
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date: Tue, 31 Mar 2020 14:05:19
Message-Id: 1585663505.0577a74dfa8c5a293c5004bf80b6f0b3d0f6bb51.whissi@gentoo
1 commit: 0577a74dfa8c5a293c5004bf80b6f0b3d0f6bb51
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Tue Mar 31 14:03:30 2020 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Tue Mar 31 14:05:05 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0577a74d
7
8 dev-libs/openssl: bump to v1.1.1f
9
10 Package-Manager: Portage-2.3.96, Repoman-2.3.22
11 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
12
13 dev-libs/openssl/Manifest | 1 +
14 dev-libs/openssl/openssl-1.1.1f.ebuild | 324 +++++++++++++++++++++++++++++++++
15 2 files changed, 325 insertions(+)
16
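--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -7,3 +7,4 @@ DIST openssl-1.1.1d-bindist-1.0.tar.xz 13180 BLAKE2B 680bd7400d3dd3930067ee7efa9
 DIST openssl-1.1.1d.tar.gz 8845861 BLAKE2B d3155f07b487ebd8dd4fe25396c874f9af18b5cfd7e622298d29c4f2c8ce14ad4534609d321314a4bcd0d44414e1306190340daaacd3c8fca061c04498446244 SHA512 2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7
 DIST openssl-1.1.1e-bindist-1.0.tar.xz 16948 BLAKE2B 78e034f1d263cbf5e57c92393f72acd07e86e39a5511a8852bad151371430954e07d787fd82cca55b373d1579bb22b9d29c9d677104ed68291a9d2dffe3ffbbb SHA512 0dbfb378b8f2724db82915e17fd4e43977e3e45030db25cdb9241c0ab842e41ef3d597ef71c4db5103635752dc2059ea6022597511a440f55fb56a5a52d3ccea
 DIST openssl-1.1.1e.tar.gz 9792634 BLAKE2B d8731ece2f0929fdb71c324480128e182e41bda1b9ef32b9a0ff2d7a1120ad45d918ee6162fbf038bb7459cfad283307d5bc85777fe75fd7b3c11ebab8cfe3ec SHA512 dbc2124f6ce9f1927e2f5e03101ed565d4e52ef09d620200f5cd9372c88c65dd7d74b24b31a8bf404713a5adfab80e0c3b25bf538c52702c4c3af1d80aef16c2
+DIST openssl-1.1.1f.tar.gz 9792828 BLAKE2B eba30dd12772cd714666ed8e5371e068623d8bfd4ff45863d10e82c65551654508a27f22f7ef1edadb543ab56f3c4c40ac3bcad665c667eb06ee90c69b24782e SHA512 b00bd9b5ad5298fbceeec6bb19c1ab0c106ca5cfb31178497c58bf7e0e0cf30fcc19c20f84e23af31cc126bf2447d3e4f8461db97bafa7bd78f69561932f000c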
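--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1f.ebuild
@@ -0,0 +1,324 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+
+# This patch set is based on the following files from Fedora 31,
+# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
+# for more details:
+# - hobble-openssl (SOURCE1)
+# - ec_curve.c (SOURCE12) -- MODIFIED
+# - ectest.c (SOURCE13)
+# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
+BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz"
+
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+ bindist? (
+ mirror://gentoo/${BINDIST_PATCH_SET}
+ https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
+ )"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+[[ "${PV}" = *_pre* ]] || \
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )
+ !test? ( test )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ sys-process/procps
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+)
+
+S="${WORKDIR}/${MY_P}"
+
+# force upgrade to prevent broken login, bug 696950
+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+pkg_setup() {
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl don't work with userpriv!
+ if has test ${FEATURES} && use sctp; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_prepare() {
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config || die
+
+ if use bindist; then
+ mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
+ bash "${WORKDIR}"/hobble-openssl || die
+
+ cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
+ cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
+
+ eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
+
+ local known_failing_test
+ for known_failing_test in \
+ 30-test_evp_extra.t \
+ 80-test_ssl_new.t \
+ ; do
+ ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
+ rm test/recipes/${known_failing_test} || die
+ eend $?
+ done
+
+ # Also see the configure parts below:
+ # enable-ec \
+ # $(use_ssl !bindist ec2m) \
+ fi
+
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
+ [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
+ fi
+ fi
+
+ eapply_user #332661
+
+ if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
+ ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
+ rm test/recipes/80-test_ssl_new.t || die
+ eend $?
+ fi
+
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ # Make DOCDIR Gentoo compliant
+ sed -i \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+ Configurations/unix-Makefile.tmpl \
+ || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ # Prefixify Configure shebang (#141906)
+ sed \
+ -e "1s,/usr/bin/env,${EPREFIX}&," \
+ -i Configure || die
+ # Remove test target when FEATURES=test isn't set
+ if ! use test ; then
+ sed \
+ -e '/^$config{dirs}/s@ "test",@@' \
+ -i Configure || die
+ fi
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired https://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ # Fedora hobbled-EC needs 'no-ec2m'
+ # 'srp' was restricted until early 2017 as well.
+ # "disable-deprecated" option breaks too many consumers.
+ # Don't set it without thorough revdeps testing.
+ # Make sure user flags don't get added *yet* to avoid duplicated
+ # flags.
+ CFLAGS= LDFLAGS= echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ enable-ec \
+ $(use_ssl !bindist ec2m) \
+ enable-srp \
+ $(use elibc_musl && echo "no-async") \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ $(use_ssl sslv3 ssl3) \
+ $(use_ssl sslv3 ssl3-method) \
+ $(use_ssl asm) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAGS=::' \
+ -e 's:\(^\| \)-fomit-frame-pointer::g' \
+ -e 's:\(^\| \)-O[^ ]*::g' \
+ -e 's:\(^\| \)-march=[^ ]*::g' \
+ -e 's:\(^\| \)-mcpu=[^ ]*::g' \
+ -e 's:\(^\| \)-m[^ ]*::g' \
+ -e 's:^ *::' \
+ -e 's: *$::' \
+ -e 's: \+: :g' \
+ -e 's:\\:\\\\:g'
+ )
+
+ # Now insert clean default flags with user flags
+ sed -i \
+ -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+ -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ # We need to create $ED/usr on our own to avoid a race condition #665130
+ if [[ ! -d "${ED}/usr" ]]; then
+ # We can only create this directory once
+ mkdir "${ED}"/usr || die
+ fi
+
+ emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man || die
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ # We don't want to "|| die" here
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+}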
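Review bot: The comment block in multilib_src_configure that opens with `# Clean out patent-or-otherwise-encumbered code` contradicts the Configure call below it, which passes `enable-idea`, `enable-mdc2` and `enable-rc5` unconditionally. These legacy algorithms are therefore compiled into every build, whereas SSLv3 and heartbeats are at least gated behind the `sslv3` and `tls-heartbeat` USE flags, which IUSE does not enable by default. I would reword the comment to state the intent, for example `# Legacy algorithms below are enabled on purpose for consumer compatibility; patent status listed for reference`, so a later reader does not assume they are being stripped. Separately, the sed call in src_prepare uses `has noman FEATURES`, which tests the literal word FEATURES rather than the variable, so the `install_docs` branch can never be taken. It should read `has noman ${FEATURES}`, matching the `has test ${FEATURES}` calls elsewhere in the file.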