dev-libs/openssl: bump to 1.0.2j

Addresses CVE-2016-8610.

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest

@@ -1 +1 @@
-DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
+DIST openssl-1.0.2j.tar.gz 5307912 SHA256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 SHA512 7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd WHIRLPOOL 1f17e80bc10da2eab9d4c1c3a662b0e2b4f7e8bc448aabb44cd98a96ba3d6cd0ef6cf9a3371d44b39a4d11b1a4087c8f0d056272ace6eba5bd2417f7ab9503b7

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.0d-windres.patch

@@ -1,76 +0,0 @@
-URL: http://rt.openssl.org/Ticket/Display.html?id=2558&user=guest&pass=guest
-Subject: make windres controllable via build env var settings
-
-atm, the windres code in openssl is only usable via the cross-compile prefix 
-option unlike all the other build tools. so add support for the standard $RC 
-/ $WINDRES env vars as well.
-
-Index: Configure
-===================================================================
-RCS file: /usr/local/src/openssl/CVSROOT/openssl/Configure,v
-retrieving revision 1.621.2.40
-diff -u -p -r1.621.2.40 Configure
---- Configure	30 Nov 2010 22:19:26 -0000	1.621.2.40
-+++ Configure	4 Jul 2011 23:12:32 -0000
-@@ -1094,6 +1094,7 @@ my $shared_extension = $fields[$idx_shar
- my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
- my $ar = $ENV{'AR'} || "ar";
- my $arflags = $fields[$idx_arflags];
-+my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres";
- my $multilib = $fields[$idx_multilib];
- 
- # if $prefix/lib$multilib is not an existing directory, then
-@@ -1511,12 +1512,14 @@ while (<IN>)
- 		s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/;
- 		s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
- 		s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
-+		s/^WINDRES=\s*/WINDRES= \$\(CROSS_COMPILE\)/;
- 		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc";
- 		}
- 	else	{
- 		s/^CC=.*$/CC= $cc/;
- 		s/^AR=\s*ar/AR= $ar/;
- 		s/^RANLIB=.*/RANLIB= $ranlib/;
-+		s/^WINDRES=.*/WINDRES= $windres/;
- 		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
- 		}
- 	s/^CFLAG=.*$/CFLAG= $cflags/;
-Index: Makefile.org
-===================================================================
-RCS file: /usr/local/src/openssl/CVSROOT/openssl/Makefile.org,v
-retrieving revision 1.295.2.10
-diff -u -p -r1.295.2.10 Makefile.org
---- Makefile.org	27 Jan 2010 16:06:58 -0000	1.295.2.10
-+++ Makefile.org	4 Jul 2011 23:13:08 -0000
-@@ -66,6 +66,7 @@ EXE_EXT= 
- ARFLAGS=
- AR=ar $(ARFLAGS) r
- RANLIB= ranlib
-+WINDRES= windres
- NM= nm
- PERL= perl
- TAR= tar
-@@ -180,6 +181,7 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESS
- 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
- 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
- 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
-+		WINDRES='$(WINDRES)'				\
- 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
- 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
- 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
-Index: Makefile.shared
-===================================================================
-RCS file: /usr/local/src/openssl/CVSROOT/openssl/Makefile.shared,v
-retrieving revision 1.72.2.4
-diff -u -p -r1.72.2.4 Makefile.shared
---- Makefile.shared	21 Aug 2010 11:36:49 -0000	1.72.2.4
-+++ Makefile.shared	4 Jul 2011 23:13:52 -0000
-@@ -293,7 +293,7 @@ link_a.cygwin:
- 	fi; \
- 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
- 	$(PERL) util/mkrc.pl $$dll_name | \
--		$(CROSS_COMPILE)windres -o rc.o; \
-+		$(WINDRES) -o rc.o; \
- 	extras="$$extras rc.o"; \
- 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
- 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2i-parallel-build.patch

@@ -1,5 +1,5 @@
---- openssl-1.0.2g/crypto/Makefile
-+++ openssl-1.0.2g/crypto/Makefile
+--- openssl-1.0.2i/crypto/Makefile
++++ openssl-1.0.2i/crypto/Makefile
 @@ -85,11 +85,11 @@
  	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
  
@@ -41,8 +41,8 @@
  
  lint:
  	@target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.2g/engines/Makefile
-+++ openssl-1.0.2g/engines/Makefile
+--- openssl-1.0.2i/engines/Makefile
++++ openssl-1.0.2i/engines/Makefile
 @@ -72,7 +72,7 @@
  
  all:	lib subdirs
@@ -70,9 +70,9 @@
  
  tags:
  	ctags $(SRC)
---- openssl-1.0.2g/Makefile.org
-+++ openssl-1.0.2g/Makefile.org
-@@ -279,17 +279,17 @@
+--- openssl-1.0.2i/Makefile.org
++++ openssl-1.0.2i/Makefile.org
+@@ -281,17 +281,17 @@
  build_libssl: build_ssl libssl.pc
  
  build_crypto:
@@ -96,7 +96,7 @@
  
  all_testapps: build_libs build_testapps
  build_testapps:
-@@ -544,7 +544,7 @@
+@@ -547,7 +547,7 @@
  	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
  	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
  	done;
@@ -105,8 +105,8 @@
  	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
  	do \
  		if [ -f "$$i" ]; then \
---- openssl-1.0.2g/Makefile.shared
-+++ openssl-1.0.2g/Makefile.shared
+--- openssl-1.0.2i/Makefile.shared
++++ openssl-1.0.2i/Makefile.shared
 @@ -105,6 +105,7 @@
      SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
      LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
@@ -123,9 +123,9 @@
  			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
  			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
  		fi; \
---- openssl-1.0.2g/test/Makefile
-+++ openssl-1.0.2g/test/Makefile
-@@ -139,7 +139,7 @@
+--- openssl-1.0.2i/test/Makefile
++++ openssl-1.0.2i/test/Makefile
+@@ -144,7 +144,7 @@
  tags:
  	ctags $(SRC)
  
@@ -134,7 +134,7 @@
  
  apps:
  	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -421,130 +421,130 @@
+@@ -435,136 +435,136 @@
  		link_app.$${shlib_target}
  
  $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
@@ -301,13 +301,21 @@
 -	@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
 +	+@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
  
+ $(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
+-	@target=$(BADDTLSTEST) $(BUILD_CMD)
++	+@target=$(BADDTLSTEST) $(BUILD_CMD)
+ 
  $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
 -	@target=$(SSLV2CONFTEST) $(BUILD_CMD)
 +	+@target=$(SSLV2CONFTEST) $(BUILD_CMD)
  
+ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
+-	@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
++	+@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
+ 
  #$(AESTEST).o: $(AESTEST).c
  #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -557,7 +557,7 @@
+@@ -577,7 +577,7 @@
  #	fi
  
  dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml

@@ -8,8 +8,9 @@
 <use>
  <flag name="asm">Support assembly hand optimized crypto functions (i.e. faster run time)</flag>
  <flag name="bindist">Disable EC algorithms (as they seem to be patented) -- note: changes the ABI</flag>
- <flag name="sctp">Support for Stream Control Transmission Protocol</flag>
  <flag name="rfc3779">Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)</flag>
+ <flag name="sslv2">Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https</flag>
+ <flag name="sslv3">Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https</flag>
  <flag name="tls-heartbeat">Enable the Heartbeat Extension in TLS and DTLS</flag>
 </use>
 <upstream>
@@ -20,5 +21,6 @@
   that provides headers and command line tools.</slot>
  <slot name="0.9.8">For binary compatibility, provides libcrypto.so.0.9.8
   and libssl.so.0.9.8 only.</slot>
+ <subslots>Reflect ABI of libcrypto.so and libssl.so.</subslots>
 </slots>
 </pkgmetadata>

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2j.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
-EAPI=5
+EAPI="5"
 
 inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
 
@@ -13,8 +13,9 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
 
 LICENSE="openssl"
 SLOT="0"
-KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
 
 RDEPEND=">=app-misc/c_rehash-1.7-r1
 	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
@@ -45,8 +46,7 @@ src_prepare() {
 
 	if ! use vanilla ; then
 		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2g-parallel-build.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
 		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
 		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
 		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
@@ -105,6 +105,13 @@ multilib_src_configure() {
 
 	tc-export CC AR RANLIB RC
 
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
+
 	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
 	echoit() { echo "$@" ; "$@" ; }
 
@@ -114,9 +121,11 @@ multilib_src_configure() {
 	# friendly and can use the nicely optimized code paths. #460790
 	local ec_nistp_64_gcc_128
 	# Disable it for now though #469976
-	#echo "__uint128_t i;" > "${T}"/128.c
-	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
 	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
 	#fi
 
 	local sslout=$(./gentoo.config)
@@ -129,17 +138,19 @@ multilib_src_configure() {
 		${sslout} \
 		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
 		enable-camellia \
+		$(use_ssl !bindist ec) \
 		${ec_nistp_64_gcc_128} \
 		enable-idea \
 		enable-mdc2 \
 		enable-rc5 \
 		enable-tlsext \
-		enable-ssl2 \
 		$(use_ssl asm) \
 		$(use_ssl gmp gmp -lgmp) \
 		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
 		$(use_ssl rfc3779) \
 		$(use_ssl sctp) \
+		$(use_ssl sslv2 ssl2) \
+		$(use_ssl sslv3 ssl3) \
 		$(use_ssl tls-heartbeat heartbeats) \
 		$(use_ssl zlib) \
 		--prefix="${EPREFIX}"/usr \
@@ -230,3 +241,9 @@ multilib_src_install_all() {
 	diropts -m0700
 	keepdir ${SSL_CNF_DIR}/private
 }
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}