[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/ - gentoo-commits

From:	Lars Wendler <polynomial-c@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date:	Tue, 24 Aug 2021 14:27:24
Message-Id:	`1629815042.d077679d20fcedb1af74ec9bcff3bc760acded09.polynomial-c@gentoo`

1

commit:     d077679d20fcedb1af74ec9bcff3bc760acded09

2

Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>

3

AuthorDate: Tue Aug 24 14:24:02 2021 +0000

4

Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>

5

CommitDate: Tue Aug 24 14:24:02 2021 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d077679d

7

8

dev-libs/openssl: Bump to version 1.1.1l

9

10

Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

11

12

 dev-libs/openssl/Manifest              |   1 +

13

 dev-libs/openssl/openssl-1.1.1l.ebuild | 328 +++++++++++++++++++++++++++++++++

14

 2 files changed, 329 insertions(+)

15

16

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest

17

index fa78265a279..f6f3fd887e6 100644

18

--- a/dev-libs/openssl/Manifest

19

+++ b/dev-libs/openssl/Manifest

20

@@ -3,5 +3,6 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1

21

 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32

22

 DIST openssl-1.1.1i-bindist-1.0.tar.xz 18124 BLAKE2B bcbce700676d1d61498ac98281b7ad06f9970d91afa6bfb2c259ab7462b2554be79a1c06759bc7aaeca9948c2f5276bac2c4f42dbc6822669f863444b9913ccd SHA512 1dbb81bcb4cf7e634bb363c7e2bb2590a1fe3fcb6c3b5e377cac3c5241abd116c2a89c516be8e5fd1799ab64375a58052a4df944eeadc87b0b7785da710906d8

23

 DIST openssl-1.1.1k.tar.gz 9823400 BLAKE2B e9bd90f17bc819c4960d07bbee04346e8a7adb87a764a09d033ef76f1d638c67b180c4f2beb84ec25fbff54ccc9c14c13b9b16a27cac231a5dd22b02635d5cec SHA512 73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121

24

+DIST openssl-1.1.1l.tar.gz 9834044 BLAKE2B 9e8739015db63a013c05587e3d164d67c3f65f1f6c5fc75e4592bcd038c036cde88a7bc95fbc1f1b4ed876f6124ca4dabcd4f5dbb45d1b84299f2efe1a59431a SHA512 d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0

25

 DIST openssl-3.0.0-beta1.tar.gz 14878832 BLAKE2B a2c8d8cbb226803e78ff00fcbee355f41da90275830714e8c0aea532309ef0b98c27f6796119e2942387a9e92afd917d766faac7b5ea65a36326c368790b8055 SHA512 fbb650638a7ca406b0b5d1eafcef0ca431172c8b255adaf7575325d9c1545dfdacf8e9550b8bec4e1ec73759a02c9efbd729a07e9959932564ba81be61238d5d

26

 DIST openssl-3.0.0-beta2.tar.gz 14912360 BLAKE2B f1180eee6561f04e778f40d3d6f9fac5645777de09d965662f00c2506da30d3c3cfa0e98a25fc668e2e1fd39b8d700d7f0fd901f80964be048cb3aaa6432a5f5 SHA512 3eb9b472429bc26a7fc5c5837e2ea496706e3c6273ba33f36bbe3dc13bf7dcf7cba08d19ce005ee9b1cecfc63de68ef86cd8d911df28c82873ee44ba5d7e253a

27

28

diff --git a/dev-libs/openssl/openssl-1.1.1l.ebuild b/dev-libs/openssl/openssl-1.1.1l.ebuild

29

new file mode 100644

30

index 00000000000..40abe5cb2d8

31

--- /dev/null

32

+++ b/dev-libs/openssl/openssl-1.1.1l.ebuild

33

@@ -0,0 +1,328 @@

34

+# Copyright 1999-2021 Gentoo Authors

35

+# Distributed under the terms of the GNU General Public License v2

36

+

37

+EAPI="7"

38

+

39

+inherit flag-o-matic toolchain-funcs multilib-minimal

40

+

41

+MY_P=${P/_/-}

42

+

43

+# This patch set is based on the following files from Fedora 31,

44

+# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec

45

+# for more details:

46

+# - hobble-openssl (SOURCE1)

47

+# - ec_curve.c (SOURCE12) -- MODIFIED

48

+# - ectest.c (SOURCE13)

49

+# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED

50

+BINDIST_PATCH_SET="openssl-1.1.1i-bindist-1.0.tar.xz"

51

+

52

+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"

53

+HOMEPAGE="https://www.openssl.org/"

54

+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz

55

+	bindist? (

56

+		mirror://gentoo/${BINDIST_PATCH_SET}

57

+		https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}

58

+	)"

59

+

60

+LICENSE="openssl"

61

+SLOT="0/1.1" # .so version of libssl/libcrypto

62

+[[ "${PV}" = *_pre* ]] || \

63

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"

64

+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla"

65

+RESTRICT="!bindist? ( bindist )

66

+	!test? ( test )"

67

+

68

+RDEPEND=">=app-misc/c_rehash-1.7-r1

69

+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"

70

+DEPEND="${RDEPEND}"

71

+BDEPEND="

72

+	>=dev-lang/perl-5

73

+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )

74

+	test? (

75

+		sys-apps/diffutils

76

+		sys-devel/bc

77

+		sys-process/procps

78

+	)"

79

+PDEPEND="app-misc/ca-certificates"

80

+

81

+PATCHES=(

82

+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602

83

+	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch

84

+)

85

+

86

+S="${WORKDIR}/${MY_P}"

87

+

88

+# force upgrade to prevent broken login, bug 696950

89

+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"

90

+

91

+MULTILIB_WRAPPED_HEADERS=(

92

+	usr/include/openssl/opensslconf.h

93

+)

94

+

95

+pkg_setup() {

96

+	[[ ${MERGE_TYPE} == binary ]] && return

97

+

98

+	# must check in pkg_setup; sysctl don't work with userpriv!

99

+	if use test && use sctp; then

100

+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"

101

+		# if sctp.auth_enable is not enabled.

102

+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)

103

+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then

104

+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"

105

+		fi

106

+	fi

107

+}

108

+

109

+src_prepare() {

110

+	# allow openssl to be cross-compiled

111

+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die

112

+	chmod a+rx gentoo.config || die

113

+

114

+	if use bindist; then

115

+		mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die

116

+		bash "${WORKDIR}"/hobble-openssl || die

117

+

118

+		cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die

119

+		cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die

120

+

121

+		eapply "${WORKDIR}"/bindist-patches/ec-curves.patch

122

+

123

+		local known_failing_test

124

+		for known_failing_test in \

125

+			30-test_evp_extra.t \

126

+			80-test_ssl_new.t \

127

+		; do

128

+			ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"

129

+			rm test/recipes/${known_failing_test} || die

130

+			eend $?

131

+		done

132

+

133

+		# Also see the configure parts below:

134

+		# enable-ec \

135

+		# $(use_ssl !bindist ec2m) \

136

+	fi

137

+

138

+	# keep this in sync with app-misc/c_rehash

139

+	SSL_CNF_DIR="/etc/ssl"

140

+

141

+	# Make sure we only ever touch Makefile.org and avoid patching a file

142

+	# that gets blown away anyways by the Configure script in src_configure

143

+	rm -f Makefile

144

+

145

+	if ! use vanilla ; then

146

+		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then

147

+			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"

148

+		fi

149

+	fi

150

+

151

+	eapply_user #332661

152

+

153

+	if use test && use sctp && has network-sandbox ${FEATURES}; then

154

+		ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"

155

+		rm test/recipes/80-test_ssl_new.t || die

156

+		eend $?

157

+	fi

158

+

159

+	# make sure the man pages are suffixed #302165

160

+	# don't bother building man pages if they're disabled

161

+	# Make DOCDIR Gentoo compliant

162

+	sed -i \

163

+		-e '/^MANSUFFIX/s:=.*:=ssl:' \

164

+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \

165

+		-e $(has noman FEATURES \

166

+			&& echo '/^install:/s:install_docs::' \

167

+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \

168

+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \

169

+		Configurations/unix-Makefile.tmpl \

170

+		|| die

171

+

172

+	# quiet out unknown driver argument warnings since openssl

173

+	# doesn't have well-split CFLAGS and we're making it even worse

174

+	# and 'make depend' uses -Werror for added fun (#417795 again)

175

+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments

176

+

177

+	append-flags -fno-strict-aliasing

178

+	append-flags $(test-flags-CC -Wa,--noexecstack)

179

+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS

180

+

181

+	# Prefixify Configure shebang (#141906)

182

+	sed \

183

+		-e "1s,/usr/bin/env,${EPREFIX}&," \

184

+		-i Configure || die

185

+	# Remove test target when FEATURES=test isn't set

186

+	if ! use test ; then

187

+		sed \

188

+			-e '/^$config{dirs}/s@ "test",@@' \

189

+			-i Configure || die

190

+	fi

191

+	# The config script does stupid stuff to prompt the user.  Kill it.

192

+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die

193

+	./config --test-sanity || die "I AM NOT SANE"

194

+

195

+	multilib_copy_sources

196

+}

197

+

198

+multilib_src_configure() {

199

+	unset APPS #197996

200

+	unset SCRIPTS #312551

201

+	unset CROSS_COMPILE #311473

202

+

203

+	tc-export CC AR RANLIB RC

204

+

205

+	# Clean out patent-or-otherwise-encumbered code

206

+	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)

207

+	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm

208

+	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography

209

+	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2

210

+	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5

211

+

212

+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }

213

+	echoit() { echo "$@" ; "$@" ; }

214

+

215

+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")

216

+

217

+	# See if our toolchain supports __uint128_t.  If so, it's 64bit

218

+	# friendly and can use the nicely optimized code paths. #460790

219

+	local ec_nistp_64_gcc_128

220

+	# Disable it for now though #469976

221

+	#if ! use bindist ; then

222

+	#	echo "__uint128_t i;" > "${T}"/128.c

223

+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then

224

+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"

225

+	#	fi

226

+	#fi

227

+

228

+	local sslout=$(./gentoo.config)

229

+	einfo "Use configuration ${sslout:-(openssl knows best)}"

230

+	local config="Configure"

231

+	[[ -z ${sslout} ]] && config="config"

232

+

233

+	# Fedora hobbled-EC needs 'no-ec2m'

234

+	# 'srp' was restricted until early 2017 as well.

235

+	# "disable-deprecated" option breaks too many consumers.

236

+	# Don't set it without thorough revdeps testing.

237

+	# Make sure user flags don't get added *yet* to avoid duplicated

238

+	# flags.

239

+	CFLAGS= LDFLAGS= echoit \

240

+	./${config} \

241

+		${sslout} \

242

+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \

243

+		enable-camellia \

244

+		enable-ec \

245

+		$(use_ssl !bindist ec2m) \

246

+		$(use_ssl !bindist sm2) \

247

+		enable-srp \

248

+		$(use elibc_musl && echo "no-async") \

249

+		${ec_nistp_64_gcc_128} \

250

+		enable-idea \

251

+		enable-mdc2 \

252

+		enable-rc5 \

253

+		$(use_ssl sslv3 ssl3) \

254

+		$(use_ssl sslv3 ssl3-method) \

255

+		$(use_ssl asm) \

256

+		$(use_ssl rfc3779) \

257

+		$(use_ssl sctp) \

258

+		$(use_ssl tls-compression zlib) \

259

+		$(use_ssl tls-heartbeat heartbeats) \

260

+		--prefix="${EPREFIX}"/usr \

261

+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \

262

+		--libdir=$(get_libdir) \

263

+		shared threads \

264

+		|| die

265

+

266

+	# Clean out hardcoded flags that openssl uses

267

+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \

268

+		-e 's:^CFLAGS=::' \

269

+		-e 's:\(^\| \)-fomit-frame-pointer::g' \

270

+		-e 's:\(^\| \)-O[^ ]*::g' \

271

+		-e 's:\(^\| \)-march=[^ ]*::g' \

272

+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \

273

+		-e 's:\(^\| \)-m[^ ]*::g' \

274

+		-e 's:^ *::' \

275

+		-e 's: *$::' \

276

+		-e 's: \+: :g' \

277

+		-e 's:\\:\\\\:g'

278

+	)

279

+

280

+	# Now insert clean default flags with user flags

281

+	sed -i \

282

+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \

283

+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \

284

+		Makefile || die

285

+}

286

+

287

+multilib_src_compile() {

288

+	# depend is needed to use $confopts; it also doesn't matter

289

+	# that it's -j1 as the code itself serializes subdirs

290

+	emake -j1 depend

291

+	emake all

292

+}

293

+

294

+multilib_src_test() {

295

+	emake -j1 test

296

+}

297

+

298

+multilib_src_install() {

299

+	# We need to create $ED/usr on our own to avoid a race condition #665130

300

+	if [[ ! -d "${ED}/usr" ]]; then

301

+		# We can only create this directory once

302

+		mkdir "${ED}"/usr || die

303

+	fi

304

+

305

+	emake DESTDIR="${D}" install

306

+

307

+	# This is crappy in that the static archives are still built even

308

+	# when USE=static-libs.  But this is due to a failing in the openssl

309

+	# build system: the static archives are built as PIC all the time.

310

+	# Only way around this would be to manually configure+compile openssl

311

+	# twice; once with shared lib support enabled and once without.

312

+	if ! use static-libs; then

313

+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die

314

+	fi

315

+}

316

+

317

+multilib_src_install_all() {

318

+	# openssl installs perl version of c_rehash by default, but

319

+	# we provide a shell version via app-misc/c_rehash

320

+	rm "${ED}"/usr/bin/c_rehash || die

321

+

322

+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el

323

+

324

+	# create the certs directory

325

+	keepdir ${SSL_CNF_DIR}/certs

326

+

327

+	# Namespace openssl programs to prevent conflicts with other man pages

328

+	cd "${ED}"/usr/share/man || die

329

+	local m d s

330

+	for m in $(find . -type f | xargs grep -L '#include') ; do

331

+		d=${m%/*} ; d=${d#./} ; m=${m##*/}

332

+		[[ ${m} == openssl.1* ]] && continue

333

+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"

334

+		mv ${d}/{,ssl-}${m}

335

+		# fix up references to renamed man pages

336

+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}

337

+		ln -s ssl-${m} ${d}/openssl-${m}

338

+		# locate any symlinks that point to this man page ... we assume

339

+		# that any broken links are due to the above renaming

340

+		for s in $(find -L ${d} -type l) ; do

341

+			s=${s##*/}

342

+			rm -f ${d}/${s}

343

+			# We don't want to "|| die" here

344

+			ln -s ssl-${m} ${d}/ssl-${s}

345

+			ln -s ssl-${s} ${d}/openssl-${s}

346

+		done

347

+	done

348

+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("

349

+

350

+	dodir /etc/sandbox.d #254521

351

+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

352

+

353

+	diropts -m0700

354

+	keepdir ${SSL_CNF_DIR}/private

355

+}

356

+

357

+pkg_postinst() {

358

+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"

359

+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null

360

+	eend $?

361

+}

1	commit: d077679d20fcedb1af74ec9bcff3bc760acded09
2	Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3	AuthorDate: Tue Aug 24 14:24:02 2021 +0000
4	Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5	CommitDate: Tue Aug 24 14:24:02 2021 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d077679d
7
8	dev-libs/openssl: Bump to version 1.1.1l
9
10	Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
11
12	dev-libs/openssl/Manifest \| 1 +
13	dev-libs/openssl/openssl-1.1.1l.ebuild \| 328 +++++++++++++++++++++++++++++++++
14	2 files changed, 329 insertions(+)
15
16	diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
17	index fa78265a279..f6f3fd887e6 100644
18	--- a/dev-libs/openssl/Manifest
19	+++ b/dev-libs/openssl/Manifest
20	@@ -3,5 +3,6 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1
21	DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
22	DIST openssl-1.1.1i-bindist-1.0.tar.xz 18124 BLAKE2B bcbce700676d1d61498ac98281b7ad06f9970d91afa6bfb2c259ab7462b2554be79a1c06759bc7aaeca9948c2f5276bac2c4f42dbc6822669f863444b9913ccd SHA512 1dbb81bcb4cf7e634bb363c7e2bb2590a1fe3fcb6c3b5e377cac3c5241abd116c2a89c516be8e5fd1799ab64375a58052a4df944eeadc87b0b7785da710906d8
23	DIST openssl-1.1.1k.tar.gz 9823400 BLAKE2B e9bd90f17bc819c4960d07bbee04346e8a7adb87a764a09d033ef76f1d638c67b180c4f2beb84ec25fbff54ccc9c14c13b9b16a27cac231a5dd22b02635d5cec SHA512 73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121
24	+DIST openssl-1.1.1l.tar.gz 9834044 BLAKE2B 9e8739015db63a013c05587e3d164d67c3f65f1f6c5fc75e4592bcd038c036cde88a7bc95fbc1f1b4ed876f6124ca4dabcd4f5dbb45d1b84299f2efe1a59431a SHA512 d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0
25	DIST openssl-3.0.0-beta1.tar.gz 14878832 BLAKE2B a2c8d8cbb226803e78ff00fcbee355f41da90275830714e8c0aea532309ef0b98c27f6796119e2942387a9e92afd917d766faac7b5ea65a36326c368790b8055 SHA512 fbb650638a7ca406b0b5d1eafcef0ca431172c8b255adaf7575325d9c1545dfdacf8e9550b8bec4e1ec73759a02c9efbd729a07e9959932564ba81be61238d5d
26	DIST openssl-3.0.0-beta2.tar.gz 14912360 BLAKE2B f1180eee6561f04e778f40d3d6f9fac5645777de09d965662f00c2506da30d3c3cfa0e98a25fc668e2e1fd39b8d700d7f0fd901f80964be048cb3aaa6432a5f5 SHA512 3eb9b472429bc26a7fc5c5837e2ea496706e3c6273ba33f36bbe3dc13bf7dcf7cba08d19ce005ee9b1cecfc63de68ef86cd8d911df28c82873ee44ba5d7e253a
27
28	diff --git a/dev-libs/openssl/openssl-1.1.1l.ebuild b/dev-libs/openssl/openssl-1.1.1l.ebuild
29	new file mode 100644
30	index 00000000000..40abe5cb2d8
31	--- /dev/null
32	+++ b/dev-libs/openssl/openssl-1.1.1l.ebuild
33	@@ -0,0 +1,328 @@
34	+# Copyright 1999-2021 Gentoo Authors
35	+# Distributed under the terms of the GNU General Public License v2
36	+
37	+EAPI="7"
38	+
39	+inherit flag-o-matic toolchain-funcs multilib-minimal
40	+
41	+MY_P=${P/_/-}
42	+
43	+# This patch set is based on the following files from Fedora 31,
44	+# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
45	+# for more details:
46	+# - hobble-openssl (SOURCE1)
47	+# - ec_curve.c (SOURCE12) -- MODIFIED
48	+# - ectest.c (SOURCE13)
49	+# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
50	+BINDIST_PATCH_SET="openssl-1.1.1i-bindist-1.0.tar.xz"
51	+
52	+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
53	+HOMEPAGE="https://www.openssl.org/"
54	+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
55	+ bindist? (
56	+ mirror://gentoo/${BINDIST_PATCH_SET}
57	+ https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
58	+ )"
59	+
60	+LICENSE="openssl"
61	+SLOT="0/1.1" # .so version of libssl/libcrypto
62	+[[ "${PV}" = _pre ]] \|\| \
63	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
64	+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla"
65	+RESTRICT="!bindist? ( bindist )
66	+ !test? ( test )"
67	+
68	+RDEPEND=">=app-misc/c_rehash-1.7-r1
69	+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
70	+DEPEND="${RDEPEND}"
71	+BDEPEND="
72	+ >=dev-lang/perl-5
73	+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
74	+ test? (
75	+ sys-apps/diffutils
76	+ sys-devel/bc
77	+ sys-process/procps
78	+ )"
79	+PDEPEND="app-misc/ca-certificates"
80	+
81	+PATCHES=(
82	+ "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
83	+ "${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
84	+)
85	+
86	+S="${WORKDIR}/${MY_P}"
87	+
88	+# force upgrade to prevent broken login, bug 696950
89	+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
90	+
91	+MULTILIB_WRAPPED_HEADERS=(
92	+ usr/include/openssl/opensslconf.h
93	+)
94	+
95	+pkg_setup() {
96	+ [[ ${MERGE_TYPE} == binary ]] && return
97	+
98	+ # must check in pkg_setup; sysctl don't work with userpriv!
99	+ if use test && use sctp; then
100	+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
101	+ # if sctp.auth_enable is not enabled.
102	+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
103	+ if [[ -z "${sctp_auth_status}" ]] \|\| [[ ${sctp_auth_status} != 1 ]]; then
104	+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
105	+ fi
106	+ fi
107	+}
108	+
109	+src_prepare() {
110	+ # allow openssl to be cross-compiled
111	+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config \|\| die
112	+ chmod a+rx gentoo.config \|\| die
113	+
114	+ if use bindist; then
115	+ mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" \|\| die
116	+ bash "${WORKDIR}"/hobble-openssl \|\| die
117	+
118	+ cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ \|\| die
119	+ cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ \|\| die
120	+
121	+ eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
122	+
123	+ local known_failing_test
124	+ for known_failing_test in \
125	+ 30-test_evp_extra.t \
126	+ 80-test_ssl_new.t \
127	+ ; do
128	+ ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
129	+ rm test/recipes/${known_failing_test} \|\| die
130	+ eend $?
131	+ done
132	+
133	+ # Also see the configure parts below:
134	+ # enable-ec \
135	+ # $(use_ssl !bindist ec2m) \
136	+ fi
137	+
138	+ # keep this in sync with app-misc/c_rehash
139	+ SSL_CNF_DIR="/etc/ssl"
140	+
141	+ # Make sure we only ever touch Makefile.org and avoid patching a file
142	+ # that gets blown away anyways by the Configure script in src_configure
143	+ rm -f Makefile
144	+
145	+ if ! use vanilla ; then
146	+ if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
147	+ [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
148	+ fi
149	+ fi
150	+
151	+ eapply_user #332661
152	+
153	+ if use test && use sctp && has network-sandbox ${FEATURES}; then
154	+ ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
155	+ rm test/recipes/80-test_ssl_new.t \|\| die
156	+ eend $?
157	+ fi
158	+
159	+ # make sure the man pages are suffixed #302165
160	+ # don't bother building man pages if they're disabled
161	+ # Make DOCDIR Gentoo compliant
162	+ sed -i \
163	+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
164	+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
165	+ -e $(has noman FEATURES \
166	+ && echo '/^install:/s:install_docs::' \
167	+ \|\| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
168	+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
169	+ Configurations/unix-Makefile.tmpl \
170	+ \|\| die
171	+
172	+ # quiet out unknown driver argument warnings since openssl
173	+ # doesn't have well-split CFLAGS and we're making it even worse
174	+ # and 'make depend' uses -Werror for added fun (#417795 again)
175	+ [[ ${CC} == clang ]] && append-flags -Qunused-arguments
176	+
177	+ append-flags -fno-strict-aliasing
178	+ append-flags $(test-flags-CC -Wa,--noexecstack)
179	+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
180	+
181	+ # Prefixify Configure shebang (#141906)
182	+ sed \
183	+ -e "1s,/usr/bin/env,${EPREFIX}&," \
184	+ -i Configure \|\| die
185	+ # Remove test target when FEATURES=test isn't set
186	+ if ! use test ; then
187	+ sed \
188	+ -e '/^$config{dirs}/s@ "test",@@' \
189	+ -i Configure \|\| die
190	+ fi
191	+ # The config script does stupid stuff to prompt the user. Kill it.
192	+ sed -i '/stty -icanon min 0 time 50; read waste/d' config \|\| die
193	+ ./config --test-sanity \|\| die "I AM NOT SANE"
194	+
195	+ multilib_copy_sources
196	+}
197	+
198	+multilib_src_configure() {
199	+ unset APPS #197996
200	+ unset SCRIPTS #312551
201	+ unset CROSS_COMPILE #311473
202	+
203	+ tc-export CC AR RANLIB RC
204	+
205	+ # Clean out patent-or-otherwise-encumbered code
206	+ # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
207	+ # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
208	+ # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
209	+ # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
210	+ # RC5: Expired https://en.wikipedia.org/wiki/RC5
211	+
212	+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
213	+ echoit() { echo "$@" ; "$@" ; }
214	+
215	+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" \|\| echo "Heimdal")
216	+
217	+ # See if our toolchain supports __uint128_t. If so, it's 64bit
218	+ # friendly and can use the nicely optimized code paths. #460790
219	+ local ec_nistp_64_gcc_128
220	+ # Disable it for now though #469976
221	+ #if ! use bindist ; then
222	+ # echo "__uint128_t i;" > "${T}"/128.c
223	+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
224	+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
225	+ # fi
226	+ #fi
227	+
228	+ local sslout=$(./gentoo.config)
229	+ einfo "Use configuration ${sslout:-(openssl knows best)}"
230	+ local config="Configure"
231	+ [[ -z ${sslout} ]] && config="config"
232	+
233	+ # Fedora hobbled-EC needs 'no-ec2m'
234	+ # 'srp' was restricted until early 2017 as well.
235	+ # "disable-deprecated" option breaks too many consumers.
236	+ # Don't set it without thorough revdeps testing.
237	+ # Make sure user flags don't get added yet to avoid duplicated
238	+ # flags.
239	+ CFLAGS= LDFLAGS= echoit \
240	+ ./${config} \
241	+ ${sslout} \
242	+ $(use cpu_flags_x86_sse2 \|\| echo "no-sse2") \
243	+ enable-camellia \
244	+ enable-ec \
245	+ $(use_ssl !bindist ec2m) \
246	+ $(use_ssl !bindist sm2) \
247	+ enable-srp \
248	+ $(use elibc_musl && echo "no-async") \
249	+ ${ec_nistp_64_gcc_128} \
250	+ enable-idea \
251	+ enable-mdc2 \
252	+ enable-rc5 \
253	+ $(use_ssl sslv3 ssl3) \
254	+ $(use_ssl sslv3 ssl3-method) \
255	+ $(use_ssl asm) \
256	+ $(use_ssl rfc3779) \
257	+ $(use_ssl sctp) \
258	+ $(use_ssl tls-compression zlib) \
259	+ $(use_ssl tls-heartbeat heartbeats) \
260	+ --prefix="${EPREFIX}"/usr \
261	+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
262	+ --libdir=$(get_libdir) \
263	+ shared threads \
264	+ \|\| die
265	+
266	+ # Clean out hardcoded flags that openssl uses
267	+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile \| LC_ALL=C sed \
268	+ -e 's:^CFLAGS=::' \
269	+ -e 's:\(^\\| \)-fomit-frame-pointer::g' \
270	+ -e 's:\(^\\| \)-O[^ ]*::g' \
271	+ -e 's:\(^\\| \)-march=[^ ]*::g' \
272	+ -e 's:\(^\\| \)-mcpu=[^ ]*::g' \
273	+ -e 's:\(^\\| \)-m[^ ]*::g' \
274	+ -e 's:^ *::' \
275	+ -e 's: *$::' \
276	+ -e 's: \+: :g' \
277	+ -e 's:\\:\\\\:g'
278	+ )
279	+
280	+ # Now insert clean default flags with user flags
281	+ sed -i \
282	+ -e "/^CFLAGS=/s\|=.*\|=${DEFAULT_CFLAGS} ${CFLAGS}\|" \
283	+ -e "/^LDFLAGS=/s\|=[[:space:]]*$\|=${LDFLAGS}\|" \
284	+ Makefile \|\| die
285	+}
286	+
287	+multilib_src_compile() {
288	+ # depend is needed to use $confopts; it also doesn't matter
289	+ # that it's -j1 as the code itself serializes subdirs
290	+ emake -j1 depend
291	+ emake all
292	+}
293	+
294	+multilib_src_test() {
295	+ emake -j1 test
296	+}
297	+
298	+multilib_src_install() {
299	+ # We need to create $ED/usr on our own to avoid a race condition #665130
300	+ if [[ ! -d "${ED}/usr" ]]; then
301	+ # We can only create this directory once
302	+ mkdir "${ED}"/usr \|\| die
303	+ fi
304	+
305	+ emake DESTDIR="${D}" install
306	+
307	+ # This is crappy in that the static archives are still built even
308	+ # when USE=static-libs. But this is due to a failing in the openssl
309	+ # build system: the static archives are built as PIC all the time.
310	+ # Only way around this would be to manually configure+compile openssl
311	+ # twice; once with shared lib support enabled and once without.
312	+ if ! use static-libs; then
313	+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a \|\| die
314	+ fi
315	+}
316	+
317	+multilib_src_install_all() {
318	+ # openssl installs perl version of c_rehash by default, but
319	+ # we provide a shell version via app-misc/c_rehash
320	+ rm "${ED}"/usr/bin/c_rehash \|\| die
321	+
322	+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
323	+
324	+ # create the certs directory
325	+ keepdir ${SSL_CNF_DIR}/certs
326	+
327	+ # Namespace openssl programs to prevent conflicts with other man pages
328	+ cd "${ED}"/usr/share/man \|\| die
329	+ local m d s
330	+ for m in $(find . -type f \| xargs grep -L '#include') ; do
331	+ d=${m%/} ; d=${d#./} ; m=${m##/}
332	+ [[ ${m} == openssl.1* ]] && continue
333	+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
334	+ mv ${d}/{,ssl-}${m}
335	+ # fix up references to renamed man pages
336	+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
337	+ ln -s ssl-${m} ${d}/openssl-${m}
338	+ # locate any symlinks that point to this man page ... we assume
339	+ # that any broken links are due to the above renaming
340	+ for s in $(find -L ${d} -type l) ; do
341	+ s=${s##*/}
342	+ rm -f ${d}/${s}
343	+ # We don't want to "\|\| die" here
344	+ ln -s ssl-${m} ${d}/ssl-${s}
345	+ ln -s ssl-${s} ${d}/openssl-${s}
346	+ done
347	+ done
348	+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
349	+
350	+ dodir /etc/sandbox.d #254521
351	+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
352	+
353	+ diropts -m0700
354	+ keepdir ${SSL_CNF_DIR}/private
355	+}
356	+
357	+pkg_postinst() {
358	+ ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
359	+ c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
360	+ eend $?
361	+}

Gentoo Archives: gentoo-commits