[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/ - gentoo-commits

From:	"Robin H. Johnson" <robbat2@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date:	Tue, 01 Nov 2022 19:19:54
Message-Id:	`1667330383.b44348a1402e57617265926dd257161f5d15c7c5.robbat2@gentoo`

1

commit:     b44348a1402e57617265926dd257161f5d15c7c5

2

Author:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>

3

AuthorDate: Tue Nov  1 16:00:28 2022 +0000

4

Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>

5

CommitDate: Tue Nov  1 19:19:43 2022 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b44348a1

7

8

dev-libs/openssl: bump, non-security

9

10

Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>

11

12

 dev-libs/openssl/Manifest              |   2 +

13

 dev-libs/openssl/openssl-1.1.1s.ebuild | 339 +++++++++++++++++++++++++++++++++

14

 2 files changed, 341 insertions(+)

15

16

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest

17

index f6ae5062d044..a30619fa0e5b 100644

18

--- a/dev-libs/openssl/Manifest

19

+++ b/dev-libs/openssl/Manifest

20

@@ -3,6 +3,8 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1

21

 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32

22

 DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5 SHA512 cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f

23

 DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6 SHA512 03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e

24

+DIST openssl-1.1.1s.tar.gz 9868981 BLAKE2B ecd19eaf84dbc80448b51651abe52a89cc0052f024537959c4ebe61528988f235d661244fce6967159a876dd038c817bad19df742e828ca1cbae97ce6a4124bb SHA512 2ef983f166b5e1bf456ca37938e7e39d58d4cd85e9fc4b5174a05f5c37cc5ad89c3a9af97a6919bcaab128a8a92e4bdc8a045e5d9156d90768da8f73ac67c5b9

25

+DIST openssl-1.1.1s.tar.gz.asc 858 BLAKE2B d95f0f80d460feac737f84ed629c45aaf5e453103ef202ec7d33cf33b89ad83a9007429433b10754b725d7963b1960e350b64e8bdfe569ad149e26bef462eeca SHA512 aa6e5e940448297a90c46ba162f8e6ee324c2e202a9283328c31f996dc2259dd9f5f981d94d1cf1dd3cc73c44647b473602dacb857b9719bf066931b43b899e6

26

 DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 7bf89e042417c003ef02a8bb1278590a52ce4a3d50f66795c66b750f90248840edb0d3352811caaaaff708c7e65b77384142e316916a6c311f1d2b4747f44816 SHA512 782b0df3d0252468aa696bd74a3b661810499819c0df849aa9698ba0e06a845820dc856aac650fced4be234f1271e576d4317ac3ab1406cf0ffe087d695d20fe

27

 DIST openssl-3.0.5.tar.gz.asc 862 BLAKE2B 24f1839227be7acec45eb6b748cea7be0b5e66b5cf745814861f7290670733936bf1af2c1dc9357439b31a2ca28f418880d63726d4be6fa994902ac95b51e401 SHA512 516da9ef291601400576adaba7271854af3caa23dc1d70116004360f580e4c28fe61d51e86477d341e4c5bf0ca5f98db8264581ed6cc2c8df124da83ad3e40be

28

 DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424

29

30

diff --git a/dev-libs/openssl/openssl-1.1.1s.ebuild b/dev-libs/openssl/openssl-1.1.1s.ebuild

31

new file mode 100644

32

index 000000000000..5539a1b32d86

33

--- /dev/null

34

+++ b/dev-libs/openssl/openssl-1.1.1s.ebuild

35

@@ -0,0 +1,339 @@

36

+# Copyright 1999-2022 Gentoo Authors

37

+# Distributed under the terms of the GNU General Public License v2

38

+

39

+EAPI=8

40

+

41

+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc

42

+inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig

43

+

44

+MY_P=${P/_/-}

45

+DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"

46

+HOMEPAGE="https://www.openssl.org/"

47

+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz

48

+	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"

49

+S="${WORKDIR}/${MY_P}"

50

+

51

+LICENSE="openssl"

52

+SLOT="0/1.1" # .so version of libssl/libcrypto

53

+if [[ ${PV} != *_pre* ]] ; then

54

+	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"

55

+fi

56

+IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"

57

+RESTRICT="!test? ( test )"

58

+

59

+RDEPEND=">=app-misc/c_rehash-1.7-r1

60

+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"

61

+DEPEND="${RDEPEND}"

62

+BDEPEND="

63

+	>=dev-lang/perl-5

64

+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )

65

+	test? (

66

+		sys-apps/diffutils

67

+		sys-devel/bc

68

+		kernel_linux? ( sys-process/procps )

69

+	)

70

+	verify-sig? ( sec-keys/openpgp-keys-openssl )"

71

+PDEPEND="app-misc/ca-certificates"

72

+

73

+# force upgrade to prevent broken login, bug #696950

74

+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"

75

+

76

+MULTILIB_WRAPPED_HEADERS=(

77

+	usr/include/openssl/opensslconf.h

78

+)

79

+

80

+PATCHES=(

81

+	# General patches which are suitable to always apply

82

+	# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!

83

+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602

84

+	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch

85

+)

86

+

87

+pkg_setup() {

88

+	[[ ${MERGE_TYPE} == binary ]] && return

89

+

90

+	# must check in pkg_setup; sysctl doesn't work with userpriv!

91

+	if use test && use sctp; then

92

+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"

93

+		# if sctp.auth_enable is not enabled.

94

+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)

95

+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then

96

+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"

97

+		fi

98

+	fi

99

+}

100

+

101

+src_unpack() {

102

+	# Can delete this once test fix patch is dropped

103

+	if use verify-sig ; then

104

+		# Needed for downloaded patch (which is unsigned, which is fine)

105

+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}

106

+	fi

107

+

108

+	default

109

+}

110

+

111

+src_prepare() {

112

+	# Allow openssl to be cross-compiled

113

+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die

114

+	chmod a+rx gentoo.config || die

115

+

116

+	# Keep this in sync with app-misc/c_rehash

117

+	SSL_CNF_DIR="/etc/ssl"

118

+

119

+	# Make sure we only ever touch Makefile.org and avoid patching a file

120

+	# that gets blown away anyways by the Configure script in src_configure

121

+	rm -f Makefile

122

+

123

+	if ! use vanilla ; then

124

+		PATCHES+=(

125

+			# Add patches which are Gentoo-specific customisations here

126

+		)

127

+	fi

128

+

129

+	default

130

+

131

+	if use test && use sctp && has network-sandbox ${FEATURES}; then

132

+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."

133

+		rm test/recipes/80-test_ssl_new.t || die

134

+	fi

135

+

136

+	# - Make sure the man pages are suffixed (bug #302165)

137

+	# - Don't bother building man pages if they're disabled

138

+	# - Make DOCDIR Gentoo compliant

139

+	sed -i \

140

+		-e '/^MANSUFFIX/s:=.*:=ssl:' \

141

+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \

142

+		-e $(has noman FEATURES \

143

+			&& echo '/^install:/s:install_docs::' \

144

+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \

145

+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \

146

+		Configurations/unix-Makefile.tmpl \

147

+		|| die

148

+

149

+	# Quiet out unknown driver argument warnings since openssl

150

+	# doesn't have well-split CFLAGS and we're making it even worse

151

+	# and 'make depend' uses -Werror for added fun (bug #417795 again)

152

+	tc-is-clang && append-flags -Qunused-arguments

153

+

154

+	# We really, really need to build OpenSSL w/ strict aliasing disabled.

155

+	# It's filled with violations and it *will* result in miscompiled

156

+	# code. This has been in the ebuild for > 10 years but even in 2022,

157

+	# it's still relevant:

158

+	# - https://github.com/llvm/llvm-project/issues/55255

159

+	# - https://github.com/openssl/openssl/issues/18225

160

+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057

161

+	# Don't remove the no strict aliasing bits below!

162

+	filter-flags -fstrict-aliasing

163

+	append-flags -fno-strict-aliasing

164

+

165

+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS

166

+

167

+	append-flags $(test-flags-CC -Wa,--noexecstack)

168

+

169

+	# Prefixify Configure shebang (bug #141906)

170

+	sed \

171

+		-e "1s,/usr/bin/env,${BROOT}&," \

172

+		-i Configure || die

173

+

174

+	# Remove test target when FEATURES=test isn't set

175

+	if ! use test ; then

176

+		sed \

177

+			-e '/^$config{dirs}/s@ "test",@@' \

178

+			-i Configure || die

179

+	fi

180

+

181

+	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then

182

+		# use GNU ld full option, not to confuse it on Solaris

183

+		sed -i \

184

+			-e 's/-Wl,-M,/-Wl,--version-script=/' \

185

+			-e 's/-Wl,-h,/-Wl,--soname=/' \

186

+			Configurations/10-main.conf || die

187

+

188

+		# fix building on Solaris 10

189

+		# https://github.com/openssl/openssl/issues/6333

190

+		sed -i \

191

+			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \

192

+			Configurations/10-main.conf || die

193

+	fi

194

+

195

+	# The config script does stupid stuff to prompt the user.  Kill it.

196

+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die

197

+	./config --test-sanity || die "I AM NOT SANE"

198

+

199

+	multilib_copy_sources

200

+}

201

+

202

+multilib_src_configure() {

203

+	# bug #197996

204

+	unset APPS

205

+	# bug #312551

206

+	unset SCRIPTS

207

+	# bug #311473

208

+	unset CROSS_COMPILE

209

+

210

+	tc-export AR CC CXX RANLIB RC

211

+

212

+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }

213

+

214

+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")

215

+

216

+	# See if our toolchain supports __uint128_t.  If so, it's 64bit

217

+	# friendly and can use the nicely optimized code paths, bug #460790.

218

+	#local ec_nistp_64_gcc_128

219

+	#

220

+	# Disable it for now though (bug #469976)

221

+	# Do NOT re-enable without substantial discussion first!

222

+	#

223

+	#echo "__uint128_t i;" > "${T}"/128.c

224

+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then

225

+	#	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"

226

+	#fi

227

+

228

+	local sslout=$(./gentoo.config)

229

+	einfo "Use configuration ${sslout:-(openssl knows best)}"

230

+	local config="Configure"

231

+	[[ -z ${sslout} ]] && config="config"

232

+

233

+	# "disable-deprecated" option breaks too many consumers.

234

+	# Don't set it without thorough revdeps testing.

235

+	# Make sure user flags don't get added *yet* to avoid duplicated

236

+	# flags.

237

+	local myeconfargs=(

238

+		${sslout}

239

+

240

+		$(use cpu_flags_x86_sse2 || echo "no-sse2")

241

+		enable-camellia

242

+		enable-ec

243

+		enable-ec2m

244

+		enable-sm2

245

+		enable-srp

246

+		$(use elibc_musl && echo "no-async")

247

+		${ec_nistp_64_gcc_128}

248

+		enable-idea

249

+		enable-mdc2

250

+		enable-rc5

251

+		$(use_ssl sslv3 ssl3)

252

+		$(use_ssl sslv3 ssl3-method)

253

+		$(use_ssl asm)

254

+		$(use_ssl rfc3779)

255

+		$(use_ssl sctp)

256

+		$(use test || echo "no-tests")

257

+		$(use_ssl tls-compression zlib)

258

+		$(use_ssl tls-heartbeat heartbeats)

259

+		$(use_ssl weak-ssl-ciphers)

260

+

261

+		--prefix="${EPREFIX}"/usr

262

+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}

263

+		--libdir=$(get_libdir)

264

+

265

+		shared

266

+		threads

267

+	)

268

+

269

+	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"

270

+

271

+	# Clean out hardcoded flags that openssl uses

272

+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \

273

+		-e 's:^CFLAGS=::' \

274

+		-e 's:\(^\| \)-fomit-frame-pointer::g' \

275

+		-e 's:\(^\| \)-O[^ ]*::g' \

276

+		-e 's:\(^\| \)-march=[^ ]*::g' \

277

+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \

278

+		-e 's:\(^\| \)-m[^ ]*::g' \

279

+		-e 's:^ *::' \

280

+		-e 's: *$::' \

281

+		-e 's: \+: :g' \

282

+		-e 's:\\:\\\\:g'

283

+	)

284

+

285

+	# Now insert clean default flags with user flags

286

+	sed -i \

287

+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \

288

+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \

289

+		Makefile || die

290

+}

291

+

292

+multilib_src_compile() {

293

+	# depend is needed to use $confopts; it also doesn't matter

294

+	# that it's -j1 as the code itself serializes subdirs

295

+	emake -j1 depend

296

+

297

+	emake all

298

+}

299

+

300

+multilib_src_test() {

301

+	emake -j1 test

302

+}

303

+

304

+multilib_src_install() {

305

+	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)

306

+	dodir /usr

307

+

308

+	emake DESTDIR="${D}" install

309

+

310

+	# This is crappy in that the static archives are still built even

311

+	# when USE=static-libs. But this is due to a failing in the openssl

312

+	# build system: the static archives are built as PIC all the time.

313

+	# Only way around this would be to manually configure+compile openssl

314

+	# twice; once with shared lib support enabled and once without.

315

+	if ! use static-libs; then

316

+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die

317

+	fi

318

+}

319

+

320

+multilib_src_install_all() {

321

+	# openssl installs perl version of c_rehash by default, but

322

+	# we provide a shell version via app-misc/c_rehash

323

+	rm "${ED}"/usr/bin/c_rehash || die

324

+

325

+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el

326

+

327

+	# Create the certs directory

328

+	keepdir ${SSL_CNF_DIR}/certs

329

+

330

+	# Namespace openssl programs to prevent conflicts with other man pages

331

+	cd "${ED}"/usr/share/man || die

332

+	local m d s

333

+	for m in $(find . -type f | xargs grep -L '#include') ; do

334

+		d=${m%/*}

335

+		d=${d#./}

336

+		m=${m##*/}

337

+

338

+		[[ ${m} == openssl.1* ]] && continue

339

+

340

+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"

341

+

342

+		mv ${d}/{,ssl-}${m} || die

343

+

344

+		# Fix up references to renamed man pages

345

+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die

346

+		ln -s ssl-${m} ${d}/openssl-${m}

347

+

348

+		# Locate any symlinks that point to this man page

349

+		# We assume that any broken links are due to the above renaming

350

+		for s in $(find -L ${d} -type l) ; do

351

+			s=${s##*/}

352

+

353

+			rm -f ${d}/${s}

354

+

355

+			# We don't want to "|| die" here

356

+			ln -s ssl-${m} ${d}/ssl-${s}

357

+			ln -s ssl-${s} ${d}/openssl-${s}

358

+		done

359

+	done

360

+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("

361

+

362

+	# bug #254521

363

+	dodir /etc/sandbox.d

364

+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

365

+

366

+	diropts -m0700

367

+	keepdir ${SSL_CNF_DIR}/private

368

+}

369

+

370

+pkg_postinst() {

371

+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"

372

+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null

373

+	eend $?

374

+}

1	commit: b44348a1402e57617265926dd257161f5d15c7c5
2	Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
3	AuthorDate: Tue Nov 1 16:00:28 2022 +0000
4	Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
5	CommitDate: Tue Nov 1 19:19:43 2022 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b44348a1
7
8	dev-libs/openssl: bump, non-security
9
10	Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
11
12	dev-libs/openssl/Manifest \| 2 +
13	dev-libs/openssl/openssl-1.1.1s.ebuild \| 339 +++++++++++++++++++++++++++++++++
14	2 files changed, 341 insertions(+)
15
16	diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
17	index f6ae5062d044..a30619fa0e5b 100644
18	--- a/dev-libs/openssl/Manifest
19	+++ b/dev-libs/openssl/Manifest
20	@@ -3,6 +3,8 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1
21	DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
22	DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5 SHA512 cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f
23	DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6 SHA512 03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e
24	+DIST openssl-1.1.1s.tar.gz 9868981 BLAKE2B ecd19eaf84dbc80448b51651abe52a89cc0052f024537959c4ebe61528988f235d661244fce6967159a876dd038c817bad19df742e828ca1cbae97ce6a4124bb SHA512 2ef983f166b5e1bf456ca37938e7e39d58d4cd85e9fc4b5174a05f5c37cc5ad89c3a9af97a6919bcaab128a8a92e4bdc8a045e5d9156d90768da8f73ac67c5b9
25	+DIST openssl-1.1.1s.tar.gz.asc 858 BLAKE2B d95f0f80d460feac737f84ed629c45aaf5e453103ef202ec7d33cf33b89ad83a9007429433b10754b725d7963b1960e350b64e8bdfe569ad149e26bef462eeca SHA512 aa6e5e940448297a90c46ba162f8e6ee324c2e202a9283328c31f996dc2259dd9f5f981d94d1cf1dd3cc73c44647b473602dacb857b9719bf066931b43b899e6
26	DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 7bf89e042417c003ef02a8bb1278590a52ce4a3d50f66795c66b750f90248840edb0d3352811caaaaff708c7e65b77384142e316916a6c311f1d2b4747f44816 SHA512 782b0df3d0252468aa696bd74a3b661810499819c0df849aa9698ba0e06a845820dc856aac650fced4be234f1271e576d4317ac3ab1406cf0ffe087d695d20fe
27	DIST openssl-3.0.5.tar.gz.asc 862 BLAKE2B 24f1839227be7acec45eb6b748cea7be0b5e66b5cf745814861f7290670733936bf1af2c1dc9357439b31a2ca28f418880d63726d4be6fa994902ac95b51e401 SHA512 516da9ef291601400576adaba7271854af3caa23dc1d70116004360f580e4c28fe61d51e86477d341e4c5bf0ca5f98db8264581ed6cc2c8df124da83ad3e40be
28	DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424
29
30	diff --git a/dev-libs/openssl/openssl-1.1.1s.ebuild b/dev-libs/openssl/openssl-1.1.1s.ebuild
31	new file mode 100644
32	index 000000000000..5539a1b32d86
33	--- /dev/null
34	+++ b/dev-libs/openssl/openssl-1.1.1s.ebuild
35	@@ -0,0 +1,339 @@
36	+# Copyright 1999-2022 Gentoo Authors
37	+# Distributed under the terms of the GNU General Public License v2
38	+
39	+EAPI=8
40	+
41	+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
42	+inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
43	+
44	+MY_P=${P/_/-}
45	+DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
46	+HOMEPAGE="https://www.openssl.org/"
47	+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
48	+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
49	+S="${WORKDIR}/${MY_P}"
50	+
51	+LICENSE="openssl"
52	+SLOT="0/1.1" # .so version of libssl/libcrypto
53	+if [[ ${PV} != _pre ]] ; then
54	+ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
55	+fi
56	+IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
57	+RESTRICT="!test? ( test )"
58	+
59	+RDEPEND=">=app-misc/c_rehash-1.7-r1
60	+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
61	+DEPEND="${RDEPEND}"
62	+BDEPEND="
63	+ >=dev-lang/perl-5
64	+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
65	+ test? (
66	+ sys-apps/diffutils
67	+ sys-devel/bc
68	+ kernel_linux? ( sys-process/procps )
69	+ )
70	+ verify-sig? ( sec-keys/openpgp-keys-openssl )"
71	+PDEPEND="app-misc/ca-certificates"
72	+
73	+# force upgrade to prevent broken login, bug #696950
74	+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
75	+
76	+MULTILIB_WRAPPED_HEADERS=(
77	+ usr/include/openssl/opensslconf.h
78	+)
79	+
80	+PATCHES=(
81	+ # General patches which are suitable to always apply
82	+ # If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
83	+ "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
84	+ "${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
85	+)
86	+
87	+pkg_setup() {
88	+ [[ ${MERGE_TYPE} == binary ]] && return
89	+
90	+ # must check in pkg_setup; sysctl doesn't work with userpriv!
91	+ if use test && use sctp; then
92	+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
93	+ # if sctp.auth_enable is not enabled.
94	+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
95	+ if [[ -z "${sctp_auth_status}" ]] \|\| [[ ${sctp_auth_status} != 1 ]]; then
96	+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
97	+ fi
98	+ fi
99	+}
100	+
101	+src_unpack() {
102	+ # Can delete this once test fix patch is dropped
103	+ if use verify-sig ; then
104	+ # Needed for downloaded patch (which is unsigned, which is fine)
105	+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
106	+ fi
107	+
108	+ default
109	+}
110	+
111	+src_prepare() {
112	+ # Allow openssl to be cross-compiled
113	+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config \|\| die
114	+ chmod a+rx gentoo.config \|\| die
115	+
116	+ # Keep this in sync with app-misc/c_rehash
117	+ SSL_CNF_DIR="/etc/ssl"
118	+
119	+ # Make sure we only ever touch Makefile.org and avoid patching a file
120	+ # that gets blown away anyways by the Configure script in src_configure
121	+ rm -f Makefile
122	+
123	+ if ! use vanilla ; then
124	+ PATCHES+=(
125	+ # Add patches which are Gentoo-specific customisations here
126	+ )
127	+ fi
128	+
129	+ default
130	+
131	+ if use test && use sctp && has network-sandbox ${FEATURES}; then
132	+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
133	+ rm test/recipes/80-test_ssl_new.t \|\| die
134	+ fi
135	+
136	+ # - Make sure the man pages are suffixed (bug #302165)
137	+ # - Don't bother building man pages if they're disabled
138	+ # - Make DOCDIR Gentoo compliant
139	+ sed -i \
140	+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
141	+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
142	+ -e $(has noman FEATURES \
143	+ && echo '/^install:/s:install_docs::' \
144	+ \|\| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
145	+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
146	+ Configurations/unix-Makefile.tmpl \
147	+ \|\| die
148	+
149	+ # Quiet out unknown driver argument warnings since openssl
150	+ # doesn't have well-split CFLAGS and we're making it even worse
151	+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
152	+ tc-is-clang && append-flags -Qunused-arguments
153	+
154	+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
155	+ # It's filled with violations and it will result in miscompiled
156	+ # code. This has been in the ebuild for > 10 years but even in 2022,
157	+ # it's still relevant:
158	+ # - https://github.com/llvm/llvm-project/issues/55255
159	+ # - https://github.com/openssl/openssl/issues/18225
160	+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
161	+ # Don't remove the no strict aliasing bits below!
162	+ filter-flags -fstrict-aliasing
163	+ append-flags -fno-strict-aliasing
164	+
165	+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
166	+
167	+ append-flags $(test-flags-CC -Wa,--noexecstack)
168	+
169	+ # Prefixify Configure shebang (bug #141906)
170	+ sed \
171	+ -e "1s,/usr/bin/env,${BROOT}&," \
172	+ -i Configure \|\| die
173	+
174	+ # Remove test target when FEATURES=test isn't set
175	+ if ! use test ; then
176	+ sed \
177	+ -e '/^$config{dirs}/s@ "test",@@' \
178	+ -i Configure \|\| die
179	+ fi
180	+
181	+ if use prefix && [[ ${CHOST} == -solaris ]] ; then
182	+ # use GNU ld full option, not to confuse it on Solaris
183	+ sed -i \
184	+ -e 's/-Wl,-M,/-Wl,--version-script=/' \
185	+ -e 's/-Wl,-h,/-Wl,--soname=/' \
186	+ Configurations/10-main.conf \|\| die
187	+
188	+ # fix building on Solaris 10
189	+ # https://github.com/openssl/openssl/issues/6333
190	+ sed -i \
191	+ -e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
192	+ Configurations/10-main.conf \|\| die
193	+ fi
194	+
195	+ # The config script does stupid stuff to prompt the user. Kill it.
196	+ sed -i '/stty -icanon min 0 time 50; read waste/d' config \|\| die
197	+ ./config --test-sanity \|\| die "I AM NOT SANE"
198	+
199	+ multilib_copy_sources
200	+}
201	+
202	+multilib_src_configure() {
203	+ # bug #197996
204	+ unset APPS
205	+ # bug #312551
206	+ unset SCRIPTS
207	+ # bug #311473
208	+ unset CROSS_COMPILE
209	+
210	+ tc-export AR CC CXX RANLIB RC
211	+
212	+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
213	+
214	+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" \|\| echo "Heimdal")
215	+
216	+ # See if our toolchain supports __uint128_t. If so, it's 64bit
217	+ # friendly and can use the nicely optimized code paths, bug #460790.
218	+ #local ec_nistp_64_gcc_128
219	+ #
220	+ # Disable it for now though (bug #469976)
221	+ # Do NOT re-enable without substantial discussion first!
222	+ #
223	+ #echo "__uint128_t i;" > "${T}"/128.c
224	+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
225	+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
226	+ #fi
227	+
228	+ local sslout=$(./gentoo.config)
229	+ einfo "Use configuration ${sslout:-(openssl knows best)}"
230	+ local config="Configure"
231	+ [[ -z ${sslout} ]] && config="config"
232	+
233	+ # "disable-deprecated" option breaks too many consumers.
234	+ # Don't set it without thorough revdeps testing.
235	+ # Make sure user flags don't get added yet to avoid duplicated
236	+ # flags.
237	+ local myeconfargs=(
238	+ ${sslout}
239	+
240	+ $(use cpu_flags_x86_sse2 \|\| echo "no-sse2")
241	+ enable-camellia
242	+ enable-ec
243	+ enable-ec2m
244	+ enable-sm2
245	+ enable-srp
246	+ $(use elibc_musl && echo "no-async")
247	+ ${ec_nistp_64_gcc_128}
248	+ enable-idea
249	+ enable-mdc2
250	+ enable-rc5
251	+ $(use_ssl sslv3 ssl3)
252	+ $(use_ssl sslv3 ssl3-method)
253	+ $(use_ssl asm)
254	+ $(use_ssl rfc3779)
255	+ $(use_ssl sctp)
256	+ $(use test \|\| echo "no-tests")
257	+ $(use_ssl tls-compression zlib)
258	+ $(use_ssl tls-heartbeat heartbeats)
259	+ $(use_ssl weak-ssl-ciphers)
260	+
261	+ --prefix="${EPREFIX}"/usr
262	+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
263	+ --libdir=$(get_libdir)
264	+
265	+ shared
266	+ threads
267	+ )
268	+
269	+ CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
270	+
271	+ # Clean out hardcoded flags that openssl uses
272	+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile \| LC_ALL=C sed \
273	+ -e 's:^CFLAGS=::' \
274	+ -e 's:\(^\\| \)-fomit-frame-pointer::g' \
275	+ -e 's:\(^\\| \)-O[^ ]*::g' \
276	+ -e 's:\(^\\| \)-march=[^ ]*::g' \
277	+ -e 's:\(^\\| \)-mcpu=[^ ]*::g' \
278	+ -e 's:\(^\\| \)-m[^ ]*::g' \
279	+ -e 's:^ *::' \
280	+ -e 's: *$::' \
281	+ -e 's: \+: :g' \
282	+ -e 's:\\:\\\\:g'
283	+ )
284	+
285	+ # Now insert clean default flags with user flags
286	+ sed -i \
287	+ -e "/^CFLAGS=/s\|=.*\|=${DEFAULT_CFLAGS} ${CFLAGS}\|" \
288	+ -e "/^LDFLAGS=/s\|=[[:space:]]*$\|=${LDFLAGS}\|" \
289	+ Makefile \|\| die
290	+}
291	+
292	+multilib_src_compile() {
293	+ # depend is needed to use $confopts; it also doesn't matter
294	+ # that it's -j1 as the code itself serializes subdirs
295	+ emake -j1 depend
296	+
297	+ emake all
298	+}
299	+
300	+multilib_src_test() {
301	+ emake -j1 test
302	+}
303	+
304	+multilib_src_install() {
305	+ # We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
306	+ dodir /usr
307	+
308	+ emake DESTDIR="${D}" install
309	+
310	+ # This is crappy in that the static archives are still built even
311	+ # when USE=static-libs. But this is due to a failing in the openssl
312	+ # build system: the static archives are built as PIC all the time.
313	+ # Only way around this would be to manually configure+compile openssl
314	+ # twice; once with shared lib support enabled and once without.
315	+ if ! use static-libs; then
316	+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a \|\| die
317	+ fi
318	+}
319	+
320	+multilib_src_install_all() {
321	+ # openssl installs perl version of c_rehash by default, but
322	+ # we provide a shell version via app-misc/c_rehash
323	+ rm "${ED}"/usr/bin/c_rehash \|\| die
324	+
325	+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
326	+
327	+ # Create the certs directory
328	+ keepdir ${SSL_CNF_DIR}/certs
329	+
330	+ # Namespace openssl programs to prevent conflicts with other man pages
331	+ cd "${ED}"/usr/share/man \|\| die
332	+ local m d s
333	+ for m in $(find . -type f \| xargs grep -L '#include') ; do
334	+ d=${m%/*}
335	+ d=${d#./}
336	+ m=${m##*/}
337	+
338	+ [[ ${m} == openssl.1* ]] && continue
339	+
340	+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
341	+
342	+ mv ${d}/{,ssl-}${m} \|\| die
343	+
344	+ # Fix up references to renamed man pages
345	+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} \|\| die
346	+ ln -s ssl-${m} ${d}/openssl-${m}
347	+
348	+ # Locate any symlinks that point to this man page
349	+ # We assume that any broken links are due to the above renaming
350	+ for s in $(find -L ${d} -type l) ; do
351	+ s=${s##*/}
352	+
353	+ rm -f ${d}/${s}
354	+
355	+ # We don't want to "\|\| die" here
356	+ ln -s ssl-${m} ${d}/ssl-${s}
357	+ ln -s ssl-${s} ${d}/openssl-${s}
358	+ done
359	+ done
360	+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
361	+
362	+ # bug #254521
363	+ dodir /etc/sandbox.d
364	+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
365	+
366	+ diropts -m0700
367	+ keepdir ${SSL_CNF_DIR}/private
368	+}
369	+
370	+pkg_postinst() {
371	+ ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
372	+ c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
373	+ eend $?
374	+}

Gentoo Archives: gentoo-commits