1 |
commit: ed94450ee6c76aad055c5db84c02ea392650662b |
2 |
Author: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu Feb 8 18:04:19 2018 +0000 |
4 |
Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Feb 8 18:04:19 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=ed94450e |
7 |
|
8 |
dev-libs/openssl: sync, bug #647006 |
9 |
|
10 |
Closes: https://bugs.gentoo.org/647006 |
11 |
Package-Manager: Portage-2.3.18-prefix, Repoman-2.3.6 |
12 |
|
13 |
dev-libs/openssl/Manifest | 11 +- |
14 |
.../files/openssl-1.1.0g-CVE-2017-3738.patch | 77 ++++++ |
15 |
dev-libs/openssl/openssl-1.0.2k.ebuild | 267 --------------------- |
16 |
...openssl-1.0.2l.ebuild => openssl-1.0.2n.ebuild} | 36 ++- |
17 |
...nssl-1.1.0f.ebuild => openssl-1.1.0g-r2.ebuild} | 56 ++++- |
18 |
5 files changed, 151 insertions(+), 296 deletions(-) |
19 |
|
20 |
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest |
21 |
index b15d822eca..aa1b1accb1 100644 |
22 |
--- a/dev-libs/openssl/Manifest |
23 |
+++ b/dev-libs/openssl/Manifest |
24 |
@@ -1,3 +1,8 @@ |
25 |
-DIST openssl-1.0.2k.tar.gz 5309236 BLAKE2B 97069b9c7aaab2381ae5be989caff6907cd44ab1831d84685c3421ad985889a2bbc3a462decdff9c4c158ace96975de2b9e49e4f1b9f306990c3dc0f03767dad SHA512 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016 |
26 |
-DIST openssl-1.0.2l.tar.gz 5365054 BLAKE2B 0a459a93a0013269dea79bd6df96a434b9dad95b6d98b24a48bc1b1438415c0a8de01b67166ac13a73ae65fb64131568924c3e6f945d862b7e960f05332cf097 SHA512 047d964508ad6025c79caabd8965efd2416dc026a56183d0ef4de7a0a6769ce8e0b4608a3f8393d326f6d03b26a2b067e6e0c750f35b20be190e595e8290c0e3 |
27 |
-DIST openssl-1.1.0f.tar.gz 5278176 SHA256 12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765 SHA512 340ab3f38c90dea346e543b58bc0eff0adede15be212ad20b7cf38718a7f94fab51996da414855c180540f7488b8bd31d8b9a0d04bb19159f735c46d8f6df22c WHIRLPOOL bb4ce1d100c5eb567de0139e4a1c0a2bb1cd308bd014704d6bb796d3fcfc16b91fe69839068944831746e0b937a6ccb234b5cea3b4911fab4283500ed380f0b6 |
28 |
+DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d SHA512 15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9 |
29 |
+DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894 SHA512 144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687 |
30 |
+DIST openssl-1.1.0-build.patch 3028 BLAKE2B f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0 |
31 |
+DIST openssl-1.1.0-ec-curves.patch 2967 BLAKE2B 1c639514445ea85cf731732aa7901b5a03ddb5f637b0483ab2ec6825433ad978723c5a07316db684bdaca4a12fc673b4e049a49c0cd4dbe5f25a5e2bd3b75cf5 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2 |
32 |
+DIST openssl-1.1.0g.tar.gz 5404748 BLAKE2B 23daf80e4143aad4654ae86f8e96042dd7328a9d1186b4922e284fcfe0f68259ea12d21c4472d92d65a7fcef21e049cf9371cc9bdad11b66a3df11286418ed42 SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a |
33 |
+DIST openssl-1.1.0g_ec_curve.c 18393 BLAKE2B 49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2beeeea15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 |
34 |
+DIST openssl-1.1.0g_ectest.c 29907 BLAKE2B 73dc800c1de5449f14d7753f7f7b8e672cd36bd4570e6df07f246d1d823c7dbbeef492f25cdd0ebfd693f5956732bc84c9d91fc6a22c854fe4b245ecf3890bda SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae |
35 |
+DIST openssl-1.1.0g_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 |
36 |
|
37 |
diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch |
38 |
new file mode 100644 |
39 |
index 0000000000..4b01feb8e8 |
40 |
--- /dev/null |
41 |
+++ b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch |
42 |
@@ -0,0 +1,77 @@ |
43 |
+From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001 |
44 |
+From: Andy Polyakov <appro@×××××××.org> |
45 |
+Date: Fri, 24 Nov 2017 11:35:50 +0100 |
46 |
+Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in |
47 |
+ rsaz_1024_mul_avx2. |
48 |
+ |
49 |
+Credit to OSS-Fuzz for finding this. |
50 |
+ |
51 |
+CVE-2017-3738 |
52 |
+ |
53 |
+Reviewed-by: Rich Salz <rsalz@×××××××.org> |
54 |
+--- |
55 |
+ crypto/bn/asm/rsaz-avx2.pl | 15 +++++++-------- |
56 |
+ 1 file changed, 7 insertions(+), 8 deletions(-) |
57 |
+ |
58 |
+diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl |
59 |
+index 0c1b236ef98..46d746b7d0e 100755 |
60 |
+--- a/crypto/bn/asm/rsaz-avx2.pl |
61 |
++++ b/crypto/bn/asm/rsaz-avx2.pl |
62 |
+@@ -246,7 +246,7 @@ |
63 |
+ vmovdqu 32*8-128($ap), $ACC8 |
64 |
+ |
65 |
+ lea 192(%rsp), $tp0 # 64+128=192 |
66 |
+- vpbroadcastq .Land_mask(%rip), $AND_MASK |
67 |
++ vmovdqu .Land_mask(%rip), $AND_MASK |
68 |
+ jmp .LOOP_GRANDE_SQR_1024 |
69 |
+ |
70 |
+ .align 32 |
71 |
+@@ -1077,10 +1077,10 @@ |
72 |
+ vpmuludq 32*6-128($np),$Yi,$TEMP1 |
73 |
+ vpaddq $TEMP1,$ACC6,$ACC6 |
74 |
+ vpmuludq 32*7-128($np),$Yi,$TEMP2 |
75 |
+- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3 |
76 |
++ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3 |
77 |
+ vpaddq $TEMP2,$ACC7,$ACC7 |
78 |
+ vpmuludq 32*8-128($np),$Yi,$TEMP0 |
79 |
+- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3 |
80 |
++ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3 |
81 |
+ vpaddq $TEMP0,$ACC8,$ACC8 |
82 |
+ |
83 |
+ mov %rbx, %rax |
84 |
+@@ -1093,7 +1093,9 @@ |
85 |
+ vmovdqu -8+32*2-128($ap),$TEMP2 |
86 |
+ |
87 |
+ mov $r1, %rax |
88 |
++ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3 |
89 |
+ imull $n0, %eax |
90 |
++ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3 |
91 |
+ and \$0x1fffffff, %eax |
92 |
+ |
93 |
+ imulq 16-128($ap),%rbx |
94 |
+@@ -1329,15 +1331,12 @@ |
95 |
+ # But as we underutilize resources, it's possible to correct in |
96 |
+ # each iteration with marginal performance loss. But then, as |
97 |
+ # we do it in each iteration, we can correct less digits, and |
98 |
+-# avoid performance penalties completely. Also note that we |
99 |
+-# correct only three digits out of four. This works because |
100 |
+-# most significant digit is subjected to less additions. |
101 |
++# avoid performance penalties completely. |
102 |
+ |
103 |
+ $TEMP0 = $ACC9; |
104 |
+ $TEMP3 = $Bi; |
105 |
+ $TEMP4 = $Yi; |
106 |
+ $code.=<<___; |
107 |
+- vpermq \$0, $AND_MASK, $AND_MASK |
108 |
+ vpaddq (%rsp), $TEMP1, $ACC0 |
109 |
+ |
110 |
+ vpsrlq \$29, $ACC0, $TEMP1 |
111 |
+@@ -1770,7 +1769,7 @@ |
112 |
+ |
113 |
+ .align 64 |
114 |
+ .Land_mask: |
115 |
+- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1 |
116 |
++ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff |
117 |
+ .Lscatter_permd: |
118 |
+ .long 0,2,4,6,7,7,7,7 |
119 |
+ .Lgather_permd: |
120 |
|
121 |
diff --git a/dev-libs/openssl/openssl-1.0.2k.ebuild b/dev-libs/openssl/openssl-1.0.2k.ebuild |
122 |
deleted file mode 100644 |
123 |
index d512d107f2..0000000000 |
124 |
--- a/dev-libs/openssl/openssl-1.0.2k.ebuild |
125 |
+++ /dev/null |
126 |
@@ -1,267 +0,0 @@ |
127 |
-# Copyright 1999-2017 Gentoo Foundation |
128 |
-# Distributed under the terms of the GNU General Public License v2 |
129 |
- |
130 |
-EAPI="5" |
131 |
- |
132 |
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal |
133 |
- |
134 |
-MY_P=${P/_/-} |
135 |
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" |
136 |
-HOMEPAGE="http://www.openssl.org/" |
137 |
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" |
138 |
- |
139 |
-LICENSE="openssl" |
140 |
-SLOT="0" |
141 |
-KEYWORDS="~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" |
142 |
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib" |
143 |
-RESTRICT="!bindist? ( bindist )" |
144 |
- |
145 |
-RDEPEND=">=app-misc/c_rehash-1.7-r1 |
146 |
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) |
147 |
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) |
148 |
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )" |
149 |
-DEPEND="${RDEPEND} |
150 |
- >=dev-lang/perl-5 |
151 |
- sctp? ( >=net-misc/lksctp-tools-1.0.12 ) |
152 |
- test? ( |
153 |
- sys-apps/diffutils |
154 |
- sys-devel/bc |
155 |
- )" |
156 |
-PDEPEND="app-misc/ca-certificates" |
157 |
- |
158 |
-S="${WORKDIR}/${MY_P}" |
159 |
- |
160 |
-MULTILIB_WRAPPED_HEADERS=( |
161 |
- usr/include/openssl/opensslconf.h |
162 |
-) |
163 |
- |
164 |
-src_prepare() { |
165 |
- # keep this in sync with app-misc/c_rehash |
166 |
- SSL_CNF_DIR="/etc/ssl" |
167 |
- |
168 |
- # Make sure we only ever touch Makefile.org and avoid patching a file |
169 |
- # that gets blown away anyways by the Configure script in src_configure |
170 |
- rm -f Makefile |
171 |
- |
172 |
- if ! use vanilla ; then |
173 |
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421 |
174 |
- epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch |
175 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch |
176 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch |
177 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028 |
178 |
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch |
179 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 |
180 |
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338 |
181 |
- |
182 |
- epatch_user #332661 |
183 |
- |
184 |
- # Solaris /bin/sh does not support "[ -e file ]", added by patches |
185 |
- sed -e 's/\[ -e /\[ -r /' -i Makefile.shared |
186 |
- fi |
187 |
- |
188 |
- # disable fips in the build |
189 |
- # make sure the man pages are suffixed #302165 |
190 |
- # don't bother building man pages if they're disabled |
191 |
- sed -i \ |
192 |
- -e '/DIRS/s: fips : :g' \ |
193 |
- -e '/^MANSUFFIX/s:=.*:=ssl:' \ |
194 |
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ |
195 |
- -e $(has noman FEATURES \ |
196 |
- && echo '/^install:/s:install_docs::' \ |
197 |
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ |
198 |
- Makefile.org \ |
199 |
- || die |
200 |
- # show the actual commands in the log |
201 |
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared |
202 |
- |
203 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-aix-soname.patch # like libtool |
204 |
- epatch "${FILESDIR}"/${PN}-0.9.8g-engines-installnames.patch |
205 |
- epatch "${FILESDIR}"/${PN}-1.0.0b-darwin-bundle-compile-fix.patch |
206 |
- epatch "${FILESDIR}"/${PN}-1.0.2-gethostbyname2-solaris.patch |
207 |
- |
208 |
- # remove -arch for Darwin |
209 |
- sed -i '/^"darwin/s,-arch [^ ]\+,,g' Configure || die |
210 |
- |
211 |
- # since we're forcing $(CC) as makedep anyway, just fix |
212 |
- # the conditional as always-on |
213 |
- # helps clang (#417795), and versioned gcc (#499818) |
214 |
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die |
215 |
- |
216 |
- # quiet out unknown driver argument warnings since openssl |
217 |
- # doesn't have well-split CFLAGS and we're making it even worse |
218 |
- # and 'make depend' uses -Werror for added fun (#417795 again) |
219 |
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments |
220 |
- |
221 |
- # allow openssl to be cross-compiled |
222 |
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die |
223 |
- chmod a+rx gentoo.config |
224 |
- |
225 |
- append-flags -fno-strict-aliasing |
226 |
- append-flags $(test-flags-CC -Wa,--noexecstack) |
227 |
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS |
228 |
- |
229 |
- use prefix-chain && sed -i '1s,^:$,#!/usr/bin/env perl,' Configure #141906 |
230 |
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 |
231 |
- # The config script does stupid stuff to prompt the user. Kill it. |
232 |
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die |
233 |
- ./config --test-sanity || die "I AM NOT SANE" |
234 |
- |
235 |
- multilib_copy_sources |
236 |
-} |
237 |
- |
238 |
-multilib_src_configure() { |
239 |
- unset APPS #197996 |
240 |
- unset SCRIPTS #312551 |
241 |
- unset CROSS_COMPILE #311473 |
242 |
- |
243 |
- tc-export CC AR RANLIB RC |
244 |
- |
245 |
- # Clean out patent-or-otherwise-encumbered code |
246 |
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) |
247 |
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm |
248 |
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography |
249 |
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 |
250 |
- # RC5: Expired http://en.wikipedia.org/wiki/RC5 |
251 |
- |
252 |
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } |
253 |
- echoit() { echo "$@" ; "$@" ; } |
254 |
- |
255 |
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") |
256 |
- |
257 |
- # See if our toolchain supports __uint128_t. If so, it's 64bit |
258 |
- # friendly and can use the nicely optimized code paths. #460790 |
259 |
- local ec_nistp_64_gcc_128 |
260 |
- # Disable it for now though #469976 |
261 |
- #if ! use bindist ; then |
262 |
- # echo "__uint128_t i;" > "${T}"/128.c |
263 |
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then |
264 |
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" |
265 |
- # fi |
266 |
- #fi |
267 |
- |
268 |
- # https://github.com/openssl/openssl/issues/2286 |
269 |
- if use ia64 ; then |
270 |
- replace-flags -g3 -g2 |
271 |
- replace-flags -ggdb3 -ggdb2 |
272 |
- fi |
273 |
- |
274 |
- local sslout=$(./gentoo.config) |
275 |
- einfo "Use configuration ${sslout:-(openssl knows best)}" |
276 |
- local config="Configure" |
277 |
- [[ -z ${sslout} ]] && config="config" |
278 |
- |
279 |
- echoit \ |
280 |
- ./${config} \ |
281 |
- ${sslout} \ |
282 |
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \ |
283 |
- enable-camellia \ |
284 |
- $(use_ssl !bindist ec) \ |
285 |
- ${ec_nistp_64_gcc_128} \ |
286 |
- enable-idea \ |
287 |
- enable-mdc2 \ |
288 |
- enable-rc5 \ |
289 |
- enable-tlsext \ |
290 |
- $(use_ssl asm) \ |
291 |
- $(use_ssl gmp gmp -lgmp) \ |
292 |
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ |
293 |
- $(use_ssl rfc3779) \ |
294 |
- $(use_ssl sctp) \ |
295 |
- $(use_ssl sslv2 ssl2) \ |
296 |
- $(use_ssl sslv3 ssl3) \ |
297 |
- $(use_ssl tls-heartbeat heartbeats) \ |
298 |
- $(use_ssl zlib) \ |
299 |
- --prefix="${EPREFIX}"/usr \ |
300 |
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \ |
301 |
- --libdir=$(get_libdir) \ |
302 |
- shared threads \ |
303 |
- || die |
304 |
- |
305 |
- # Clean out hardcoded flags that openssl uses |
306 |
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ |
307 |
- -e 's:^CFLAG=::' \ |
308 |
- -e 's:-fomit-frame-pointer ::g' \ |
309 |
- -e 's:-O[0-9] ::g' \ |
310 |
- -e 's:-march=[-a-z0-9]* ::g' \ |
311 |
- -e 's:-mcpu=[-a-z0-9]* ::g' \ |
312 |
- -e 's:-m[a-z0-9]* ::g' \ |
313 |
- ) |
314 |
- sed -i \ |
315 |
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \ |
316 |
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \ |
317 |
- Makefile || die |
318 |
-} |
319 |
- |
320 |
-multilib_src_compile() { |
321 |
- # depend is needed to use $confopts; it also doesn't matter |
322 |
- # that it's -j1 as the code itself serializes subdirs |
323 |
- emake -j1 depend |
324 |
- emake all |
325 |
- # rehash is needed to prep the certs/ dir; do this |
326 |
- # separately to avoid parallel build issues. |
327 |
- emake rehash |
328 |
-} |
329 |
- |
330 |
-multilib_src_test() { |
331 |
- emake -j1 test |
332 |
-} |
333 |
- |
334 |
-multilib_src_install() { |
335 |
- emake INSTALL_PREFIX="${D}" install |
336 |
-} |
337 |
- |
338 |
-multilib_src_install_all() { |
339 |
- # openssl installs perl version of c_rehash by default, but |
340 |
- # we provide a shell version via app-misc/c_rehash |
341 |
- rm "${ED}"/usr/bin/c_rehash || die |
342 |
- |
343 |
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el |
344 |
- dohtml -r doc/* |
345 |
- use rfc3779 && dodoc engines/ccgost/README.gost |
346 |
- |
347 |
- # This is crappy in that the static archives are still built even |
348 |
- # when USE=static-libs. But this is due to a failing in the openssl |
349 |
- # build system: the static archives are built as PIC all the time. |
350 |
- # Only way around this would be to manually configure+compile openssl |
351 |
- # twice; once with shared lib support enabled and once without. |
352 |
- use static-libs || find "${ED}"usr/lib* -mindepth 1 -maxdepth 1 \ |
353 |
- -name "lib*.a" -not -name "lib*$(get_libname)" -delete |
354 |
- |
355 |
- # create the certs directory |
356 |
- dodir ${SSL_CNF_DIR}/certs |
357 |
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die |
358 |
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired} |
359 |
- |
360 |
- # Namespace openssl programs to prevent conflicts with other man pages |
361 |
- cd "${ED}"/usr/share/man |
362 |
- local m d s |
363 |
- for m in $(find . -type f | xargs grep -L '#include') ; do |
364 |
- d=${m%/*} ; d=${d#./} ; m=${m##*/} |
365 |
- [[ ${m} == openssl.1* ]] && continue |
366 |
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" |
367 |
- mv ${d}/{,ssl-}${m} |
368 |
- # fix up references to renamed man pages |
369 |
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} |
370 |
- ln -s ssl-${m} ${d}/openssl-${m} |
371 |
- # locate any symlinks that point to this man page ... we assume |
372 |
- # that any broken links are due to the above renaming |
373 |
- for s in $(find -L ${d} -type l) ; do |
374 |
- s=${s##*/} |
375 |
- rm -f ${d}/${s} |
376 |
- ln -s ssl-${m} ${d}/ssl-${s} |
377 |
- ln -s ssl-${s} ${d}/openssl-${s} |
378 |
- done |
379 |
- done |
380 |
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" |
381 |
- |
382 |
- dodir /etc/sandbox.d #254521 |
383 |
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl |
384 |
- |
385 |
- diropts -m0700 |
386 |
- keepdir ${SSL_CNF_DIR}/private |
387 |
-} |
388 |
- |
389 |
-pkg_postinst() { |
390 |
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069" |
391 |
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null |
392 |
- eend $? |
393 |
-} |
394 |
|
395 |
diff --git a/dev-libs/openssl/openssl-1.0.2l.ebuild b/dev-libs/openssl/openssl-1.0.2n.ebuild |
396 |
similarity index 90% |
397 |
rename from dev-libs/openssl/openssl-1.0.2l.ebuild |
398 |
rename to dev-libs/openssl/openssl-1.0.2n.ebuild |
399 |
index 21850a7d25..b797b4284c 100644 |
400 |
--- a/dev-libs/openssl/openssl-1.0.2l.ebuild |
401 |
+++ b/dev-libs/openssl/openssl-1.0.2n.ebuild |
402 |
@@ -1,14 +1,17 @@ |
403 |
# Copyright 1999-2018 Gentoo Foundation |
404 |
# Distributed under the terms of the GNU General Public License v2 |
405 |
|
406 |
-EAPI="5" |
407 |
+EAPI="6" |
408 |
|
409 |
inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal |
410 |
|
411 |
+PATCH_SET="openssl-1.0.2-patches-1.0" |
412 |
MY_P=${P/_/-} |
413 |
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" |
414 |
-HOMEPAGE="http://www.openssl.org/" |
415 |
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" |
416 |
+HOMEPAGE="https://www.openssl.org/" |
417 |
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz |
418 |
+ mirror://gentoo/${PATCH_SET}.tar.xz |
419 |
+ https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz" |
420 |
|
421 |
LICENSE="openssl" |
422 |
SLOT="0" |
423 |
@@ -44,21 +47,14 @@ src_prepare() { |
424 |
rm -f Makefile |
425 |
|
426 |
if ! use vanilla ; then |
427 |
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421 |
428 |
- epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch |
429 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch |
430 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch |
431 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028 |
432 |
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch |
433 |
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 |
434 |
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338 |
435 |
- |
436 |
- epatch_user #332661 |
437 |
- |
438 |
- # Solaris /bin/sh does not support "[ -e file ]", added by patches |
439 |
- sed -e 's/\[ -e /\[ -r /' -i Makefile.shared |
440 |
+ eapply "${WORKDIR}"/patch/*.patch |
441 |
fi |
442 |
|
443 |
+ eapply_user |
444 |
+ |
445 |
+ # Solaris /bin/sh does not support "[ -e file ]", added by patches |
446 |
+ sed -e 's/\[ -e /\[ -r /' -i Makefile.shared |
447 |
+ |
448 |
# disable fips in the build |
449 |
# make sure the man pages are suffixed #302165 |
450 |
# don't bother building man pages if they're disabled |
451 |
@@ -96,13 +92,12 @@ src_prepare() { |
452 |
|
453 |
# allow openssl to be cross-compiled |
454 |
cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die |
455 |
- chmod a+rx gentoo.config |
456 |
+ chmod a+rx gentoo.config || die |
457 |
|
458 |
append-flags -fno-strict-aliasing |
459 |
append-flags $(test-flags-CC -Wa,--noexecstack) |
460 |
append-cppflags -DOPENSSL_NO_BUF_FREELISTS |
461 |
|
462 |
- use prefix-chain && sed -i '1s,^:$,#!/usr/bin/env perl,' Configure #141906 |
463 |
sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 |
464 |
# The config script does stupid stuff to prompt the user. Kill it. |
465 |
sed -i '/stty -icanon min 0 time 50; read waste/d' config || die |
466 |
@@ -216,8 +211,9 @@ multilib_src_install_all() { |
467 |
# we provide a shell version via app-misc/c_rehash |
468 |
rm "${ED}"/usr/bin/c_rehash || die |
469 |
|
470 |
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el |
471 |
- dohtml -r doc/* |
472 |
+ local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el ) |
473 |
+ einstalldocs |
474 |
+ |
475 |
use rfc3779 && dodoc engines/ccgost/README.gost |
476 |
|
477 |
# This is crappy in that the static archives are still built even |
478 |
|
479 |
diff --git a/dev-libs/openssl/openssl-1.1.0f.ebuild b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild |
480 |
similarity index 80% |
481 |
rename from dev-libs/openssl/openssl-1.1.0f.ebuild |
482 |
rename to dev-libs/openssl/openssl-1.1.0g-r2.ebuild |
483 |
index 2ae77799e5..6401834253 100644 |
484 |
--- a/dev-libs/openssl/openssl-1.1.0f.ebuild |
485 |
+++ b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild |
486 |
@@ -1,7 +1,7 @@ |
487 |
-# Copyright 1999-2017 Gentoo Foundation |
488 |
+# Copyright 1999-2018 Gentoo Foundation |
489 |
# Distributed under the terms of the GNU General Public License v2 |
490 |
|
491 |
-EAPI=5 |
492 |
+EAPI="6" |
493 |
|
494 |
inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal |
495 |
|
496 |
@@ -13,7 +13,7 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" |
497 |
LICENSE="openssl" |
498 |
SLOT="0/1.1" # .so version of libssl/libcrypto |
499 |
KEYWORDS="~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" |
500 |
-IUSE="+asm bindist rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib" |
501 |
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib" |
502 |
RESTRICT="!bindist? ( bindist )" |
503 |
|
504 |
RDEPEND=">=app-misc/c_rehash-1.7-r1 |
505 |
@@ -27,6 +27,27 @@ DEPEND="${RDEPEND} |
506 |
)" |
507 |
PDEPEND="app-misc/ca-certificates" |
508 |
|
509 |
+# This does not copy the entire Fedora patchset, but JUST the parts that |
510 |
+# are needed to make it safe to use EC with RESTRICT=bindist. |
511 |
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN |
512 |
+SOURCE1=hobble-openssl |
513 |
+SOURCE12=ec_curve.c |
514 |
+SOURCE13=ectest.c |
515 |
+PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC |
516 |
+PATCH37=openssl-1.1.0-ec-curves.patch |
517 |
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/' |
518 |
+FEDORA_GIT_BRANCH='f27' |
519 |
+FEDORA_SRC_URI=() |
520 |
+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 ) |
521 |
+FEDORA_PATCH=( $PATCH1 $PATCH37 ) |
522 |
+for i in "${FEDORA_SOURCE[@]}" ; do |
523 |
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" ) |
524 |
+done |
525 |
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix |
526 |
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" ) |
527 |
+done |
528 |
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )" |
529 |
+ |
530 |
S="${WORKDIR}/${MY_P}" |
531 |
|
532 |
MULTILIB_WRAPPED_HEADERS=( |
533 |
@@ -35,9 +56,27 @@ MULTILIB_WRAPPED_HEADERS=( |
534 |
|
535 |
PATCHES=( |
536 |
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 |
537 |
+ "${FILESDIR}"/${PN}-1.1.0g-CVE-2017-3738.patch |
538 |
) |
539 |
|
540 |
src_prepare() { |
541 |
+ if use bindist; then |
542 |
+ # This just removes the prefix, and puts it into WORKDIR like the RPM. |
543 |
+ for i in "${FEDORA_SOURCE[@]}" ; do |
544 |
+ cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die |
545 |
+ done |
546 |
+ # .spec %prep |
547 |
+ bash "${WORKDIR}"/"${SOURCE1}" || die |
548 |
+ cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die |
549 |
+ cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die |
550 |
+ for i in "${FEDORA_PATCH[@]}" ; do |
551 |
+ epatch "${DISTDIR}"/"${i}" |
552 |
+ done |
553 |
+ # Also see the configure parts below: |
554 |
+ # enable-ec \ |
555 |
+ # $(use_ssl !bindist ec2m) \ |
556 |
+ |
557 |
+ fi |
558 |
# keep this in sync with app-misc/c_rehash |
559 |
SSL_CNF_DIR="/etc/ssl" |
560 |
|
561 |
@@ -47,11 +86,12 @@ src_prepare() { |
562 |
|
563 |
if ! use vanilla ; then |
564 |
epatch "${PATCHES[@]}" |
565 |
- epatch_user #332661 |
566 |
fi |
567 |
|
568 |
epatch "${FILESDIR}"/${PN}-1.1.0f-winnt.patch # parity |
569 |
|
570 |
+ eapply_user #332661 |
571 |
+ |
572 |
# make sure the man pages are suffixed #302165 |
573 |
# don't bother building man pages if they're disabled |
574 |
# Make DOCDIR Gentoo compliant |
575 |
@@ -134,6 +174,8 @@ multilib_src_configure() { |
576 |
local config="Configure" |
577 |
[[ -z ${sslout} ]] && config="config" |
578 |
|
579 |
+ # Fedora hobbled-EC needs 'no-ec2m' |
580 |
+ # 'srp' was restricted until early 2017 as well. |
581 |
echoit \ |
582 |
./${config} \ |
583 |
${sslout} \ |
584 |
@@ -141,7 +183,10 @@ multilib_src_configure() { |
585 |
$(use cpu_flags_x86_sse2 || echo "no-sse2") \ |
586 |
enable-camellia \ |
587 |
disable-deprecated \ |
588 |
- $(use_ssl !bindist ec) \ |
589 |
+ enable-ec \ |
590 |
+ $(use_ssl !bindist ec2m) \ |
591 |
+ enable-srp \ |
592 |
+ $(use elibc_musl && echo "no-async") \ |
593 |
${ec_nistp_64_gcc_128} \ |
594 |
enable-idea \ |
595 |
enable-mdc2 \ |
596 |
@@ -195,7 +240,6 @@ multilib_src_install_all() { |
597 |
rm "${ED}"/usr/bin/c_rehash || die |
598 |
|
599 |
dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el |
600 |
- dohtml -r doc/* |
601 |
|
602 |
# This is crappy in that the static archives are still built even |
603 |
# when USE=static-libs. But this is due to a failing in the openssl |