diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest index 00fa5591c1..860cf1106d 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest @@ -1,3 +1,2 @@ -DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 -DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6 -DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32 +DIST openssl-1.1.1e-bindist-1.0.tar.xz 16948 BLAKE2B 78e034f1d263cbf5e57c92393f72acd07e86e39a5511a8852bad151371430954e07d787fd82cca55b373d1579bb22b9d29c9d677104ed68291a9d2dffe3ffbbb SHA512 0dbfb378b8f2724db82915e17fd4e43977e3e45030db25cdb9241c0ab842e41ef3d597ef71c4db5103635752dc2059ea6022597511a440f55fb56a5a52d3ccea +DIST openssl-1.1.1g.tar.gz 9801502 BLAKE2B 5e3dd4725ff89b959a5436d64b521317c6ffeb377418cc24c6d1927fab923423cb5f5fce2f9c2cdee597041c7be156d09668a5fd13dc6ff06d235a83db94cf19 SHA512 01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch deleted file mode 100644 index 3a005c9b09..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch +++ /dev/null @@ -1,43 +0,0 @@ -https://rt.openssl.org/Ticket/Display.html?id=3759&user=guest&pass=guest - -From 6257d59b3a68d2feb9d64317a1c556dc3813ee61 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger -Date: Sat, 21 Mar 2015 06:01:25 -0400 -Subject: [PATCH] crypto: use bigint in x86-64 perl - -When building on x32 systems where the default type is 32bit, make sure -we can transparently represent 64bit integers. Otherwise we end up with -build errors like: -/usr/bin/perl asm/ghash-x86_64.pl elf > ghash-x86_64.s -Integer overflow in hexadecimal number at asm/../../perlasm/x86_64-xlate.pl line 201, <> line 890. -... -ghash-x86_64.s: Assembler messages: -ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression - -We don't enable this globally as there are some cases where we'd get -32bit values interpreted as unsigned when we need them as signed. - -Reported-by: Bertrand Jacquin -URL: https://bugs.gentoo.org/542618 ---- - crypto/perlasm/x86_64-xlate.pl | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl -index aae8288..0bf9774 100755 ---- a/crypto/perlasm/x86_64-xlate.pl -+++ b/crypto/perlasm/x86_64-xlate.pl -@@ -195,6 +195,10 @@ my %globals; - sub out { - my $self = shift; - -+ # When building on x32 ABIs, the expanded hex value might be too -+ # big to fit into 32bits. Enable transparent 64bit support here -+ # so we can safely print it out. -+ use bigint; - if ($gas) { - # Solaris /usr/ccs/bin/as can't handle multiplications - # in $self->{value} --- -2.3.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch deleted file mode 100644 index 3a458a7836..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch +++ /dev/null @@ -1,283 +0,0 @@ -Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series. - -From https://src.fedoraproject.org/git/rpms/openssl.git - -Contains parts of the following patches, rediffed. The patches are on various -different branches. -f23 openssl-1.0.2c-ecc-suiteb.patch -f23 openssl-1.0.2a-fips-ec.patch -f28 openssl-1.1.0-ec-curves.patch - -Signed-off-By: Robin H. Johnson - ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv) - } else - # endif - # ifndef OPENSSL_NO_ECDSA -- if (strcmp(*argv, "ecdsap160") == 0) -- ecdsa_doit[R_EC_P160] = 2; -- else if (strcmp(*argv, "ecdsap192") == 0) -- ecdsa_doit[R_EC_P192] = 2; -+ if (0) {} - else if (strcmp(*argv, "ecdsap224") == 0) - ecdsa_doit[R_EC_P224] = 2; - else if (strcmp(*argv, "ecdsap256") == 0) -@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv) - ecdsa_doit[R_EC_P384] = 2; - else if (strcmp(*argv, "ecdsap521") == 0) - ecdsa_doit[R_EC_P521] = 2; -- else if (strcmp(*argv, "ecdsak163") == 0) -- ecdsa_doit[R_EC_K163] = 2; -- else if (strcmp(*argv, "ecdsak233") == 0) -- ecdsa_doit[R_EC_K233] = 2; -- else if (strcmp(*argv, "ecdsak283") == 0) -- ecdsa_doit[R_EC_K283] = 2; -- else if (strcmp(*argv, "ecdsak409") == 0) -- ecdsa_doit[R_EC_K409] = 2; -- else if (strcmp(*argv, "ecdsak571") == 0) -- ecdsa_doit[R_EC_K571] = 2; -- else if (strcmp(*argv, "ecdsab163") == 0) -- ecdsa_doit[R_EC_B163] = 2; -- else if (strcmp(*argv, "ecdsab233") == 0) -- ecdsa_doit[R_EC_B233] = 2; -- else if (strcmp(*argv, "ecdsab283") == 0) -- ecdsa_doit[R_EC_B283] = 2; -- else if (strcmp(*argv, "ecdsab409") == 0) -- ecdsa_doit[R_EC_B409] = 2; -- else if (strcmp(*argv, "ecdsab571") == 0) -- ecdsa_doit[R_EC_B571] = 2; - else if (strcmp(*argv, "ecdsa") == 0) { -- for (i = 0; i < EC_NUM; i++) -+ for (i = R_EC_P224; i < R_EC_P521; i++) - ecdsa_doit[i] = 1; - } else - # endif - # ifndef OPENSSL_NO_ECDH -- if (strcmp(*argv, "ecdhp160") == 0) -- ecdh_doit[R_EC_P160] = 2; -- else if (strcmp(*argv, "ecdhp192") == 0) -- ecdh_doit[R_EC_P192] = 2; -+ if (0) {} - else if (strcmp(*argv, "ecdhp224") == 0) - ecdh_doit[R_EC_P224] = 2; - else if (strcmp(*argv, "ecdhp256") == 0) -@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv) - ecdh_doit[R_EC_P384] = 2; - else if (strcmp(*argv, "ecdhp521") == 0) - ecdh_doit[R_EC_P521] = 2; -- else if (strcmp(*argv, "ecdhk163") == 0) -- ecdh_doit[R_EC_K163] = 2; -- else if (strcmp(*argv, "ecdhk233") == 0) -- ecdh_doit[R_EC_K233] = 2; -- else if (strcmp(*argv, "ecdhk283") == 0) -- ecdh_doit[R_EC_K283] = 2; -- else if (strcmp(*argv, "ecdhk409") == 0) -- ecdh_doit[R_EC_K409] = 2; -- else if (strcmp(*argv, "ecdhk571") == 0) -- ecdh_doit[R_EC_K571] = 2; -- else if (strcmp(*argv, "ecdhb163") == 0) -- ecdh_doit[R_EC_B163] = 2; -- else if (strcmp(*argv, "ecdhb233") == 0) -- ecdh_doit[R_EC_B233] = 2; -- else if (strcmp(*argv, "ecdhb283") == 0) -- ecdh_doit[R_EC_B283] = 2; -- else if (strcmp(*argv, "ecdhb409") == 0) -- ecdh_doit[R_EC_B409] = 2; -- else if (strcmp(*argv, "ecdhb571") == 0) -- ecdh_doit[R_EC_B571] = 2; - else if (strcmp(*argv, "ecdh") == 0) { -- for (i = 0; i < EC_NUM; i++) -+ for (i = R_EC_P224; i <= R_EC_P521; i++) - ecdh_doit[i] = 1; - } else - # endif -@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv) - BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n"); - # endif - # ifndef OPENSSL_NO_ECDSA -- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 " -+ BIO_printf(bio_err, "ecdsap224 " - "ecdsap256 ecdsap384 ecdsap521\n"); -- BIO_printf(bio_err, -- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n"); -- BIO_printf(bio_err, -- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n"); - BIO_printf(bio_err, "ecdsa\n"); - # endif - # ifndef OPENSSL_NO_ECDH -- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 " -+ BIO_printf(bio_err, "ecdhp224 " - "ecdhp256 ecdhp384 ecdhp521\n"); -- BIO_printf(bio_err, -- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n"); -- BIO_printf(bio_err, -- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n"); - BIO_printf(bio_err, "ecdh\n"); - # endif - -@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv) - for (i = 0; i < DSA_NUM; i++) - dsa_doit[i] = 1; - # ifndef OPENSSL_NO_ECDSA -- for (i = 0; i < EC_NUM; i++) -+ for (i = R_EC_P224; i <= R_EC_P521; i++) - ecdsa_doit[i] = 1; - # endif - # ifndef OPENSSL_NO_ECDH -- for (i = 0; i < EC_NUM; i++) -+ for (i = R_EC_P224; i <= R_EC_P521; i++) - ecdh_doit[i] = 1; - # endif - } ---- a/crypto/ec/ecp_smpl.c -+++ b/crypto/ec/ecp_smpl.c -@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, - return 0; - } - -+ if (BN_num_bits(p) < 224) { -+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -+ return 0; -+ } -+ - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) ---- a/crypto/ecdh/ecdhtest.c -+++ b/crypto/ecdh/ecdhtest.c -@@ -501,11 +501,13 @@ int main(int argc, char *argv[]) - goto err; - - /* NIST PRIME CURVES TESTS */ -+# if 0 - if (!test_ecdh_curve - (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) - goto err; - if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) - goto err; -+# endif - if (!test_ecdh_curve - (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) - goto err; -@@ -536,13 +538,14 @@ int main(int argc, char *argv[]) - if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) - goto err; - # endif -+# if 0 - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256)) - goto err; - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384)) - goto err; - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512)) - goto err; -- -+# endif - ret = 0; - - err: ---- a/crypto/ecdsa/ecdsatest.c -+++ b/crypto/ecdsa/ecdsatest.c -@@ -138,9 +138,12 @@ int restore_rand(void) - } - - static int fbytes_counter = 0, use_fake = 0; --static const char *numbers[8] = { -+static const char *numbers[10] = { -+ "651056770906015076056810763456358567190100156695615665659", - "651056770906015076056810763456358567190100156695615665659", - "6140507067065001063065065565667405560006161556565665656654", -+ "8763001015071075675010661307616710783570106710677817767166" -+ "71676178726717", - "8763001015071075675010661307616710783570106710677817767166" - "71676178726717", - "7000000175690566466555057817571571075705015757757057795755" -@@ -163,7 +166,7 @@ int fbytes(unsigned char *buf, int num) - - use_fake = 0; - -- if (fbytes_counter >= 8) -+ if (fbytes_counter >= 10) - return 0; - tmp = BN_new(); - if (!tmp) -@@ -539,8 +542,10 @@ int main(void) - RAND_seed(rnd_seed, sizeof(rnd_seed)); - - /* the tests */ -+# if 0 - if (!x9_62_tests(out)) - goto err; -+# endif - if (!test_builtin(out)) - goto err; - ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto[] = { - 0, 23, /* secp256r1 (23) */ - /* Other >= 256-bit prime curves. */ - 0, 25, /* secp521r1 (25) */ -- 0, 28, /* brainpool512r1 (28) */ -- 0, 27, /* brainpoolP384r1 (27) */ - 0, 24, /* secp384r1 (24) */ -- 0, 26, /* brainpoolP256r1 (26) */ - 0, 22, /* secp256k1 (22) */ - # ifndef OPENSSL_NO_EC2M - /* >= 256-bit binary curves. */ -@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[] = { - 0, 23, /* secp256r1 (23) */ - /* Other >= 256-bit prime curves. */ - 0, 25, /* secp521r1 (25) */ -- 0, 28, /* brainpool512r1 (28) */ -- 0, 27, /* brainpoolP384r1 (27) */ - 0, 24, /* secp384r1 (24) */ -- 0, 26, /* brainpoolP256r1 (26) */ - 0, 22, /* secp256k1 (22) */ - # ifndef OPENSSL_NO_EC2M - /* >= 256-bit binary curves. */ -@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[] = { - * Remaining curves disabled by default but still permitted if set - * via an explicit callback or parameters. - */ -- 0, 20, /* secp224k1 (20) */ -- 0, 21, /* secp224r1 (21) */ -- 0, 18, /* secp192k1 (18) */ -- 0, 19, /* secp192r1 (19) */ -- 0, 15, /* secp160k1 (15) */ -- 0, 16, /* secp160r1 (16) */ -- 0, 17, /* secp160r2 (17) */ - # ifndef OPENSSL_NO_EC2M - 0, 8, /* sect239k1 (8) */ - 0, 6, /* sect233k1 (6) */ -@@ -351,29 +338,21 @@ static const unsigned char fips_curves_default[] = { - 0, 9, /* sect283k1 (9) */ - 0, 10, /* sect283r1 (10) */ - # endif -- 0, 22, /* secp256k1 (22) */ - 0, 23, /* secp256r1 (23) */ - # ifndef OPENSSL_NO_EC2M - 0, 8, /* sect239k1 (8) */ - 0, 6, /* sect233k1 (6) */ - 0, 7, /* sect233r1 (7) */ - # endif -- 0, 20, /* secp224k1 (20) */ -- 0, 21, /* secp224r1 (21) */ - # ifndef OPENSSL_NO_EC2M - 0, 4, /* sect193r1 (4) */ - 0, 5, /* sect193r2 (5) */ - # endif -- 0, 18, /* secp192k1 (18) */ -- 0, 19, /* secp192r1 (19) */ - # ifndef OPENSSL_NO_EC2M - 0, 1, /* sect163k1 (1) */ - 0, 2, /* sect163r1 (2) */ - 0, 3, /* sect163r2 (3) */ - # endif -- 0, 15, /* secp160k1 (15) */ -- 0, 16, /* secp160r1 (16) */ -- 0, 17, /* secp160r2 (17) */ - }; - # endif - diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch new file mode 100644 index 0000000000..c837e208cf --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch @@ -0,0 +1,21 @@ +https://github.com/openssl/openssl/issues/7679 + +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -77,8 +77,14 @@ + # to. You're welcome. + sub dependmagic { + my $target = shift; +- +- return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target"; ++ my $magic = <<"_____"; ++$target: build_generated depend ++ \$(MAKE) _$target ++_$target ++_____ ++ # Remove line ending ++ $magic =~ s|\R$||; ++ return $magic; + } + ''; + -} diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf deleted file mode 100644 index ce86101ce7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf +++ /dev/null @@ -1,3 +0,0 @@ -d /etc/ssl - - - - - -d /etc/ssl/private 0700 - - - - -L /etc/ssl/openssl.cnf - - - - ../../usr/share/ssl/openssl.cnf diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2u.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1g.ebuild similarity index 69% rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2u.ebuild rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1g.ebuild index 8897acef02..7a3f675be5 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2u.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1g.ebuild @@ -3,23 +3,18 @@ EAPI="7" -inherit flag-o-matic toolchain-funcs multilib multilib-minimal systemd - -# openssl-1.0.2-patches-1.6 contain additional CVE patches -# which got fixed with this release. -# Please use 1.7 version number when rolling a new tarball! -PATCH_SET="openssl-1.0.2-patches-1.5" +inherit flag-o-matic toolchain-funcs multilib multilib-minimal MY_P=${P/_/-} -# This patch set is based on the following files from Fedora 25, -# see https://src.fedoraproject.org/rpms/openssl/blob/25/f/openssl.spec +# This patch set is based on the following files from Fedora 31, +# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec # for more details: # - hobble-openssl (SOURCE1) # - ec_curve.c (SOURCE12) -- MODIFIED # - ectest.c (SOURCE13) # - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED -BINDIST_PATCH_SET="openssl-1.0.2t-bindist-1.0.tar.xz" +BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz" DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" HOMEPAGE="https://www.openssl.org/" @@ -27,24 +22,17 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz bindist? ( mirror://gentoo/${BINDIST_PATCH_SET} https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET} - ) - !vanilla? ( - mirror://gentoo/${PATCH_SET}.tar.xz - https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz - https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz )" LICENSE="openssl" -SLOT="0" +SLOT="0/1.1" # .so version of libssl/libcrypto +[[ "${PV}" = *_pre* ]] || \ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux" -IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib" +IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib" RESTRICT="!bindist? ( bindist ) !test? ( test )" RDEPEND=">=app-misc/c_rehash-1.7-r1 - gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) - kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )" DEPEND="${RDEPEND}" BDEPEND=" @@ -53,29 +41,64 @@ BDEPEND=" test? ( sys-apps/diffutils sys-devel/bc + sys-process/procps )" PDEPEND="app-misc/ca-certificates" +PATCHES=( + "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602 +) + S="${WORKDIR}/${MY_P}" +# force upgrade to prevent broken login, bug 696950 +RDEPEND+=" !/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + src_prepare() { + # allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die + chmod a+rx gentoo.config || die + if use bindist; then mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die bash "${WORKDIR}"/hobble-openssl || die cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die - cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/crypto/ec/ || die + cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die eapply "${WORKDIR}"/bindist-patches/ec-curves.patch + local known_failing_test + for known_failing_test in \ + 30-test_evp_extra.t \ + 80-test_ssl_new.t \ + ; do + ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist" + rm test/recipes/${known_failing_test} || die + eend $? + done + # Also see the configure parts below: # enable-ec \ # $(use_ssl !bindist ec2m) \ - # $(use_ssl !bindist srp) \ fi # keep this in sync with app-misc/c_rehash @@ -86,46 +109,51 @@ src_prepare() { rm -f Makefile if ! use vanilla ; then - eapply "${WORKDIR}"/patch/*.patch + if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then + [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}" + fi fi - eapply_user + eapply_user #332661 + + if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then + ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox" + rm test/recipes/80-test_ssl_new.t || die + eend $? + fi - # disable fips in the build # make sure the man pages are suffixed #302165 # don't bother building man pages if they're disabled + # Make DOCDIR Gentoo compliant sed -i \ - -e '/DIRS/s: fips : :g' \ -e '/^MANSUFFIX/s:=.*:=ssl:' \ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ -e $(has noman FEATURES \ && echo '/^install:/s:install_docs::' \ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ - Makefile.org \ + -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \ + Configurations/unix-Makefile.tmpl \ || die - # show the actual commands in the log - sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared - - # since we're forcing $(CC) as makedep anyway, just fix - # the conditional as always-on - # helps clang (#417795), and versioned gcc (#499818) - # this breaks build with 1.0.2p, not sure if it is needed anymore - #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die # quiet out unknown driver argument warnings since openssl # doesn't have well-split CFLAGS and we're making it even worse # and 'make depend' uses -Werror for added fun (#417795 again) [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments - # allow openssl to be cross-compiled - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die - chmod a+rx gentoo.config || die - append-flags -fno-strict-aliasing append-flags $(test-flags-CC -Wa,--noexecstack) append-cppflags -DOPENSSL_NO_BUF_FREELISTS - sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 + # Prefixify Configure shebang (#141906) + sed \ + -e "1s,/usr/bin/env,${EPREFIX}&," \ + -i Configure || die + # Remove test target when FEATURES=test isn't set + if ! use test ; then + sed \ + -e '/^$config{dirs}/s@ "test",@@' \ + -i Configure || die + fi # The config script does stupid stuff to prompt the user. Kill it. sed -i '/stty -icanon min 0 time 50; read waste/d' config || die ./config --test-sanity || die "I AM NOT SANE" @@ -163,18 +191,15 @@ multilib_src_configure() { # fi #fi - # https://github.com/openssl/openssl/issues/2286 - if use ia64 ; then - replace-flags -g3 -g2 - replace-flags -ggdb3 -ggdb2 - fi - local sslout=$(./gentoo.config) einfo "Use configuration ${sslout:-(openssl knows best)}" local config="Configure" [[ -z ${sslout} ]] && config="config" - # Fedora hobbled-EC needs 'no-ec2m', 'no-srp' + # Fedora hobbled-EC needs 'no-ec2m' + # 'srp' was restricted until early 2017 as well. + # "disable-deprecated" option breaks too many consumers. + # Don't set it without thorough revdeps testing. # Make sure user flags don't get added *yet* to avoid duplicated # flags. CFLAGS= LDFLAGS= echoit \ @@ -184,19 +209,17 @@ multilib_src_configure() { enable-camellia \ enable-ec \ $(use_ssl !bindist ec2m) \ - $(use_ssl !bindist srp) \ + enable-srp \ + $(use elibc_musl && echo "no-async") \ ${ec_nistp_64_gcc_128} \ enable-idea \ enable-mdc2 \ enable-rc5 \ - enable-tlsext \ + $(use_ssl sslv3 ssl3) \ + $(use_ssl sslv3 ssl3-method) \ $(use_ssl asm) \ - $(use_ssl gmp gmp -lgmp) \ - $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ $(use_ssl rfc3779) \ $(use_ssl sctp) \ - $(use_ssl sslv2 ssl2) \ - $(use_ssl sslv3 ssl3) \ $(use_ssl tls-heartbeat heartbeats) \ $(use_ssl zlib) \ --prefix="${EPREFIX}"/usr \ @@ -206,8 +229,8 @@ multilib_src_configure() { || die # Clean out hardcoded flags that openssl uses - local DEFAULT_CFLAGS=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ - -e 's:^CFLAG=::' \ + local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \ + -e 's:^CFLAGS=::' \ -e 's:\(^\| \)-fomit-frame-pointer::g' \ -e 's:\(^\| \)-O[^ ]*::g' \ -e 's:\(^\| \)-march=[^ ]*::g' \ @@ -221,7 +244,7 @@ multilib_src_configure() { # Now insert clean default flags with user flags sed -i \ - -e "/^CFLAG/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ + -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \ Makefile || die } @@ -229,11 +252,8 @@ multilib_src_configure() { multilib_src_compile() { # depend is needed to use $confopts; it also doesn't matter # that it's -j1 as the code itself serializes subdirs - emake -j1 V=1 depend + emake -j1 depend emake all - # rehash is needed to prep the certs/ dir; do this - # separately to avoid parallel build issues. - emake rehash } multilib_src_test() { @@ -247,7 +267,7 @@ multilib_src_install() { mkdir "${ED}"/usr || die fi - emake INSTALL_PREFIX="${D}" install + emake DESTDIR="${D}" install } multilib_src_install_all() { @@ -255,10 +275,7 @@ multilib_src_install_all() { # we provide a shell version via app-misc/c_rehash rm "${ED}"/usr/bin/c_rehash || die - local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el ) - einstalldocs - - use rfc3779 && dodoc engines/ccgost/README.gost + dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el # This is crappy in that the static archives are still built even # when USE=static-libs. But this is due to a failing in the openssl @@ -267,8 +284,11 @@ multilib_src_install_all() { # twice; once with shared lib support enabled and once without. use static-libs || rm -f "${ED}"/usr/lib*/lib*.a + # create the certs directory + keepdir ${SSL_CNF_DIR}/certs + # Namespace openssl programs to prevent conflicts with other man pages - cd "${ED}"/usr/share/man + cd "${ED}"/usr/share/man || die local m d s for m in $(find . -type f | xargs grep -L '#include') ; do d=${m%/*} ; d=${d#./} ; m=${m##*/} @@ -283,6 +303,7 @@ multilib_src_install_all() { for s in $(find -L ${d} -type l) ; do s=${s##*/} rm -f ${d}/${s} + # We don't want to "|| die" here ln -s ssl-${m} ${d}/ssl-${s} ln -s ssl-${s} ${d}/openssl-${s} done @@ -292,15 +313,12 @@ multilib_src_install_all() { dodir /etc/sandbox.d #254521 echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - # Don't keep the sample CA files and their ilk in /etc. - rm -r "${ED}"${SSL_CNF_DIR} - - # Save the default openssl.cnf in /usr and link it into place. - dodir /usr/share/ssl - insinto /usr/share/ssl - doins "${S}"/apps/openssl.cnf - systemd_dotmpfilesd "${FILESDIR}"/openssl.conf - - # Package the tmpfiles.d setup for SDK bootstrapping. - systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_postinst() { + ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069" + c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null + eend $? }