
345 - eend $?
346 -}