[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/ - gentoo-commits

From:	Sam James <sam@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date:	Tue, 14 Mar 2023 19:49:00
Message-Id:	`1678823315.4abe2ab7c01d53b1eb4600c2ebf914eebf6e697d.sam@gentoo`

1

commit:     4abe2ab7c01d53b1eb4600c2ebf914eebf6e697d

2

Author:     Sam James <sam <AT> gentoo <DOT> org>

3

AuthorDate: Tue Mar 14 19:47:49 2023 +0000

4

Commit:     Sam James <sam <AT> gentoo <DOT> org>

5

CommitDate: Tue Mar 14 19:48:35 2023 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4abe2ab7

7

8

dev-libs/openssl: add 3.1.0 (unkeyworded)

9

10

Briefly unkeyworded for some testing but I don't expect this to last long.

11

12

Signed-off-by: Sam James <sam <AT> gentoo.org>

13

14

 dev-libs/openssl/Manifest             |   2 +

15

 dev-libs/openssl/openssl-3.1.0.ebuild | 270 ++++++++++++++++++++++++++++++++++

16

 2 files changed, 272 insertions(+)

17

18

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest

19

index f45d7d6c5109..46d864d06642 100644

20

--- a/dev-libs/openssl/Manifest

21

+++ b/dev-libs/openssl/Manifest

22

@@ -7,3 +7,5 @@ DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e85

23

 DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b

24

 DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d

25

 DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6

26

+DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 SHA512 71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713

27

+DIST openssl-3.1.0.tar.gz.asc 488 BLAKE2B f4a844e3db2c2bdf42b6f811d16cc2077cacf713d20474d94e2d0180a6f97eadf4f03522e9fed478d263d680d88091dc2bc48e7ebb15d049bc57ee7ed64c7fbb SHA512 8d542e6471b745822d6cd889c5b168841b4366ee9a96edc2ab5b44fa1bd1b75308422aed312f1bd6e6a3c3e306eceaa95ce9bb4d0aa3e8ff86cb0fd92a7e61ea

28

29

diff --git a/dev-libs/openssl/openssl-3.1.0.ebuild b/dev-libs/openssl/openssl-3.1.0.ebuild

30

new file mode 100644

31

index 000000000000..802f9f3870be

32

--- /dev/null

33

+++ b/dev-libs/openssl/openssl-3.1.0.ebuild

34

@@ -0,0 +1,270 @@

35

+# Copyright 1999-2023 Gentoo Authors

36

+# Distributed under the terms of the GNU General Public License v2

37

+

38

+EAPI=8

39

+

40

+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc

41

+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig

42

+

43

+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"

44

+HOMEPAGE="https://www.openssl.org/"

45

+

46

+MY_P=${P/_/-}

47

+

48

+if [[ ${PV} == 9999 ]] ; then

49

+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"

50

+

51

+	inherit git-r3

52

+else

53

+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz

54

+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"

55

+	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"

56

+fi

57

+

58

+S="${WORKDIR}"/${MY_P}

59

+

60

+LICENSE="Apache-2.0"

61

+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto

62

+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"

63

+RESTRICT="!test? ( test )"

64

+

65

+COMMON_DEPEND="

66

+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )

67

+"

68

+BDEPEND="

69

+	>=dev-lang/perl-5

70

+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )

71

+	test? (

72

+		sys-apps/diffutils

73

+		sys-devel/bc

74

+		sys-process/procps

75

+	)

76

+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"

77

+

78

+DEPEND="${COMMON_DEPEND}"

79

+RDEPEND="${COMMON_DEPEND}"

80

+PDEPEND="app-misc/ca-certificates"

81

+

82

+MULTILIB_WRAPPED_HEADERS=(

83

+	/usr/include/openssl/configuration.h

84

+)

85

+

86

+PATCHES=(

87

+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch

88

+)

89

+

90

+pkg_setup() {

91

+	if use ktls ; then

92

+		if kernel_is -lt 4 18 ; then

93

+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"

94

+		else

95

+			CONFIG_CHECK="~TLS ~TLS_DEVICE"

96

+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"

97

+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"

98

+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"

99

+

100

+			linux-info_pkg_setup

101

+		fi

102

+	fi

103

+

104

+	[[ ${MERGE_TYPE} == binary ]] && return

105

+

106

+	# must check in pkg_setup; sysctl doesn't work with userpriv!

107

+	if use test && use sctp ; then

108

+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"

109

+		# if sctp.auth_enable is not enabled.

110

+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)

111

+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then

112

+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"

113

+		fi

114

+	fi

115

+}

116

+

117

+src_unpack() {

118

+	# Can delete this once test fix patch is dropped

119

+	if use verify-sig ; then

120

+		# Needed for downloaded patch (which is unsigned, which is fine)

121

+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}

122

+	fi

123

+

124

+	default

125

+}

126

+

127

+src_prepare() {

128

+	# Make sure we only ever touch Makefile.org and avoid patching a file

129

+	# that gets blown away anyways by the Configure script in src_configure

130

+	rm -f Makefile

131

+

132

+	if ! use vanilla ; then

133

+		PATCHES+=(

134

+			# Add patches which are Gentoo-specific customisations here

135

+		)

136

+	fi

137

+

138

+	default

139

+

140

+	if use test && use sctp && has network-sandbox ${FEATURES} ; then

141

+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."

142

+		rm test/recipes/80-test_ssl_new.t || die

143

+	fi

144

+}

145

+

146

+src_configure() {

147

+	# Keep this in sync with app-misc/c_rehash

148

+	SSL_CNF_DIR="/etc/ssl"

149

+

150

+	# Quiet out unknown driver argument warnings since openssl

151

+	# doesn't have well-split CFLAGS and we're making it even worse

152

+	# and 'make depend' uses -Werror for added fun (bug #417795 again)

153

+	tc-is-clang && append-flags -Qunused-arguments

154

+

155

+	# We really, really need to build OpenSSL w/ strict aliasing disabled.

156

+	# It's filled with violations and it *will* result in miscompiled

157

+	# code. This has been in the ebuild for > 10 years but even in 2022,

158

+	# it's still relevant:

159

+	# - https://github.com/llvm/llvm-project/issues/55255

160

+	# - https://github.com/openssl/openssl/issues/18225

161

+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057

162

+	# Don't remove the no strict aliasing bits below!

163

+	filter-flags -fstrict-aliasing

164

+	append-flags -fno-strict-aliasing

165

+

166

+	append-flags $(test-flags-CC -Wa,--noexecstack)

167

+

168

+	# bug #197996

169

+	unset APPS

170

+	# bug #312551

171

+	unset SCRIPTS

172

+	# bug #311473

173

+	unset CROSS_COMPILE

174

+

175

+	tc-export AR CC CXX RANLIB RC

176

+

177

+	multilib-minimal_src_configure

178

+}

179

+

180

+multilib_src_configure() {

181

+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }

182

+

183

+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")

184

+

185

+	# See if our toolchain supports __uint128_t.  If so, it's 64bit

186

+	# friendly and can use the nicely optimized code paths, bug #460790.

187

+	#local ec_nistp_64_gcc_128

188

+	#

189

+	# Disable it for now though (bug #469976)

190

+	# Do NOT re-enable without substantial discussion first!

191

+	#

192

+	#echo "__uint128_t i;" > "${T}"/128.c

193

+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then

194

+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"

195

+	#fi

196

+

197

+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")

198

+	einfo "Using configuration: ${sslout:-(openssl knows best)}"

199

+

200

+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features

201

+	local myeconfargs=(

202

+		${sslout}

203

+

204

+		$(use cpu_flags_x86_sse2 || echo "no-sse2")

205

+		enable-camellia

206

+		enable-ec

207

+		enable-ec2m

208

+		enable-sm2

209

+		enable-srp

210

+		$(use elibc_musl && echo "no-async")

211

+		enable-idea

212

+		enable-mdc2

213

+		enable-rc5

214

+		$(use fips && echo "enable-fips")

215

+		$(use_ssl asm)

216

+		$(use_ssl ktls)

217

+		$(use_ssl rfc3779)

218

+		$(use_ssl sctp)

219

+		$(use test || echo "no-tests")

220

+		$(use_ssl tls-compression zlib)

221

+		$(use_ssl weak-ssl-ciphers)

222

+

223

+		--prefix="${EPREFIX}"/usr

224

+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}

225

+		--libdir=$(get_libdir)

226

+

227

+		shared

228

+		threads

229

+	)

230

+

231

+	edo perl "${S}/Configure" "${myeconfargs[@]}"

232

+}

233

+

234

+multilib_src_compile() {

235

+	emake build_sw

236

+

237

+	if multilib_is_native_abi; then

238

+		emake build_docs

239

+	fi

240

+}

241

+

242

+multilib_src_test() {

243

+	# VFP = show subtests verbosely and show failed tests verbosely

244

+	# Normal V=1 would show everything verbosely but this slows things down.

245

+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test

246

+}

247

+

248

+multilib_src_install() {

249

+	emake DESTDIR="${D}" install_sw

250

+	if use fips; then

251

+		emake DESTDIR="${D}" install_fips

252

+		# Regen this in pkg_preinst, bug 900625

253

+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die

254

+	fi

255

+

256

+	if multilib_is_native_abi; then

257

+		emake DESTDIR="${D}" install_ssldirs

258

+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs

259

+	fi

260

+

261

+	# This is crappy in that the static archives are still built even

262

+	# when USE=static-libs. But this is due to a failing in the openssl

263

+	# build system: the static archives are built as PIC all the time.

264

+	# Only way around this would be to manually configure+compile openssl

265

+	# twice; once with shared lib support enabled and once without.

266

+	if ! use static-libs ; then

267

+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die

268

+	fi

269

+}

270

+

271

+multilib_src_install_all() {

272

+	# openssl installs perl version of c_rehash by default, but

273

+	# we provide a shell version via app-misc/c_rehash

274

+	rm "${ED}"/usr/bin/c_rehash || die

275

+

276

+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el

277

+

278

+	# Create the certs directory

279

+	keepdir ${SSL_CNF_DIR}/certs

280

+

281

+	# bug #254521

282

+	dodir /etc/sandbox.d

283

+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

284

+

285

+	diropts -m0700

286

+	keepdir ${SSL_CNF_DIR}/private

287

+}

288

+

289

+pkg_preinst() {

290

+	if use fips; then

291

+		# Regen fipsmodule.cnf, bug 900625

292

+		ebegin "Running openssl fipsinstall"

293

+		"${ED}/usr/bin/openssl" fipsinstall -quiet \

294

+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \

295

+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"

296

+		eend $?

297

+	fi

298

+}

299

+

300

+pkg_postinst() {

301

+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"

302

+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"

303

+	eend $?

304

+}

1	commit: 4abe2ab7c01d53b1eb4600c2ebf914eebf6e697d
2	Author: Sam James <sam <AT> gentoo <DOT> org>
3	AuthorDate: Tue Mar 14 19:47:49 2023 +0000
4	Commit: Sam James <sam <AT> gentoo <DOT> org>
5	CommitDate: Tue Mar 14 19:48:35 2023 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4abe2ab7
7
8	dev-libs/openssl: add 3.1.0 (unkeyworded)
9
10	Briefly unkeyworded for some testing but I don't expect this to last long.
11
12	Signed-off-by: Sam James <sam <AT> gentoo.org>
13
14	dev-libs/openssl/Manifest \| 2 +
15	dev-libs/openssl/openssl-3.1.0.ebuild \| 270 ++++++++++++++++++++++++++++++++++
16	2 files changed, 272 insertions(+)
17
18	diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
19	index f45d7d6c5109..46d864d06642 100644
20	--- a/dev-libs/openssl/Manifest
21	+++ b/dev-libs/openssl/Manifest
22	@@ -7,3 +7,5 @@ DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e85
23	DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
24	DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
25	DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6
26	+DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 SHA512 71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713
27	+DIST openssl-3.1.0.tar.gz.asc 488 BLAKE2B f4a844e3db2c2bdf42b6f811d16cc2077cacf713d20474d94e2d0180a6f97eadf4f03522e9fed478d263d680d88091dc2bc48e7ebb15d049bc57ee7ed64c7fbb SHA512 8d542e6471b745822d6cd889c5b168841b4366ee9a96edc2ab5b44fa1bd1b75308422aed312f1bd6e6a3c3e306eceaa95ce9bb4d0aa3e8ff86cb0fd92a7e61ea
28
29	diff --git a/dev-libs/openssl/openssl-3.1.0.ebuild b/dev-libs/openssl/openssl-3.1.0.ebuild
30	new file mode 100644
31	index 000000000000..802f9f3870be
32	--- /dev/null
33	+++ b/dev-libs/openssl/openssl-3.1.0.ebuild
34	@@ -0,0 +1,270 @@
35	+# Copyright 1999-2023 Gentoo Authors
36	+# Distributed under the terms of the GNU General Public License v2
37	+
38	+EAPI=8
39	+
40	+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
41	+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
42	+
43	+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
44	+HOMEPAGE="https://www.openssl.org/"
45	+
46	+MY_P=${P/_/-}
47	+
48	+if [[ ${PV} == 9999 ]] ; then
49	+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
50	+
51	+ inherit git-r3
52	+else
53	+ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
54	+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
55	+ #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
56	+fi
57	+
58	+S="${WORKDIR}"/${MY_P}
59	+
60	+LICENSE="Apache-2.0"
61	+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
62	+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
63	+RESTRICT="!test? ( test )"
64	+
65	+COMMON_DEPEND="
66	+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
67	+"
68	+BDEPEND="
69	+ >=dev-lang/perl-5
70	+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
71	+ test? (
72	+ sys-apps/diffutils
73	+ sys-devel/bc
74	+ sys-process/procps
75	+ )
76	+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
77	+
78	+DEPEND="${COMMON_DEPEND}"
79	+RDEPEND="${COMMON_DEPEND}"
80	+PDEPEND="app-misc/ca-certificates"
81	+
82	+MULTILIB_WRAPPED_HEADERS=(
83	+ /usr/include/openssl/configuration.h
84	+)
85	+
86	+PATCHES=(
87	+ "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
88	+)
89	+
90	+pkg_setup() {
91	+ if use ktls ; then
92	+ if kernel_is -lt 4 18 ; then
93	+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
94	+ else
95	+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
96	+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
97	+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
98	+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
99	+
100	+ linux-info_pkg_setup
101	+ fi
102	+ fi
103	+
104	+ [[ ${MERGE_TYPE} == binary ]] && return
105	+
106	+ # must check in pkg_setup; sysctl doesn't work with userpriv!
107	+ if use test && use sctp ; then
108	+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
109	+ # if sctp.auth_enable is not enabled.
110	+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
111	+ if [[ -z "${sctp_auth_status}" ]] \|\| [[ ${sctp_auth_status} != 1 ]] ; then
112	+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
113	+ fi
114	+ fi
115	+}
116	+
117	+src_unpack() {
118	+ # Can delete this once test fix patch is dropped
119	+ if use verify-sig ; then
120	+ # Needed for downloaded patch (which is unsigned, which is fine)
121	+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
122	+ fi
123	+
124	+ default
125	+}
126	+
127	+src_prepare() {
128	+ # Make sure we only ever touch Makefile.org and avoid patching a file
129	+ # that gets blown away anyways by the Configure script in src_configure
130	+ rm -f Makefile
131	+
132	+ if ! use vanilla ; then
133	+ PATCHES+=(
134	+ # Add patches which are Gentoo-specific customisations here
135	+ )
136	+ fi
137	+
138	+ default
139	+
140	+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
141	+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
142	+ rm test/recipes/80-test_ssl_new.t \|\| die
143	+ fi
144	+}
145	+
146	+src_configure() {
147	+ # Keep this in sync with app-misc/c_rehash
148	+ SSL_CNF_DIR="/etc/ssl"
149	+
150	+ # Quiet out unknown driver argument warnings since openssl
151	+ # doesn't have well-split CFLAGS and we're making it even worse
152	+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
153	+ tc-is-clang && append-flags -Qunused-arguments
154	+
155	+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
156	+ # It's filled with violations and it will result in miscompiled
157	+ # code. This has been in the ebuild for > 10 years but even in 2022,
158	+ # it's still relevant:
159	+ # - https://github.com/llvm/llvm-project/issues/55255
160	+ # - https://github.com/openssl/openssl/issues/18225
161	+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
162	+ # Don't remove the no strict aliasing bits below!
163	+ filter-flags -fstrict-aliasing
164	+ append-flags -fno-strict-aliasing
165	+
166	+ append-flags $(test-flags-CC -Wa,--noexecstack)
167	+
168	+ # bug #197996
169	+ unset APPS
170	+ # bug #312551
171	+ unset SCRIPTS
172	+ # bug #311473
173	+ unset CROSS_COMPILE
174	+
175	+ tc-export AR CC CXX RANLIB RC
176	+
177	+ multilib-minimal_src_configure
178	+}
179	+
180	+multilib_src_configure() {
181	+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
182	+
183	+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" \|\| echo "Heimdal")
184	+
185	+ # See if our toolchain supports __uint128_t. If so, it's 64bit
186	+ # friendly and can use the nicely optimized code paths, bug #460790.
187	+ #local ec_nistp_64_gcc_128
188	+ #
189	+ # Disable it for now though (bug #469976)
190	+ # Do NOT re-enable without substantial discussion first!
191	+ #
192	+ #echo "__uint128_t i;" > "${T}"/128.c
193	+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
194	+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
195	+ #fi
196	+
197	+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
198	+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
199	+
200	+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
201	+ local myeconfargs=(
202	+ ${sslout}
203	+
204	+ $(use cpu_flags_x86_sse2 \|\| echo "no-sse2")
205	+ enable-camellia
206	+ enable-ec
207	+ enable-ec2m
208	+ enable-sm2
209	+ enable-srp
210	+ $(use elibc_musl && echo "no-async")
211	+ enable-idea
212	+ enable-mdc2
213	+ enable-rc5
214	+ $(use fips && echo "enable-fips")
215	+ $(use_ssl asm)
216	+ $(use_ssl ktls)
217	+ $(use_ssl rfc3779)
218	+ $(use_ssl sctp)
219	+ $(use test \|\| echo "no-tests")
220	+ $(use_ssl tls-compression zlib)
221	+ $(use_ssl weak-ssl-ciphers)
222	+
223	+ --prefix="${EPREFIX}"/usr
224	+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
225	+ --libdir=$(get_libdir)
226	+
227	+ shared
228	+ threads
229	+ )
230	+
231	+ edo perl "${S}/Configure" "${myeconfargs[@]}"
232	+}
233	+
234	+multilib_src_compile() {
235	+ emake build_sw
236	+
237	+ if multilib_is_native_abi; then
238	+ emake build_docs
239	+ fi
240	+}
241	+
242	+multilib_src_test() {
243	+ # VFP = show subtests verbosely and show failed tests verbosely
244	+ # Normal V=1 would show everything verbosely but this slows things down.
245	+ emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
246	+}
247	+
248	+multilib_src_install() {
249	+ emake DESTDIR="${D}" install_sw
250	+ if use fips; then
251	+ emake DESTDIR="${D}" install_fips
252	+ # Regen this in pkg_preinst, bug 900625
253	+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf \|\| die
254	+ fi
255	+
256	+ if multilib_is_native_abi; then
257	+ emake DESTDIR="${D}" install_ssldirs
258	+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
259	+ fi
260	+
261	+ # This is crappy in that the static archives are still built even
262	+ # when USE=static-libs. But this is due to a failing in the openssl
263	+ # build system: the static archives are built as PIC all the time.
264	+ # Only way around this would be to manually configure+compile openssl
265	+ # twice; once with shared lib support enabled and once without.
266	+ if ! use static-libs ; then
267	+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a \|\| die
268	+ fi
269	+}
270	+
271	+multilib_src_install_all() {
272	+ # openssl installs perl version of c_rehash by default, but
273	+ # we provide a shell version via app-misc/c_rehash
274	+ rm "${ED}"/usr/bin/c_rehash \|\| die
275	+
276	+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
277	+
278	+ # Create the certs directory
279	+ keepdir ${SSL_CNF_DIR}/certs
280	+
281	+ # bug #254521
282	+ dodir /etc/sandbox.d
283	+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
284	+
285	+ diropts -m0700
286	+ keepdir ${SSL_CNF_DIR}/private
287	+}
288	+
289	+pkg_preinst() {
290	+ if use fips; then
291	+ # Regen fipsmodule.cnf, bug 900625
292	+ ebegin "Running openssl fipsinstall"
293	+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
294	+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
295	+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
296	+ eend $?
297	+ fi
298	+}
299	+
300	+pkg_postinst() {
301	+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
302	+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
303	+ eend $?
304	+}

Gentoo Archives: gentoo-commits