Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Mike Frysinger (vapier)" <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in dev-libs/openssl: openssl-1.0.2-r2.ebuild ChangeLog
Date: Wed, 04 Mar 2015 07:34:34
Message-Id: 20150304073428.264F11301C@oystercatcher.gentoo.org
1 vapier 15/03/04 07:34:28
2
3 Modified: ChangeLog
4 Added: openssl-1.0.2-r2.ebuild
5 Log:
6 Add fix from upstream for CVE-2015-0209 #541502 by Agostino Sarubbo and CVE-2015-0288 #542038 by Kristian Fiskerstrand.
7
8 (Portage version: 2.2.17/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
9
10 Revision Changes Path
11 1.630 dev-libs/openssl/ChangeLog
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/ChangeLog?rev=1.630&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/ChangeLog?rev=1.630&content-type=text/plain
15 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/ChangeLog?r1=1.629&r2=1.630
16
17 Index: ChangeLog
18 ===================================================================
19 RCS file: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v
20 retrieving revision 1.629
21 retrieving revision 1.630
22 diff -u -r1.629 -r1.630
23 --- ChangeLog 28 Jan 2015 19:35:28 -0000 1.629
24 +++ ChangeLog 4 Mar 2015 07:34:28 -0000 1.630
25 @@ -1,6 +1,14 @@
26 # ChangeLog for dev-libs/openssl
27 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
28 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.629 2015/01/28 19:35:28 mgorny Exp $
29 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.630 2015/03/04 07:34:28 vapier Exp $
30 +
31 +*openssl-1.0.2-r2 (04 Mar 2015)
32 +
33 + 04 Mar 2015; Mike Frysinger <vapier@g.o>
34 + +files/openssl-1.0.2-CVE-2015-0209.patch,
35 + +files/openssl-1.0.2-CVE-2015-0288.patch, +openssl-1.0.2-r2.ebuild:
36 + Add fix from upstream for CVE-2015-0209 #541502 by Agostino Sarubbo and
37 + CVE-2015-0288 #542038 by Kristian Fiskerstrand.
38
39 28 Jan 2015; Michał Górny <mgorny@g.o> openssl-0.9.8z_p1-r2.ebuild,
40 openssl-0.9.8z_p2.ebuild, openssl-0.9.8z_p3.ebuild, openssl-0.9.8z_p4.ebuild,
41
42
43
44 1.1 dev-libs/openssl/openssl-1.0.2-r2.ebuild
45
46 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/openssl-1.0.2-r2.ebuild?rev=1.1&view=markup
47 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/openssl-1.0.2-r2.ebuild?rev=1.1&content-type=text/plain
48
49 Index: openssl-1.0.2-r2.ebuild
50 ===================================================================
51 # Copyright 1999-2015 Gentoo Foundation
52 # Distributed under the terms of the GNU General Public License v2
53 # $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-1.0.2-r2.ebuild,v 1.1 2015/03/04 07:34:28 vapier Exp $
54
55 EAPI="4"
56
57 inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
58
59 REV="1.7"
60 MY_P=${P/_/-}
61 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
62 HOMEPAGE="http://www.openssl.org/"
63 SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
64 http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
65
66 LICENSE="openssl"
67 SLOT="0"
68 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
69 IUSE="bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
70
71 # The blocks are temporary just to make sure people upgrade to a
72 # version that lack runtime version checking. We'll drop them in
73 # the future.
74 RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
75 zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
76 kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
77 abi_x86_32? (
78 !<=app-emulation/emul-linux-x86-baselibs-20140508
79 !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
80 )
81 !<net-misc/openssh-5.9_p1-r4
82 !<net-libs/neon-0.29.6-r1"
83 DEPEND="${RDEPEND}
84 sys-apps/diffutils
85 >=dev-lang/perl-5
86 sctp? ( net-misc/lksctp-tools )
87 test? ( sys-devel/bc )"
88 PDEPEND="app-misc/ca-certificates"
89
90 S="${WORKDIR}/${MY_P}"
91
92 MULTILIB_WRAPPED_HEADERS=(
93 usr/include/openssl/opensslconf.h
94 )
95
96 src_prepare() {
97 SSL_CNF_DIR="/etc/ssl"
98 sed \
99 -e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
100 -e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
101 "${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
102 > "${WORKDIR}"/c_rehash || die #416717
103
104 # Make sure we only ever touch Makefile.org and avoid patching a file
105 # that gets blown away anyways by the Configure script in src_configure
106 rm -f Makefile
107
108 epatch "${FILESDIR}"/${P}-CVE-2015-0209.patch #541502
109 epatch "${FILESDIR}"/${P}-CVE-2015-0288.patch #542038
110 if ! use vanilla ; then
111 epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
112 epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
113 epatch "${FILESDIR}"/${PN}-1.0.2-parallel-build.patch
114 epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
115 epatch "${FILESDIR}"/${PN}-1.0.2-s_client-verify.patch #472584
116
117 epatch_user #332661
118 fi
119
120 # disable fips in the build
121 # make sure the man pages are suffixed #302165
122 # don't bother building man pages if they're disabled
123 sed -i \
124 -e '/DIRS/s: fips : :g' \
125 -e '/^MANSUFFIX/s:=.*:=ssl:' \
126 -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
127 -e $(has noman FEATURES \
128 && echo '/^install:/s:install_docs::' \
129 || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
130 Makefile.org \
131 || die
132 # show the actual commands in the log
133 sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
134
135 # since we're forcing $(CC) as makedep anyway, just fix
136 # the conditional as always-on
137 # helps clang (#417795), and versioned gcc (#499818)
138 sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
139
140 # quiet out unknown driver argument warnings since openssl
141 # doesn't have well-split CFLAGS and we're making it even worse
142 # and 'make depend' uses -Werror for added fun (#417795 again)
143 [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
144
145 # allow openssl to be cross-compiled
146 cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
147 chmod a+rx gentoo.config
148
149 append-flags -fno-strict-aliasing
150 append-flags $(test-flags-CC -Wa,--noexecstack)
151 append-cppflags -DOPENSSL_NO_BUF_FREELISTS
152
153 sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
154 # The config script does stupid stuff to prompt the user. Kill it.
155 sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
156 ./config --test-sanity || die "I AM NOT SANE"
157
158 multilib_copy_sources
159 }
160
161 multilib_src_configure() {
162 unset APPS #197996
163 unset SCRIPTS #312551
164 unset CROSS_COMPILE #311473
165
166 tc-export CC AR RANLIB RC
167
168 # Clean out patent-or-otherwise-encumbered code
169 # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
170 # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
171 # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
172 # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
173 # RC5: Expirted http://en.wikipedia.org/wiki/RC5
174
175 use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
176 echoit() { echo "$@" ; "$@" ; }
177
178 local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
179
180 # See if our toolchain supports __uint128_t. If so, it's 64bit
181 # friendly and can use the nicely optimized code paths. #460790
182 local ec_nistp_64_gcc_128
183 # Disable it for now though #469976
184 #if ! use bindist ; then
185 # echo "__uint128_t i;" > "${T}"/128.c
186 # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
187 # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
188 # fi
189 #fi
190
191 local sslout=$(./gentoo.config)
192 einfo "Use configuration ${sslout:-(openssl knows best)}"
193 local config="Configure"
194 [[ -z ${sslout} ]] && config="config"
195
196 echoit \
197 ./${config} \
198 ${sslout} \
199 $(use sctp && echo "sctp") \
200 $(use cpu_flags_x86_sse2 || echo "no-sse2") \
201 enable-camellia \
202 $(use_ssl !bindist ec) \
203 ${ec_nistp_64_gcc_128} \
204 enable-idea \
205 enable-mdc2 \
206 enable-rc5 \
207 enable-tlsext \
208 $(use_ssl gmp gmp -lgmp) \
209 $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
210 $(use_ssl rfc3779) \
211 $(use_ssl tls-heartbeat heartbeats) \
212 $(use_ssl zlib) \
213 --prefix="${EPREFIX}"/usr \
214 --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
215 --libdir=$(get_libdir) \
216 shared threads \
217 || die
218
219 # Clean out hardcoded flags that openssl uses
220 local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
221 -e 's:^CFLAG=::' \
222 -e 's:-fomit-frame-pointer ::g' \
223 -e 's:-O[0-9] ::g' \
224 -e 's:-march=[-a-z0-9]* ::g' \
225 -e 's:-mcpu=[-a-z0-9]* ::g' \
226 -e 's:-m[a-z0-9]* ::g' \
227 )
228 sed -i \
229 -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
230 -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
231 Makefile || die
232 }
233
234 multilib_src_compile() {
235 # depend is needed to use $confopts; it also doesn't matter
236 # that it's -j1 as the code itself serializes subdirs
237 emake -j1 depend
238 emake all
239 # rehash is needed to prep the certs/ dir; do this
240 # separately to avoid parallel build issues.
241 emake rehash
242 }
243
244 multilib_src_test() {
245 emake -j1 test
246 }
247
248 multilib_src_install() {
249 emake INSTALL_PREFIX="${D}" install
250 }
251
252 multilib_src_install_all() {
253 dobin "${WORKDIR}"/c_rehash #333117
254 dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
255 dohtml -r doc/*
256 use rfc3779 && dodoc engines/ccgost/README.gost
257
258 # This is crappy in that the static archives are still built even
259 # when USE=static-libs. But this is due to a failing in the openssl
260 # build system: the static archives are built as PIC all the time.
261 # Only way around this would be to manually configure+compile openssl
262 # twice; once with shared lib support enabled and once without.
263 use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
264
265 # create the certs directory
266 dodir ${SSL_CNF_DIR}/certs
267 cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
268 rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
269
270 # Namespace openssl programs to prevent conflicts with other man pages
271 cd "${ED}"/usr/share/man
272 local m d s
273 for m in $(find . -type f | xargs grep -L '#include') ; do
274 d=${m%/*} ; d=${d#./} ; m=${m##*/}
275 [[ ${m} == openssl.1* ]] && continue
276 [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
277 mv ${d}/{,ssl-}${m}
278 # fix up references to renamed man pages
279 sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
280 ln -s ssl-${m} ${d}/openssl-${m}
281 # locate any symlinks that point to this man page ... we assume
282 # that any broken links are due to the above renaming
283 for s in $(find -L ${d} -type l) ; do
284 s=${s##*/}
285 rm -f ${d}/${s}
286 ln -s ssl-${m} ${d}/ssl-${s}
287 ln -s ssl-${s} ${d}/openssl-${s}
288 done
289 done
290 [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
291
292 dodir /etc/sandbox.d #254521
293 echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
294
295 diropts -m0700
296 keepdir ${SSL_CNF_DIR}/private
297 }
298
299 pkg_preinst() {
300 has_version ${CATEGORY}/${PN}:0.9.8 && return 0
301 preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
302 }
303
304 pkg_postinst() {
305 ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
306 c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
307 eend $?
308
309 has_version ${CATEGORY}/${PN}:0.9.8 && return 0
310 preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
311 }
Report Message
Find on MARC Find on Google Groups