Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Fabian Groffen <grobian@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/proj/prefix:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
Date: Thu, 08 Feb 2018 18:04:54
Message-Id: 1518113059.ed94450ee6c76aad055c5db84c02ea392650662b.grobian@gentoo
1 commit: ed94450ee6c76aad055c5db84c02ea392650662b
2 Author: Fabian Groffen <grobian <AT> gentoo <DOT> org>
3 AuthorDate: Thu Feb 8 18:04:19 2018 +0000
4 Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org>
5 CommitDate: Thu Feb 8 18:04:19 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=ed94450e
7
8 dev-libs/openssl: sync, bug #647006
9
10 Closes: https://bugs.gentoo.org/647006
11 Package-Manager: Portage-2.3.18-prefix, Repoman-2.3.6
12
13 dev-libs/openssl/Manifest | 11 +-
14 .../files/openssl-1.1.0g-CVE-2017-3738.patch | 77 ++++++
15 dev-libs/openssl/openssl-1.0.2k.ebuild | 267 ---------------------
16 ...openssl-1.0.2l.ebuild => openssl-1.0.2n.ebuild} | 36 ++-
17 ...nssl-1.1.0f.ebuild => openssl-1.1.0g-r2.ebuild} | 56 ++++-
18 5 files changed, 151 insertions(+), 296 deletions(-)
19
20 diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
21 index b15d822eca..aa1b1accb1 100644
22 --- a/dev-libs/openssl/Manifest
23 +++ b/dev-libs/openssl/Manifest
24 @@ -1,3 +1,8 @@
25 -DIST openssl-1.0.2k.tar.gz 5309236 BLAKE2B 97069b9c7aaab2381ae5be989caff6907cd44ab1831d84685c3421ad985889a2bbc3a462decdff9c4c158ace96975de2b9e49e4f1b9f306990c3dc0f03767dad SHA512 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016
26 -DIST openssl-1.0.2l.tar.gz 5365054 BLAKE2B 0a459a93a0013269dea79bd6df96a434b9dad95b6d98b24a48bc1b1438415c0a8de01b67166ac13a73ae65fb64131568924c3e6f945d862b7e960f05332cf097 SHA512 047d964508ad6025c79caabd8965efd2416dc026a56183d0ef4de7a0a6769ce8e0b4608a3f8393d326f6d03b26a2b067e6e0c750f35b20be190e595e8290c0e3
27 -DIST openssl-1.1.0f.tar.gz 5278176 SHA256 12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765 SHA512 340ab3f38c90dea346e543b58bc0eff0adede15be212ad20b7cf38718a7f94fab51996da414855c180540f7488b8bd31d8b9a0d04bb19159f735c46d8f6df22c WHIRLPOOL bb4ce1d100c5eb567de0139e4a1c0a2bb1cd308bd014704d6bb796d3fcfc16b91fe69839068944831746e0b937a6ccb234b5cea3b4911fab4283500ed380f0b6
28 +DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d SHA512 15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9
29 +DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894 SHA512 144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687
30 +DIST openssl-1.1.0-build.patch 3028 BLAKE2B f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0
31 +DIST openssl-1.1.0-ec-curves.patch 2967 BLAKE2B 1c639514445ea85cf731732aa7901b5a03ddb5f637b0483ab2ec6825433ad978723c5a07316db684bdaca4a12fc673b4e049a49c0cd4dbe5f25a5e2bd3b75cf5 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2
32 +DIST openssl-1.1.0g.tar.gz 5404748 BLAKE2B 23daf80e4143aad4654ae86f8e96042dd7328a9d1186b4922e284fcfe0f68259ea12d21c4472d92d65a7fcef21e049cf9371cc9bdad11b66a3df11286418ed42 SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a
33 +DIST openssl-1.1.0g_ec_curve.c 18393 BLAKE2B 49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2beeeea15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879
34 +DIST openssl-1.1.0g_ectest.c 29907 BLAKE2B 73dc800c1de5449f14d7753f7f7b8e672cd36bd4570e6df07f246d1d823c7dbbeef492f25cdd0ebfd693f5956732bc84c9d91fc6a22c854fe4b245ecf3890bda SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae
35 +DIST openssl-1.1.0g_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
36
37 diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
38 new file mode 100644
39 index 0000000000..4b01feb8e8
40 --- /dev/null
41 +++ b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
42 @@ -0,0 +1,77 @@
43 +From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001
44 +From: Andy Polyakov <appro@×××××××.org>
45 +Date: Fri, 24 Nov 2017 11:35:50 +0100
46 +Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
47 + rsaz_1024_mul_avx2.
48 +
49 +Credit to OSS-Fuzz for finding this.
50 +
51 +CVE-2017-3738
52 +
53 +Reviewed-by: Rich Salz <rsalz@×××××××.org>
54 +---
55 + crypto/bn/asm/rsaz-avx2.pl | 15 +++++++--------
56 + 1 file changed, 7 insertions(+), 8 deletions(-)
57 +
58 +diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
59 +index 0c1b236ef98..46d746b7d0e 100755
60 +--- a/crypto/bn/asm/rsaz-avx2.pl
61 ++++ b/crypto/bn/asm/rsaz-avx2.pl
62 +@@ -246,7 +246,7 @@
63 + vmovdqu 32*8-128($ap), $ACC8
64 +
65 + lea 192(%rsp), $tp0 # 64+128=192
66 +- vpbroadcastq .Land_mask(%rip), $AND_MASK
67 ++ vmovdqu .Land_mask(%rip), $AND_MASK
68 + jmp .LOOP_GRANDE_SQR_1024
69 +
70 + .align 32
71 +@@ -1077,10 +1077,10 @@
72 + vpmuludq 32*6-128($np),$Yi,$TEMP1
73 + vpaddq $TEMP1,$ACC6,$ACC6
74 + vpmuludq 32*7-128($np),$Yi,$TEMP2
75 +- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3
76 ++ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3
77 + vpaddq $TEMP2,$ACC7,$ACC7
78 + vpmuludq 32*8-128($np),$Yi,$TEMP0
79 +- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3
80 ++ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3
81 + vpaddq $TEMP0,$ACC8,$ACC8
82 +
83 + mov %rbx, %rax
84 +@@ -1093,7 +1093,9 @@
85 + vmovdqu -8+32*2-128($ap),$TEMP2
86 +
87 + mov $r1, %rax
88 ++ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3
89 + imull $n0, %eax
90 ++ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3
91 + and \$0x1fffffff, %eax
92 +
93 + imulq 16-128($ap),%rbx
94 +@@ -1329,15 +1331,12 @@
95 + # But as we underutilize resources, it's possible to correct in
96 + # each iteration with marginal performance loss. But then, as
97 + # we do it in each iteration, we can correct less digits, and
98 +-# avoid performance penalties completely. Also note that we
99 +-# correct only three digits out of four. This works because
100 +-# most significant digit is subjected to less additions.
101 ++# avoid performance penalties completely.
102 +
103 + $TEMP0 = $ACC9;
104 + $TEMP3 = $Bi;
105 + $TEMP4 = $Yi;
106 + $code.=<<___;
107 +- vpermq \$0, $AND_MASK, $AND_MASK
108 + vpaddq (%rsp), $TEMP1, $ACC0
109 +
110 + vpsrlq \$29, $ACC0, $TEMP1
111 +@@ -1770,7 +1769,7 @@
112 +
113 + .align 64
114 + .Land_mask:
115 +- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1
116 ++ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
117 + .Lscatter_permd:
118 + .long 0,2,4,6,7,7,7,7
119 + .Lgather_permd:
120
121 diff --git a/dev-libs/openssl/openssl-1.0.2k.ebuild b/dev-libs/openssl/openssl-1.0.2k.ebuild
122 deleted file mode 100644
123 index d512d107f2..0000000000
124 --- a/dev-libs/openssl/openssl-1.0.2k.ebuild
125 +++ /dev/null
126 @@ -1,267 +0,0 @@
127 -# Copyright 1999-2017 Gentoo Foundation
128 -# Distributed under the terms of the GNU General Public License v2
129 -
130 -EAPI="5"
131 -
132 -inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
133 -
134 -MY_P=${P/_/-}
135 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
136 -HOMEPAGE="http://www.openssl.org/"
137 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
138 -
139 -LICENSE="openssl"
140 -SLOT="0"
141 -KEYWORDS="~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
142 -IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
143 -RESTRICT="!bindist? ( bindist )"
144 -
145 -RDEPEND=">=app-misc/c_rehash-1.7-r1
146 - gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
147 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
148 - kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
149 -DEPEND="${RDEPEND}
150 - >=dev-lang/perl-5
151 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
152 - test? (
153 - sys-apps/diffutils
154 - sys-devel/bc
155 - )"
156 -PDEPEND="app-misc/ca-certificates"
157 -
158 -S="${WORKDIR}/${MY_P}"
159 -
160 -MULTILIB_WRAPPED_HEADERS=(
161 - usr/include/openssl/opensslconf.h
162 -)
163 -
164 -src_prepare() {
165 - # keep this in sync with app-misc/c_rehash
166 - SSL_CNF_DIR="/etc/ssl"
167 -
168 - # Make sure we only ever touch Makefile.org and avoid patching a file
169 - # that gets blown away anyways by the Configure script in src_configure
170 - rm -f Makefile
171 -
172 - if ! use vanilla ; then
173 - epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
174 - epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
175 - epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
176 - epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
177 - epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
178 - epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
179 - epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
180 - epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
181 -
182 - epatch_user #332661
183 -
184 - # Solaris /bin/sh does not support "[ -e file ]", added by patches
185 - sed -e 's/\[ -e /\[ -r /' -i Makefile.shared
186 - fi
187 -
188 - # disable fips in the build
189 - # make sure the man pages are suffixed #302165
190 - # don't bother building man pages if they're disabled
191 - sed -i \
192 - -e '/DIRS/s: fips : :g' \
193 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
194 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
195 - -e $(has noman FEATURES \
196 - && echo '/^install:/s:install_docs::' \
197 - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
198 - Makefile.org \
199 - || die
200 - # show the actual commands in the log
201 - sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
202 -
203 - epatch "${FILESDIR}"/${PN}-1.0.2a-aix-soname.patch # like libtool
204 - epatch "${FILESDIR}"/${PN}-0.9.8g-engines-installnames.patch
205 - epatch "${FILESDIR}"/${PN}-1.0.0b-darwin-bundle-compile-fix.patch
206 - epatch "${FILESDIR}"/${PN}-1.0.2-gethostbyname2-solaris.patch
207 -
208 - # remove -arch for Darwin
209 - sed -i '/^"darwin/s,-arch [^ ]\+,,g' Configure || die
210 -
211 - # since we're forcing $(CC) as makedep anyway, just fix
212 - # the conditional as always-on
213 - # helps clang (#417795), and versioned gcc (#499818)
214 - sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
215 -
216 - # quiet out unknown driver argument warnings since openssl
217 - # doesn't have well-split CFLAGS and we're making it even worse
218 - # and 'make depend' uses -Werror for added fun (#417795 again)
219 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
220 -
221 - # allow openssl to be cross-compiled
222 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
223 - chmod a+rx gentoo.config
224 -
225 - append-flags -fno-strict-aliasing
226 - append-flags $(test-flags-CC -Wa,--noexecstack)
227 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
228 -
229 - use prefix-chain && sed -i '1s,^:$,#!/usr/bin/env perl,' Configure #141906
230 - sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
231 - # The config script does stupid stuff to prompt the user. Kill it.
232 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
233 - ./config --test-sanity || die "I AM NOT SANE"
234 -
235 - multilib_copy_sources
236 -}
237 -
238 -multilib_src_configure() {
239 - unset APPS #197996
240 - unset SCRIPTS #312551
241 - unset CROSS_COMPILE #311473
242 -
243 - tc-export CC AR RANLIB RC
244 -
245 - # Clean out patent-or-otherwise-encumbered code
246 - # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
247 - # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
248 - # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
249 - # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
250 - # RC5: Expired http://en.wikipedia.org/wiki/RC5
251 -
252 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
253 - echoit() { echo "$@" ; "$@" ; }
254 -
255 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
256 -
257 - # See if our toolchain supports __uint128_t. If so, it's 64bit
258 - # friendly and can use the nicely optimized code paths. #460790
259 - local ec_nistp_64_gcc_128
260 - # Disable it for now though #469976
261 - #if ! use bindist ; then
262 - # echo "__uint128_t i;" > "${T}"/128.c
263 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
264 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
265 - # fi
266 - #fi
267 -
268 - # https://github.com/openssl/openssl/issues/2286
269 - if use ia64 ; then
270 - replace-flags -g3 -g2
271 - replace-flags -ggdb3 -ggdb2
272 - fi
273 -
274 - local sslout=$(./gentoo.config)
275 - einfo "Use configuration ${sslout:-(openssl knows best)}"
276 - local config="Configure"
277 - [[ -z ${sslout} ]] && config="config"
278 -
279 - echoit \
280 - ./${config} \
281 - ${sslout} \
282 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
283 - enable-camellia \
284 - $(use_ssl !bindist ec) \
285 - ${ec_nistp_64_gcc_128} \
286 - enable-idea \
287 - enable-mdc2 \
288 - enable-rc5 \
289 - enable-tlsext \
290 - $(use_ssl asm) \
291 - $(use_ssl gmp gmp -lgmp) \
292 - $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
293 - $(use_ssl rfc3779) \
294 - $(use_ssl sctp) \
295 - $(use_ssl sslv2 ssl2) \
296 - $(use_ssl sslv3 ssl3) \
297 - $(use_ssl tls-heartbeat heartbeats) \
298 - $(use_ssl zlib) \
299 - --prefix="${EPREFIX}"/usr \
300 - --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
301 - --libdir=$(get_libdir) \
302 - shared threads \
303 - || die
304 -
305 - # Clean out hardcoded flags that openssl uses
306 - local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
307 - -e 's:^CFLAG=::' \
308 - -e 's:-fomit-frame-pointer ::g' \
309 - -e 's:-O[0-9] ::g' \
310 - -e 's:-march=[-a-z0-9]* ::g' \
311 - -e 's:-mcpu=[-a-z0-9]* ::g' \
312 - -e 's:-m[a-z0-9]* ::g' \
313 - )
314 - sed -i \
315 - -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
316 - -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
317 - Makefile || die
318 -}
319 -
320 -multilib_src_compile() {
321 - # depend is needed to use $confopts; it also doesn't matter
322 - # that it's -j1 as the code itself serializes subdirs
323 - emake -j1 depend
324 - emake all
325 - # rehash is needed to prep the certs/ dir; do this
326 - # separately to avoid parallel build issues.
327 - emake rehash
328 -}
329 -
330 -multilib_src_test() {
331 - emake -j1 test
332 -}
333 -
334 -multilib_src_install() {
335 - emake INSTALL_PREFIX="${D}" install
336 -}
337 -
338 -multilib_src_install_all() {
339 - # openssl installs perl version of c_rehash by default, but
340 - # we provide a shell version via app-misc/c_rehash
341 - rm "${ED}"/usr/bin/c_rehash || die
342 -
343 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
344 - dohtml -r doc/*
345 - use rfc3779 && dodoc engines/ccgost/README.gost
346 -
347 - # This is crappy in that the static archives are still built even
348 - # when USE=static-libs. But this is due to a failing in the openssl
349 - # build system: the static archives are built as PIC all the time.
350 - # Only way around this would be to manually configure+compile openssl
351 - # twice; once with shared lib support enabled and once without.
352 - use static-libs || find "${ED}"usr/lib* -mindepth 1 -maxdepth 1 \
353 - -name "lib*.a" -not -name "lib*$(get_libname)" -delete
354 -
355 - # create the certs directory
356 - dodir ${SSL_CNF_DIR}/certs
357 - cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
358 - rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
359 -
360 - # Namespace openssl programs to prevent conflicts with other man pages
361 - cd "${ED}"/usr/share/man
362 - local m d s
363 - for m in $(find . -type f | xargs grep -L '#include') ; do
364 - d=${m%/*} ; d=${d#./} ; m=${m##*/}
365 - [[ ${m} == openssl.1* ]] && continue
366 - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
367 - mv ${d}/{,ssl-}${m}
368 - # fix up references to renamed man pages
369 - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
370 - ln -s ssl-${m} ${d}/openssl-${m}
371 - # locate any symlinks that point to this man page ... we assume
372 - # that any broken links are due to the above renaming
373 - for s in $(find -L ${d} -type l) ; do
374 - s=${s##*/}
375 - rm -f ${d}/${s}
376 - ln -s ssl-${m} ${d}/ssl-${s}
377 - ln -s ssl-${s} ${d}/openssl-${s}
378 - done
379 - done
380 - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
381 -
382 - dodir /etc/sandbox.d #254521
383 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
384 -
385 - diropts -m0700
386 - keepdir ${SSL_CNF_DIR}/private
387 -}
388 -
389 -pkg_postinst() {
390 - ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
391 - c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
392 - eend $?
393 -}
394
395 diff --git a/dev-libs/openssl/openssl-1.0.2l.ebuild b/dev-libs/openssl/openssl-1.0.2n.ebuild
396 similarity index 90%
397 rename from dev-libs/openssl/openssl-1.0.2l.ebuild
398 rename to dev-libs/openssl/openssl-1.0.2n.ebuild
399 index 21850a7d25..b797b4284c 100644
400 --- a/dev-libs/openssl/openssl-1.0.2l.ebuild
401 +++ b/dev-libs/openssl/openssl-1.0.2n.ebuild
402 @@ -1,14 +1,17 @@
403 # Copyright 1999-2018 Gentoo Foundation
404 # Distributed under the terms of the GNU General Public License v2
405
406 -EAPI="5"
407 +EAPI="6"
408
409 inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
410
411 +PATCH_SET="openssl-1.0.2-patches-1.0"
412 MY_P=${P/_/-}
413 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
414 -HOMEPAGE="http://www.openssl.org/"
415 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
416 +HOMEPAGE="https://www.openssl.org/"
417 +SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
418 + mirror://gentoo/${PATCH_SET}.tar.xz
419 + https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz"
420
421 LICENSE="openssl"
422 SLOT="0"
423 @@ -44,21 +47,14 @@ src_prepare() {
424 rm -f Makefile
425
426 if ! use vanilla ; then
427 - epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
428 - epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
429 - epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
430 - epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
431 - epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
432 - epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
433 - epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
434 - epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
435 -
436 - epatch_user #332661
437 -
438 - # Solaris /bin/sh does not support "[ -e file ]", added by patches
439 - sed -e 's/\[ -e /\[ -r /' -i Makefile.shared
440 + eapply "${WORKDIR}"/patch/*.patch
441 fi
442
443 + eapply_user
444 +
445 + # Solaris /bin/sh does not support "[ -e file ]", added by patches
446 + sed -e 's/\[ -e /\[ -r /' -i Makefile.shared
447 +
448 # disable fips in the build
449 # make sure the man pages are suffixed #302165
450 # don't bother building man pages if they're disabled
451 @@ -96,13 +92,12 @@ src_prepare() {
452
453 # allow openssl to be cross-compiled
454 cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
455 - chmod a+rx gentoo.config
456 + chmod a+rx gentoo.config || die
457
458 append-flags -fno-strict-aliasing
459 append-flags $(test-flags-CC -Wa,--noexecstack)
460 append-cppflags -DOPENSSL_NO_BUF_FREELISTS
461
462 - use prefix-chain && sed -i '1s,^:$,#!/usr/bin/env perl,' Configure #141906
463 sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
464 # The config script does stupid stuff to prompt the user. Kill it.
465 sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
466 @@ -216,8 +211,9 @@ multilib_src_install_all() {
467 # we provide a shell version via app-misc/c_rehash
468 rm "${ED}"/usr/bin/c_rehash || die
469
470 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
471 - dohtml -r doc/*
472 + local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
473 + einstalldocs
474 +
475 use rfc3779 && dodoc engines/ccgost/README.gost
476
477 # This is crappy in that the static archives are still built even
478
479 diff --git a/dev-libs/openssl/openssl-1.1.0f.ebuild b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild
480 similarity index 80%
481 rename from dev-libs/openssl/openssl-1.1.0f.ebuild
482 rename to dev-libs/openssl/openssl-1.1.0g-r2.ebuild
483 index 2ae77799e5..6401834253 100644
484 --- a/dev-libs/openssl/openssl-1.1.0f.ebuild
485 +++ b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild
486 @@ -1,7 +1,7 @@
487 -# Copyright 1999-2017 Gentoo Foundation
488 +# Copyright 1999-2018 Gentoo Foundation
489 # Distributed under the terms of the GNU General Public License v2
490
491 -EAPI=5
492 +EAPI="6"
493
494 inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
495
496 @@ -13,7 +13,7 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
497 LICENSE="openssl"
498 SLOT="0/1.1" # .so version of libssl/libcrypto
499 KEYWORDS="~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
500 -IUSE="+asm bindist rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
501 +IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
502 RESTRICT="!bindist? ( bindist )"
503
504 RDEPEND=">=app-misc/c_rehash-1.7-r1
505 @@ -27,6 +27,27 @@ DEPEND="${RDEPEND}
506 )"
507 PDEPEND="app-misc/ca-certificates"
508
509 +# This does not copy the entire Fedora patchset, but JUST the parts that
510 +# are needed to make it safe to use EC with RESTRICT=bindist.
511 +# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
512 +SOURCE1=hobble-openssl
513 +SOURCE12=ec_curve.c
514 +SOURCE13=ectest.c
515 +PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
516 +PATCH37=openssl-1.1.0-ec-curves.patch
517 +FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
518 +FEDORA_GIT_BRANCH='f27'
519 +FEDORA_SRC_URI=()
520 +FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
521 +FEDORA_PATCH=( $PATCH1 $PATCH37 )
522 +for i in "${FEDORA_SOURCE[@]}" ; do
523 + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
524 +done
525 +for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
526 + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
527 +done
528 +SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
529 +
530 S="${WORKDIR}/${MY_P}"
531
532 MULTILIB_WRAPPED_HEADERS=(
533 @@ -35,9 +56,27 @@ MULTILIB_WRAPPED_HEADERS=(
534
535 PATCHES=(
536 "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
537 + "${FILESDIR}"/${PN}-1.1.0g-CVE-2017-3738.patch
538 )
539
540 src_prepare() {
541 + if use bindist; then
542 + # This just removes the prefix, and puts it into WORKDIR like the RPM.
543 + for i in "${FEDORA_SOURCE[@]}" ; do
544 + cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
545 + done
546 + # .spec %prep
547 + bash "${WORKDIR}"/"${SOURCE1}" || die
548 + cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
549 + cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
550 + for i in "${FEDORA_PATCH[@]}" ; do
551 + epatch "${DISTDIR}"/"${i}"
552 + done
553 + # Also see the configure parts below:
554 + # enable-ec \
555 + # $(use_ssl !bindist ec2m) \
556 +
557 + fi
558 # keep this in sync with app-misc/c_rehash
559 SSL_CNF_DIR="/etc/ssl"
560
561 @@ -47,11 +86,12 @@ src_prepare() {
562
563 if ! use vanilla ; then
564 epatch "${PATCHES[@]}"
565 - epatch_user #332661
566 fi
567
568 epatch "${FILESDIR}"/${PN}-1.1.0f-winnt.patch # parity
569
570 + eapply_user #332661
571 +
572 # make sure the man pages are suffixed #302165
573 # don't bother building man pages if they're disabled
574 # Make DOCDIR Gentoo compliant
575 @@ -134,6 +174,8 @@ multilib_src_configure() {
576 local config="Configure"
577 [[ -z ${sslout} ]] && config="config"
578
579 + # Fedora hobbled-EC needs 'no-ec2m'
580 + # 'srp' was restricted until early 2017 as well.
581 echoit \
582 ./${config} \
583 ${sslout} \
584 @@ -141,7 +183,10 @@ multilib_src_configure() {
585 $(use cpu_flags_x86_sse2 || echo "no-sse2") \
586 enable-camellia \
587 disable-deprecated \
588 - $(use_ssl !bindist ec) \
589 + enable-ec \
590 + $(use_ssl !bindist ec2m) \
591 + enable-srp \
592 + $(use elibc_musl && echo "no-async") \
593 ${ec_nistp_64_gcc_128} \
594 enable-idea \
595 enable-mdc2 \
596 @@ -195,7 +240,6 @@ multilib_src_install_all() {
597 rm "${ED}"/usr/bin/c_rehash || die
598
599 dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
600 - dohtml -r doc/*
601
602 # This is crappy in that the static archives are still built even
603 # when USE=static-libs. But this is due to a failing in the openssl
Report Message
Find on MARC Find on Google Groups