diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest index 2d9480b739..be7cd65f37 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest @@ -1,2 +1,5 @@ -DIST openssl-1.0.2-patches-1.4.tar.xz 12864 SHA256 281b3918e32a6db737365ddaafa5279dd14089b63d681570a72b704d10197d61 SHA512 d152af2841f1bf11c7f2a5ebba9a2b903fb4bcdef0468c56af0f9cc8c020adbf4490ac1a62f5bae8cbe18e379934fa997bfda1c2d49ec62365c07a0c0515a72d WHIRLPOOL 4974556135febb4ab662547b7e6f87cff4787fdcd86efff5f6159dae7895528138ad75e7f7da038b25a063d787c2cc7af80be825e934b11355348e01bf7e79c3 -DIST openssl-1.0.2o.tar.gz 5329472 SHA256 ec3f5c9714ba0fd45cb4e087301eb1336c317e0d20b575a125050470e8089e4d SHA512 8a2c93657c85143e76785bb32ee836908c31a6f5f8db993fa9777acba6079e630cdddd03edbad65d1587199fc13a1507789eacf038b56eb99139c2091d9df7fd WHIRLPOOL b50a3f1756e67842bf4ccc233453dd294cc6a43070b5852974119f73cd957917dd1ae0d308b633e460979a635b1f4395c52c20d31f39f73731cca982cf2c3484 +DIST openssl-1.0.2-patches-1.6.tar.xz 16004 BLAKE2B 28c7e9a8c8b09a34aa6ed21dec18b04c1d6140276e319cfa99b63db5ae188ca7837c444e8352748ffc86e6df7676534aef2f28788e825ee8207c0f876efb5b7b SHA512 eac9bbbebd8d942707ef385ee466929045bb4698985f7a0fb16f529f2101a246735cc2e654bfbdaa8a178224bb5ac564478a7587e6156cfcbdfe62a719bfb0a3 +DIST openssl-1.0.2p.tar.gz 5338192 BLAKE2B fe4c0e2bf75d47a76e7377c7977be7bcaaa532061ab89ee989786eeb6495295711a29a88bf026c85d9ed55c97e71b0e9c8cf4c29b6e58a3dc56bcff518666823 SHA512 958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16 +DIST openssl-1.0.2p_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15 +DIST openssl-1.0.2p_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19 +DIST openssl-1.0.2p_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 index 37b83cc2e7..d16175e629 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 1999-2017 Gentoo Foundation +# Copyright 1999-2018 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # # Openssl doesn't play along nicely with cross-compiling @@ -81,8 +81,8 @@ chost_machine=${CHOST%%-*} case ${system} in linux) case ${chost_machine}:${ABI} in - aarch64*be*) machine="generic64 -DB_ENDIAN";; - aarch64*) machine="generic64 -DL_ENDIAN";; + aarch64*be*) machine="aarch64 -DB_ENDIAN";; + aarch64*) machine="aarch64 -DL_ENDIAN";; alphaev56*|\ alphaev[678]*)machine=alpha+bwx-${compiler};; alpha*) machine=alpha-${compiler};; diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch new file mode 100644 index 0000000000..3a458a7836 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch @@ -0,0 +1,283 @@ +Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series. + +From https://src.fedoraproject.org/git/rpms/openssl.git + +Contains parts of the following patches, rediffed. The patches are on various +different branches. +f23 openssl-1.0.2c-ecc-suiteb.patch +f23 openssl-1.0.2a-fips-ec.patch +f28 openssl-1.1.0-ec-curves.patch + +Signed-off-By: Robin H. Johnson + +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv) + } else + # endif + # ifndef OPENSSL_NO_ECDSA +- if (strcmp(*argv, "ecdsap160") == 0) +- ecdsa_doit[R_EC_P160] = 2; +- else if (strcmp(*argv, "ecdsap192") == 0) +- ecdsa_doit[R_EC_P192] = 2; ++ if (0) {} + else if (strcmp(*argv, "ecdsap224") == 0) + ecdsa_doit[R_EC_P224] = 2; + else if (strcmp(*argv, "ecdsap256") == 0) +@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv) + ecdsa_doit[R_EC_P384] = 2; + else if (strcmp(*argv, "ecdsap521") == 0) + ecdsa_doit[R_EC_P521] = 2; +- else if (strcmp(*argv, "ecdsak163") == 0) +- ecdsa_doit[R_EC_K163] = 2; +- else if (strcmp(*argv, "ecdsak233") == 0) +- ecdsa_doit[R_EC_K233] = 2; +- else if (strcmp(*argv, "ecdsak283") == 0) +- ecdsa_doit[R_EC_K283] = 2; +- else if (strcmp(*argv, "ecdsak409") == 0) +- ecdsa_doit[R_EC_K409] = 2; +- else if (strcmp(*argv, "ecdsak571") == 0) +- ecdsa_doit[R_EC_K571] = 2; +- else if (strcmp(*argv, "ecdsab163") == 0) +- ecdsa_doit[R_EC_B163] = 2; +- else if (strcmp(*argv, "ecdsab233") == 0) +- ecdsa_doit[R_EC_B233] = 2; +- else if (strcmp(*argv, "ecdsab283") == 0) +- ecdsa_doit[R_EC_B283] = 2; +- else if (strcmp(*argv, "ecdsab409") == 0) +- ecdsa_doit[R_EC_B409] = 2; +- else if (strcmp(*argv, "ecdsab571") == 0) +- ecdsa_doit[R_EC_B571] = 2; + else if (strcmp(*argv, "ecdsa") == 0) { +- for (i = 0; i < EC_NUM; i++) ++ for (i = R_EC_P224; i < R_EC_P521; i++) + ecdsa_doit[i] = 1; + } else + # endif + # ifndef OPENSSL_NO_ECDH +- if (strcmp(*argv, "ecdhp160") == 0) +- ecdh_doit[R_EC_P160] = 2; +- else if (strcmp(*argv, "ecdhp192") == 0) +- ecdh_doit[R_EC_P192] = 2; ++ if (0) {} + else if (strcmp(*argv, "ecdhp224") == 0) + ecdh_doit[R_EC_P224] = 2; + else if (strcmp(*argv, "ecdhp256") == 0) +@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv) + ecdh_doit[R_EC_P384] = 2; + else if (strcmp(*argv, "ecdhp521") == 0) + ecdh_doit[R_EC_P521] = 2; +- else if (strcmp(*argv, "ecdhk163") == 0) +- ecdh_doit[R_EC_K163] = 2; +- else if (strcmp(*argv, "ecdhk233") == 0) +- ecdh_doit[R_EC_K233] = 2; +- else if (strcmp(*argv, "ecdhk283") == 0) +- ecdh_doit[R_EC_K283] = 2; +- else if (strcmp(*argv, "ecdhk409") == 0) +- ecdh_doit[R_EC_K409] = 2; +- else if (strcmp(*argv, "ecdhk571") == 0) +- ecdh_doit[R_EC_K571] = 2; +- else if (strcmp(*argv, "ecdhb163") == 0) +- ecdh_doit[R_EC_B163] = 2; +- else if (strcmp(*argv, "ecdhb233") == 0) +- ecdh_doit[R_EC_B233] = 2; +- else if (strcmp(*argv, "ecdhb283") == 0) +- ecdh_doit[R_EC_B283] = 2; +- else if (strcmp(*argv, "ecdhb409") == 0) +- ecdh_doit[R_EC_B409] = 2; +- else if (strcmp(*argv, "ecdhb571") == 0) +- ecdh_doit[R_EC_B571] = 2; + else if (strcmp(*argv, "ecdh") == 0) { +- for (i = 0; i < EC_NUM; i++) ++ for (i = R_EC_P224; i <= R_EC_P521; i++) + ecdh_doit[i] = 1; + } else + # endif +@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv) + BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n"); + # endif + # ifndef OPENSSL_NO_ECDSA +- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 " ++ BIO_printf(bio_err, "ecdsap224 " + "ecdsap256 ecdsap384 ecdsap521\n"); +- BIO_printf(bio_err, +- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n"); +- BIO_printf(bio_err, +- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n"); + BIO_printf(bio_err, "ecdsa\n"); + # endif + # ifndef OPENSSL_NO_ECDH +- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 " ++ BIO_printf(bio_err, "ecdhp224 " + "ecdhp256 ecdhp384 ecdhp521\n"); +- BIO_printf(bio_err, +- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n"); +- BIO_printf(bio_err, +- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n"); + BIO_printf(bio_err, "ecdh\n"); + # endif + +@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv) + for (i = 0; i < DSA_NUM; i++) + dsa_doit[i] = 1; + # ifndef OPENSSL_NO_ECDSA +- for (i = 0; i < EC_NUM; i++) ++ for (i = R_EC_P224; i <= R_EC_P521; i++) + ecdsa_doit[i] = 1; + # endif + # ifndef OPENSSL_NO_ECDH +- for (i = 0; i < EC_NUM; i++) ++ for (i = R_EC_P224; i <= R_EC_P521; i++) + ecdh_doit[i] = 1; + # endif + } +--- a/crypto/ec/ecp_smpl.c ++++ b/crypto/ec/ecp_smpl.c +@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, + return 0; + } + ++ if (BN_num_bits(p) < 224) { ++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); ++ return 0; ++ } ++ + if (ctx == NULL) { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) +--- a/crypto/ecdh/ecdhtest.c ++++ b/crypto/ecdh/ecdhtest.c +@@ -501,11 +501,13 @@ int main(int argc, char *argv[]) + goto err; + + /* NIST PRIME CURVES TESTS */ ++# if 0 + if (!test_ecdh_curve + (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) + goto err; + if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) + goto err; ++# endif + if (!test_ecdh_curve + (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) + goto err; +@@ -536,13 +538,14 @@ int main(int argc, char *argv[]) + if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) + goto err; + # endif ++# if 0 + if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256)) + goto err; + if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384)) + goto err; + if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512)) + goto err; +- ++# endif + ret = 0; + + err: +--- a/crypto/ecdsa/ecdsatest.c ++++ b/crypto/ecdsa/ecdsatest.c +@@ -138,9 +138,12 @@ int restore_rand(void) + } + + static int fbytes_counter = 0, use_fake = 0; +-static const char *numbers[8] = { ++static const char *numbers[10] = { ++ "651056770906015076056810763456358567190100156695615665659", + "651056770906015076056810763456358567190100156695615665659", + "6140507067065001063065065565667405560006161556565665656654", ++ "8763001015071075675010661307616710783570106710677817767166" ++ "71676178726717", + "8763001015071075675010661307616710783570106710677817767166" + "71676178726717", + "7000000175690566466555057817571571075705015757757057795755" +@@ -163,7 +166,7 @@ int fbytes(unsigned char *buf, int num) + + use_fake = 0; + +- if (fbytes_counter >= 8) ++ if (fbytes_counter >= 10) + return 0; + tmp = BN_new(); + if (!tmp) +@@ -539,8 +542,10 @@ int main(void) + RAND_seed(rnd_seed, sizeof(rnd_seed)); + + /* the tests */ ++# if 0 + if (!x9_62_tests(out)) + goto err; ++# endif + if (!test_builtin(out)) + goto err; + +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto[] = { + 0, 23, /* secp256r1 (23) */ + /* Other >= 256-bit prime curves. */ + 0, 25, /* secp521r1 (25) */ +- 0, 28, /* brainpool512r1 (28) */ +- 0, 27, /* brainpoolP384r1 (27) */ + 0, 24, /* secp384r1 (24) */ +- 0, 26, /* brainpoolP256r1 (26) */ + 0, 22, /* secp256k1 (22) */ + # ifndef OPENSSL_NO_EC2M + /* >= 256-bit binary curves. */ +@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[] = { + 0, 23, /* secp256r1 (23) */ + /* Other >= 256-bit prime curves. */ + 0, 25, /* secp521r1 (25) */ +- 0, 28, /* brainpool512r1 (28) */ +- 0, 27, /* brainpoolP384r1 (27) */ + 0, 24, /* secp384r1 (24) */ +- 0, 26, /* brainpoolP256r1 (26) */ + 0, 22, /* secp256k1 (22) */ + # ifndef OPENSSL_NO_EC2M + /* >= 256-bit binary curves. */ +@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[] = { + * Remaining curves disabled by default but still permitted if set + * via an explicit callback or parameters. + */ +- 0, 20, /* secp224k1 (20) */ +- 0, 21, /* secp224r1 (21) */ +- 0, 18, /* secp192k1 (18) */ +- 0, 19, /* secp192r1 (19) */ +- 0, 15, /* secp160k1 (15) */ +- 0, 16, /* secp160r1 (16) */ +- 0, 17, /* secp160r2 (17) */ + # ifndef OPENSSL_NO_EC2M + 0, 8, /* sect239k1 (8) */ + 0, 6, /* sect233k1 (6) */ +@@ -351,29 +338,21 @@ static const unsigned char fips_curves_default[] = { + 0, 9, /* sect283k1 (9) */ + 0, 10, /* sect283r1 (10) */ + # endif +- 0, 22, /* secp256k1 (22) */ + 0, 23, /* secp256r1 (23) */ + # ifndef OPENSSL_NO_EC2M + 0, 8, /* sect239k1 (8) */ + 0, 6, /* sect233k1 (6) */ + 0, 7, /* sect233r1 (7) */ + # endif +- 0, 20, /* secp224k1 (20) */ +- 0, 21, /* secp224r1 (21) */ + # ifndef OPENSSL_NO_EC2M + 0, 4, /* sect193r1 (4) */ + 0, 5, /* sect193r2 (5) */ + # endif +- 0, 18, /* secp192k1 (18) */ +- 0, 19, /* secp192r1 (19) */ + # ifndef OPENSSL_NO_EC2M + 0, 1, /* sect163k1 (1) */ + 0, 2, /* sect163r1 (2) */ + 0, 3, /* sect163r2 (3) */ + # endif +- 0, 15, /* secp160k1 (15) */ +- 0, 16, /* secp160r1 (16) */ +- 0, 17, /* secp160r2 (17) */ + }; + # endif + diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf deleted file mode 100644 index ce86101ce7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf +++ /dev/null @@ -1,3 +0,0 @@ -d /etc/ssl - - - - - -d /etc/ssl/private 0700 - - - - -L /etc/ssl/openssl.cnf - - - - ../../usr/share/ssl/openssl.cnf diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2o-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2p-r1.ebuild similarity index 68% rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2o-r3.ebuild rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2p-r1.ebuild index 79caf98ecd..d691659c26 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2o-r3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2p-r1.ebuild @@ -1,23 +1,27 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2018 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="6" -inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal systemd +inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal -PATCH_SET="openssl-1.0.2-patches-1.4" +PATCH_SET="openssl-1.0.2-patches-1.6" MY_P=${P/_/-} DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" HOMEPAGE="https://www.openssl.org/" SRC_URI="mirror://openssl/source/${MY_P}.tar.gz - mirror://gentoo/${PATCH_SET}.tar.xz - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz - https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz" + !vanilla? ( + mirror://gentoo/${PATCH_SET}.tar.xz + https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz + https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz + https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz + )" LICENSE="openssl" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux" -IUSE="+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-linux" +IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib" +RESTRICT="!bindist? ( bindist )" RDEPEND=">=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) @@ -32,6 +36,28 @@ DEPEND="${RDEPEND} )" PDEPEND="app-misc/ca-certificates" +# This does not copy the entire Fedora patchset, but JUST the parts that +# are needed to make it safe to use EC with RESTRICT=bindist. +# See openssl.spec for the matching numbering of SourceNNN, PatchNNN +SOURCE1=hobble-openssl +SOURCE12=ec_curve.c +SOURCE13=ectest.c +# These are ported instead +#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC +#PATCH37=openssl-1.1.0-ec-curves.patch +FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/' +FEDORA_GIT_BRANCH='f25' +FEDORA_SRC_URI=() +FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 ) +FEDORA_PATCH=( $PATCH1 $PATCH37 ) +for i in "${FEDORA_SOURCE[@]}" ; do + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" ) +done +for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix + FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" ) +done +SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )" + S="${WORKDIR}/${MY_P}" MULTILIB_WRAPPED_HEADERS=( @@ -39,6 +65,25 @@ MULTILIB_WRAPPED_HEADERS=( ) src_prepare() { + if use bindist; then + # This just removes the prefix, and puts it into WORKDIR like the RPM. + for i in "${FEDORA_SOURCE[@]}" ; do + cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die + done + # .spec %prep + bash "${WORKDIR}"/"${SOURCE1}" || die + cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die + cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1 + for i in "${FEDORA_PATCH[@]}" ; do + eapply "${DISTDIR}"/"${i}" + done + eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch + # Also see the configure parts below: + # enable-ec \ + # $(use_ssl !bindist ec2m) \ + # $(use_ssl !bindist srp) \ + fi + # keep this in sync with app-misc/c_rehash SSL_CNF_DIR="/etc/ssl" @@ -61,7 +106,7 @@ src_prepare() { -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ -e $(has noman FEATURES \ && echo '/^install:/s:install_docs::' \ - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ + || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \ Makefile.org \ || die # show the actual commands in the log @@ -70,7 +115,8 @@ src_prepare() { # since we're forcing $(CC) as makedep anyway, just fix # the conditional as always-on # helps clang (#417795), and versioned gcc (#499818) - sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die + # this breaks build with 1.0.2p, not sure if it is needed anymore + #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die # quiet out unknown driver argument warnings since openssl # doesn't have well-split CFLAGS and we're making it even worse @@ -85,7 +131,7 @@ src_prepare() { append-flags $(test-flags-CC -Wa,--noexecstack) append-cppflags -DOPENSSL_NO_BUF_FREELISTS - sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 + sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906 # The config script does stupid stuff to prompt the user. Kill it. sed -i '/stty -icanon min 0 time 50; read waste/d' config || die ./config --test-sanity || die "I AM NOT SANE" @@ -134,11 +180,15 @@ multilib_src_configure() { local config="Configure" [[ -z ${sslout} ]] && config="config" + # Fedora hobbled-EC needs 'no-ec2m', 'no-srp' echoit \ ./${config} \ ${sslout} \ $(use cpu_flags_x86_sse2 || echo "no-sse2") \ enable-camellia \ + enable-ec \ + $(use_ssl !bindist ec2m) \ + $(use_ssl !bindist srp) \ ${ec_nistp_64_gcc_128} \ enable-idea \ enable-mdc2 \ @@ -153,8 +203,8 @@ multilib_src_configure() { $(use_ssl sslv3 ssl3) \ $(use_ssl tls-heartbeat heartbeats) \ $(use_ssl zlib) \ - --prefix="${EPREFIX}"/usr \ - --openssldir="${EPREFIX}"${SSL_CNF_DIR} \ + --prefix="${EPREFIX%/}"/usr \ + --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \ --libdir=$(get_libdir) \ shared threads \ || die @@ -177,7 +227,7 @@ multilib_src_configure() { multilib_src_compile() { # depend is needed to use $confopts; it also doesn't matter # that it's -j1 as the code itself serializes subdirs - emake -j1 depend + emake -j1 V=1 depend emake all # rehash is needed to prep the certs/ dir; do this # separately to avoid parallel build issues. @@ -189,13 +239,19 @@ multilib_src_test() { } multilib_src_install() { - emake INSTALL_PREFIX="${D}" install + # We need to create $ED/usr on our own to avoid a race condition #665130 + if [[ ! -d "${ED%/}/usr" ]]; then + # We can only create this directory once + mkdir "${ED%/}"/usr || die + fi + + emake INSTALL_PREFIX="${D%/}" install } multilib_src_install_all() { # openssl installs perl version of c_rehash by default, but # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die + rm "${ED%/}"/usr/bin/c_rehash || die local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el ) einstalldocs @@ -209,6 +265,11 @@ multilib_src_install_all() { # twice; once with shared lib support enabled and once without. use static-libs || rm -f "${ED}"/usr/lib*/lib*.a + # create the certs directory + dodir ${SSL_CNF_DIR}/certs + cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die + rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired} + # Namespace openssl programs to prevent conflicts with other man pages cd "${ED}"/usr/share/man local m d s @@ -234,15 +295,12 @@ multilib_src_install_all() { dodir /etc/sandbox.d #254521 echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - # Don't keep the sample CA files and their ilk in /etc. - rm -r "${ED}"${SSL_CNF_DIR} - - # Save the default openssl.cnf in /usr and link it into place. - dodir /usr/share/ssl - insinto /usr/share/ssl - doins "${S}"/apps/openssl.cnf - systemd_dotmpfilesd "${FILESDIR}"/openssl.conf - - # Package the tmpfiles.d setup for SDK bootstrapping. - systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_postinst() { + ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069" + c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null + eend $? } diff --git a/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2o-r3 b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2p-r1 similarity index 61% rename from sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2o-r3 rename to sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2p-r1 index a014cb7d83..c4fd8994c6 100644 --- a/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2o-r3 +++ b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2p-r1 @@ -1,14 +1,15 @@ -DEFINED_PHASES=compile configure install prepare test -DEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) >=dev-lang/perl-5 sctp? ( >=net-misc/lksctp-tools-1.0.12 ) test? ( sys-apps/diffutils sys-devel/bc ) virtual/pkgconfig +DEFINED_PHASES=compile configure install postinst prepare test +DEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) >=dev-lang/perl-5 sctp? ( >=net-misc/lksctp-tools-1.0.12 ) test? ( sys-apps/diffutils sys-devel/bc ) DESCRIPTION=full-strength general purpose cryptography library (including SSL and TLS) EAPI=6 HOMEPAGE=https://www.openssl.org/ -IUSE=+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib abi_x86_32 abi_x86_64 abi_x86_x32 abi_mips_n32 abi_mips_n64 abi_mips_o32 abi_ppc_32 abi_ppc_64 abi_s390_32 abi_s390_64 -KEYWORDS=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux +IUSE=+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib abi_x86_32 abi_x86_64 abi_x86_x32 abi_mips_n32 abi_mips_n64 abi_mips_o32 abi_ppc_32 abi_ppc_64 abi_s390_32 abi_s390_64 +KEYWORDS=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-linux LICENSE=openssl PDEPEND=app-misc/ca-certificates RDEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) +RESTRICT=!bindist? ( bindist ) SLOT=0 -SRC_URI=mirror://openssl/source/openssl-1.0.2o.tar.gz mirror://gentoo/openssl-1.0.2-patches-1.4.tar.xz https://dev.gentoo.org/~whissi/dist/openssl/openssl-1.0.2-patches-1.4.tar.xz https://dev.gentoo.org/~polynomial-c/dist/openssl-1.0.2-patches-1.4.tar.xz -_eclasses_=desktop b1d22ac8bdd4679ab79c71aca235009d epatch a1bf4756dba418a7238f3be0cb010c54 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 6e6c2737b59a4b982de6fb3ecefd87f8 flag-o-matic 55aaa148741116aa54ad0d80e361818e ltprune 08f9e1d9ee0af8f5d9a7854efbcd8c0e multibuild 40fe59465edacd730c644ec2bc197809 multilib b2f01ad412baf81650c23fcf0975fa33 multilib-build b42436dc1260f475af229754c165cb6b multilib-minimal 8bddda43703ba94d8341f4e247f97566 preserve-libs ef207dc62baddfddfd39a164d9797648 systemd 47c677ae1d7b69031f11f630ac09f0d1 toolchain-funcs f164325a2cdb5b3ea39311d483988861 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf -_md5_=c4338c372eb9630fcc6925a997f43e77 +SRC_URI=mirror://openssl/source/openssl-1.0.2p.tar.gz !vanilla? ( mirror://gentoo/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~chutzpah/dist/openssl/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~whissi/dist/openssl/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~polynomial-c/dist/openssl-1.0.2-patches-1.6.tar.xz ) bindist? ( https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//hobble-openssl?h=f25 -> openssl-1.0.2p_hobble-openssl https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ec_curve.c?h=f25 -> openssl-1.0.2p_ec_curve.c https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ectest.c?h=f25 -> openssl-1.0.2p_ectest.c ) +_eclasses_=desktop b1d22ac8bdd4679ab79c71aca235009d epatch a1bf4756dba418a7238f3be0cb010c54 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 6e6c2737b59a4b982de6fb3ecefd87f8 flag-o-matic 55aaa148741116aa54ad0d80e361818e ltprune 08f9e1d9ee0af8f5d9a7854efbcd8c0e multibuild 40fe59465edacd730c644ec2bc197809 multilib b2f01ad412baf81650c23fcf0975fa33 multilib-build b42436dc1260f475af229754c165cb6b multilib-minimal 8bddda43703ba94d8341f4e247f97566 preserve-libs ef207dc62baddfddfd39a164d9797648 toolchain-funcs f164325a2cdb5b3ea39311d483988861 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf +_md5_=3284ff7ee6fffb6fc1211d91c96667f4