From 1f0ce56f2a3b991449d4e22b1d26b5bbc1c31451 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Mon, 22 Feb 2016 19:40:40 -0800
Subject: [PATCH 1/3] openssl: sync up with upstream Just minor stuff like keywords.
---
 .../dev-libs/openssl/files/gentoo.config-1.0.2 | 7 ++++++-
 .../coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild | 6 +++---
 .../profiles/coreos/base/package.accept_keywords | 5 -----
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2
index b3f6cedfbe..0528c1c15b 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -108,8 +108,13 @@ linux)
 # sh64*) machine=elf;;
 sh*b*) machine="generic32 -DB_ENDIAN";;
 sh*) machine="generic32 -DL_ENDIAN";;
+ # TODO: Might want to do -mcpu probing like glibc to determine a
+ # better default for sparc-linux-gnu targets. This logic will
+ # break v7 and older systems when they use it.
 sparc*v7*) machine="generic32 -DB_ENDIAN";;
- sparc64*) machine=sparcv9;;
+ sparc64*) machine=sparcv9 system=linux64;;
+ sparc*v9*) machine=sparcv9;;
+ sparc*v8*) machine=sparcv8;;
 sparc*) machine=sparcv8;;
 s390x*) machine=s390x system=linux64;;
 s390*) machine="generic32 -DB_ENDIAN";;
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild
index e8c229f66f..a7c3eb620a 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild
@@ -1,8 +1,8 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
-EAPI="4"
+EAPI=5
 inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
@@ -13,7 +13,7 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
 LICENSE="openssl"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
 IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
 RESTRICT="!bindist? ( bindist )"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 8117e3c02d..a1745326aa 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -80,11 +80,6 @@ dev-util/checkbashisms
 # https://github.com/golang/go/issues?q=milestone%3AGo1.4.3
 =dev-lang/go-1.4.3 ~amd64
-# 1.0.2e contains some security fixes.
-# https://bugs.gentoo.org/show_bug.cgi?id=567476
-=app-misc/c_rehash-1.7-r1 ~amd64 ~arm64
-=dev-libs/openssl-1.0.2f ~amd64 ~arm64
-
 # newer btrfs-progs improve things like preserving capabilities in send/receive
 # https://github.com/coreos/bugs/issues/923
 =sys-fs/btrfs-progs-4.2.2 ~amd64 ~arm64
From 39cd9a9b1fa971942b65b6f3c56c245f226df1f2 Mon Sep 17 00:00:00 2001
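Review bot: The KEYWORDS hunk in openssl-1.0.2f.ebuild stabilises only openssl, yet the package.accept_keywords hunk of the same patch also drops `=app-misc/c_rehash-1.7-r1 ~amd64 ~arm64`, and no c_rehash ebuild appears in the diffstat. If c_rehash-1.7-r1 is still keyworded `~amd64 ~arm64` in its own ebuild, this profile no longer accepts it, and the resolver may select an older c_rehash or fail to resolve. That is worth confirming, because the removed comment says the pair was pinned for security fixes. If c_rehash is not stable, keep its line under the existing comment: `=app-misc/c_rehash-1.7-r1 ~amd64 ~arm64`.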
From: Michael Marineau
Date: Mon, 22 Feb 2016 20:01:59 -0800
Subject: [PATCH 2/3] openssl: drop 0.9.8 migration I am dubious of the call to c_rehash in there but we don't need any of the 0.9.8 migration stuff anyway so just drop it all.
---
 ...nssl-1.0.2f.ebuild => openssl-1.0.2f-r1.ebuild} | 14 --------------
 1 file changed, 14 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/{openssl-1.0.2f.ebuild => openssl-1.0.2f-r1.ebuild} (95%)
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
similarity index 95%
rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild
rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
index a7c3eb620a..1edef54bc3 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
@@ -249,17 +249,3 @@ multilib_src_install_all() {
 diropts -m0700
 keepdir ${SSL_CNF_DIR}/private
 }
-
-pkg_preinst() {
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
From 3aff3aeae23bd912654de8de0beb833cdbc09ea0 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Mon, 22 Feb 2016 19:56:43 -0800
Subject: [PATCH 3/3] openssl: remove bindist restriction and enable ec algorithms The bindist use flag can also be dropped from openssh, now it always requires an openssl build with 'bindist' missing or unset.
---
 .../dev-libs/openssl/openssl-1.0.2f-r1.ebuild | 19 ++++---------------
 .../net-misc/openssh/openssh-7.1_p1-r4.ebuild | 10 +++-------
 2 files changed, 7 insertions(+), 22 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
index 1edef54bc3..8fed425eff 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
@@ -14,8 +14,7 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
 LICENSE="openssl"
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
+IUSE="+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
 # The blocks are temporary just to make sure people upgrade to a
 # version that lack runtime version checking. We'll drop them in
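Review bot: Nothing in the ebuild records that dropping `bindist` from IUSE and removing `RESTRICT="!bindist? ( bindist )"` is a deliberate local divergence. PATCH 1/3 of this series shows the file gets re-synced from upstream, so a later sync could silently bring the flag back, together with the `$(use_ssl !bindist ec)` configure switch that this patch removes further down. A one-line marker above IUSE would make the intent visible, for example `# CoreOS: bindist removed on purpose, EC is always built; net-misc/openssh depends on openssl[-bindist(-)].` The rewritten IUSE line also keeps `+tls-heartbeat` default-on; if nothing in the image needs the TLS heartbeat extension, dropping the `+` would reduce the exposed protocol surface.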
@@ -115,13 +114,6 @@ multilib_src_configure() {
 tc-export CC AR RANLIB RC
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired http://en.wikipedia.org/wiki/RC5
-
 use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
 echoit() { echo "$@" ; "$@" ; }
@@ -131,11 +123,9 @@ multilib_src_configure() {
 # friendly and can use the nicely optimized code paths. #460790
 local ec_nistp_64_gcc_128
 # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
 #fi
 local sslout=$(./gentoo.config)
@@ -148,7 +138,6 @@ multilib_src_configure() {
 ${sslout} \
 $(use cpu_flags_x86_sse2 || echo "no-sse2") \
 enable-camellia \
- $(use_ssl !bindist ec) \
 ${ec_nistp_64_gcc_128} \
 enable-idea \
 enable-mdc2 \
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r4.ebuild
index 7ff7f87803..54c2f25e50 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r4.ebuild
@@ -30,7 +30,7 @@ LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
+IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
 REQUIRED_USE="ldns? ( ssl )
 pie? ( !static )
 ssh1? ( ssl )
@@ -38,18 +38,14 @@ REQUIRED_USE="ldns? ( ssl )
 X509? ( !ldap ssl )"
 LIB_DEPEND="
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
+ ldns? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
 libedit? ( dev-libs/libedit[static-libs(+)] )
 sctp? ( net-misc/lksctp-tools[static-libs(+)] )
 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
 ssl? (
 !libressl? (
- >=dev-libs/openssl-0.9.8f:0[bindist=]
+ >=dev-libs/openssl-0.9.8f:0[-bindist(-)]
 dev-libs/openssl:0[static-libs(+)]
 )
 libressl? ( dev-libs/libressl[static-libs(+)] )
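Review bot: openssh-7.1_p1-r4.ebuild is edited in place (the diff header carries the same file name on both sides) although both its IUSE and LIB_DEPEND change here, whereas the openssl ebuild was renamed to -r1 in PATCH 2/3. Without a revision bump, an openssh binary package or installation built earlier with `bindist` set may still be treated as current, depending on how the build invokes emerge, and would presumably still lack ECDSA support. Renaming the file to `openssh-7.1_p1-r5.ebuild` in this patch would force the rebuild. The new atom `>=dev-libs/openssl-0.9.8f:0[-bindist(-)]` looks consistent with the flag's removal on the openssl side, since `(-)` treats a missing flag as disabled.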