
From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date: Tue, 01 Nov 2022 15:48:10
Message-Id: 1667317682.4c40f1c782a71d48b194236040145c171190a25f.robbat2@gentoo
1 commit: 4c40f1c782a71d48b194236040145c171190a25f
2 Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
3 AuthorDate: Tue Nov 1 15:47:50 2022 +0000
4 Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
5 CommitDate: Tue Nov 1 15:48:02 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c40f1c7
7
8 dev-libs/openssl: security bump
9
10 Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
11 Bug: https://bugs.gentoo.org/878269
12
13 dev-libs/openssl/Manifest | 2 +
14 dev-libs/openssl/openssl-3.0.7.ebuild | 337 ++++++++++++++++++++++++++++++++++
15 2 files changed, 339 insertions(+)
16
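--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,3 +5,5 @@ DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B fc8fd6a62dc291d0bda328a051e253175fb04
 DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6 SHA512 03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e
 DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 7bf89e042417c003ef02a8bb1278590a52ce4a3d50f66795c66b750f90248840edb0d3352811caaaaff708c7e65b77384142e316916a6c311f1d2b4747f44816 SHA512 782b0df3d0252468aa696bd74a3b661810499819c0df849aa9698ba0e06a845820dc856aac650fced4be234f1271e576d4317ac3ab1406cf0ffe087d695d20fe
 DIST openssl-3.0.5.tar.gz.asc 862 BLAKE2B 24f1839227be7acec45eb6b748cea7be0b5e66b5cf745814861f7290670733936bf1af2c1dc9357439b31a2ca28f418880d63726d4be6fa994902ac95b51e401 SHA512 516da9ef291601400576adaba7271854af3caa23dc1d70116004360f580e4c28fe61d51e86477d341e4c5bf0ca5f98db8264581ed6cc2c8df124da83ad3e40be
+DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424
+DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1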
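--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.7.ebuild
@@ -0,0 +1,337 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ >=app-misc/c_rehash-1.7-r1
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ sys-process/procps
+ )
+ verify-sig? ( sec-keys/openpgp-keys-openssl )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_unpack() {
+ # Can delete this once test fix patch is dropped
+ if use verify-sig ; then
+ # Needed for downloaded patch (which is unsigned, which is fine)
+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+ fi
+
+ default
+}
+
+src_prepare() {
+ # Allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config || die
+
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # - Make sure the man pages are suffixed (bug #302165)
+ # - Don't bother building man pages if they're disabled
+ # - Make DOCDIR Gentoo compliant
+ sed -i \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+ Configurations/unix-Makefile.tmpl \
+ || die
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # Prefixify Configure shebang (bug #141906)
+ sed \
+ -e "1s,/usr/bin/env,${BROOT}&," \
+ -i Configure || die
+
+ # Remove test target when FEATURES=test isn't set
+ if ! use test ; then
+ sed \
+ -e '/^$config{dirs}/s@ "test",@@' \
+ -i Configure || die
+ fi
+
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
+
+ # Clean out hardcoded flags that openssl uses
+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAGS=::' \
+ -e 's:\(^\| \)-fomit-frame-pointer::g' \
+ -e 's:\(^\| \)-O[^ ]*::g' \
+ -e 's:\(^\| \)-march=[^ ]*::g' \
+ -e 's:\(^\| \)-mcpu=[^ ]*::g' \
+ -e 's:\(^\| \)-m[^ ]*::g' \
+ -e 's:^ *::' \
+ -e 's: *$::' \
+ -e 's: \+: :g' \
+ -e 's:\\:\\\\:g'
+ )
+
+ # Now insert clean default flags with user flags
+ sed -i \
+ -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+ -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+ Makefile \
+ || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+
+ emake all
+}
+
+multilib_src_test() {
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+ # We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
+ dodir /usr
+
+ emake DESTDIR="${D}" install
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man || die
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*}
+ d=${d#./}
+ m=${m##*/}
+
+ [[ ${m} == openssl.1* ]] && continue
+
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+
+ mv ${d}/{,ssl-}${m} || die
+
+ # Fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
+ ln -s ssl-${m} ${d}/openssl-${m} || die
+
+ # Locate any symlinks that point to this man page
+ # We assume that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+
+ rm -f ${d}/${s}
+
+ # We don't want to "|| die" here
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
+ c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+}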
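Review bot: The `src_unpack` override verifies `"${DISTDIR}"/${P}.tar.gz{,.asc}` while `SRC_URI` fetches `${MY_P}.tar.gz`, so the signature check only finds the right file when `P` and `MY_P` coincide — true for 3.0.7, but not for any `_`-suffixed version that `MY_P=${P/_/-}` exists to handle, and the failure mode would be a hard fail on a missing file rather than a skipped check. The comments above it ("Can delete this once test fix patch is dropped", "Needed for downloaded patch") refer to an unsigned downloaded patch that this ebuild no longer carries: `PATCHES` is empty and `SRC_URI` lists only the tarball and its `.asc`. Because verify-sig is in the `inherit` line, the trailing `default` presumably already performs the detached-signature check on the distfiles, in which case the whole override can be removed; if it is kept, change the call to `verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}` and replace the two stale comments with one sentence stating why manual verification is still required.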