1 |
commit: 93630094c0989383439d077f02be5c65d838fae0 |
2 |
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
3 |
AuthorDate: Mon Jun 11 13:56:19 2018 +0000 |
4 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Jun 11 13:58:33 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93630094 |
7 |
|
8 |
dev-libs/openssl: Add Fedora Hobble-EC patch |
9 |
|
10 |
With this patch present, USE=bindist should now provide a enough EC |
11 |
functionality to be used by most packages. |
12 |
|
13 |
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org> |
14 |
Package-Manager: Portage-2.3.33, Repoman-2.3.9 |
15 |
|
16 |
.../openssl/files/openssl-1.0.2o-hobble-ecc.patch | 290 ++++++++++++++++++++ |
17 |
dev-libs/openssl/openssl-1.0.2o-r5.ebuild | 296 +++++++++++++++++++++ |
18 |
2 files changed, 586 insertions(+) |
19 |
|
20 |
diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch |
21 |
new file mode 100644 |
22 |
index 00000000000..e105fe45e45 |
23 |
--- /dev/null |
24 |
+++ b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch |
25 |
@@ -0,0 +1,290 @@ |
26 |
+Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series. |
27 |
+ |
28 |
+From https://src.fedoraproject.org/git/rpms/openssl.git |
29 |
+ |
30 |
+Contains parts of the following patches, rediffed. The patches are on various |
31 |
+different branches. |
32 |
+f23 openssl-1.0.2c-ecc-suiteb.patch |
33 |
+f23 openssl-1.0.2a-fips-ec.patch |
34 |
+f28 openssl-1.1.0-ec-curves.patch |
35 |
+ |
36 |
+Signed-off-By: Robin H. Johnson <robbat2@g.o> |
37 |
+ |
38 |
+diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c openssl-1.0.2m.mod/apps/speed.c |
39 |
+--- openssl-1.0.2m.hobble/apps/speed.c 2017-11-02 07:32:57.000000000 -0700 |
40 |
++++ openssl-1.0.2m.mod/apps/speed.c 2018-06-10 19:00:09.264550382 -0700 |
41 |
+@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv) |
42 |
+ } else |
43 |
+ # endif |
44 |
+ # ifndef OPENSSL_NO_ECDSA |
45 |
+- if (strcmp(*argv, "ecdsap160") == 0) |
46 |
+- ecdsa_doit[R_EC_P160] = 2; |
47 |
+- else if (strcmp(*argv, "ecdsap192") == 0) |
48 |
+- ecdsa_doit[R_EC_P192] = 2; |
49 |
++ if (0) {} |
50 |
+ else if (strcmp(*argv, "ecdsap224") == 0) |
51 |
+ ecdsa_doit[R_EC_P224] = 2; |
52 |
+ else if (strcmp(*argv, "ecdsap256") == 0) |
53 |
+@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv) |
54 |
+ ecdsa_doit[R_EC_P384] = 2; |
55 |
+ else if (strcmp(*argv, "ecdsap521") == 0) |
56 |
+ ecdsa_doit[R_EC_P521] = 2; |
57 |
+- else if (strcmp(*argv, "ecdsak163") == 0) |
58 |
+- ecdsa_doit[R_EC_K163] = 2; |
59 |
+- else if (strcmp(*argv, "ecdsak233") == 0) |
60 |
+- ecdsa_doit[R_EC_K233] = 2; |
61 |
+- else if (strcmp(*argv, "ecdsak283") == 0) |
62 |
+- ecdsa_doit[R_EC_K283] = 2; |
63 |
+- else if (strcmp(*argv, "ecdsak409") == 0) |
64 |
+- ecdsa_doit[R_EC_K409] = 2; |
65 |
+- else if (strcmp(*argv, "ecdsak571") == 0) |
66 |
+- ecdsa_doit[R_EC_K571] = 2; |
67 |
+- else if (strcmp(*argv, "ecdsab163") == 0) |
68 |
+- ecdsa_doit[R_EC_B163] = 2; |
69 |
+- else if (strcmp(*argv, "ecdsab233") == 0) |
70 |
+- ecdsa_doit[R_EC_B233] = 2; |
71 |
+- else if (strcmp(*argv, "ecdsab283") == 0) |
72 |
+- ecdsa_doit[R_EC_B283] = 2; |
73 |
+- else if (strcmp(*argv, "ecdsab409") == 0) |
74 |
+- ecdsa_doit[R_EC_B409] = 2; |
75 |
+- else if (strcmp(*argv, "ecdsab571") == 0) |
76 |
+- ecdsa_doit[R_EC_B571] = 2; |
77 |
+ else if (strcmp(*argv, "ecdsa") == 0) { |
78 |
+- for (i = 0; i < EC_NUM; i++) |
79 |
++ for (i = R_EC_P224; i < R_EC_P521; i++) |
80 |
+ ecdsa_doit[i] = 1; |
81 |
+ } else |
82 |
+ # endif |
83 |
+ # ifndef OPENSSL_NO_ECDH |
84 |
+- if (strcmp(*argv, "ecdhp160") == 0) |
85 |
+- ecdh_doit[R_EC_P160] = 2; |
86 |
+- else if (strcmp(*argv, "ecdhp192") == 0) |
87 |
+- ecdh_doit[R_EC_P192] = 2; |
88 |
++ if (0) {} |
89 |
+ else if (strcmp(*argv, "ecdhp224") == 0) |
90 |
+ ecdh_doit[R_EC_P224] = 2; |
91 |
+ else if (strcmp(*argv, "ecdhp256") == 0) |
92 |
+@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv) |
93 |
+ ecdh_doit[R_EC_P384] = 2; |
94 |
+ else if (strcmp(*argv, "ecdhp521") == 0) |
95 |
+ ecdh_doit[R_EC_P521] = 2; |
96 |
+- else if (strcmp(*argv, "ecdhk163") == 0) |
97 |
+- ecdh_doit[R_EC_K163] = 2; |
98 |
+- else if (strcmp(*argv, "ecdhk233") == 0) |
99 |
+- ecdh_doit[R_EC_K233] = 2; |
100 |
+- else if (strcmp(*argv, "ecdhk283") == 0) |
101 |
+- ecdh_doit[R_EC_K283] = 2; |
102 |
+- else if (strcmp(*argv, "ecdhk409") == 0) |
103 |
+- ecdh_doit[R_EC_K409] = 2; |
104 |
+- else if (strcmp(*argv, "ecdhk571") == 0) |
105 |
+- ecdh_doit[R_EC_K571] = 2; |
106 |
+- else if (strcmp(*argv, "ecdhb163") == 0) |
107 |
+- ecdh_doit[R_EC_B163] = 2; |
108 |
+- else if (strcmp(*argv, "ecdhb233") == 0) |
109 |
+- ecdh_doit[R_EC_B233] = 2; |
110 |
+- else if (strcmp(*argv, "ecdhb283") == 0) |
111 |
+- ecdh_doit[R_EC_B283] = 2; |
112 |
+- else if (strcmp(*argv, "ecdhb409") == 0) |
113 |
+- ecdh_doit[R_EC_B409] = 2; |
114 |
+- else if (strcmp(*argv, "ecdhb571") == 0) |
115 |
+- ecdh_doit[R_EC_B571] = 2; |
116 |
+ else if (strcmp(*argv, "ecdh") == 0) { |
117 |
+- for (i = 0; i < EC_NUM; i++) |
118 |
++ for (i = R_EC_P224; i <= R_EC_P521; i++) |
119 |
+ ecdh_doit[i] = 1; |
120 |
+ } else |
121 |
+ # endif |
122 |
+@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv) |
123 |
+ BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n"); |
124 |
+ # endif |
125 |
+ # ifndef OPENSSL_NO_ECDSA |
126 |
+- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 " |
127 |
++ BIO_printf(bio_err, "ecdsap224 " |
128 |
+ "ecdsap256 ecdsap384 ecdsap521\n"); |
129 |
+- BIO_printf(bio_err, |
130 |
+- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n"); |
131 |
+- BIO_printf(bio_err, |
132 |
+- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n"); |
133 |
+ BIO_printf(bio_err, "ecdsa\n"); |
134 |
+ # endif |
135 |
+ # ifndef OPENSSL_NO_ECDH |
136 |
+- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 " |
137 |
++ BIO_printf(bio_err, "ecdhp224 " |
138 |
+ "ecdhp256 ecdhp384 ecdhp521\n"); |
139 |
+- BIO_printf(bio_err, |
140 |
+- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n"); |
141 |
+- BIO_printf(bio_err, |
142 |
+- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n"); |
143 |
+ BIO_printf(bio_err, "ecdh\n"); |
144 |
+ # endif |
145 |
+ |
146 |
+@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv) |
147 |
+ for (i = 0; i < DSA_NUM; i++) |
148 |
+ dsa_doit[i] = 1; |
149 |
+ # ifndef OPENSSL_NO_ECDSA |
150 |
+- for (i = 0; i < EC_NUM; i++) |
151 |
++ for (i = R_EC_P224; i <= R_EC_P521; i++) |
152 |
+ ecdsa_doit[i] = 1; |
153 |
+ # endif |
154 |
+ # ifndef OPENSSL_NO_ECDH |
155 |
+- for (i = 0; i < EC_NUM; i++) |
156 |
++ for (i = R_EC_P224; i <= R_EC_P521; i++) |
157 |
+ ecdh_doit[i] = 1; |
158 |
+ # endif |
159 |
+ } |
160 |
+diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c |
161 |
+--- openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c 2017-11-02 07:32:57.000000000 -0700 |
162 |
++++ openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c 2018-06-10 18:45:36.909911848 -0700 |
163 |
+@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO |
164 |
+ return 0; |
165 |
+ } |
166 |
+ |
167 |
++ if (BN_num_bits(p) < 224) { |
168 |
++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); |
169 |
++ return 0; |
170 |
++ } |
171 |
++ |
172 |
+ if (ctx == NULL) { |
173 |
+ ctx = new_ctx = BN_CTX_new(); |
174 |
+ if (ctx == NULL) |
175 |
+diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/ssl/t1_lib.c openssl-1.0.2m.mod/ssl/t1_lib.c |
176 |
+--- openssl-1.0.2m.hobble/ssl/t1_lib.c 2017-11-02 07:32:58.000000000 -0700 |
177 |
++++ openssl-1.0.2m.mod/ssl/t1_lib.c 2018-06-10 18:46:55.329811812 -0700 |
178 |
+@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto |
179 |
+ 0, 23, /* secp256r1 (23) */ |
180 |
+ /* Other >= 256-bit prime curves. */ |
181 |
+ 0, 25, /* secp521r1 (25) */ |
182 |
+- 0, 28, /* brainpool512r1 (28) */ |
183 |
+- 0, 27, /* brainpoolP384r1 (27) */ |
184 |
+ 0, 24, /* secp384r1 (24) */ |
185 |
+- 0, 26, /* brainpoolP256r1 (26) */ |
186 |
+ 0, 22, /* secp256k1 (22) */ |
187 |
+ # ifndef OPENSSL_NO_EC2M |
188 |
+ /* >= 256-bit binary curves. */ |
189 |
+@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[ |
190 |
+ 0, 23, /* secp256r1 (23) */ |
191 |
+ /* Other >= 256-bit prime curves. */ |
192 |
+ 0, 25, /* secp521r1 (25) */ |
193 |
+- 0, 28, /* brainpool512r1 (28) */ |
194 |
+- 0, 27, /* brainpoolP384r1 (27) */ |
195 |
+ 0, 24, /* secp384r1 (24) */ |
196 |
+- 0, 26, /* brainpoolP256r1 (26) */ |
197 |
+ 0, 22, /* secp256k1 (22) */ |
198 |
+ # ifndef OPENSSL_NO_EC2M |
199 |
+ /* >= 256-bit binary curves. */ |
200 |
+@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[ |
201 |
+ * Remaining curves disabled by default but still permitted if set |
202 |
+ * via an explicit callback or parameters. |
203 |
+ */ |
204 |
+- 0, 20, /* secp224k1 (20) */ |
205 |
+- 0, 21, /* secp224r1 (21) */ |
206 |
+- 0, 18, /* secp192k1 (18) */ |
207 |
+- 0, 19, /* secp192r1 (19) */ |
208 |
+- 0, 15, /* secp160k1 (15) */ |
209 |
+- 0, 16, /* secp160r1 (16) */ |
210 |
+- 0, 17, /* secp160r2 (17) */ |
211 |
+ # ifndef OPENSSL_NO_EC2M |
212 |
+ 0, 8, /* sect239k1 (8) */ |
213 |
+ 0, 6, /* sect233k1 (6) */ |
214 |
+@@ -351,29 +338,21 @@ static const unsigned char fips_curves_d |
215 |
+ 0, 9, /* sect283k1 (9) */ |
216 |
+ 0, 10, /* sect283r1 (10) */ |
217 |
+ # endif |
218 |
+- 0, 22, /* secp256k1 (22) */ |
219 |
+ 0, 23, /* secp256r1 (23) */ |
220 |
+ # ifndef OPENSSL_NO_EC2M |
221 |
+ 0, 8, /* sect239k1 (8) */ |
222 |
+ 0, 6, /* sect233k1 (6) */ |
223 |
+ 0, 7, /* sect233r1 (7) */ |
224 |
+ # endif |
225 |
+- 0, 20, /* secp224k1 (20) */ |
226 |
+- 0, 21, /* secp224r1 (21) */ |
227 |
+ # ifndef OPENSSL_NO_EC2M |
228 |
+ 0, 4, /* sect193r1 (4) */ |
229 |
+ 0, 5, /* sect193r2 (5) */ |
230 |
+ # endif |
231 |
+- 0, 18, /* secp192k1 (18) */ |
232 |
+- 0, 19, /* secp192r1 (19) */ |
233 |
+ # ifndef OPENSSL_NO_EC2M |
234 |
+ 0, 1, /* sect163k1 (1) */ |
235 |
+ 0, 2, /* sect163r1 (2) */ |
236 |
+ 0, 3, /* sect163r2 (3) */ |
237 |
+ # endif |
238 |
+- 0, 15, /* secp160k1 (15) */ |
239 |
+- 0, 16, /* secp160r1 (16) */ |
240 |
+- 0, 17, /* secp160r2 (17) */ |
241 |
+ }; |
242 |
+ # endif |
243 |
+ |
244 |
+diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c |
245 |
+--- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec 2015-03-19 14:30:36.000000000 +0100 |
246 |
++++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c 2015-04-22 19:00:19.721884512 +0200 |
247 |
+@@ -501,11 +501,13 @@ int main(int argc, char *argv[]) |
248 |
+ goto err; |
249 |
+ |
250 |
+ /* NIST PRIME CURVES TESTS */ |
251 |
++# if 0 |
252 |
+ if (!test_ecdh_curve |
253 |
+ (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) |
254 |
+ goto err; |
255 |
+ if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) |
256 |
+ goto err; |
257 |
++# endif |
258 |
+ if (!test_ecdh_curve |
259 |
+ (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) |
260 |
+ goto err; |
261 |
+@@ -536,13 +538,14 @@ int main(int argc, char *argv[]) |
262 |
+ if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) |
263 |
+ goto err; |
264 |
+ # endif |
265 |
++# if 0 |
266 |
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256)) |
267 |
+ goto err; |
268 |
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384)) |
269 |
+ goto err; |
270 |
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512)) |
271 |
+ goto err; |
272 |
+- |
273 |
++# endif |
274 |
+ ret = 0; |
275 |
+ |
276 |
+ err: |
277 |
+diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c |
278 |
+--- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec 2015-03-19 14:19:00.000000000 +0100 |
279 |
++++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c 2015-04-22 19:00:19.722884536 +0200 |
280 |
+@@ -138,11 +138,14 @@ int restore_rand(void) |
281 |
+ } |
282 |
+ |
283 |
+ static int fbytes_counter = 0; |
284 |
+-static const char *numbers[8] = { |
285 |
++static const char *numbers[10] = { |
286 |
++ "651056770906015076056810763456358567190100156695615665659", |
287 |
+ "651056770906015076056810763456358567190100156695615665659", |
288 |
+ "6140507067065001063065065565667405560006161556565665656654", |
289 |
+ "8763001015071075675010661307616710783570106710677817767166" |
290 |
+ "71676178726717", |
291 |
++ "8763001015071075675010661307616710783570106710677817767166" |
292 |
++ "71676178726717", |
293 |
+ "7000000175690566466555057817571571075705015757757057795755" |
294 |
+ "55657156756655", |
295 |
+ "1275552191113212300012030439187146164646146646466749494799", |
296 |
+@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num) |
297 |
+ int ret; |
298 |
+ BIGNUM *tmp = NULL; |
299 |
+ |
300 |
+- if (fbytes_counter >= 8) |
301 |
++ if (fbytes_counter >= 10) |
302 |
+ return 0; |
303 |
+ tmp = BN_new(); |
304 |
+ if (!tmp) |
305 |
+@@ -532,8 +535,10 @@ int main(void) |
306 |
+ RAND_seed(rnd_seed, sizeof(rnd_seed)); |
307 |
+ |
308 |
+ /* the tests */ |
309 |
++# if 0 |
310 |
+ if (!x9_62_tests(out)) |
311 |
+ goto err; |
312 |
++# endif |
313 |
+ if (!test_builtin(out)) |
314 |
+ goto err; |
315 |
+ |
316 |
|
317 |
diff --git a/dev-libs/openssl/openssl-1.0.2o-r5.ebuild b/dev-libs/openssl/openssl-1.0.2o-r5.ebuild |
318 |
new file mode 100644 |
319 |
index 00000000000..5f43db3451e |
320 |
--- /dev/null |
321 |
+++ b/dev-libs/openssl/openssl-1.0.2o-r5.ebuild |
322 |
@@ -0,0 +1,296 @@ |
323 |
+# Copyright 1999-2018 Gentoo Foundation |
324 |
+# Distributed under the terms of the GNU General Public License v2 |
325 |
+ |
326 |
+EAPI="6" |
327 |
+ |
328 |
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal |
329 |
+ |
330 |
+PATCH_SET="openssl-1.0.2-patches-1.4" |
331 |
+MY_P=${P/_/-} |
332 |
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" |
333 |
+HOMEPAGE="https://www.openssl.org/" |
334 |
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz |
335 |
+ mirror://gentoo/${PATCH_SET}.tar.xz |
336 |
+ https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz |
337 |
+ https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz" |
338 |
+ |
339 |
+LICENSE="openssl" |
340 |
+SLOT="0" |
341 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux" |
342 |
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib" |
343 |
+RESTRICT="!bindist? ( bindist )" |
344 |
+ |
345 |
+RDEPEND=">=app-misc/c_rehash-1.7-r1 |
346 |
+ gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) |
347 |
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) |
348 |
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )" |
349 |
+DEPEND="${RDEPEND} |
350 |
+ >=dev-lang/perl-5 |
351 |
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 ) |
352 |
+ test? ( |
353 |
+ sys-apps/diffutils |
354 |
+ sys-devel/bc |
355 |
+ )" |
356 |
+PDEPEND="app-misc/ca-certificates" |
357 |
+ |
358 |
+# This does not copy the entire Fedora patchset, but JUST the parts that |
359 |
+# are needed to make it safe to use EC with RESTRICT=bindist. |
360 |
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN |
361 |
+SOURCE1=hobble-openssl |
362 |
+SOURCE12=ec_curve.c |
363 |
+SOURCE13=ectest.c |
364 |
+# These are ported instead |
365 |
+#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC |
366 |
+#PATCH37=openssl-1.1.0-ec-curves.patch |
367 |
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/' |
368 |
+FEDORA_GIT_BRANCH='f25' |
369 |
+FEDORA_SRC_URI=() |
370 |
+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 ) |
371 |
+FEDORA_PATCH=( $PATCH1 $PATCH37 ) |
372 |
+for i in "${FEDORA_SOURCE[@]}" ; do |
373 |
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" ) |
374 |
+done |
375 |
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix |
376 |
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" ) |
377 |
+done |
378 |
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )" |
379 |
+ |
380 |
+S="${WORKDIR}/${MY_P}" |
381 |
+ |
382 |
+MULTILIB_WRAPPED_HEADERS=( |
383 |
+ usr/include/openssl/opensslconf.h |
384 |
+) |
385 |
+ |
386 |
+src_prepare() { |
387 |
+ if use bindist; then |
388 |
+ # This just removes the prefix, and puts it into WORKDIR like the RPM. |
389 |
+ for i in "${FEDORA_SOURCE[@]}" ; do |
390 |
+ cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die |
391 |
+ done |
392 |
+ # .spec %prep |
393 |
+ bash "${WORKDIR}"/"${SOURCE1}" || die |
394 |
+ cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die |
395 |
+ cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1 |
396 |
+ for i in "${FEDORA_PATCH[@]}" ; do |
397 |
+ eapply "${DISTDIR}"/"${i}" |
398 |
+ done |
399 |
+ eapply "${FILESDIR}"/openssl-1.0.2o-hobble-ecc.patch |
400 |
+ # Also see the configure parts below: |
401 |
+ # enable-ec \ |
402 |
+ # $(use_ssl !bindist ec2m) \ |
403 |
+ # $(use_ssl !bindist srp) \ |
404 |
+ fi |
405 |
+ |
406 |
+ # keep this in sync with app-misc/c_rehash |
407 |
+ SSL_CNF_DIR="/etc/ssl" |
408 |
+ |
409 |
+ # Make sure we only ever touch Makefile.org and avoid patching a file |
410 |
+ # that gets blown away anyways by the Configure script in src_configure |
411 |
+ rm -f Makefile |
412 |
+ |
413 |
+ if ! use vanilla ; then |
414 |
+ eapply "${WORKDIR}"/patch/*.patch |
415 |
+ fi |
416 |
+ |
417 |
+ eapply_user |
418 |
+ |
419 |
+ # disable fips in the build |
420 |
+ # make sure the man pages are suffixed #302165 |
421 |
+ # don't bother building man pages if they're disabled |
422 |
+ sed -i \ |
423 |
+ -e '/DIRS/s: fips : :g' \ |
424 |
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \ |
425 |
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ |
426 |
+ -e $(has noman FEATURES \ |
427 |
+ && echo '/^install:/s:install_docs::' \ |
428 |
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ |
429 |
+ Makefile.org \ |
430 |
+ || die |
431 |
+ # show the actual commands in the log |
432 |
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared |
433 |
+ |
434 |
+ # since we're forcing $(CC) as makedep anyway, just fix |
435 |
+ # the conditional as always-on |
436 |
+ # helps clang (#417795), and versioned gcc (#499818) |
437 |
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die |
438 |
+ |
439 |
+ # quiet out unknown driver argument warnings since openssl |
440 |
+ # doesn't have well-split CFLAGS and we're making it even worse |
441 |
+ # and 'make depend' uses -Werror for added fun (#417795 again) |
442 |
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments |
443 |
+ |
444 |
+ # allow openssl to be cross-compiled |
445 |
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die |
446 |
+ chmod a+rx gentoo.config || die |
447 |
+ |
448 |
+ append-flags -fno-strict-aliasing |
449 |
+ append-flags $(test-flags-CC -Wa,--noexecstack) |
450 |
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS |
451 |
+ |
452 |
+ sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 |
453 |
+ # The config script does stupid stuff to prompt the user. Kill it. |
454 |
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die |
455 |
+ ./config --test-sanity || die "I AM NOT SANE" |
456 |
+ |
457 |
+ multilib_copy_sources |
458 |
+} |
459 |
+ |
460 |
+multilib_src_configure() { |
461 |
+ unset APPS #197996 |
462 |
+ unset SCRIPTS #312551 |
463 |
+ unset CROSS_COMPILE #311473 |
464 |
+ |
465 |
+ tc-export CC AR RANLIB RC |
466 |
+ |
467 |
+ # Clean out patent-or-otherwise-encumbered code |
468 |
+ # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher) |
469 |
+ # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm |
470 |
+ # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography |
471 |
+ # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2 |
472 |
+ # RC5: Expired https://en.wikipedia.org/wiki/RC5 |
473 |
+ |
474 |
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } |
475 |
+ echoit() { echo "$@" ; "$@" ; } |
476 |
+ |
477 |
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") |
478 |
+ |
479 |
+ # See if our toolchain supports __uint128_t. If so, it's 64bit |
480 |
+ # friendly and can use the nicely optimized code paths. #460790 |
481 |
+ local ec_nistp_64_gcc_128 |
482 |
+ # Disable it for now though #469976 |
483 |
+ #if ! use bindist ; then |
484 |
+ # echo "__uint128_t i;" > "${T}"/128.c |
485 |
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then |
486 |
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" |
487 |
+ # fi |
488 |
+ #fi |
489 |
+ |
490 |
+ # https://github.com/openssl/openssl/issues/2286 |
491 |
+ if use ia64 ; then |
492 |
+ replace-flags -g3 -g2 |
493 |
+ replace-flags -ggdb3 -ggdb2 |
494 |
+ fi |
495 |
+ |
496 |
+ local sslout=$(./gentoo.config) |
497 |
+ einfo "Use configuration ${sslout:-(openssl knows best)}" |
498 |
+ local config="Configure" |
499 |
+ [[ -z ${sslout} ]] && config="config" |
500 |
+ |
501 |
+ # Fedora hobbled-EC needs 'no-ec2m', 'no-srp' |
502 |
+ echoit \ |
503 |
+ ./${config} \ |
504 |
+ ${sslout} \ |
505 |
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \ |
506 |
+ enable-camellia \ |
507 |
+ enable-ec \ |
508 |
+ $(use_ssl !bindist ec2m) \ |
509 |
+ $(use_ssl !bindist srp) \ |
510 |
+ ${ec_nistp_64_gcc_128} \ |
511 |
+ enable-idea \ |
512 |
+ enable-mdc2 \ |
513 |
+ enable-rc5 \ |
514 |
+ enable-tlsext \ |
515 |
+ $(use_ssl asm) \ |
516 |
+ $(use_ssl gmp gmp -lgmp) \ |
517 |
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ |
518 |
+ $(use_ssl rfc3779) \ |
519 |
+ $(use_ssl sctp) \ |
520 |
+ $(use_ssl sslv2 ssl2) \ |
521 |
+ $(use_ssl sslv3 ssl3) \ |
522 |
+ $(use_ssl tls-heartbeat heartbeats) \ |
523 |
+ $(use_ssl zlib) \ |
524 |
+ --prefix="${EPREFIX}"/usr \ |
525 |
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \ |
526 |
+ --libdir=$(get_libdir) \ |
527 |
+ shared threads \ |
528 |
+ || die |
529 |
+ |
530 |
+ # Clean out hardcoded flags that openssl uses |
531 |
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ |
532 |
+ -e 's:^CFLAG=::' \ |
533 |
+ -e 's:-fomit-frame-pointer ::g' \ |
534 |
+ -e 's:-O[0-9] ::g' \ |
535 |
+ -e 's:-march=[-a-z0-9]* ::g' \ |
536 |
+ -e 's:-mcpu=[-a-z0-9]* ::g' \ |
537 |
+ -e 's:-m[a-z0-9]* ::g' \ |
538 |
+ ) |
539 |
+ sed -i \ |
540 |
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \ |
541 |
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \ |
542 |
+ Makefile || die |
543 |
+} |
544 |
+ |
545 |
+multilib_src_compile() { |
546 |
+ # depend is needed to use $confopts; it also doesn't matter |
547 |
+ # that it's -j1 as the code itself serializes subdirs |
548 |
+ emake -j1 depend |
549 |
+ emake all |
550 |
+ # rehash is needed to prep the certs/ dir; do this |
551 |
+ # separately to avoid parallel build issues. |
552 |
+ emake rehash |
553 |
+} |
554 |
+ |
555 |
+multilib_src_test() { |
556 |
+ emake -j1 test |
557 |
+} |
558 |
+ |
559 |
+multilib_src_install() { |
560 |
+ emake INSTALL_PREFIX="${D}" install |
561 |
+} |
562 |
+ |
563 |
+multilib_src_install_all() { |
564 |
+ # openssl installs perl version of c_rehash by default, but |
565 |
+ # we provide a shell version via app-misc/c_rehash |
566 |
+ rm "${ED}"/usr/bin/c_rehash || die |
567 |
+ |
568 |
+ local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el ) |
569 |
+ einstalldocs |
570 |
+ |
571 |
+ use rfc3779 && dodoc engines/ccgost/README.gost |
572 |
+ |
573 |
+ # This is crappy in that the static archives are still built even |
574 |
+ # when USE=static-libs. But this is due to a failing in the openssl |
575 |
+ # build system: the static archives are built as PIC all the time. |
576 |
+ # Only way around this would be to manually configure+compile openssl |
577 |
+ # twice; once with shared lib support enabled and once without. |
578 |
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a |
579 |
+ |
580 |
+ # create the certs directory |
581 |
+ dodir ${SSL_CNF_DIR}/certs |
582 |
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die |
583 |
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired} |
584 |
+ |
585 |
+ # Namespace openssl programs to prevent conflicts with other man pages |
586 |
+ cd "${ED}"/usr/share/man |
587 |
+ local m d s |
588 |
+ for m in $(find . -type f | xargs grep -L '#include') ; do |
589 |
+ d=${m%/*} ; d=${d#./} ; m=${m##*/} |
590 |
+ [[ ${m} == openssl.1* ]] && continue |
591 |
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" |
592 |
+ mv ${d}/{,ssl-}${m} |
593 |
+ # fix up references to renamed man pages |
594 |
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} |
595 |
+ ln -s ssl-${m} ${d}/openssl-${m} |
596 |
+ # locate any symlinks that point to this man page ... we assume |
597 |
+ # that any broken links are due to the above renaming |
598 |
+ for s in $(find -L ${d} -type l) ; do |
599 |
+ s=${s##*/} |
600 |
+ rm -f ${d}/${s} |
601 |
+ ln -s ssl-${m} ${d}/ssl-${s} |
602 |
+ ln -s ssl-${s} ${d}/openssl-${s} |
603 |
+ done |
604 |
+ done |
605 |
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" |
606 |
+ |
607 |
+ dodir /etc/sandbox.d #254521 |
608 |
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl |
609 |
+ |
610 |
+ diropts -m0700 |
611 |
+ keepdir ${SSL_CNF_DIR}/private |
612 |
+} |
613 |
+ |
614 |
+pkg_postinst() { |
615 |
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069" |
616 |
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null |
617 |
+ eend $? |
618 |
+} |