dev-libs/openssl: add Fedora Hobbled-EC.
As resolved in the Foundation Trustees meeting 2017/10/22, and the Licensing team, Fedora's Hobbled-EC patchset is added for USE=bindist in OpenSSL 1.1 series. This provides the subset of Elliptic Curve Cryptography that Fedora & RedHat believe to be free of patent concerns at this time, and use for their RPMs. The patch disables or modifies: - some Elliptic Curves - some EC methods - code that interacts with the above. OpenSSL 1.1 is still in package.mask at this time, and a 1.0 version of this patch will follow soon. Upstream: https://src.fedoraproject.org/cgit/rpms/openssl.git Bug: https://bugs.gentoo.org/531540 Package-Manager: Portage-2.3.8, Repoman-2.3.3 Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Showing
3 changed files
with
288 additions
and
1 deletion.
@@ -1,4 +1,9 @@ | ||
DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf | ||
DIST openssl-1.0.2k.tar.gz 5309236 SHA256 6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0 SHA512 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016 WHIRLPOOL ffa3d89a078db6829f1fff21779a19c87e059600162e6d7d3114b8440ba5fa7d1a08e04594b6ed8ab47e148782de299d7ec338f2ba2d466bf7737b0749f590cd | ||
DIST openssl-1.0.2l.tar.gz 5365054 SHA256 ce07195b659e75f4e1db43552860070061f156a98bb37b672b101ba6e3ddf30c SHA512 047d964508ad6025c79caabd8965efd2416dc026a56183d0ef4de7a0a6769ce8e0b4608a3f8393d326f6d03b26a2b067e6e0c750f35b20be190e595e8290c0e3 WHIRLPOOL fa5b303fd7007eb2b7afe0b6a7d90a6676b738bf39addc1005f15a4664e61e72f9465d5020477abcf6b3e420d46a618e44751ad9e21671c70e5dbe8cdc768bfc | ||
DIST openssl-1.1.0-build.patch 3028 SHA256 c626ac8b34df5d55a7272a741f87f06dc06cc20ac80085048788a2c76c08c25f SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0 WHIRLPOOL 950febb159139b145eb7de5bda1115465fa8551234182e6d15459ab5519213f515b4c3e3a3136d05c440d3eec04a7247461d36c2d45136a6f1963613d5896b3e | ||
DIST openssl-1.1.0-ec-curves.patch 2967 SHA256 da60dfa01ed244cd3f77f60cc2ef479a36e64a58fa5e242aa03647c698cc1a42 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2 WHIRLPOOL e7293ef84f6c36e8e5f5ec8158023fdca484bc9082e73956bd0cc74a17c880350a49799146c855a37f116d743e7c93e54cbe4aa7f70483e235d03687a15a46a5 | ||
DIST openssl-1.1.0f.tar.gz 5278176 SHA256 12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765 SHA512 340ab3f38c90dea346e543b58bc0eff0adede15be212ad20b7cf38718a7f94fab51996da414855c180540f7488b8bd31d8b9a0d04bb19159f735c46d8f6df22c WHIRLPOOL bb4ce1d100c5eb567de0139e4a1c0a2bb1cd308bd014704d6bb796d3fcfc16b91fe69839068944831746e0b937a6ccb234b5cea3b4911fab4283500ed380f0b6 | ||
DIST openssl-1.1.0f_ec_curve.c 18393 SHA256 9dd0e1f422116da45eb16936fbbbe4e4e05e7a8fc0f359594af76e935c37716e SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 WHIRLPOOL 6f43f3b8037f5edf323ea865d1150eaa63ee60f60b512b52e37b752b328855e57eae70c812071caba0f91eeeb379c4dd9574806ba50d5bee38ad3b0e3fe03f55 | ||
DIST openssl-1.1.0f_ectest.c 29907 SHA256 37682adb07ba260339fad3fead87b186fc8c26321a0aad45deefed4c25ad87cb SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae WHIRLPOOL f39da1830f5a6492add40f460af9d85b2fbfac0d5d8ff4eb4ba3cb16e6ff50a030aee38c518d7a06d1167f59030ded5496000793ad4cf2de7ff36f22eeefe7c7 | ||
DIST openssl-1.1.0f_hobble-openssl 1117 SHA256 ab168bd8bf578f7361524f9a12eecbbaf41fd7e2c852a0158aafd3bce9cac569 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 WHIRLPOOL 94537166ad8f5cacba2d30d0b6e4676d896cab157be5891fbeecdb2efa10a322d77e2b35a44ff1d474e860dcece63a8688f9df5edf8fe859bf67b410148ea64a |
@@ -0,0 +1,282 @@ | ||
# Copyright 1999-2017 Gentoo Foundation | ||
# Distributed under the terms of the GNU General Public License v2 | ||
|
||
EAPI=5 | ||
|
||
inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal | ||
|
||
MY_P=${P/_/-} | ||
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" | ||
HOMEPAGE="http://www.openssl.org/" | ||
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" | ||
|
||
LICENSE="openssl" | ||
SLOT="0/1.1" # .so version of libssl/libcrypto | ||
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" | ||
IUSE="+asm bindist rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib" | ||
RESTRICT="!bindist? ( bindist )" | ||
|
||
RDEPEND=">=app-misc/c_rehash-1.7-r1 | ||
zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )" | ||
DEPEND="${RDEPEND} | ||
>=dev-lang/perl-5 | ||
sctp? ( >=net-misc/lksctp-tools-1.0.12 ) | ||
test? ( | ||
sys-apps/diffutils | ||
sys-devel/bc | ||
)" | ||
PDEPEND="app-misc/ca-certificates" | ||
|
||
# This does not copy the entire Fedora patchset, but JUST the parts that | ||
# are needed to make it safe to use EC with RESTRICT=bindist. | ||
# See openssl.spec for the matching numbering of SourceNNN, PatchNNN | ||
SOURCE1=hobble-openssl | ||
SOURCE12=ec_curve.c | ||
SOURCE13=ectest.c | ||
PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC | ||
PATCH37=openssl-1.1.0-ec-curves.patch | ||
FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/' | ||
FEDORA_GIT_BRANCH='f27' | ||
FEDORA_SRC_URI=() | ||
FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 ) | ||
FEDORA_PATCH=( $PATCH1 $PATCH37 ) | ||
for i in "${FEDORA_SOURCE[@]}" ; do | ||
FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" ) | ||
done | ||
for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix | ||
FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" ) | ||
done | ||
SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )" | ||
|
||
S="${WORKDIR}/${MY_P}" | ||
|
||
MULTILIB_WRAPPED_HEADERS=( | ||
usr/include/openssl/opensslconf.h | ||
) | ||
|
||
PATCHES=( | ||
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 | ||
) | ||
|
||
src_prepare() { | ||
if use bindist; then | ||
# This just removes the prefix, and puts it into WORKDIR like the RPM. | ||
for i in "${FEDORA_SOURCE[@]}" ; do | ||
cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die | ||
done | ||
# .spec %prep | ||
bash "${WORKDIR}"/"${SOURCE1}" || die | ||
cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die | ||
cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die | ||
for i in "${FEDORA_PATCH[@]}" ; do | ||
epatch "${DISTDIR}"/"${i}" | ||
done | ||
# Also see the configure parts below: | ||
# enable-ec \ | ||
# $(use_ssl !bindist ec2m) \ | ||
|
||
fi | ||
# keep this in sync with app-misc/c_rehash | ||
SSL_CNF_DIR="/etc/ssl" | ||
|
||
# Make sure we only ever touch Makefile.org and avoid patching a file | ||
# that gets blown away anyways by the Configure script in src_configure | ||
rm -f Makefile | ||
|
||
if ! use vanilla ; then | ||
epatch "${PATCHES[@]}" | ||
epatch_user #332661 | ||
fi | ||
|
||
# make sure the man pages are suffixed #302165 | ||
# don't bother building man pages if they're disabled | ||
# Make DOCDIR Gentoo compliant | ||
sed -i \ | ||
-e '/^MANSUFFIX/s:=.*:=ssl:' \ | ||
-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ | ||
-e $(has noman FEATURES \ | ||
&& echo '/^install:/s:install_docs::' \ | ||
|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ | ||
-e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \ | ||
Configurations/unix-Makefile.tmpl \ | ||
|| die | ||
|
||
# show the actual commands in the log | ||
sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared | ||
|
||
# quiet out unknown driver argument warnings since openssl | ||
# doesn't have well-split CFLAGS and we're making it even worse | ||
# and 'make depend' uses -Werror for added fun (#417795 again) | ||
[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments | ||
|
||
# allow openssl to be cross-compiled | ||
cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die | ||
chmod a+rx gentoo.config | ||
|
||
append-flags -fno-strict-aliasing | ||
append-flags $(test-flags-CC -Wa,--noexecstack) | ||
append-cppflags -DOPENSSL_NO_BUF_FREELISTS | ||
|
||
# Prefixify Configure shebang (#141906) | ||
sed \ | ||
-e "1s,/usr/bin/env,${EPREFIX}&," \ | ||
-i Configure || die | ||
# Remove test target when FEATURES=test isn't set | ||
if ! use test ; then | ||
sed \ | ||
-e '/^$config{dirs}/s@ "test",@@' \ | ||
-i Configure || die | ||
fi | ||
# The config script does stupid stuff to prompt the user. Kill it. | ||
sed -i '/stty -icanon min 0 time 50; read waste/d' config || die | ||
./config --test-sanity || die "I AM NOT SANE" | ||
|
||
multilib_copy_sources | ||
} | ||
|
||
multilib_src_configure() { | ||
unset APPS #197996 | ||
unset SCRIPTS #312551 | ||
unset CROSS_COMPILE #311473 | ||
|
||
tc-export CC AR RANLIB RC | ||
|
||
# Clean out patent-or-otherwise-encumbered code | ||
# Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) | ||
# IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm | ||
# EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography | ||
# MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 | ||
# RC5: Expired http://en.wikipedia.org/wiki/RC5 | ||
|
||
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } | ||
echoit() { echo "$@" ; "$@" ; } | ||
|
||
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") | ||
|
||
# See if our toolchain supports __uint128_t. If so, it's 64bit | ||
# friendly and can use the nicely optimized code paths. #460790 | ||
local ec_nistp_64_gcc_128 | ||
# Disable it for now though #469976 | ||
#if ! use bindist ; then | ||
# echo "__uint128_t i;" > "${T}"/128.c | ||
# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then | ||
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" | ||
# fi | ||
#fi | ||
|
||
local sslout=$(./gentoo.config) | ||
einfo "Use configuration ${sslout:-(openssl knows best)}" | ||
local config="Configure" | ||
[[ -z ${sslout} ]] && config="config" | ||
|
||
# Fedora hobbled-EC needs 'no-ec2m' | ||
# 'srp' was restricted until early 2017 as well. | ||
echoit \ | ||
./${config} \ | ||
${sslout} \ | ||
--api=1.0.0 \ | ||
$(use cpu_flags_x86_sse2 || echo "no-sse2") \ | ||
enable-camellia \ | ||
disable-deprecated \ | ||
enable-ec \ | ||
$(use_ssl !bindist ec2m) \ | ||
enable-srp \ | ||
${ec_nistp_64_gcc_128} \ | ||
enable-idea \ | ||
enable-mdc2 \ | ||
enable-rc5 \ | ||
$(use_ssl asm) \ | ||
$(use_ssl rfc3779) \ | ||
$(use_ssl sctp) \ | ||
$(use_ssl tls-heartbeat heartbeats) \ | ||
$(use_ssl zlib) \ | ||
--prefix="${EPREFIX}"/usr \ | ||
--openssldir="${EPREFIX}"${SSL_CNF_DIR} \ | ||
--libdir=$(get_libdir) \ | ||
shared threads \ | ||
|| die | ||
|
||
# Clean out hardcoded flags that openssl uses | ||
# Fix quoting for sed | ||
local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \ | ||
-e 's:^CFLAGS=::' \ | ||
-e 's:-fomit-frame-pointer ::g' \ | ||
-e 's:-O[0-9] ::g' \ | ||
-e 's:-march=[-a-z0-9]* ::g' \ | ||
-e 's:-mcpu=[-a-z0-9]* ::g' \ | ||
-e 's:-m[a-z0-9]* ::g' \ | ||
-e 's:\\:\\\\:g' \ | ||
) | ||
sed -i \ | ||
-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ | ||
-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \ | ||
Makefile || die | ||
} | ||
|
||
multilib_src_compile() { | ||
# depend is needed to use $confopts; it also doesn't matter | ||
# that it's -j1 as the code itself serializes subdirs | ||
emake -j1 depend | ||
emake all | ||
} | ||
|
||
multilib_src_test() { | ||
emake -j1 test | ||
} | ||
|
||
multilib_src_install() { | ||
emake DESTDIR="${D}" install | ||
} | ||
|
||
multilib_src_install_all() { | ||
# openssl installs perl version of c_rehash by default, but | ||
# we provide a shell version via app-misc/c_rehash | ||
rm "${ED}"/usr/bin/c_rehash || die | ||
|
||
dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el | ||
dohtml -r doc/* | ||
|
||
# This is crappy in that the static archives are still built even | ||
# when USE=static-libs. But this is due to a failing in the openssl | ||
# build system: the static archives are built as PIC all the time. | ||
# Only way around this would be to manually configure+compile openssl | ||
# twice; once with shared lib support enabled and once without. | ||
use static-libs || rm -f "${ED}"/usr/lib*/lib*.a | ||
|
||
# create the certs directory | ||
keepdir ${SSL_CNF_DIR}/certs | ||
|
||
# Namespace openssl programs to prevent conflicts with other man pages | ||
cd "${ED}"/usr/share/man | ||
local m d s | ||
for m in $(find . -type f | xargs grep -L '#include') ; do | ||
d=${m%/*} ; d=${d#./} ; m=${m##*/} | ||
[[ ${m} == openssl.1* ]] && continue | ||
[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" | ||
mv ${d}/{,ssl-}${m} | ||
# fix up references to renamed man pages | ||
sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} | ||
ln -s ssl-${m} ${d}/openssl-${m} | ||
# locate any symlinks that point to this man page ... we assume | ||
# that any broken links are due to the above renaming | ||
for s in $(find -L ${d} -type l) ; do | ||
s=${s##*/} | ||
rm -f ${d}/${s} | ||
ln -s ssl-${m} ${d}/ssl-${s} | ||
ln -s ssl-${s} ${d}/openssl-${s} | ||
done | ||
done | ||
[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" | ||
|
||
dodir /etc/sandbox.d #254521 | ||
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl | ||
|
||
diropts -m0700 | ||
keepdir ${SSL_CNF_DIR}/private | ||
} | ||
|
||
pkg_postinst() { | ||
ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069" | ||
c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null | ||
eend $? | ||
} |
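Review bot: `FEDORA_GIT_BASE` already ends in `/` and both SRC_URI loops append `/${i}`, so every generated entry carries a doubled slash (`plain//hobble-openssl?h=f27`); drop the trailing slash, `FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain'`, so the fetched URL matches what Fedora publishes. The five files are also fetched from the moving `f27` branch rather than a fixed revision; the Manifest hashes will catch any later change on that branch, but a fetch would then fail rather than reproduce, so pinning with cgit's `?id=<FEDORA_COMMIT>` (placeholder for the revision the hashes were taken from) in place of `?h=${FEDORA_GIT_BRANCH}` would make the bindist source set reproducible. Separately, `local krb5=$(...)` in multilib_src_configure is assigned but never read anywhere in the new ebuild and can be dropped, and `local sslout=$(./gentoo.config)` masks a failing gentoo.config as an empty result that the next line then reports as `(openssl knows best)`; splitting declaration and assignment, `local sslout; sslout=$(./gentoo.config) || die`, would surface that failure instead of silently falling back to `./config`.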