
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
Date: Wed, 06 Mar 2019 16:56:24
Message-Id: 1551891303.402e35c0c3cfbd46457cad5983c217ea8de6fe8e.whissi@gentoo
1 commit: 402e35c0c3cfbd46457cad5983c217ea8de6fe8e
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Wed Mar 6 16:55:03 2019 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Wed Mar 6 16:55:03 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=402e35c0
7
8 dev-libs/openssl: add patch for CVE-2019-1543
9
10 Package-Manager: Portage-2.3.62, Repoman-2.3.12
11 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
12
13 .../files/openssl-1.1.1b-CVE-2019-1543.patch | 66 +++++
14 dev-libs/openssl/openssl-1.1.0j-r1.ebuild | 299 +++++++++++++++++++++
15 dev-libs/openssl/openssl-1.1.1b-r2.ebuild | 299 +++++++++++++++++++++
16 3 files changed, 664 insertions(+)
17
18 diff --git a/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
19 new file mode 100644
20 index 00000000000..4d478c484c9
21 --- /dev/null
22 +++ b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
23 @@ -0,0 +1,66 @@
24 +From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001
25 +From: Matt Caswell <matt@×××××××.org>
26 +Date: Tue, 5 Mar 2019 14:39:15 +0000
27 +Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305
28 +
29 +ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
30 +every encryption operation. RFC 7539 specifies that the nonce value (IV)
31 +should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
32 +front pads the nonce with 0 bytes if it is less than 12 bytes. However it
33 +also incorrectly allows a nonce to be set of up to 16 bytes. In this case
34 +only the last 12 bytes are significant and any additional leading bytes are
35 +ignored.
36 +
37 +It is a requirement of using this cipher that nonce values are unique.
38 +Messages encrypted using a reused nonce value are susceptible to serious
39 +confidentiality and integrity attacks. If an application changes the
40 +default nonce length to be longer than 12 bytes and then makes a change to
41 +the leading bytes of the nonce expecting the new value to be a new unique
42 +nonce then such an application could inadvertently encrypt messages with a
43 +reused nonce.
44 +
45 +Additionally the ignored bytes in a long nonce are not covered by the
46 +integrity guarantee of this cipher. Any application that relies on the
47 +integrity of these ignored leading bytes of a long nonce may be further
48 +affected.
49 +
50 +Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
51 +because no such use sets such a long nonce value. However user
52 +applications that use this cipher directly and set a non-default nonce
53 +length to be longer than 12 bytes may be vulnerable.
54 +
55 +CVE-2019-1543
56 +
57 +Fixes #8345
58 +
59 +Reviewed-by: Paul Dale <paul.dale@××××××.com>
60 +Reviewed-by: Richard Levitte <levitte@×××××××.org>
61 +(Merged from https://github.com/openssl/openssl/pull/8406)
62 +
63 +(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
64 +---
65 + crypto/evp/e_chacha20_poly1305.c | 4 +++-
66 + 1 file changed, 3 insertions(+), 1 deletion(-)
67 +
68 +diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
69 +index c1917bb86a6..d3e2c622a1b 100644
70 +--- a/crypto/evp/e_chacha20_poly1305.c
71 ++++ b/crypto/evp/e_chacha20_poly1305.c
72 +@@ -30,6 +30,8 @@ typedef struct {
73 +
74 + #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
75 +
76 ++#define CHACHA20_POLY1305_MAX_IVLEN 12
77 ++
78 + static int chacha_init_key(EVP_CIPHER_CTX *ctx,
79 + const unsigned char user_key[CHACHA_KEY_SIZE],
80 + const unsigned char iv[CHACHA_CTR_SIZE], int enc)
81 +@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
82 + return 1;
83 +
84 + case EVP_CTRL_AEAD_SET_IVLEN:
85 +- if (arg <= 0 || arg > CHACHA_CTR_SIZE)
86 ++ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
87 + return 0;
88 + actx->nonce_len = arg;
89 + return 1;
90
91 diff --git a/dev-libs/openssl/openssl-1.1.0j-r1.ebuild b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
92 new file mode 100644
93 index 00000000000..b21a33a9e0f
94 --- /dev/null
95 +++ b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
96 @@ -0,0 +1,299 @@
97 +# Copyright 1999-2019 Gentoo Authors
98 +# Distributed under the terms of the GNU General Public License v2
99 +
100 +EAPI="6"
101 +
102 +inherit flag-o-matic toolchain-funcs multilib multilib-minimal
103 +
104 +MY_P=${P/_/-}
105 +DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
106 +HOMEPAGE="https://www.openssl.org/"
107 +SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
108 +
109 +LICENSE="openssl"
110 +SLOT="0/1.1" # .so version of libssl/libcrypto
111 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
112 +IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
113 +RESTRICT="!bindist? ( bindist )"
114 +
115 +RDEPEND=">=app-misc/c_rehash-1.7-r1
116 + zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
117 +DEPEND="${RDEPEND}
118 + >=dev-lang/perl-5
119 + sctp? ( >=net-misc/lksctp-tools-1.0.12 )
120 + test? (
121 + sys-apps/diffutils
122 + sys-devel/bc
123 + )"
124 +PDEPEND="app-misc/ca-certificates"
125 +
126 +# This does not copy the entire Fedora patchset, but JUST the parts that
127 +# are needed to make it safe to use EC with RESTRICT=bindist.
128 +# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
129 +SOURCE1=hobble-openssl
130 +SOURCE12=ec_curve.c
131 +SOURCE13=ectest.c
132 +PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
133 +PATCH37=openssl-1.1.0-ec-curves.patch
134 +FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
135 +FEDORA_GIT_BRANCH='f28'
136 +FEDORA_GIT_COMMIT="d2ede125556ac99aa0faa7744c703af3f559094e"
137 +FEDORA_SRC_URI=()
138 +FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
139 +FEDORA_PATCH=( $PATCH1 $PATCH37 )
140 +for i in "${FEDORA_SOURCE[@]}" ; do
141 + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH}&id=${FEDORA_GIT_COMMIT} -> ${P}_${FEDORA_GIT_COMMIT}_${i}" )
142 +done
143 +for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
144 + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH}&id=${FEDORA_GIT_COMMIT} -> ${i%.patch}_${FEDORA_GIT_COMMIT}.patch" )
145 +done
146 +SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
147 +
148 +S="${WORKDIR}/${MY_P}"
149 +
150 +MULTILIB_WRAPPED_HEADERS=(
151 + usr/include/openssl/opensslconf.h
152 +)
153 +
154 +PATCHES=(
155 + "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
156 + "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
157 + "${FILESDIR}"/${PN}-1.1.1b-CVE-2019-1543.patch
158 +)
159 +
160 +src_prepare() {
161 + if use bindist; then
162 + # we need to patch the patch but we cannot patch in DISTDIR...
163 + mkdir "${WORKDIR}"/fedora_patches || die
164 + for i in "${FEDORA_PATCH[@]}" ; do
165 + cp "${DISTDIR}"/"${i%.patch}_${FEDORA_GIT_COMMIT}.patch" "${WORKDIR}"/fedora_patches || die
166 + done
167 +
168 + # now patch the path, due to OpenSSL change cb193560e0da17a41b40ce574a2349f1d4d59ed1
169 + sed -i -e 's#test/evptests.txt#test/recipes/30-test_evp_data/evppkey.txt#g' \
170 + "${WORKDIR}"/fedora_patches/openssl-1.1.0-build_d2ede125556ac99aa0faa7744c703af3f559094e.patch || \
171 + die
172 +
173 + # This just removes the prefix, and puts it into WORKDIR like the RPM.
174 + for i in "${FEDORA_SOURCE[@]}" ; do
175 + cp -f "${DISTDIR}"/"${P}_${FEDORA_GIT_COMMIT}_${i}" "${WORKDIR}"/"${i}" || die
176 + done
177 + # .spec %prep
178 + bash "${WORKDIR}"/"${SOURCE1}" || die
179 + cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
180 + cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
181 + for i in "${FEDORA_PATCH[@]}" ; do
182 + #eapply "${DISTDIR}"/"${i%.patch}_${FEDORA_GIT_COMMIT}.patch"
183 + eapply "${WORKDIR}/fedora_patches/${i%.patch}_${FEDORA_GIT_COMMIT}.patch"
184 + done
185 + # Also see the configure parts below:
186 + # enable-ec \
187 + # $(use_ssl !bindist ec2m) \
188 +
189 + fi
190 + # keep this in sync with app-misc/c_rehash
191 + SSL_CNF_DIR="/etc/ssl"
192 +
193 + # Make sure we only ever touch Makefile.org and avoid patching a file
194 + # that gets blown away anyways by the Configure script in src_configure
195 + rm -f Makefile
196 +
197 + if ! use vanilla ; then
198 + eapply "${PATCHES[@]}"
199 + fi
200 +
201 + eapply_user #332661
202 +
203 + # make sure the man pages are suffixed #302165
204 + # don't bother building man pages if they're disabled
205 + # Make DOCDIR Gentoo compliant
206 + sed -i \
207 + -e '/^MANSUFFIX/s:=.*:=ssl:' \
208 + -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
209 + -e $(has noman FEATURES \
210 + && echo '/^install:/s:install_docs::' \
211 + || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
212 + -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
213 + Configurations/unix-Makefile.tmpl \
214 + || die
215 +
216 + # show the actual commands in the log
217 + sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared || die
218 +
219 + # quiet out unknown driver argument warnings since openssl
220 + # doesn't have well-split CFLAGS and we're making it even worse
221 + # and 'make depend' uses -Werror for added fun (#417795 again)
222 + [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
223 +
224 + # allow openssl to be cross-compiled
225 + cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
226 + chmod a+rx gentoo.config || die
227 +
228 + append-flags -fno-strict-aliasing
229 + append-flags $(test-flags-CC -Wa,--noexecstack)
230 + append-cppflags -DOPENSSL_NO_BUF_FREELISTS
231 +
232 + # Prefixify Configure shebang (#141906)
233 + sed \
234 + -e "1s,/usr/bin/env,${EPREFIX}&," \
235 + -i Configure || die
236 + # Remove test target when FEATURES=test isn't set
237 + if ! use test ; then
238 + sed \
239 + -e '/^$config{dirs}/s@ "test",@@' \
240 + -i Configure || die
241 + fi
242 + # The config script does stupid stuff to prompt the user. Kill it.
243 + sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
244 + ./config --test-sanity || die "I AM NOT SANE"
245 +
246 + multilib_copy_sources
247 +}
248 +
249 +multilib_src_configure() {
250 + unset APPS #197996
251 + unset SCRIPTS #312551
252 + unset CROSS_COMPILE #311473
253 +
254 + tc-export CC AR RANLIB RC
255 +
256 + # Clean out patent-or-otherwise-encumbered code
257 + # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
258 + # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
259 + # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
260 + # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
261 + # RC5: Expired https://en.wikipedia.org/wiki/RC5
262 +
263 + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
264 + echoit() { echo "$@" ; "$@" ; }
265 +
266 + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
267 +
268 + # See if our toolchain supports __uint128_t. If so, it's 64bit
269 + # friendly and can use the nicely optimized code paths. #460790
270 + local ec_nistp_64_gcc_128
271 + # Disable it for now though #469976
272 + #if ! use bindist ; then
273 + # echo "__uint128_t i;" > "${T}"/128.c
274 + # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
275 + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
276 + # fi
277 + #fi
278 +
279 + local sslout=$(./gentoo.config)
280 + einfo "Use configuration ${sslout:-(openssl knows best)}"
281 + local config="Configure"
282 + [[ -z ${sslout} ]] && config="config"
283 +
284 + # Fedora hobbled-EC needs 'no-ec2m'
285 + # 'srp' was restricted until early 2017 as well.
286 + # "disable-deprecated" option breaks too many consumers.
287 + # Don't set it without thorough revdeps testing.
288 + echoit \
289 + ./${config} \
290 + ${sslout} \
291 + $(use cpu_flags_x86_sse2 || echo "no-sse2") \
292 + enable-camellia \
293 + enable-ec \
294 + $(use_ssl !bindist ec2m) \
295 + enable-srp \
296 + $(use elibc_musl && echo "no-async") \
297 + ${ec_nistp_64_gcc_128} \
298 + enable-idea \
299 + enable-mdc2 \
300 + enable-rc5 \
301 + $(use_ssl asm) \
302 + $(use_ssl rfc3779) \
303 + $(use_ssl sctp) \
304 + $(use_ssl tls-heartbeat heartbeats) \
305 + $(use_ssl zlib) \
306 + --prefix="${EPREFIX}"/usr \
307 + --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
308 + --libdir=$(get_libdir) \
309 + shared threads \
310 + || die
311 +
312 + # Clean out hardcoded flags that openssl uses
313 + # Fix quoting for sed
314 + local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
315 + -e 's:^CFLAGS=::' \
316 + -e 's:-fomit-frame-pointer ::g' \
317 + -e 's:-O[0-9] ::g' \
318 + -e 's:-march=[-a-z0-9]* ::g' \
319 + -e 's:-mcpu=[-a-z0-9]* ::g' \
320 + -e 's:-m[a-z0-9]* ::g' \
321 + -e 's:\\:\\\\:g' \
322 + )
323 + sed -i \
324 + -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
325 + -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
326 + Makefile || die
327 +}
328 +
329 +multilib_src_compile() {
330 + # depend is needed to use $confopts; it also doesn't matter
331 + # that it's -j1 as the code itself serializes subdirs
332 + emake -j1 depend
333 + emake all
334 +}
335 +
336 +multilib_src_test() {
337 + emake -j1 test
338 +}
339 +
340 +multilib_src_install() {
341 + emake DESTDIR="${D}" install
342 +}
343 +
344 +multilib_src_install_all() {
345 + # openssl installs perl version of c_rehash by default, but
346 + # we provide a shell version via app-misc/c_rehash
347 + rm "${ED%/}"/usr/bin/c_rehash || die
348 +
349 + dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
350 +
351 + # This is crappy in that the static archives are still built even
352 + # when USE=static-libs. But this is due to a failing in the openssl
353 + # build system: the static archives are built as PIC all the time.
354 + # Only way around this would be to manually configure+compile openssl
355 + # twice; once with shared lib support enabled and once without.
356 + use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
357 +
358 + # create the certs directory
359 + keepdir ${SSL_CNF_DIR}/certs
360 +
361 + # Namespace openssl programs to prevent conflicts with other man pages
362 + cd "${ED%/}"/usr/share/man || die
363 + local m d s
364 + for m in $(find . -type f | xargs grep -L '#include') ; do
365 + d=${m%/*} ; d=${d#./} ; m=${m##*/}
366 + [[ ${m} == openssl.1* ]] && continue
367 + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
368 + mv ${d}/{,ssl-}${m}
369 + # fix up references to renamed man pages
370 + sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
371 + ln -s ssl-${m} ${d}/openssl-${m}
372 + # locate any symlinks that point to this man page ... we assume
373 + # that any broken links are due to the above renaming
374 + for s in $(find -L ${d} -type l) ; do
375 + s=${s##*/}
376 + rm -f ${d}/${s}
377 + # We don't want to "|| die" here
378 + ln -s ssl-${m} ${d}/ssl-${s}
379 + ln -s ssl-${s} ${d}/openssl-${s}
380 + done
381 + done
382 + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
383 +
384 + dodir /etc/sandbox.d #254521
385 + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
386 +
387 + diropts -m0700
388 + keepdir ${SSL_CNF_DIR}/private
389 +}
390 +
391 +pkg_postinst() {
392 + ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
393 + c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
394 + eend $?
395 +}
396
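Review bot: The CVE-2019-1543 fix is applied only inside the `if ! use vanilla ; then eapply "${PATCHES[@]}"` guard in src_prepare, because the patch sits in the PATCHES array; a USE=vanilla build of 1.1.0j-r1 is therefore built from the unpatched tarball and keeps the overlong-nonce bug that this revision bump exists to fix. A security fix should not be opt-out via a flag meant to skip cosmetic distro patches: drop the `"${FILESDIR}"/${PN}-1.1.1b-CVE-2019-1543.patch` entry from PATCHES and apply it unconditionally before `eapply_user`, e.g. `eapply "${FILESDIR}"/${PN}-1.1.1b-CVE-2019-1543.patch`. Separately, the patch file is named for 1.1.1b and carries 1.1.1-branch index/context lines; eapply will fail loudly if the hunk does not fit the 1.1.0j tree, but a version-neutral filename would make it clear the reuse is intentional rather than a mis-picked backport.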
397 diff --git a/dev-libs/openssl/openssl-1.1.1b-r2.ebuild b/dev-libs/openssl/openssl-1.1.1b-r2.ebuild
398 new file mode 100644
399 index 00000000000..98e70d05803
400 --- /dev/null
401 +++ b/dev-libs/openssl/openssl-1.1.1b-r2.ebuild
402 @@ -0,0 +1,299 @@
403 +# Copyright 1999-2019 Gentoo Authors
404 +# Distributed under the terms of the GNU General Public License v2
405 +
406 +EAPI="6"
407 +
408 +inherit flag-o-matic toolchain-funcs multilib multilib-minimal
409 +
410 +MY_P=${P/_/-}
411 +DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
412 +HOMEPAGE="https://www.openssl.org/"
413 +SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
414 +
415 +LICENSE="openssl"
416 +SLOT="0/1.1" # .so version of libssl/libcrypto
417 +[[ "${PV}" = *_pre* ]] || \
418 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
419 +IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
420 +RESTRICT="!bindist? ( bindist )"
421 +
422 +RDEPEND=">=app-misc/c_rehash-1.7-r1
423 + zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
424 +DEPEND="${RDEPEND}
425 + >=dev-lang/perl-5
426 + sctp? ( >=net-misc/lksctp-tools-1.0.12 )
427 + test? (
428 + sys-apps/diffutils
429 + sys-devel/bc
430 + )"
431 +PDEPEND="app-misc/ca-certificates"
432 +
433 +PATCHES=(
434 + "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
435 + "${FILESDIR}"/${P}-CVE-2019-1543.patch
436 +)
437 +
438 +# This does not copy the entire Fedora patchset, but JUST the parts that
439 +# are needed to make it safe to use EC with RESTRICT=bindist.
440 +# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
441 +SOURCE1=hobble-openssl
442 +SOURCE12=ec_curve.c
443 +SOURCE13=ectest.c
444 +PATCH37=openssl-1.1.1-ec-curves.patch
445 +FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
446 +FEDORA_GIT_BRANCH='f29'
447 +FEDORA_SRC_URI=()
448 +FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
449 +FEDORA_PATCH=( ${PATCH37} )
450 +for i in "${FEDORA_SOURCE[@]}" ; do
451 + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
452 +done
453 +for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
454 + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
455 +done
456 +SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
457 +
458 +S="${WORKDIR}/${MY_P}"
459 +
460 +MULTILIB_WRAPPED_HEADERS=(
461 + usr/include/openssl/opensslconf.h
462 +)
463 +
464 +src_prepare() {
465 + if use bindist; then
466 + # This just removes the prefix, and puts it into WORKDIR like the RPM.
467 + for i in "${FEDORA_SOURCE[@]}" ; do
468 + cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
469 + done
470 +
471 + # .spec %prep
472 + bash "${WORKDIR}"/"${SOURCE1}" || die
473 + cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
474 + cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
475 + for i in "${FEDORA_PATCH[@]}" ; do
476 + if [[ "${i}" == "${PATCH37}" ]] ; then
477 + # apply our own for OpenSSL 1.1.1b adjusted version of this patch
478 + eapply "${FILESDIR}"/openssl-1.1.1b-ec-curves-patch.patch
479 + else
480 + eapply "${DISTDIR}"/"${i}"
481 + fi
482 + done
483 + # Also see the configure parts below:
484 + # enable-ec \
485 + # $(use_ssl !bindist ec2m) \
486 +
487 + fi
488 +
489 + # keep this in sync with app-misc/c_rehash
490 + SSL_CNF_DIR="/etc/ssl"
491 +
492 + # Make sure we only ever touch Makefile.org and avoid patching a file
493 + # that gets blown away anyways by the Configure script in src_configure
494 + rm -f Makefile
495 +
496 + if ! use vanilla ; then
497 + if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
498 + [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
499 + fi
500 + fi
501 +
502 + eapply_user #332661
503 +
504 + # make sure the man pages are suffixed #302165
505 + # don't bother building man pages if they're disabled
506 + # Make DOCDIR Gentoo compliant
507 + sed -i \
508 + -e '/^MANSUFFIX/s:=.*:=ssl:' \
509 + -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
510 + -e $(has noman FEATURES \
511 + && echo '/^install:/s:install_docs::' \
512 + || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
513 + -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
514 + Configurations/unix-Makefile.tmpl \
515 + || die
516 +
517 + # quiet out unknown driver argument warnings since openssl
518 + # doesn't have well-split CFLAGS and we're making it even worse
519 + # and 'make depend' uses -Werror for added fun (#417795 again)
520 + [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
521 +
522 + # allow openssl to be cross-compiled
523 + cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
524 + chmod a+rx gentoo.config || die
525 +
526 + append-flags -fno-strict-aliasing
527 + append-flags $(test-flags-CC -Wa,--noexecstack)
528 + append-cppflags -DOPENSSL_NO_BUF_FREELISTS
529 +
530 + # Prefixify Configure shebang (#141906)
531 + sed \
532 + -e "1s,/usr/bin/env,${EPREFIX%/}&," \
533 + -i Configure || die
534 + # Remove test target when FEATURES=test isn't set
535 + if ! use test ; then
536 + sed \
537 + -e '/^$config{dirs}/s@ "test",@@' \
538 + -i Configure || die
539 + fi
540 + # The config script does stupid stuff to prompt the user. Kill it.
541 + sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
542 + ./config --test-sanity || die "I AM NOT SANE"
543 +
544 + multilib_copy_sources
545 +}
546 +
547 +multilib_src_configure() {
548 + unset APPS #197996
549 + unset SCRIPTS #312551
550 + unset CROSS_COMPILE #311473
551 +
552 + tc-export CC AR RANLIB RC
553 +
554 + # Clean out patent-or-otherwise-encumbered code
555 + # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
556 + # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
557 + # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
558 + # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
559 + # RC5: Expired https://en.wikipedia.org/wiki/RC5
560 +
561 + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
562 + echoit() { echo "$@" ; "$@" ; }
563 +
564 + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
565 +
566 + # See if our toolchain supports __uint128_t. If so, it's 64bit
567 + # friendly and can use the nicely optimized code paths. #460790
568 + local ec_nistp_64_gcc_128
569 + # Disable it for now though #469976
570 + #if ! use bindist ; then
571 + # echo "__uint128_t i;" > "${T}"/128.c
572 + # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
573 + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
574 + # fi
575 + #fi
576 +
577 + local sslout=$(./gentoo.config)
578 + einfo "Use configuration ${sslout:-(openssl knows best)}"
579 + local config="Configure"
580 + [[ -z ${sslout} ]] && config="config"
581 +
582 + # Fedora hobbled-EC needs 'no-ec2m'
583 + # 'srp' was restricted until early 2017 as well.
584 + # "disable-deprecated" option breaks too many consumers.
585 + # Don't set it without thorough revdeps testing.
586 + echoit \
587 + ./${config} \
588 + ${sslout} \
589 + $(use cpu_flags_x86_sse2 || echo "no-sse2") \
590 + enable-camellia \
591 + enable-ec \
592 + $(use_ssl !bindist ec2m) \
593 + enable-srp \
594 + $(use elibc_musl && echo "no-async") \
595 + ${ec_nistp_64_gcc_128} \
596 + enable-idea \
597 + enable-mdc2 \
598 + enable-rc5 \
599 + $(use_ssl sslv3 ssl3) \
600 + $(use_ssl sslv3 ssl3-method) \
601 + $(use_ssl asm) \
602 + $(use_ssl rfc3779) \
603 + $(use_ssl sctp) \
604 + $(use_ssl tls-heartbeat heartbeats) \
605 + $(use_ssl zlib) \
606 + --prefix="${EPREFIX%/}"/usr \
607 + --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
608 + --libdir=$(get_libdir) \
609 + shared threads \
610 + || die
611 +
612 + # Clean out hardcoded flags that openssl uses
613 + # Fix quoting for sed
614 + local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
615 + -e 's:^CFLAGS=::' \
616 + -e 's:-fomit-frame-pointer ::g' \
617 + -e 's:-O[0-9] ::g' \
618 + -e 's:-march=[-a-z0-9]* ::g' \
619 + -e 's:-mcpu=[-a-z0-9]* ::g' \
620 + -e 's:-m[a-z0-9]* ::g' \
621 + -e 's:\\:\\\\:g' \
622 + )
623 + sed -i \
624 + -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
625 + -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
626 + Makefile || die
627 +}
628 +
629 +multilib_src_compile() {
630 + # depend is needed to use $confopts; it also doesn't matter
631 + # that it's -j1 as the code itself serializes subdirs
632 + emake -j1 depend
633 + emake all
634 +}
635 +
636 +multilib_src_test() {
637 + emake -j1 test
638 +}
639 +
640 +multilib_src_install() {
641 + # We need to create $ED/usr on our own to avoid a race condition #665130
642 + if [[ ! -d "${ED%/}/usr" ]]; then
643 + # We can only create this directory once
644 + mkdir "${ED%/}"/usr || die
645 + fi
646 +
647 + emake DESTDIR="${D%/}" install
648 +}
649 +
650 +multilib_src_install_all() {
651 + # openssl installs perl version of c_rehash by default, but
652 + # we provide a shell version via app-misc/c_rehash
653 + rm "${ED%/}"/usr/bin/c_rehash || die
654 +
655 + dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
656 +
657 + # This is crappy in that the static archives are still built even
658 + # when USE=static-libs. But this is due to a failing in the openssl
659 + # build system: the static archives are built as PIC all the time.
660 + # Only way around this would be to manually configure+compile openssl
661 + # twice; once with shared lib support enabled and once without.
662 + use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
663 +
664 + # create the certs directory
665 + keepdir ${SSL_CNF_DIR}/certs
666 +
667 + # Namespace openssl programs to prevent conflicts with other man pages
668 + cd "${ED%/}"/usr/share/man || die
669 + local m d s
670 + for m in $(find . -type f | xargs grep -L '#include') ; do
671 + d=${m%/*} ; d=${d#./} ; m=${m##*/}
672 + [[ ${m} == openssl.1* ]] && continue
673 + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
674 + mv ${d}/{,ssl-}${m}
675 + # fix up references to renamed man pages
676 + sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
677 + ln -s ssl-${m} ${d}/openssl-${m}
678 + # locate any symlinks that point to this man page ... we assume
679 + # that any broken links are due to the above renaming
680 + for s in $(find -L ${d} -type l) ; do
681 + s=${s##*/}
682 + rm -f ${d}/${s}
683 + # We don't want to "|| die" here
684 + ln -s ssl-${m} ${d}/ssl-${s}
685 + ln -s ssl-${s} ${d}/openssl-${s}
686 + done
687 + done
688 + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
689 +
690 + dodir /etc/sandbox.d #254521
691 + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
692 +
693 + diropts -m0700
694 + keepdir ${SSL_CNF_DIR}/private
695 +}
696 +
697 +pkg_postinst() {
698 + ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
699 + c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
700 + eend $?
701 +}
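Review bot: The CVE-2019-1543 patch is listed in PATCHES and PATCHES is only applied under `if ! use vanilla ; then`, so a USE=vanilla build of 1.1.1b-r2 silently stays vulnerable to the ChaCha20-Poly1305 overlong-nonce issue that the revision bump is meant to close. Move `"${FILESDIR}"/${P}-CVE-2019-1543.patch` out of the PATCHES array and apply it unconditionally in src_prepare before `eapply_user`, e.g. `eapply "${FILESDIR}"/${P}-CVE-2019-1543.patch`, keeping only the non-security parallel_install fix behind the vanilla guard. A short comment such as `# security fix, applied regardless of USE=vanilla` next to that line would stop a future cleanup from folding it back into PATCHES.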