1 |
commit: 4abe2ab7c01d53b1eb4600c2ebf914eebf6e697d |
2 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Mar 14 19:47:49 2023 +0000 |
4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Mar 14 19:48:35 2023 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4abe2ab7 |
7 |
|
8 |
dev-libs/openssl: add 3.1.0 (unkeyworded) |
9 |
|
10 |
Briefly unkeyworded for some testing but I don't expect this to last long. |
11 |
|
12 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
13 |
|
14 |
dev-libs/openssl/Manifest | 2 + |
15 |
dev-libs/openssl/openssl-3.1.0.ebuild | 270 ++++++++++++++++++++++++++++++++++ |
16 |
2 files changed, 272 insertions(+) |
17 |
|
18 |
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest |
19 |
index f45d7d6c5109..46d864d06642 100644 |
20 |
--- a/dev-libs/openssl/Manifest |
21 |
+++ b/dev-libs/openssl/Manifest |
22 |
@@ -7,3 +7,5 @@ DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e85 |
23 |
DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b |
24 |
DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d |
25 |
DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6 |
26 |
+DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 SHA512 71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713 |
27 |
+DIST openssl-3.1.0.tar.gz.asc 488 BLAKE2B f4a844e3db2c2bdf42b6f811d16cc2077cacf713d20474d94e2d0180a6f97eadf4f03522e9fed478d263d680d88091dc2bc48e7ebb15d049bc57ee7ed64c7fbb SHA512 8d542e6471b745822d6cd889c5b168841b4366ee9a96edc2ab5b44fa1bd1b75308422aed312f1bd6e6a3c3e306eceaa95ce9bb4d0aa3e8ff86cb0fd92a7e61ea |
28 |
|
29 |
diff --git a/dev-libs/openssl/openssl-3.1.0.ebuild b/dev-libs/openssl/openssl-3.1.0.ebuild |
30 |
new file mode 100644 |
31 |
index 000000000000..802f9f3870be |
32 |
--- /dev/null |
33 |
+++ b/dev-libs/openssl/openssl-3.1.0.ebuild |
34 |
@@ -0,0 +1,270 @@ |
35 |
+# Copyright 1999-2023 Gentoo Authors |
36 |
+# Distributed under the terms of the GNU General Public License v2 |
37 |
+ |
38 |
+EAPI=8 |
39 |
+ |
40 |
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc |
41 |
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig |
42 |
+ |
43 |
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" |
44 |
+HOMEPAGE="https://www.openssl.org/" |
45 |
+ |
46 |
+MY_P=${P/_/-} |
47 |
+ |
48 |
+if [[ ${PV} == 9999 ]] ; then |
49 |
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git" |
50 |
+ |
51 |
+ inherit git-r3 |
52 |
+else |
53 |
+ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz |
54 |
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" |
55 |
+ #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" |
56 |
+fi |
57 |
+ |
58 |
+S="${WORKDIR}"/${MY_P} |
59 |
+ |
60 |
+LICENSE="Apache-2.0" |
61 |
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto |
62 |
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" |
63 |
+RESTRICT="!test? ( test )" |
64 |
+ |
65 |
+COMMON_DEPEND=" |
66 |
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) |
67 |
+" |
68 |
+BDEPEND=" |
69 |
+ >=dev-lang/perl-5 |
70 |
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 ) |
71 |
+ test? ( |
72 |
+ sys-apps/diffutils |
73 |
+ sys-devel/bc |
74 |
+ sys-process/procps |
75 |
+ ) |
76 |
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )" |
77 |
+ |
78 |
+DEPEND="${COMMON_DEPEND}" |
79 |
+RDEPEND="${COMMON_DEPEND}" |
80 |
+PDEPEND="app-misc/ca-certificates" |
81 |
+ |
82 |
+MULTILIB_WRAPPED_HEADERS=( |
83 |
+ /usr/include/openssl/configuration.h |
84 |
+) |
85 |
+ |
86 |
+PATCHES=( |
87 |
+ "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch |
88 |
+) |
89 |
+ |
90 |
+pkg_setup() { |
91 |
+ if use ktls ; then |
92 |
+ if kernel_is -lt 4 18 ; then |
93 |
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" |
94 |
+ else |
95 |
+ CONFIG_CHECK="~TLS ~TLS_DEVICE" |
96 |
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" |
97 |
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" |
98 |
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" |
99 |
+ |
100 |
+ linux-info_pkg_setup |
101 |
+ fi |
102 |
+ fi |
103 |
+ |
104 |
+ [[ ${MERGE_TYPE} == binary ]] && return |
105 |
+ |
106 |
+ # must check in pkg_setup; sysctl doesn't work with userpriv! |
107 |
+ if use test && use sctp ; then |
108 |
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" |
109 |
+ # if sctp.auth_enable is not enabled. |
110 |
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) |
111 |
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then |
112 |
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" |
113 |
+ fi |
114 |
+ fi |
115 |
+} |
116 |
+ |
117 |
+src_unpack() { |
118 |
+ # Can delete this once test fix patch is dropped |
119 |
+ if use verify-sig ; then |
120 |
+ # Needed for downloaded patch (which is unsigned, which is fine) |
121 |
+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc} |
122 |
+ fi |
123 |
+ |
124 |
+ default |
125 |
+} |
126 |
+ |
127 |
+src_prepare() { |
128 |
+ # Make sure we only ever touch Makefile.org and avoid patching a file |
129 |
+ # that gets blown away anyways by the Configure script in src_configure |
130 |
+ rm -f Makefile |
131 |
+ |
132 |
+ if ! use vanilla ; then |
133 |
+ PATCHES+=( |
134 |
+ # Add patches which are Gentoo-specific customisations here |
135 |
+ ) |
136 |
+ fi |
137 |
+ |
138 |
+ default |
139 |
+ |
140 |
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then |
141 |
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." |
142 |
+ rm test/recipes/80-test_ssl_new.t || die |
143 |
+ fi |
144 |
+} |
145 |
+ |
146 |
+src_configure() { |
147 |
+ # Keep this in sync with app-misc/c_rehash |
148 |
+ SSL_CNF_DIR="/etc/ssl" |
149 |
+ |
150 |
+ # Quiet out unknown driver argument warnings since openssl |
151 |
+ # doesn't have well-split CFLAGS and we're making it even worse |
152 |
+ # and 'make depend' uses -Werror for added fun (bug #417795 again) |
153 |
+ tc-is-clang && append-flags -Qunused-arguments |
154 |
+ |
155 |
+ # We really, really need to build OpenSSL w/ strict aliasing disabled. |
156 |
+ # It's filled with violations and it *will* result in miscompiled |
157 |
+ # code. This has been in the ebuild for > 10 years but even in 2022, |
158 |
+ # it's still relevant: |
159 |
+ # - https://github.com/llvm/llvm-project/issues/55255 |
160 |
+ # - https://github.com/openssl/openssl/issues/18225 |
161 |
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 |
162 |
+ # Don't remove the no strict aliasing bits below! |
163 |
+ filter-flags -fstrict-aliasing |
164 |
+ append-flags -fno-strict-aliasing |
165 |
+ |
166 |
+ append-flags $(test-flags-CC -Wa,--noexecstack) |
167 |
+ |
168 |
+ # bug #197996 |
169 |
+ unset APPS |
170 |
+ # bug #312551 |
171 |
+ unset SCRIPTS |
172 |
+ # bug #311473 |
173 |
+ unset CROSS_COMPILE |
174 |
+ |
175 |
+ tc-export AR CC CXX RANLIB RC |
176 |
+ |
177 |
+ multilib-minimal_src_configure |
178 |
+} |
179 |
+ |
180 |
+multilib_src_configure() { |
181 |
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } |
182 |
+ |
183 |
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") |
184 |
+ |
185 |
+ # See if our toolchain supports __uint128_t. If so, it's 64bit |
186 |
+ # friendly and can use the nicely optimized code paths, bug #460790. |
187 |
+ #local ec_nistp_64_gcc_128 |
188 |
+ # |
189 |
+ # Disable it for now though (bug #469976) |
190 |
+ # Do NOT re-enable without substantial discussion first! |
191 |
+ # |
192 |
+ #echo "__uint128_t i;" > "${T}"/128.c |
193 |
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then |
194 |
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" |
195 |
+ #fi |
196 |
+ |
197 |
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") |
198 |
+ einfo "Using configuration: ${sslout:-(openssl knows best)}" |
199 |
+ |
200 |
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features |
201 |
+ local myeconfargs=( |
202 |
+ ${sslout} |
203 |
+ |
204 |
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") |
205 |
+ enable-camellia |
206 |
+ enable-ec |
207 |
+ enable-ec2m |
208 |
+ enable-sm2 |
209 |
+ enable-srp |
210 |
+ $(use elibc_musl && echo "no-async") |
211 |
+ enable-idea |
212 |
+ enable-mdc2 |
213 |
+ enable-rc5 |
214 |
+ $(use fips && echo "enable-fips") |
215 |
+ $(use_ssl asm) |
216 |
+ $(use_ssl ktls) |
217 |
+ $(use_ssl rfc3779) |
218 |
+ $(use_ssl sctp) |
219 |
+ $(use test || echo "no-tests") |
220 |
+ $(use_ssl tls-compression zlib) |
221 |
+ $(use_ssl weak-ssl-ciphers) |
222 |
+ |
223 |
+ --prefix="${EPREFIX}"/usr |
224 |
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} |
225 |
+ --libdir=$(get_libdir) |
226 |
+ |
227 |
+ shared |
228 |
+ threads |
229 |
+ ) |
230 |
+ |
231 |
+ edo perl "${S}/Configure" "${myeconfargs[@]}" |
232 |
+} |
233 |
+ |
234 |
+multilib_src_compile() { |
235 |
+ emake build_sw |
236 |
+ |
237 |
+ if multilib_is_native_abi; then |
238 |
+ emake build_docs |
239 |
+ fi |
240 |
+} |
241 |
+ |
242 |
+multilib_src_test() { |
243 |
+ # VFP = show subtests verbosely and show failed tests verbosely |
244 |
+ # Normal V=1 would show everything verbosely but this slows things down. |
245 |
+ emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test |
246 |
+} |
247 |
+ |
248 |
+multilib_src_install() { |
249 |
+ emake DESTDIR="${D}" install_sw |
250 |
+ if use fips; then |
251 |
+ emake DESTDIR="${D}" install_fips |
252 |
+ # Regen this in pkg_preinst, bug 900625 |
253 |
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die |
254 |
+ fi |
255 |
+ |
256 |
+ if multilib_is_native_abi; then |
257 |
+ emake DESTDIR="${D}" install_ssldirs |
258 |
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs |
259 |
+ fi |
260 |
+ |
261 |
+ # This is crappy in that the static archives are still built even |
262 |
+ # when USE=static-libs. But this is due to a failing in the openssl |
263 |
+ # build system: the static archives are built as PIC all the time. |
264 |
+ # Only way around this would be to manually configure+compile openssl |
265 |
+ # twice; once with shared lib support enabled and once without. |
266 |
+ if ! use static-libs ; then |
267 |
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die |
268 |
+ fi |
269 |
+} |
270 |
+ |
271 |
+multilib_src_install_all() { |
272 |
+ # openssl installs perl version of c_rehash by default, but |
273 |
+ # we provide a shell version via app-misc/c_rehash |
274 |
+ rm "${ED}"/usr/bin/c_rehash || die |
275 |
+ |
276 |
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el |
277 |
+ |
278 |
+ # Create the certs directory |
279 |
+ keepdir ${SSL_CNF_DIR}/certs |
280 |
+ |
281 |
+ # bug #254521 |
282 |
+ dodir /etc/sandbox.d |
283 |
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl |
284 |
+ |
285 |
+ diropts -m0700 |
286 |
+ keepdir ${SSL_CNF_DIR}/private |
287 |
+} |
288 |
+ |
289 |
+pkg_preinst() { |
290 |
+ if use fips; then |
291 |
+ # Regen fipsmodule.cnf, bug 900625 |
292 |
+ ebegin "Running openssl fipsinstall" |
293 |
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \ |
294 |
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ |
295 |
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" |
296 |
+ eend $? |
297 |
+ fi |
298 |
+} |
299 |
+ |
300 |
+pkg_postinst() { |
301 |
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" |
302 |
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" |
303 |
+ eend $? |
304 |
+} |