commit: a1ced0de770abbc643d994378b9cd11a41605902 |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
AuthorDate: Tue Feb 26 15:12:11 2019 +0000 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
CommitDate: Tue Feb 26 15:31:41 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1ced0de |
|
dev-libs/openssl: Removed old. |
|
Package-Manager: Portage-2.3.62, Repoman-2.3.12 |
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> |
|
dev-libs/openssl/Manifest | 4 - |
...-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch | 27 -- |
...ix-cert-with-rsa-instead-of-rsaEncryption.patch | 97 ----- |
...ix-some-SSL_export_keying_material-issues.patch | 420 --------------------- |
...a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch | 26 -- |
...ure-build_SYS_str_reasons_preserves_errno.patch | 68 ---- |
.../openssl-1.1.1a-preserve-errno-on-dlopen.patch | 51 --- |
...-system-error-number-in-a-few-more-places.patch | 57 --- |
...t-reduce-stack-usage-in-tls13_hkdf_expand.patch | 56 --- |
dev-libs/openssl/openssl-1.0.2q-r200.ebuild | 248 ------------ |
dev-libs/openssl/openssl-1.1.1a-r1.ebuild | 299 --------------- |
dev-libs/openssl/openssl-1.1.1a.ebuild | 288 -------------- |
12 files changed, 1641 deletions(-) |
|
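--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -15,10 +15,6 @@ DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BL
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1
-DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199 SHA512 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34
-DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
-DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
-DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8 SHA512 b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d
 DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
 DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef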
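--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3be71a31a1dda204bb95462a92cf7f247e64b939 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@×××××××.de>
-Date: Sun, 16 Dec 2018 12:43:59 +0100
-Subject: [PATCH] Fix a minor nit in the hkdflabel size
-
-Reviewed-by: Paul Dale <paul.dale@××××××.com>
-Reviewed-by: Matt Caswell <matt@×××××××.org>
-(Merged from https://github.com/openssl/openssl/pull/7913)
-
-(cherry picked from commit 0b4233f5a4a181a6dcb7c511cd2663e500e659a4)
----
- ssl/tls13_enc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index c3021d18aa9..e36b7d3a066 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -41,7 +41,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
- * + bytes for the hash itself
- */
- unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
-- + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
-+ + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
- + 1 + EVP_MAX_MD_SIZE];
- WPACKET pkt;
-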
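--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From c25ae0fff78cb3cb784ef79167329d5cd55b62de Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@×××××××.de>
-Date: Thu, 27 Dec 2018 22:18:21 +0100
-Subject: [PATCH] Fix cert with rsa instead of rsaEncryption as public key
- algorithm
-
-Reviewed-by: Kurt Roeckx <kurt@××××××.be>
-(Merged from https://github.com/openssl/openssl/pull/7962)
-
-(cherry picked from commit 1f483a69bce11c940309edc437eee6e32294d5f2)
----
- crypto/rsa/rsa_ameth.c | 9 ++++++---
- test/certs/root-cert-rsa2.pem | 18 ++++++++++++++++++
- test/recipes/25-test_verify.t | 4 +++-
- 3 files changed, 27 insertions(+), 4 deletions(-)
- create mode 100644 test/certs/root-cert-rsa2.pem
-
-diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
-index a6595aec054..75debb3e0a9 100644
---- a/crypto/rsa/rsa_ameth.c
-+++ b/crypto/rsa/rsa_ameth.c
-@@ -34,7 +34,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey,
-
- *pstr = NULL;
- /* If RSA it's just NULL type */
-- if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
-+ if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
- *pstrtype = V_ASN1_NULL;
- return 1;
- }
-@@ -58,7 +58,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
- int algptype;
-
- X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
-- if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
-+ if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
- return 1;
- if (algptype == V_ASN1_UNDEF)
- return 1;
-@@ -109,7 +109,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
- RSA_free(rsa);
- return 0;
- }
-- EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
-+ if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
-+ RSA_free(rsa);
-+ return 0;
-+ }
- return 1;
- }
-
-diff --git a/test/certs/root-cert-rsa2.pem b/test/certs/root-cert-rsa2.pem
-new file mode 100644
-index 00000000000..b817fdf3e5d
---- /dev/null
-+++ b/test/certs/root-cert-rsa2.pem
-@@ -0,0 +1,18 @@
-+-----BEGIN CERTIFICATE-----
-+MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
-+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
-+DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP
-+Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk
-+7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX
-+OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq
-+alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN
-+biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+
-+ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G
-+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
-+KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt
-+NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv
-+8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm
-+mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx
-+PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb
-+7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI=
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
-index 6c3deab7c67..b80a1cde3ed 100644
---- a/test/recipes/25-test_verify.t
-+++ b/test/recipes/25-test_verify.t
-@@ -27,7 +27,7 @@ sub verify {
- run(app([@args]));
- }
-
--plan tests => 134;
-+plan tests => 135;
-
- # Canonical success
- ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
-@@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"]
- "Not too many names and constraints to check (2)");
- ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),
- "Not too many names and constraints to check (3)");
-+ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
-+ "Public Key Algorithm rsa instead of rsaEncryption");
-
- SKIP: {
- skip "Ed25519 is not supported by this OpenSSL build", 1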
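--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
+++ /dev/null
@@ -1,420 +0,0 @@
-From 0fb2815b873304d145ed00283454fc9f3bd35e6b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@×××××××.org>
-Date: Tue, 4 Dec 2018 08:37:04 +0000
-Subject: [PATCH] Fix some SSL_export_keying_material() issues
-
-Fix some issues in tls13_hkdf_expand() which impact the above function
-for TLSv1.3. In particular test that we can use the maximum label length
-in TLSv1.3.
-
-Reviewed-by: Tim Hudson <tjh@×××××××.org>
-(Merged from https://github.com/openssl/openssl/pull/7755)
----
- doc/man3/SSL_export_keying_material.pod | 3 +-
- ssl/ssl_locl.h | 2 +-
- ssl/statem/extensions.c | 2 +-
- ssl/statem/statem_clnt.c | 2 +-
- ssl/statem/statem_srvr.c | 2 +-
- ssl/tls13_enc.c | 73 +++++++++++++++++--------
- test/sslapitest.c | 48 ++++++++++++----
- test/tls13secretstest.c | 2 +-
- 8 files changed, 92 insertions(+), 42 deletions(-)
-
-diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod
-index abebf911fc3..4c81a60ffbb 100644
---- a/doc/man3/SSL_export_keying_material.pod
-+++ b/doc/man3/SSL_export_keying_material.pod
-@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from
- the IANA Exporter Label Registry
- (L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
- Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
--to be used without registration.
-+to be used without registration. TLSv1.3 imposes a maximum label length of
-+249 bytes.
-
- Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
- above. Attempting to use it in SSLv3 will result in an error.
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 70e5a1740f9..307131de93a 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
- const unsigned char *secret,
- const unsigned char *label, size_t labellen,
- const unsigned char *data, size_t datalen,
-- unsigned char *out, size_t outlen);
-+ unsigned char *out, size_t outlen, int fatal);
- __owur int tls13_derive_key(SSL *s, const EVP_MD *md,
- const unsigned char *secret, unsigned char *key,
- size_t keylen);
-diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
-index 63e61c6184a..716d6d23e08 100644
---- a/ssl/statem/extensions.c
-+++ b/ssl/statem/extensions.c
-@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
-
- /* Generate the binder key */
- if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
-- hashsize, binderkey, hashsize)) {
-+ hashsize, binderkey, hashsize, 1)) {
- /* SSLfatal() already called */
- goto err;
- }
-diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
-index 5a8f1163dfa..a0e495d8e83 100644
---- a/ssl/statem/statem_clnt.c
-+++ b/ssl/statem/statem_clnt.c
-@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
- PACKET_data(&nonce),
- PACKET_remaining(&nonce),
- s->session->master_key,
-- hashlen)) {
-+ hashlen, 1)) {
- /* SSLfatal() already called */
- goto err;
- }
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index e7c11c4bea4..a8e862ced55 100644
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
- tick_nonce,
- TICKET_NONCE_SIZE,
- s->session->master_key,
-- hashlen)) {
-+ hashlen, 1)) {
- /* SSLfatal() already called */
- goto err;
- }
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index f7ab0fa4704..c3021d18aa9 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -13,7 +13,7 @@
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
-
--#define TLS13_MAX_LABEL_LEN 246
-+#define TLS13_MAX_LABEL_LEN 249
-
- /* Always filled with zeros */
- static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-@@ -22,30 +22,47 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
- * Given a |secret|; a |label| of length |labellen|; and |data| of length
- * |datalen| (e.g. typically a hash of the handshake messages), derive a new
- * secret |outlen| bytes long and store it in the location pointed to be |out|.
-- * The |data| value may be zero length. Returns 1 on success 0 on failure.
-+ * The |data| value may be zero length. Any errors will be treated as fatal if
-+ * |fatal| is set. Returns 1 on success 0 on failure.
- */
- int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
- const unsigned char *label, size_t labellen,
- const unsigned char *data, size_t datalen,
-- unsigned char *out, size_t outlen)
-+ unsigned char *out, size_t outlen, int fatal)
- {
-- const unsigned char label_prefix[] = "tls13 ";
-+ static const unsigned char label_prefix[] = "tls13 ";
- EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
- int ret;
- size_t hkdflabellen;
- size_t hashlen;
- /*
-- * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
-- * prefix and label + bytes for the label itself + bytes for the hash
-+ * 2 bytes for length of derived secret + 1 byte for length of combined
-+ * prefix and label + bytes for the label itself + 1 byte length of hash
-+ * + bytes for the hash itself
- */
- unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
- + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
-- + EVP_MAX_MD_SIZE];
-+ + 1 + EVP_MAX_MD_SIZE];
- WPACKET pkt;
-
- if (pctx == NULL)
- return 0;
-
-+ if (labellen > TLS13_MAX_LABEL_LEN) {
-+ if (fatal) {
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+ ERR_R_INTERNAL_ERROR);
-+ } else {
-+ /*
-+ * Probably we have been called from SSL_export_keying_material(),
-+ * or SSL_export_keying_material_early().
-+ */
-+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
-+ }
-+ EVP_PKEY_CTX_free(pctx);
-+ return 0;
-+ }
-+
- hashlen = EVP_MD_size(md);
-
- if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
-@@ -59,8 +76,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
- || !WPACKET_finish(&pkt)) {
- EVP_PKEY_CTX_free(pctx);
- WPACKET_cleanup(&pkt);
-- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-- ERR_R_INTERNAL_ERROR);
-+ if (fatal)
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+ ERR_R_INTERNAL_ERROR);
-+ else
-+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
-@@ -74,9 +94,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-
- EVP_PKEY_CTX_free(pctx);
-
-- if (ret != 0)
-- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-- ERR_R_INTERNAL_ERROR);
-+ if (ret != 0) {
-+ if (fatal)
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+ ERR_R_INTERNAL_ERROR);
-+ else
-+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
-+ }
-
- return ret == 0;
- }
-@@ -91,7 +115,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
- static const unsigned char keylabel[] = "key";
-
- return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
-- NULL, 0, key, keylen);
-+ NULL, 0, key, keylen, 1);
- }
-
- /*
-@@ -104,7 +128,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
- static const unsigned char ivlabel[] = "iv";
-
- return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
-- NULL, 0, iv, ivlen);
-+ NULL, 0, iv, ivlen, 1);
- }
-
- int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
-@@ -114,7 +138,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
- static const unsigned char finishedlabel[] = "finished";
-
- return tls13_hkdf_expand(s, md, secret, finishedlabel,
-- sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
-+ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
- }
-
- /*
-@@ -177,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
- if (!tls13_hkdf_expand(s, md, prevsecret,
- (unsigned char *)derived_secret_label,
- sizeof(derived_secret_label) - 1, hash, mdlen,
-- preextractsec, mdlen)) {
-+ preextractsec, mdlen, 1)) {
- /* SSLfatal() already called */
- EVP_PKEY_CTX_free(pctx);
- return 0;
-@@ -337,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
- hashlen = (size_t)hashleni;
-
- if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
-- secret, hashlen)) {
-+ secret, hashlen, 1)) {
- /* SSLfatal() already called */
- goto err;
- }
-@@ -517,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which)
- early_exporter_master_secret,
- sizeof(early_exporter_master_secret) - 1,
- hashval, hashlen,
-- s->early_exporter_master_secret, hashlen)) {
-+ s->early_exporter_master_secret, hashlen,
-+ 1)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
- goto err;
-@@ -604,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which)
- resumption_master_secret,
- sizeof(resumption_master_secret) - 1,
- hashval, hashlen, s->resumption_master_secret,
-- hashlen)) {
-+ hashlen, 1)) {
- /* SSLfatal() already called */
- goto err;
- }
-@@ -624,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which)
- exporter_master_secret,
- sizeof(exporter_master_secret) - 1,
- hash, hashlen, s->exporter_master_secret,
-- hashlen)) {
-+ hashlen, 1)) {
- /* SSLfatal() already called */
- goto err;
- }
-@@ -738,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
- || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
- || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
- (const unsigned char *)label, llen,
-- data, datalen, exportsecret, hashsize)
-+ data, datalen, exportsecret, hashsize, 0)
- || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
- sizeof(exporterlabel) - 1, hash, hashsize,
-- out, olen))
-+ out, olen, 0))
- goto err;
-
- ret = 1;
-@@ -797,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
- || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
- || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
- (const unsigned char *)label, llen,
-- data, datalen, exportsecret, hashsize)
-+ data, datalen, exportsecret, hashsize, 0)
- || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
- sizeof(exporterlabel) - 1, hash, hashsize,
-- out, olen))
-+ out, olen, 0))
- goto err;
-
- ret = 1;
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 108d57e4781..a4bbb4fead4 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst)
- * no test vectors so all we do is test that both sides of the communication
- * produce the same results for different protocol versions.
- */
-+#define SMALL_LABEL_LEN 10
-+#define LONG_LABEL_LEN 249
- static int test_export_key_mat(int tst)
- {
- int testresult = 0;
- SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
- SSL *clientssl = NULL, *serverssl = NULL;
-- const char label[] = "test label";
-+ const char label[LONG_LABEL_LEN + 1] = "test label";
- const unsigned char context[] = "context";
- const unsigned char *emptycontext = NULL;
- unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
- unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
-+ size_t labellen;
- const int protocols[] = {
- TLS1_VERSION,
- TLS1_1_VERSION,
- TLS1_2_VERSION,
-+ TLS1_3_VERSION,
-+ TLS1_3_VERSION,
- TLS1_3_VERSION
- };
-
-@@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst)
- return 1;
- #endif
- #ifdef OPENSSL_NO_TLS1_3
-- if (tst == 3)
-+ if (tst >= 3)
- return 1;
- #endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
-@@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst)
- SSL_ERROR_NONE)))
- goto end;
-
-+ if (tst == 5) {
-+ /*
-+ * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
-+ * go over that.
-+ */
-+ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
-+ sizeof(ckeymat1), label,
-+ LONG_LABEL_LEN + 1, context,
-+ sizeof(context) - 1, 1), 0))
-+ goto end;
-+
-+ testresult = 1;
-+ goto end;
-+ } else if (tst == 4) {
-+ labellen = LONG_LABEL_LEN;
-+ } else {
-+ labellen = SMALL_LABEL_LEN;
-+ }
-+
- if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
- sizeof(ckeymat1), label,
-- sizeof(label) - 1, context,
-+ labellen, context,
- sizeof(context) - 1, 1), 1)
- || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
- sizeof(ckeymat2), label,
-- sizeof(label) - 1,
-+ labellen,
- emptycontext,
- 0, 1), 1)
- || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
- sizeof(ckeymat3), label,
-- sizeof(label) - 1,
-+ labellen,
- NULL, 0, 0), 1)
- || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
- sizeof(skeymat1), label,
-- sizeof(label) - 1,
-+ labellen,
- context,
- sizeof(context) -1, 1),
- 1)
- || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
- sizeof(skeymat2), label,
-- sizeof(label) - 1,
-+ labellen,
- emptycontext,
- 0, 1), 1)
- || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
- sizeof(skeymat3), label,
-- sizeof(label) - 1,
-+ labellen,
- NULL, 0, 0), 1)
- /*
- * Check that both sides created the same key material with the
-@@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst)
- * Check that an empty context and no context produce different results in
- * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
- */
-- if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
-+ if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
- sizeof(ckeymat3)))
-- || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
-- sizeof(ckeymat3))))
-+ || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
-+ sizeof(ckeymat3))))
- goto end;
-
- testresult = 1;
-@@ -5909,7 +5933,7 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_custom_exts, 3);
- #endif
- ADD_ALL_TESTS(test_serverinfo, 8);
-- ADD_ALL_TESTS(test_export_key_mat, 4);
-+ ADD_ALL_TESTS(test_export_key_mat, 6);
- #ifndef OPENSSL_NO_TLS1_3
- ADD_ALL_TESTS(test_export_key_mat_early, 3);
- #endif
-diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
-index 319df17bab0..de318df02b4 100644
---- a/test/tls13secretstest.c
-+++ b/test/tls13secretstest.c
-@@ -226,7 +226,7 @@ static int test_secret(SSL *s, unsigned char *prk,
- }
-
- if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
-- gensecret, hashsize)) {
-+ gensecret, hashsize, 1)) {
- TEST_error("Secret generation failed");
- return 0;
- }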
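--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 3ccccb91ae1c07a4310778b3d7ba74ff4ff787f0 Mon Sep 17 00:00:00 2001
-From: Paul Yang <yang.yang@××××××××××××.com>
-Date: Wed, 21 Nov 2018 13:16:27 +0800
-Subject: [PATCH] Fix wrong return value in ssl3_ctx_ctrl
-
-This fixes issue #7677
-
-Reviewed-by: Matt Caswell <matt@×××××××.org>
-(Merged from https://github.com/openssl/openssl/pull/7678)
----
- ssl/s3_lib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 866ca4dfa9b..99ae48199c2 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
- EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
- SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
- EVP_PKEY_free(pkdh);
-- return 1;
-+ return 0;
- }
- EVP_PKEY_free(ctx->cert->dh_tmp);
- ctx->cert->dh_tmp = pkdh;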
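diff --git a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch b/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
deleted file mode 100644
index cfa84c73a5b..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 99992ad22019e752c7b103a45f860a48b6bc0972 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@×××××××.org>
-Date: Wed, 21 Nov 2018 11:44:42 +0000
-Subject: [PATCH] Make sure build_SYS_str_reasons() preserves errno
-
-This function can end up being called during ERR_get_error() if we are
-initialising. ERR_get_error() must preserve errno since it gets called via
-SSL_get_error(). If that function returns SSL_ERROR_SYSCALL then you are
-supposed to inspect errno.
-
-Reviewed-by: Richard Levitte <levitte@×××××××.org>
-(Merged from https://github.com/openssl/openssl/pull/7680)
-
-(cherry picked from commit 71b1ceffc4c795f5db21861dd1016fbe23a53a53)
----
-
-diff --git a/crypto/err/err.c b/crypto/err/err.c
-index 03cbd73..2eeeab2 100644
---- a/crypto/err/err.c
-+++ b/crypto/err/err.c
-@@ -19,6 +19,7 @@
- #include <openssl/bio.h>
- #include <openssl/opensslconf.h>
- #include "internal/thread_once.h"
-+#include "e_os.h"
-
- static int err_load_strings(const ERR_STRING_DATA *str);
-
-@@ -201,6 +202,7 @@ static void build_SYS_str_reasons(void)
- static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
- static int init = 1;
- int i;
-+ int saveerrno = get_last_sys_error();
-
- CRYPTO_THREAD_write_lock(err_string_lock);
- if (!init) {
-@@ -229,6 +231,8 @@ static void build_SYS_str_reasons(void)
- init = 0;
-
- CRYPTO_THREAD_unlock(err_string_lock);
-+ /* openssl_strerror_r could change errno, but we want to preserve it */
-+ set_sys_error(saveerrno);
- err_load_strings(SYS_str_reasons);
- }
- #endif
-diff --git a/e_os.h b/e_os.h
-index 5340593..8e6efa9 100644
---- a/e_os.h
-+++ b/e_os.h
-@@ -49,6 +49,7 @@
-
- # define get_last_sys_error() errno
- # define clear_sys_error() errno=0
-+# define set_sys_error(e) errno=(e)
-
- /********************************************************************
- The Microsoft section
-@@ -66,8 +67,10 @@
- # ifdef WIN32
- # undef get_last_sys_error
- # undef clear_sys_error
-+# undef set_sys_error
- # define get_last_sys_error() GetLastError()
- # define clear_sys_error() SetLastError(0)
-+# define set_sys_error(e) SetLastError(e)
- # if !defined(WINNT)
- # define WIN_CONSOLE_BUG
- # endif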
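diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
deleted file mode 100644
index ed8f2dd96be..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ef97becf522fc4e2e9d98e6ae7bcb26651883d9a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@×××××××.org>
-Date: Wed, 21 Nov 2018 11:57:04 +0000
-Subject: [PATCH] Preserve errno on dlopen
-
-For the same reasons as in the previous commit we must preserve errno
-across dlopen calls. Some implementations (e.g. solaris) do not preserve
-errno even on a successful dlopen call.
-
-Fixes #6953
-
-Reviewed-by: Richard Levitte <levitte@×××××××.org>
-(Merged from https://github.com/openssl/openssl/pull/7680)
-
-(cherry picked from commit 3cb4e7dc1cf92022f62b9bbdd59695885a1265ff)
----
- crypto/dso/dso_dlfcn.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
-index ad8899c289a..4240f5f5e30 100644
---- a/crypto/dso/dso_dlfcn.c
-+++ b/crypto/dso/dso_dlfcn.c
-@@ -17,6 +17,7 @@
- #endif
-
- #include "dso_locl.h"
-+#include "e_os.h"
-
- #ifdef DSO_DLFCN
-
-@@ -99,6 +100,7 @@ static int dlfcn_load(DSO *dso)
- /* See applicable comments in dso_dl.c */
- char *filename = DSO_convert_filename(dso, NULL);
- int flags = DLOPEN_FLAG;
-+ int saveerrno = get_last_sys_error();
-
- if (filename == NULL) {
- DSOerr(DSO_F_DLFCN_LOAD, DSO_R_NO_FILENAME);
-@@ -118,6 +120,11 @@ static int dlfcn_load(DSO *dso)
- ERR_add_error_data(4, "filename(", filename, "): ", dlerror());
- goto err;
- }
-+ /*
-+ * Some dlopen() implementations (e.g. solaris) do no preserve errno, even
-+ * on a successful call.
-+ */
-+ set_sys_error(saveerrno);
- if (!sk_void_push(dso->meth_data, (char *)ptr)) {
- DSOerr(DSO_F_DLFCN_LOAD, DSO_R_STACK_ERROR);
- goto err;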
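diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
deleted file mode 100644
index 84c43a3c3e0..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 145419423e1a74ae54cdbd3aed8bb15cbd53c7cc Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@×××××××.org>
-Date: Fri, 14 Dec 2018 19:33:55 +0100
-Subject: [PATCH] ERR: preserve system error number in a few more places
-
-It turns out that intialization may change the error number, so we
-need to preserve the system error number in functions where
-initialization is called for.
-These are ERR_get_state() and err_shelve_state()
-
-Fixes #7897
-
-Reviewed-by: Matt Caswell <matt@×××××××.org>
-(Merged from https://github.com/openssl/openssl/pull/7902)
-
-(cherry picked from commit 91c5473035aaf2c0d86e4039c2a29a5b70541905)
----
- crypto/err/err.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/crypto/err/err.c b/crypto/err/err.c
-index 5cfb02d821b..aef2543d60b 100644
---- a/crypto/err/err.c
-+++ b/crypto/err/err.c
-@@ -697,6 +697,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init)
- ERR_STATE *ERR_get_state(void)
- {
- ERR_STATE *state;
-+ int saveerrno = get_last_sys_error();
-
- if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
- return NULL;
-@@ -728,6 +729,7 @@ ERR_STATE *ERR_get_state(void)
- OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
- }
-
-+ set_sys_error(saveerrno);
- return state;
- }
-
-@@ -737,6 +739,8 @@ ERR_STATE *ERR_get_state(void)
- */
- int err_shelve_state(void **state)
- {
-+ int saveerrno = get_last_sys_error();
-+
- if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
- return 0;
-
-@@ -747,6 +751,7 @@ int err_shelve_state(void **state)
- if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
- return 0;
-
-+ set_sys_error(saveerrno);
- return 1;
- }
-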
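diff --git a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch b/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
deleted file mode 100644
index 5ea4fb97bfc..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From ed371b8cbac0d0349667558c061c1ae380cf75eb Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@×××××××.org>
-Date: Mon, 3 Dec 2018 18:14:57 +0000
-Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand"
-
-This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d.
-
-SSL_export_keying_material() may use longer label lengths.
-
-Fixes #7712
-
-Reviewed-by: Tim Hudson <tjh@×××××××.org>
-(Merged from https://github.com/openssl/openssl/pull/7755)
----
- ssl/tls13_enc.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index b6825d20c2d..f7ab0fa4704 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -13,14 +13,7 @@
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
-
--/*
-- * RFC 8446, 7.1 Key Schedule, says:
-- * Note: With common hash functions, any label longer than 12 characters
-- * requires an additional iteration of the hash function to compute.
-- * The labels in this specification have all been chosen to fit within
-- * this limit.
-- */
--#define TLS13_MAX_LABEL_LEN 12
-+#define TLS13_MAX_LABEL_LEN 246
-
- /* Always filled with zeros */
- static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
- const unsigned char *data, size_t datalen,
- unsigned char *out, size_t outlen)
- {
-- static const unsigned char label_prefix[] = "tls13 ";
-+ const unsigned char label_prefix[] = "tls13 ";
- EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
- int ret;
- size_t hkdflabellen;
- size_t hashlen;
- /*
-- * 2 bytes for length of derived secret + 1 byte for length of combined
-- * prefix and label + bytes for the label itself + 1 byte length of hash
-- * + bytes for the hash itself
-+ * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
-+ * prefix and label + bytes for the label itself + bytes for the hash
- */
- unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
- + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN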
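diff --git a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild b/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
deleted file mode 100644
index 44b9547d141..00000000000
--- a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
+++ /dev/null
@@ -1,248 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-# openssl-1.0.2-patches-1.6 contain additional CVE patches
-# which got fixed with this release.
-# Please use 1.7 version number when rolling a new tarball!
-PATCH_SET="openssl-1.0.2-patches-1.5"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
- !vanilla? (
- mirror://gentoo/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
- )"
-
-LICENSE="openssl"
-SLOT="1.0.0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
- !=dev-libs/openssl-1.0.2*:0"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-
-RESTRICT="test"
-
-# Do not install any docs
-DOCS=()
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-# These are ported instead
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-#PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f25'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
- done
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
- for i in "${FEDORA_PATCH[@]}" ; do
- eapply "${DISTDIR}"/"${i}"
- done
- eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- # $(use_ssl !bindist srp) \
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- eapply "${WORKDIR}"/patch/*.patch
- fi
-
- eapply_user
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- # this breaks build with 1.0.2p, not sure if it is needed anymore
- #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- # https://github.com/openssl/openssl/issues/2286
- if use ia64 ; then
- replace-flags -g3 -g2
- replace-flags -ggdb3 -ggdb2
- fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- $(use_ssl !bindist srp) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl sslv2 ssl2) \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX%/}"/usr \
- --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 V=1 depend
- emake build_libs
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- dolib.so lib{crypto,ssl}.so.${SLOT}
-}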
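diff --git a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild b/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
deleted file mode 100644
index 0ad3e058c0c..00000000000
--- a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
+++ /dev/null
@@ -1,299 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
- "${FILESDIR}"/${P}-make-sure-build_SYS_str_reasons_preserves_errno.patch
- "${FILESDIR}"/${P}-preserve-errno-on-dlopen.patch
- "${FILESDIR}"/${P}-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
- "${FILESDIR}"/${P}-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
- "${FILESDIR}"/${P}-fix-some-SSL_export_keying_material-issues.patch
- "${FILESDIR}"/${P}-preserve-system-error-number-in-a-few-more-places.patch
- "${FILESDIR}"/${P}-fix-a-minor-nit-in-hkdflabel-size.patch
- "${FILESDIR}"/${P}-fix-cert-with-rsa-instead-of-rsaEncryption.patch
-)
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
- done
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
- for i in "${FEDORA_PATCH[@]}" ; do
- eapply "${DISTDIR}"/"${i}"
- done
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
-
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
- fi
-
- eapply_user #332661
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX%/}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX%/}"/usr \
- --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- # Fix quoting for sed
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- -e 's:\\:\\\\:g' \
- )
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED%/}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED%/}"/usr || die
- fi
-
- emake DESTDIR="${D%/}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED%/}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED%/}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}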
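diff --git a/dev-libs/openssl/openssl-1.1.1a.ebuild b/dev-libs/openssl/openssl-1.1.1a.ebuild
deleted file mode 100644
index 5b5bb76c6b7..00000000000
--- a/dev-libs/openssl/openssl-1.1.1a.ebuild
+++ /dev/null
@@ -1,288 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
- done
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
- for i in "${FEDORA_PATCH[@]}" ; do
- eapply "${DISTDIR}"/"${i}"
- done
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
-
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
- fi
-
- eapply_user #332661
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX%/}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX%/}"/usr \
- --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- # Fix quoting for sed
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- -e 's:\\:\\\\:g' \
- )
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED%/}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED%/}"/usr || die
- fi
-
- emake DESTDIR="${D%/}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED%/}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED%/}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}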