Merge pull request #1784 from marineam/openssl-ec

openssl: remove bindist restriction and enable ec algorithms

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2

@@ -108,8 +108,13 @@ linux)
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
 		sh*)          machine="generic32 -DL_ENDIAN";;
+		# TODO: Might want to do -mcpu probing like glibc to determine a
+		# better default for sparc-linux-gnu targets.  This logic will
+		# break v7 and older systems when they use it.
 		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
-		sparc64*)     machine=sparcv9;;
+		sparc64*)     machine=sparcv9 system=linux64;;
+		sparc*v9*)    machine=sparcv9;;
+		sparc*v8*)    machine=sparcv8;;
 		sparc*)       machine=sparcv8;;
 		s390x*)       machine=s390x system=linux64;;
 		s390*)        machine="generic32 -DB_ENDIAN";;

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2f-r1.ebuild

@@ -1,8 +1,8 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
-EAPI="4"
+EAPI=5
 
 inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
 
@@ -13,9 +13,8 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
 
 LICENSE="openssl"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
 
 # The blocks are temporary just to make sure people upgrade to a
 # version that lack runtime version checking.  We'll drop them in
@@ -115,13 +114,6 @@ multilib_src_configure() {
 
 	tc-export CC AR RANLIB RC
 
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
 	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
 	echoit() { echo "$@" ; "$@" ; }
 
@@ -131,11 +123,9 @@ multilib_src_configure() {
 	# friendly and can use the nicely optimized code paths. #460790
 	local ec_nistp_64_gcc_128
 	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
 	#	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
 	#fi
 
 	local sslout=$(./gentoo.config)
@@ -148,7 +138,6 @@ multilib_src_configure() {
 		${sslout} \
 		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
 		enable-camellia \
-		$(use_ssl !bindist ec) \
 		${ec_nistp_64_gcc_128} \
 		enable-idea \
 		enable-mdc2 \
@@ -249,17 +238,3 @@ multilib_src_install_all() {
 	diropts -m0700
 	keepdir ${SSL_CNF_DIR}/private
 }
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r4.ebuild

@@ -30,7 +30,7 @@ LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
+IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
 REQUIRED_USE="ldns? ( ssl )
 	pie? ( !static )
 	ssh1? ( ssl )
@@ -38,18 +38,14 @@ REQUIRED_USE="ldns? ( ssl )
 	X509? ( !ldap ssl )"
 
 LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
+	ldns? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
 	libedit? ( dev-libs/libedit[static-libs(+)] )
 	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
 	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
 	ssl? (
 		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
+			>=dev-libs/openssl-0.9.8f:0[-bindist(-)]
 			dev-libs/openssl:0[static-libs(+)]
 		)
 		libressl? ( dev-libs/libressl[static-libs(+)] )

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -80,11 +80,6 @@ dev-util/checkbashisms
 # https://github.com/golang/go/issues?q=milestone%3AGo1.4.3
 =dev-lang/go-1.4.3 ~amd64
 
-# 1.0.2e contains some security fixes.
-# https://bugs.gentoo.org/show_bug.cgi?id=567476
-=app-misc/c_rehash-1.7-r1 ~amd64 ~arm64
-=dev-libs/openssl-1.0.2f ~amd64 ~arm64
-
 # newer btrfs-progs improve things like preserving capabilities in send/receive
 # https://github.com/coreos/bugs/issues/923
 =sys-fs/btrfs-progs-4.2.2 ~amd64 ~arm64