* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2015-12-03 17:10 Mike Frysinger
0 siblings, 0 replies; 36+ messages in thread
From: Mike Frysinger @ 2015-12-03 17:10 UTC (permalink / raw
To: gentoo-commits
commit: 3db5c05c662167d9b25fb6d7404663a9a5138fe7
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 3 17:09:57 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Dec 3 17:10:00 2015 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db5c05c
dev-libs/openssl: version bump to 0.9.8zh & 1.0.2e #567476
dev-libs/openssl/Manifest | 2 +
.../openssl/files/openssl-1.0.2e-pod2man.patch | 63 +++++
dev-libs/openssl/openssl-0.9.8z_p8.ebuild | 162 +++++++++++++
dev-libs/openssl/openssl-1.0.2e.ebuild | 266 +++++++++++++++++++++
4 files changed, 493 insertions(+)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index d78f82a..2625dc8 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,7 +1,9 @@
DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec934af92ee282d78b52460fbe8f580 SHA512 c757454de321d168ac6d89fe2859966a9f07a8b28305bf697af9018db13fc457e0883346b3d35977461ab058442375563554ecb2a8756a687ff9fc2fdd9103c9 WHIRLPOOL 55ecf50a264a2ddd9b5755b5d90b9b736d2f27e0ba2fd529ccff3b68bbd726d1f60460182a0d215ae6712dbc4d3ef2df11339fb2d8424e049f54c3e904fcfab0
+DIST openssl-0.9.8zh.tar.gz 3817665 SHA256 ea1a43a47900b90e014360572d752f85617fb119fa048800872c1b37db04fad3 SHA512 dba8e9093aa8f43c9b1c2be97c505a966a8bb89d897540cec82886831000c1ef0d4146cdadcc9a8b015fd7a9d79436b2edbb166ecd4610b39fcfc0781dc54272 WHIRLPOOL 6839260c184f0cd8560fda70e15c6e45d66bdbf1bc9227457b9e082d93700b6b48dabbef3b0e3f2605008e0264177fdfd5341f20e376de61dbe55304651931ac
DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
DIST openssl-1.0.2a.tar.gz 5262089 SHA256 15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a SHA512 02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 WHIRLPOOL a590c71794f5d29b80afa28b18621b7535e96b714b3690d793c1422a90b09a89cbcb912841d400c5982a8197bb02c13051190e96ba0e4d530509b48b43067cd7
DIST openssl-1.0.2b.tar.gz 5281009 SHA256 d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f SHA512 563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f WHIRLPOOL d828dc76842d25f02f211031b3ab9a2a8fd44975e9aaf87d0fd5fca9935a27b61c3e4f896a2186194f1a7b4d668fc48cafc5be9f7c670017ba342ce40113935f
DIST openssl-1.0.2c.tar.gz 5280670 SHA256 0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83 SHA512 2a68e8b017d0d3e34e4f9d33b77abd960b3d04e418f106e852684a2ff247dc8ea390b7d6a42d130fd84d821a15e84e77b68b3677433433ef5c10d156333b9dae WHIRLPOOL c59878c3bd5e8904913b97d71a15ef1eaafcfb4eb58c691ba4fb38bf81752308d0ef4a902e53aec4c6e7585677f2404d29cdea0832d14206fabf28d744af2622
DIST openssl-1.0.2d.tar.gz 5295447 SHA256 671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 SHA512 68a051e92aaed0e7a8b218c185427c534c32f30f50c45f5d2c1f5b7a26d1416e83863d2953c77486acde3b636a148f39faf48246d28a207607ec069f62b13d75 WHIRLPOOL e3d8f0784903c8d6aa05ada7b8b410517c99157a3c2f4ac34c8a9d80c77408bd6ff9e820ded47f6223ccac4a77413174aa625303166ec28fdbf8374a7d4659ec
+DIST openssl-1.0.2e.tar.gz 5255719 SHA256 eee11def03647aa2267434a779608af6fca645023c9a194ddb82f14426835537 SHA512 0c674ab90395ca28d97493dc9b99b32785b04f1ef8ed8c12122d076270de1645412003a527a3dc757ac47a9217eeceddbfbaa3b0ccd0cfd4910d254a6ca6961b WHIRLPOOL e4c16fbdf8a40fd84eb8acfa3952d5af78bca623395114420cdc6fcc7bf3bb53d5fba125e30582e2b8fefab140fe509396d5c6802ea3eadbd8266715e5fe1c67
DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1
diff --git a/dev-libs/openssl/files/openssl-1.0.2e-pod2man.patch b/dev-libs/openssl/files/openssl-1.0.2e-pod2man.patch
new file mode 100644
index 0000000..076842f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2e-pod2man.patch
@@ -0,0 +1,63 @@
+upstream removed the local pod2man logic in master, but didn't in the 1.0.2e
+release. yet they also dropped the pod2mantest helper in the 1.0.2e release
+which makes it uninstallable. backport part of the master changes.
+
+note: this is based on top of other Gentoo parallel patches
+
+From a4a934119dd213e16c9d8b11150a4815604c13bb Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz@openssl.org>
+Date: Wed, 10 Dec 2014 17:10:59 -0500
+Subject: [PATCH] Remove old private pod2man
+
+Include Richard's point to remove the 'sh -c' wrapper
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+---
+ Makefile.org | 9 +-
+ util/pod2man.pl | 1184 --------------------------------------------------
+ util/pod2mantest | 58 ---
+ util/pod2mantest.pod | 15 -
+ 4 files changed, 4 insertions(+), 1262 deletions(-)
+ delete mode 100755 util/pod2man.pl
+ delete mode 100755 util/pod2mantest
+ delete mode 100644 util/pod2mantest.pod
+
+diff --git a/Makefile.org b/Makefile.org
+index 8bb7e01..7c802e8 100644
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -716,7 +716,6 @@ install_docs:
+ done
+
+ install_docs: install_dirs
+- @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
+ here="`pwd`"; \
+ filecase=; \
+ case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
+@@ -727,9 +726,9 @@ install_docs:
+ sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+- sh -c "$$pod2man \
++ pod2man \
+ --section=$$sec --center=OpenSSL \
+- --release=$(VERSION) `basename $$i`") \
++ --release=$(VERSION) `basename $$i`) \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+ $(PERL) util/extract-names.pl < $$i | \
+ (grep -v $$filecase "^$$fn\$$"; true) | \
+@@ -744,9 +743,9 @@ install_docs:
+ sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+- sh -c "$$pod2man \
++ pod2man \
+ --section=$$sec --center=OpenSSL \
+- --release=$(VERSION) `basename $$i`") \
++ --release=$(VERSION) `basename $$i`) \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+ $(PERL) util/extract-names.pl < $$i | \
+ (grep -v $$filecase "^$$fn\$$"; true) | \
+--
+2.6.2
+
diff --git a/dev-libs/openssl/openssl-0.9.8z_p8.ebuild b/dev-libs/openssl/openssl-0.9.8z_p8.ebuild
new file mode 100644
index 0000000..3897edd
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8z_p8.ebuild
@@ -0,0 +1,162 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+PLEVEL=$(echo "${PV##*_p}" | tr '[1-9]' '[a-i]')
+MY_PV=${PV/_p*/${PLEVEL}}
+MY_P=${PN}-${MY_PV}
+S="${WORKDIR}/${MY_P}"
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0.9.8"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r4
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )
+ !=dev-libs/openssl-0.9.8*:0"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+
+# Do not install any docs
+DOCS=()
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+ epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
+ epatch "${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
+ Makefile{,.org} \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+ # update the enginedir path.
+ # punt broken config we don't care about as it fails sanity check.
+ sed -i \
+ -e '/^"debug-ben-debug-64"/d' \
+ -e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
+ Configure || die
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags -Wa,--noexecstack
+
+ sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
+ sed -i '/^"debug-bodo/d' Configure # 0.9.8za shipped broken
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+
+ tc-export CC AR RANLIB
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ enable-idea \
+ enable-mdc2 \
+ $(use_ssl !bindist rc5) \
+ enable-tlsext \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl zlib) \
+ --prefix=/usr \
+ --openssldir=/etc/ssl \
+ shared threads \
+ || die "Configure failed"
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^LIBDIR=/s|=.*|=$(get_libdir)|" \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts
+ emake -j1 depend
+ emake -j1 build_libs
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ dolib.so lib{crypto,ssl}.so.0.9.8
+}
diff --git a/dev-libs/openssl/openssl-1.0.2e.ebuild b/dev-libs/openssl/openssl-1.0.2e.ebuild
new file mode 100644
index 0000000..1249476
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2e.ebuild
@@ -0,0 +1,266 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking. We'll drop them in
+# the future.
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )
+ !<net-misc/openssh-5.9_p1-r4
+ !<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+ epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+ epatch "${FILESDIR}"/${PN}-1.0.2d-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
+ epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+ epatch "${FILESDIR}"/${PN}-1.0.2e-pod2man.patch
+
+ epatch_user #332661
+ fi
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ Makefile.org \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ enable-tlsext \
+ $(use_ssl asm) \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+ # rehash is needed to prep the certs/ dir; do this
+ # separately to avoid parallel build issues.
+ emake rehash
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+ dohtml -r doc/*
+ use rfc3779 && dodoc engines/ccgost/README.gost
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ dodir ${SSL_CNF_DIR}/certs
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2015-12-03 18:40 Lars Wendler
0 siblings, 0 replies; 36+ messages in thread
From: Lars Wendler @ 2015-12-03 18:40 UTC (permalink / raw
To: gentoo-commits
commit: c955b7aaea1f5fcb401424c50561bd2ddb8ebc07
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 3 18:40:41 2015 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Dec 3 18:40:52 2015 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c955b7aa
dev-libs/openssl: Added new parallel build patch for 1.0.2e version.
Package-Manager: portage-2.2.26
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
.../files/openssl-1.0.2e-parallel-build.patch | 314 +++++++++++++++++++++
dev-libs/openssl/openssl-1.0.2e.ebuild | 2 +-
2 files changed, 315 insertions(+), 1 deletion(-)
diff --git a/dev-libs/openssl/files/openssl-1.0.2e-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2e-parallel-build.patch
new file mode 100644
index 0000000..53d4baa
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2e-parallel-build.patch
@@ -0,0 +1,314 @@
+--- openssl-1.0.2e/crypto/Makefile
++++ openssl-1.0.2e/crypto/Makefile
+@@ -85,11 +85,11 @@
+ @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+ subdirs:
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+- @target=files; $(RECURSIVE_MAKE)
++ +@target=files; $(RECURSIVE_MAKE)
+
+ links:
+ @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+@@ -100,7 +100,7 @@
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib: $(LIB)
+ @touch lib
+-$(LIB): $(LIBOBJ)
++$(LIB): $(LIBOBJ) | subdirs
+ $(AR) $(LIB) $(LIBOBJ)
+ test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ $(RANLIB) $(LIB) || echo Never mind.
+@@ -111,7 +111,7 @@
+ fi
+
+ libs:
+- @target=lib; $(RECURSIVE_MAKE)
++ +@target=lib; $(RECURSIVE_MAKE)
+
+ install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+@@ -120,7 +120,7 @@
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ lint:
+ @target=lint; $(RECURSIVE_MAKE)
+--- openssl-1.0.2e/engines/Makefile
++++ openssl-1.0.2e/engines/Makefile
+@@ -72,7 +72,7 @@
+
+ all: lib subdirs
+
+-lib: $(LIBOBJ)
++lib: $(LIBOBJ) | subdirs
+ @if [ -n "$(SHARED_LIBS)" ]; then \
+ set -e; \
+ for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@
+
+ subdirs:
+ echo $(EDIRS)
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+@@ -128,7 +128,7 @@
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ tags:
+ ctags $(SRC)
+--- openssl-1.0.2e/Makefile.org
++++ openssl-1.0.2e/Makefile.org
+@@ -280,17 +280,17 @@
+ build_libssl: build_ssl libssl.pc
+
+ build_crypto:
+- @dir=crypto; target=all; $(BUILD_ONE_CMD)
++ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+- @dir=ssl; target=all; $(BUILD_ONE_CMD)
++ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+- @dir=engines; target=all; $(BUILD_ONE_CMD)
++ +@dir=engines; target=all; $(BUILD_ONE_CMD)
+ build_apps: build_libs
+- @dir=apps; target=all; $(BUILD_ONE_CMD)
++ +@dir=apps; target=all; $(BUILD_ONE_CMD)
+ build_tests: build_libs
+- @dir=test; target=all; $(BUILD_ONE_CMD)
++ +@dir=test; target=all; $(BUILD_ONE_CMD)
+ build_tools: build_libs
+- @dir=tools; target=all; $(BUILD_ONE_CMD)
++ +@dir=tools; target=all; $(BUILD_ONE_CMD)
+
+ all_testapps: build_libs build_testapps
+ build_testapps:
+@@ -548,7 +548,7 @@
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
++ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
+ do \
+ if [ -f "$$i" ]; then \
+--- openssl-1.0.2e/Makefile.shared
++++ openssl-1.0.2e/Makefile.shared
+@@ -105,6 +105,7 @@
+ SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
+ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
++ [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
+ LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+ $${SHAREDCMD} $${SHAREDFLAGS} \
+ -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+@@ -122,6 +123,7 @@
+ done; \
+ fi; \
+ if [ -n "$$SHLIB_SOVER" ]; then \
++ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
+ ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
+ ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+ fi; \
+--- openssl-1.0.2e/test/Makefile
++++ openssl-1.0.2e/test/Makefile
+@@ -138,7 +138,7 @@
+ tags:
+ ctags $(SRC)
+
+-tests: exe apps $(TESTS)
++tests: exe $(TESTS)
+
+ apps:
+ @(cd ..; $(MAKE) DIRS=apps all)
+@@ -416,127 +416,127 @@
+ link_app.$${shlib_target}
+
+ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
+- @target=$(RSATEST); $(BUILD_CMD)
++ +@target=$(RSATEST); $(BUILD_CMD)
+
+ $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
+- @target=$(BNTEST); $(BUILD_CMD)
++ +@target=$(BNTEST); $(BUILD_CMD)
+
+ $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
+- @target=$(ECTEST); $(BUILD_CMD)
++ +@target=$(ECTEST); $(BUILD_CMD)
+
+ $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
+- @target=$(EXPTEST); $(BUILD_CMD)
++ +@target=$(EXPTEST); $(BUILD_CMD)
+
+ $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
+- @target=$(IDEATEST); $(BUILD_CMD)
++ +@target=$(IDEATEST); $(BUILD_CMD)
+
+ $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
+- @target=$(MD2TEST); $(BUILD_CMD)
++ +@target=$(MD2TEST); $(BUILD_CMD)
+
+ $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
+- @target=$(SHATEST); $(BUILD_CMD)
++ +@target=$(SHATEST); $(BUILD_CMD)
+
+ $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
+- @target=$(SHA1TEST); $(BUILD_CMD)
++ +@target=$(SHA1TEST); $(BUILD_CMD)
+
+ $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
+- @target=$(SHA256TEST); $(BUILD_CMD)
++ +@target=$(SHA256TEST); $(BUILD_CMD)
+
+ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
+- @target=$(SHA512TEST); $(BUILD_CMD)
++ +@target=$(SHA512TEST); $(BUILD_CMD)
+
+ $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
+- @target=$(RMDTEST); $(BUILD_CMD)
++ +@target=$(RMDTEST); $(BUILD_CMD)
+
+ $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
+- @target=$(MDC2TEST); $(BUILD_CMD)
++ +@target=$(MDC2TEST); $(BUILD_CMD)
+
+ $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
+- @target=$(MD4TEST); $(BUILD_CMD)
++ +@target=$(MD4TEST); $(BUILD_CMD)
+
+ $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
+- @target=$(MD5TEST); $(BUILD_CMD)
++ +@target=$(MD5TEST); $(BUILD_CMD)
+
+ $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
+- @target=$(HMACTEST); $(BUILD_CMD)
++ +@target=$(HMACTEST); $(BUILD_CMD)
+
+ $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
+- @target=$(WPTEST); $(BUILD_CMD)
++ +@target=$(WPTEST); $(BUILD_CMD)
+
+ $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
+- @target=$(RC2TEST); $(BUILD_CMD)
++ +@target=$(RC2TEST); $(BUILD_CMD)
+
+ $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
+- @target=$(BFTEST); $(BUILD_CMD)
++ +@target=$(BFTEST); $(BUILD_CMD)
+
+ $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
+- @target=$(CASTTEST); $(BUILD_CMD)
++ +@target=$(CASTTEST); $(BUILD_CMD)
+
+ $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
+- @target=$(RC4TEST); $(BUILD_CMD)
++ +@target=$(RC4TEST); $(BUILD_CMD)
+
+ $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
+- @target=$(RC5TEST); $(BUILD_CMD)
++ +@target=$(RC5TEST); $(BUILD_CMD)
+
+ $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
+- @target=$(DESTEST); $(BUILD_CMD)
++ +@target=$(DESTEST); $(BUILD_CMD)
+
+ $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
+- @target=$(RANDTEST); $(BUILD_CMD)
++ +@target=$(RANDTEST); $(BUILD_CMD)
+
+ $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
+- @target=$(DHTEST); $(BUILD_CMD)
++ +@target=$(DHTEST); $(BUILD_CMD)
+
+ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
+- @target=$(DSATEST); $(BUILD_CMD)
++ +@target=$(DSATEST); $(BUILD_CMD)
+
+ $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
+- @target=$(METHTEST); $(BUILD_CMD)
++ +@target=$(METHTEST); $(BUILD_CMD)
+
+ $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
+- @target=$(SSLTEST); $(FIPS_BUILD_CMD)
++ +@target=$(SSLTEST); $(FIPS_BUILD_CMD)
+
+ $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
+- @target=$(ENGINETEST); $(BUILD_CMD)
++ +@target=$(ENGINETEST); $(BUILD_CMD)
+
+ $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
+- @target=$(EVPTEST); $(BUILD_CMD)
++ +@target=$(EVPTEST); $(BUILD_CMD)
+
+ $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
+- @target=$(EVPEXTRATEST); $(BUILD_CMD)
++ +@target=$(EVPEXTRATEST); $(BUILD_CMD)
+
+ $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
+- @target=$(ECDSATEST); $(BUILD_CMD)
++ +@target=$(ECDSATEST); $(BUILD_CMD)
+
+ $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
+- @target=$(ECDHTEST); $(BUILD_CMD)
++ +@target=$(ECDHTEST); $(BUILD_CMD)
+
+ $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
+- @target=$(IGETEST); $(BUILD_CMD)
++ +@target=$(IGETEST); $(BUILD_CMD)
+
+ $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
+- @target=$(JPAKETEST); $(BUILD_CMD)
++ +@target=$(JPAKETEST); $(BUILD_CMD)
+
+ $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
+- @target=$(ASN1TEST); $(BUILD_CMD)
++ +@target=$(ASN1TEST); $(BUILD_CMD)
+
+ $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
+- @target=$(SRPTEST); $(BUILD_CMD)
++ +@target=$(SRPTEST); $(BUILD_CMD)
+
+ $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
+- @target=$(V3NAMETEST); $(BUILD_CMD)
++ +@target=$(V3NAMETEST); $(BUILD_CMD)
+
+ $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
+- @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
++ +@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
+
+ $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
+- @target=$(CONSTTIMETEST) $(BUILD_CMD)
++ +@target=$(CONSTTIMETEST) $(BUILD_CMD)
+
+ $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
+- @target=$(VERIFYEXTRATEST) $(BUILD_CMD)
++ +@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
+
+ $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
+- @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
++ +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+
+ #$(AESTEST).o: $(AESTEST).c
+ # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+@@ -549,7 +549,7 @@
+ # fi
+
+ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
+- @target=dummytest; $(BUILD_CMD)
++ +@target=dummytest; $(BUILD_CMD)
+
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+
diff --git a/dev-libs/openssl/openssl-1.0.2e.ebuild b/dev-libs/openssl/openssl-1.0.2e.ebuild
index 1249476..2f7fd45 100644
--- a/dev-libs/openssl/openssl-1.0.2e.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2e.ebuild
@@ -56,7 +56,7 @@ src_prepare() {
if ! use vanilla ; then
epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
- epatch "${FILESDIR}"/${PN}-1.0.2d-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2e-parallel-build.patch
epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2015-12-03 19:58 Mike Frysinger
0 siblings, 0 replies; 36+ messages in thread
From: Mike Frysinger @ 2015-12-03 19:58 UTC (permalink / raw
To: gentoo-commits
commit: 88560c8e2a93aad3fa621c286e4adf651b119870
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 3 19:58:01 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Dec 3 19:58:06 2015 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88560c8e
dev-libs/openssl: update manifest after upstream rebuilt releases #567476
dev-libs/openssl/Manifest | 4 +-
.../openssl/files/openssl-1.0.2e-pod2man.patch | 63 ----------------------
dev-libs/openssl/openssl-1.0.2e.ebuild | 1 -
3 files changed, 2 insertions(+), 66 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 2625dc8..9fff022 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,9 +1,9 @@
DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec934af92ee282d78b52460fbe8f580 SHA512 c757454de321d168ac6d89fe2859966a9f07a8b28305bf697af9018db13fc457e0883346b3d35977461ab058442375563554ecb2a8756a687ff9fc2fdd9103c9 WHIRLPOOL 55ecf50a264a2ddd9b5755b5d90b9b736d2f27e0ba2fd529ccff3b68bbd726d1f60460182a0d215ae6712dbc4d3ef2df11339fb2d8424e049f54c3e904fcfab0
-DIST openssl-0.9.8zh.tar.gz 3817665 SHA256 ea1a43a47900b90e014360572d752f85617fb119fa048800872c1b37db04fad3 SHA512 dba8e9093aa8f43c9b1c2be97c505a966a8bb89d897540cec82886831000c1ef0d4146cdadcc9a8b015fd7a9d79436b2edbb166ecd4610b39fcfc0781dc54272 WHIRLPOOL 6839260c184f0cd8560fda70e15c6e45d66bdbf1bc9227457b9e082d93700b6b48dabbef3b0e3f2605008e0264177fdfd5341f20e376de61dbe55304651931ac
+DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
DIST openssl-1.0.2a.tar.gz 5262089 SHA256 15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a SHA512 02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 WHIRLPOOL a590c71794f5d29b80afa28b18621b7535e96b714b3690d793c1422a90b09a89cbcb912841d400c5982a8197bb02c13051190e96ba0e4d530509b48b43067cd7
DIST openssl-1.0.2b.tar.gz 5281009 SHA256 d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f SHA512 563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f WHIRLPOOL d828dc76842d25f02f211031b3ab9a2a8fd44975e9aaf87d0fd5fca9935a27b61c3e4f896a2186194f1a7b4d668fc48cafc5be9f7c670017ba342ce40113935f
DIST openssl-1.0.2c.tar.gz 5280670 SHA256 0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83 SHA512 2a68e8b017d0d3e34e4f9d33b77abd960b3d04e418f106e852684a2ff247dc8ea390b7d6a42d130fd84d821a15e84e77b68b3677433433ef5c10d156333b9dae WHIRLPOOL c59878c3bd5e8904913b97d71a15ef1eaafcfb4eb58c691ba4fb38bf81752308d0ef4a902e53aec4c6e7585677f2404d29cdea0832d14206fabf28d744af2622
DIST openssl-1.0.2d.tar.gz 5295447 SHA256 671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 SHA512 68a051e92aaed0e7a8b218c185427c534c32f30f50c45f5d2c1f5b7a26d1416e83863d2953c77486acde3b636a148f39faf48246d28a207607ec069f62b13d75 WHIRLPOOL e3d8f0784903c8d6aa05ada7b8b410517c99157a3c2f4ac34c8a9d80c77408bd6ff9e820ded47f6223ccac4a77413174aa625303166ec28fdbf8374a7d4659ec
-DIST openssl-1.0.2e.tar.gz 5255719 SHA256 eee11def03647aa2267434a779608af6fca645023c9a194ddb82f14426835537 SHA512 0c674ab90395ca28d97493dc9b99b32785b04f1ef8ed8c12122d076270de1645412003a527a3dc757ac47a9217eeceddbfbaa3b0ccd0cfd4910d254a6ca6961b WHIRLPOOL e4c16fbdf8a40fd84eb8acfa3952d5af78bca623395114420cdc6fcc7bf3bb53d5fba125e30582e2b8fefab140fe509396d5c6802ea3eadbd8266715e5fe1c67
+DIST openssl-1.0.2e.tar.gz 5256555 SHA256 e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff SHA512 b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f WHIRLPOOL 8e1c1800a66f57fa78dc391e717e4b2bdf0e6e37a837c5ac033d7a4b1a6437451c7e7540c4ec2f75f936a2d2ef4f9293b42c76f51b0c9c93706639589612f196
DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1
diff --git a/dev-libs/openssl/files/openssl-1.0.2e-pod2man.patch b/dev-libs/openssl/files/openssl-1.0.2e-pod2man.patch
deleted file mode 100644
index 076842f..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2e-pod2man.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-upstream removed the local pod2man logic in master, but didn't in the 1.0.2e
-release. yet they also dropped the pod2mantest helper in the 1.0.2e release
-which makes it uninstallable. backport part of the master changes.
-
-note: this is based on top of other Gentoo parallel patches
-
-From a4a934119dd213e16c9d8b11150a4815604c13bb Mon Sep 17 00:00:00 2001
-From: Rich Salz <rsalz@openssl.org>
-Date: Wed, 10 Dec 2014 17:10:59 -0500
-Subject: [PATCH] Remove old private pod2man
-
-Include Richard's point to remove the 'sh -c' wrapper
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
----
- Makefile.org | 9 +-
- util/pod2man.pl | 1184 --------------------------------------------------
- util/pod2mantest | 58 ---
- util/pod2mantest.pod | 15 -
- 4 files changed, 4 insertions(+), 1262 deletions(-)
- delete mode 100755 util/pod2man.pl
- delete mode 100755 util/pod2mantest
- delete mode 100644 util/pod2mantest.pod
-
-diff --git a/Makefile.org b/Makefile.org
-index 8bb7e01..7c802e8 100644
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -716,7 +716,6 @@ install_docs:
- done
-
- install_docs: install_dirs
-- @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- here="`pwd`"; \
- filecase=; \
- case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
-@@ -727,9 +726,9 @@ install_docs:
- sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
- echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
- (cd `$(PERL) util/dirname.pl $$i`; \
-- sh -c "$$pod2man \
-+ pod2man \
- --section=$$sec --center=OpenSSL \
-- --release=$(VERSION) `basename $$i`") \
-+ --release=$(VERSION) `basename $$i`) \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
- $(PERL) util/extract-names.pl < $$i | \
- (grep -v $$filecase "^$$fn\$$"; true) | \
-@@ -744,9 +743,9 @@ install_docs:
- sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
- echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
- (cd `$(PERL) util/dirname.pl $$i`; \
-- sh -c "$$pod2man \
-+ pod2man \
- --section=$$sec --center=OpenSSL \
-- --release=$(VERSION) `basename $$i`") \
-+ --release=$(VERSION) `basename $$i`) \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
- $(PERL) util/extract-names.pl < $$i | \
- (grep -v $$filecase "^$$fn\$$"; true) | \
---
-2.6.2
-
diff --git a/dev-libs/openssl/openssl-1.0.2e.ebuild b/dev-libs/openssl/openssl-1.0.2e.ebuild
index 2f7fd45..e8c229f 100644
--- a/dev-libs/openssl/openssl-1.0.2e.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2e.ebuild
@@ -63,7 +63,6 @@ src_prepare() {
epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
- epatch "${FILESDIR}"/${PN}-1.0.2e-pod2man.patch
epatch_user #332661
fi
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2016-01-29 6:59 Lars Wendler
0 siblings, 0 replies; 36+ messages in thread
From: Lars Wendler @ 2016-01-29 6:59 UTC (permalink / raw
To: gentoo-commits
commit: 8cc70f2b5cd0e33c1c5cb25dafd6be28c71cc7d7
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Jan 29 06:54:06 2016 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Jan 29 06:58:57 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8cc70f2b
dev-libs/openssl: Security bump to versions 1.0.1r and 1.0.2f (bug #572854).
Package-Manager: portage-2.2.27
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
dev-libs/openssl/Manifest | 2 +
dev-libs/openssl/files/openssl-1.0.1r-x32.patch | 66 ++++++
dev-libs/openssl/openssl-1.0.1r.ebuild | 256 +++++++++++++++++++++++
dev-libs/openssl/openssl-1.0.2f.ebuild | 265 ++++++++++++++++++++++++
4 files changed, 589 insertions(+)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 9fff022..17b0441 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,9 +1,11 @@
DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec934af92ee282d78b52460fbe8f580 SHA512 c757454de321d168ac6d89fe2859966a9f07a8b28305bf697af9018db13fc457e0883346b3d35977461ab058442375563554ecb2a8756a687ff9fc2fdd9103c9 WHIRLPOOL 55ecf50a264a2ddd9b5755b5d90b9b736d2f27e0ba2fd529ccff3b68bbd726d1f60460182a0d215ae6712dbc4d3ef2df11339fb2d8424e049f54c3e904fcfab0
DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
+DIST openssl-1.0.1r.tar.gz 4547786 SHA256 784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 SHA512 7a5a2efe5d9421ea6f4f86f75ed40b4459b3825355ad18da3bdba28393bc50a6f457b2e1f11a31828f1af0d62a716d258ac7868fb719c9997f3bc750a1723e86 WHIRLPOOL de9c92f5ddb9bcaac967ac735696e739f5762b7d3a0b2430dbfa0c6cd7ac021fdf3c3257255a2fe995f24aa3550d59ce3067f030f09acc5d43b61dfda627686a
DIST openssl-1.0.2a.tar.gz 5262089 SHA256 15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a SHA512 02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 WHIRLPOOL a590c71794f5d29b80afa28b18621b7535e96b714b3690d793c1422a90b09a89cbcb912841d400c5982a8197bb02c13051190e96ba0e4d530509b48b43067cd7
DIST openssl-1.0.2b.tar.gz 5281009 SHA256 d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f SHA512 563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f WHIRLPOOL d828dc76842d25f02f211031b3ab9a2a8fd44975e9aaf87d0fd5fca9935a27b61c3e4f896a2186194f1a7b4d668fc48cafc5be9f7c670017ba342ce40113935f
DIST openssl-1.0.2c.tar.gz 5280670 SHA256 0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83 SHA512 2a68e8b017d0d3e34e4f9d33b77abd960b3d04e418f106e852684a2ff247dc8ea390b7d6a42d130fd84d821a15e84e77b68b3677433433ef5c10d156333b9dae WHIRLPOOL c59878c3bd5e8904913b97d71a15ef1eaafcfb4eb58c691ba4fb38bf81752308d0ef4a902e53aec4c6e7585677f2404d29cdea0832d14206fabf28d744af2622
DIST openssl-1.0.2d.tar.gz 5295447 SHA256 671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 SHA512 68a051e92aaed0e7a8b218c185427c534c32f30f50c45f5d2c1f5b7a26d1416e83863d2953c77486acde3b636a148f39faf48246d28a207607ec069f62b13d75 WHIRLPOOL e3d8f0784903c8d6aa05ada7b8b410517c99157a3c2f4ac34c8a9d80c77408bd6ff9e820ded47f6223ccac4a77413174aa625303166ec28fdbf8374a7d4659ec
DIST openssl-1.0.2e.tar.gz 5256555 SHA256 e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff SHA512 b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f WHIRLPOOL 8e1c1800a66f57fa78dc391e717e4b2bdf0e6e37a837c5ac033d7a4b1a6437451c7e7540c4ec2f75f936a2d2ef4f9293b42c76f51b0c9c93706639589612f196
+DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835baaaa04e506fb3fbaed37d31c9
DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1
diff --git a/dev-libs/openssl/files/openssl-1.0.1r-x32.patch b/dev-libs/openssl/files/openssl-1.0.1r-x32.patch
new file mode 100644
index 0000000..9e490fd
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1r-x32.patch
@@ -0,0 +1,66 @@
+--- openssl-1.0.1r/Configure
++++ openssl-1.0.1r/Configure
+@@ -368,6 +368,7 @@
+ "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x32", "gcc:-DL_ENDIAN -DTERMIO -O2 -pipe -g -feliminate-unused-debug-types -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ #### So called "highgprs" target for z/Architecture CPUs
+ # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
+--- openssl-1.0.1r/crypto/bn/asm/x86_64-gcc.c
++++ openssl-1.0.1r/crypto/bn/asm/x86_64-gcc.c
+@@ -55,7 +55,7 @@
+ * machine.
+ */
+
+-# ifdef _WIN64
++# ifdef _WIN64 || !defined __LP64__
+ # define BN_ULONG unsigned long long
+ # else
+ # define BN_ULONG unsigned long
+@@ -211,9 +211,9 @@
+
+ asm volatile (" subq %2,%2 \n"
+ ".p2align 4 \n"
+- "1: movq (%4,%2,8),%0 \n"
+- " adcq (%5,%2,8),%0 \n"
+- " movq %0,(%3,%2,8) \n"
++ "1: movq (%q4,%2,8),%0 \n"
++ " adcq (%q5,%2,8),%0 \n"
++ " movq %0,(%q3,%2,8) \n"
+ " leaq 1(%2),%2 \n"
+ " loop 1b \n"
+ " sbbq %0,%0 \n":"=&a" (ret), "+c"(n),
+@@ -235,9 +235,9 @@
+
+ asm volatile (" subq %2,%2 \n"
+ ".p2align 4 \n"
+- "1: movq (%4,%2,8),%0 \n"
+- " sbbq (%5,%2,8),%0 \n"
+- " movq %0,(%3,%2,8) \n"
++ "1: movq (%q4,%2,8),%0 \n"
++ " sbbq (%q5,%2,8),%0 \n"
++ " movq %0,(%q3,%2,8) \n"
+ " leaq 1(%2),%2 \n"
+ " loop 1b \n"
+ " sbbq %0,%0 \n":"=&a" (ret), "+c"(n),
+--- openssl-1.0.1r/crypto/bn/bn.h
++++ openssl-1.0.1r/crypto/bn/bn.h
+@@ -174,6 +174,16 @@
+ # endif
+
+ /*
++ * Address type.
++ */
++#ifdef _WIN64
++#define BN_ADDR unsigned long long
++#else
++#define BN_ADDR unsigned long
++#endif
++
++
++/*
+ * assuming long is 64bit - this is the DEC Alpha unsigned long long is only
+ * 64 bits :-(, don't define BN_LLONG for the DEC Alpha
+ */
diff --git a/dev-libs/openssl/openssl-1.0.1r.ebuild b/dev-libs/openssl/openssl-1.0.1r.ebuild
new file mode 100644
index 0000000..234c6cc
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.1r.ebuild
@@ -0,0 +1,256 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+REV="1.7"
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${P}.tar.gz
+ http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking. We'll drop them in
+# the future.
+RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140406-r3
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )
+ !<net-misc/openssh-5.9_p1-r4
+ !<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+ sys-apps/diffutils
+ >=dev-lang/perl-5
+ test? ( sys-devel/bc )"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+ SSL_CNF_DIR="/etc/ssl"
+ sed \
+ -e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
+ -e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
+ "${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
+ > "${WORKDIR}"/c_rehash || die #416717
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+ epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+ epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
+ epatch "${FILESDIR}"/${PN}-1.0.1p-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-1.0.1r-x32.patch
+ epatch "${FILESDIR}"/${PN}-1.0.1m-ipv6.patch
+ epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
+ epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+ epatch_user #332661
+ fi
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ Makefile.org \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ $(use_ssl !bindist rc5) \
+ enable-tlsext \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl rfc3779) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+ # rehash is needed to prep the certs/ dir; do this
+ # separately to avoid parallel build issues.
+ emake rehash
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+ dobin "${WORKDIR}"/c_rehash #333117
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+ dohtml -r doc/*
+ use rfc3779 && dodoc engines/ccgost/README.gost
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ dodir ${SSL_CNF_DIR}/certs
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
diff --git a/dev-libs/openssl/openssl-1.0.2f.ebuild b/dev-libs/openssl/openssl-1.0.2f.ebuild
new file mode 100644
index 0000000..721dde4
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2f.ebuild
@@ -0,0 +1,265 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking. We'll drop them in
+# the future.
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )
+ !<net-misc/openssh-5.9_p1-r4
+ !<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+ epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+ epatch "${FILESDIR}"/${PN}-1.0.2e-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
+ epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+
+ epatch_user #332661
+ fi
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ Makefile.org \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ enable-tlsext \
+ $(use_ssl asm) \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+ # rehash is needed to prep the certs/ dir; do this
+ # separately to avoid parallel build issues.
+ emake rehash
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+ dohtml -r doc/*
+ use rfc3779 && dodoc engines/ccgost/README.gost
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ dodir ${SSL_CNF_DIR}/certs
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2016-02-09 13:32 Jason Donenfeld
0 siblings, 0 replies; 36+ messages in thread
From: Jason Donenfeld @ 2016-02-09 13:32 UTC (permalink / raw
To: gentoo-commits
commit: 7b9d7ccecf66675e58776c2e120ad3ddea200e45
Author: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 9 13:29:31 2016 +0000
Commit: Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Tue Feb 9 13:30:33 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b9d7cce
dev-libs/openssl: carry cloudflare's chacha20poly1305 patch
.../files/openssl-1.0.2e-chacha20poly1305.patch | 4404 ++++++++++++++++++++
dev-libs/openssl/openssl-1.0.2e-r1.ebuild | 266 ++
dev-libs/openssl/openssl-1.0.2f-r1.ebuild | 266 ++
3 files changed, 4936 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.0.2e-chacha20poly1305.patch b/dev-libs/openssl/files/openssl-1.0.2e-chacha20poly1305.patch
new file mode 100644
index 0000000..e66096e
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2e-chacha20poly1305.patch
@@ -0,0 +1,4404 @@
+diff -rNu openssl-1.0.2e/Configure openssl-1.0.2e-modified/Configure
+--- openssl-1.0.2e/Configure 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/Configure 2016-02-08 16:12:00.592614754 +0100
+@@ -143,25 +143,25 @@
+ my $bits1="THIRTY_TWO_BIT ";
+ my $bits2="SIXTY_FOUR_BIT ";
+
+-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
++my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o::";
+
+ my $x86_elf_asm="$x86_asm:elf";
+
+-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o:";
+-my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
+-my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o::void";
+-my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o:::::::::::::void";
+-my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o::void";
+-my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
++my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o::chacha20_avx.o poly1305_avx.o chacha20_avx2.o poly1305_avx2.o";
++my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o:::void";
++my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o:::void";
++my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o::::::::::::::void";
++my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o:::void";
++my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o:::::::::";
+ my $mips32_asm=$mips64_asm; $mips32_asm =~ s/\s*sha512\-mips\.o//;
+-my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
+-my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o::void";
+-my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o:";
+-my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
+-my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
+-my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
++my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o::";
++my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o:::void";
++my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o::";
++my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o:::32";
++my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o:::64";
++my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o::";
+ my $ppc32_asm=$ppc64_asm;
+-my $no_asm="::::::::::::::::void";
++my $no_asm=":::::::::::::::::void";
+
+ # As for $BSDthreads. Idea is to maintain "collective" set of flags,
+ # which would cover all BSD flavors. -pthread applies to them all,
+@@ -213,7 +213,7 @@
+ "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+ "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o::des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o::des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o:::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+@@ -320,7 +320,7 @@
+ "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
+ "hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
+-"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o:::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
++"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
+
+ # More attempts at unified 10.X and 11.X targets for HP C compiler.
+ #
+@@ -577,9 +577,9 @@
+ # Visual C targets
+ #
+ # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
+-"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
++"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::::::::ghash-ia64.o::ias:win32",
+ "VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
+-"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
++"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::::::::ghash-ia64.o::ias:win32",
+ "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
+ # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
+ # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
+@@ -707,6 +707,7 @@
+ my $idx_cmll_obj = $idx++;
+ my $idx_modes_obj = $idx++;
+ my $idx_engines_obj = $idx++;
++my $idx_chapoly_obj = $idx++;
+ my $idx_perlasm_scheme = $idx++;
+ my $idx_dso_scheme = $idx++;
+ my $idx_shared_target = $idx++;
+@@ -749,6 +750,7 @@
+ my $bn_asm ="bn_asm.o";
+ my $des_enc="des_enc.o fcrypt_b.o";
+ my $aes_enc="aes_core.o aes_cbc.o";
++my $chapoly_enc="";
+ my $bf_enc ="bf_enc.o";
+ my $cast_enc="c_enc.o";
+ my $rc4_enc="rc4_enc.o rc4_skey.o";
+@@ -1207,7 +1209,7 @@
+
+ print "IsMK1MF=$IsMK1MF\n";
+
+-my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
++my @fields = split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
+ my $cc = $fields[$idx_cc];
+ # Allow environment CC to override compiler...
+ if($ENV{CC}) {
+@@ -1236,6 +1238,7 @@
+ my $cmll_obj = $fields[$idx_cmll_obj];
+ my $modes_obj = $fields[$idx_modes_obj];
+ my $engines_obj = $fields[$idx_engines_obj];
++my $chapoly_obj = $fields[$idx_chapoly_obj];
+ my $perlasm_scheme = $fields[$idx_perlasm_scheme];
+ my $dso_scheme = $fields[$idx_dso_scheme];
+ my $shared_target = $fields[$idx_shared_target];
+@@ -1402,7 +1405,7 @@
+ {
+ $cpuid_obj=$bn_obj=$ec_obj=
+ $des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=$cmll_obj=
+- $modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj="";
++ $modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj=$chapoly_obj="";
+ }
+
+ if (!$no_shared)
+@@ -1555,6 +1558,14 @@
+ $cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/);
+ $rc4_obj=$rc4_enc unless ($rc4_obj =~ /\.o$/);
+ $rc5_obj=$rc5_enc unless ($rc5_obj =~ /\.o$/);
++if ($chapoly_obj =~ /\.o$/)
++ {
++ $cflags.=" -DCHAPOLY_x86_64_ASM";
++ }
++else
++ {
++ $chapoly_obj=$chapoly_enc;
++ }
+ if ($sha1_obj =~ /\.o$/)
+ {
+ # $sha1_obj=$sha1_enc;
+@@ -1737,6 +1748,7 @@
+ s/^WP_ASM_OBJ=.*$/WP_ASM_OBJ= $wp_obj/;
+ s/^CMLL_ENC=.*$/CMLL_ENC= $cmll_obj/;
+ s/^MODES_ASM_OBJ.=*$/MODES_ASM_OBJ= $modes_obj/;
++ s/^CHAPOLY_ENC=.*$/CHAPOLY_ENC= $chapoly_obj/;
+ s/^ENGINES_ASM_OBJ.=*$/ENGINES_ASM_OBJ= $engines_obj/;
+ s/^PERLASM_SCHEME=.*$/PERLASM_SCHEME= $perlasm_scheme/;
+ s/^PROCESSOR=.*/PROCESSOR= $processor/;
+@@ -1799,6 +1811,7 @@
+ print "CMLL_ENC =$cmll_obj\n";
+ print "MODES_OBJ =$modes_obj\n";
+ print "ENGINES_OBJ =$engines_obj\n";
++print "CHAPOLY_ENC =$chapoly_obj\n";
+ print "PROCESSOR =$processor\n";
+ print "RANLIB =$ranlib\n";
+ print "ARFLAGS =$arflags\n";
+@@ -2197,7 +2210,7 @@
+ my ($cc, $cflags, $unistd, $thread_cflag, $sys_id, $lflags,
+ $bn_ops, $cpuid_obj, $bn_obj, $ec_obj, $des_obj, $aes_obj, $bf_obj,
+ $md5_obj, $sha1_obj, $cast_obj, $rc4_obj, $rmd160_obj,
+- $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj,
++ $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj, $chapoly_obj,
+ $perlasm_scheme, $dso_scheme, $shared_target, $shared_cflag,
+ $shared_ldflag, $shared_extension, $ranlib, $arflags, $multilib)=
+ split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
+@@ -2228,6 +2241,7 @@
+ \$cmll_obj = $cmll_obj
+ \$modes_obj = $modes_obj
+ \$engines_obj = $engines_obj
++\$chapoly_obj = $chapoly_obj
+ \$perlasm_scheme = $perlasm_scheme
+ \$dso_scheme = $dso_scheme
+ \$shared_target= $shared_target
+diff -rNu openssl-1.0.2e/Makefile.org openssl-1.0.2e-modified/Makefile.org
+--- openssl-1.0.2e/Makefile.org 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/Makefile.org 2016-02-08 16:12:00.593614754 +0100
+@@ -91,6 +91,7 @@
+ EC_ASM=
+ DES_ENC= des_enc.o fcrypt_b.o
+ AES_ENC= aes_core.o aes_cbc.o
++CHAPOLY_ENC=
+ BF_ENC= bf_enc.o
+ CAST_ENC= c_enc.o
+ RC4_ENC= rc4_enc.o
+@@ -148,7 +149,7 @@
+ bn ec rsa dsa ecdsa dh ecdh dso engine \
+ buffer bio stack lhash rand err \
+ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+- cms pqueue ts jpake srp store cmac
++ cms pqueue ts jpake srp store cmac chacha20poly1305
+ # keep in mind that the above list is adjusted by ./Configure
+ # according to no-xxx arguments...
+
+@@ -235,6 +236,7 @@
+ WP_ASM_OBJ='$(WP_ASM_OBJ)' \
+ MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \
+ ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)' \
++ CHAPOLY_ENC='$(CHAPOLY_ENC)' \
+ PERLASM_SCHEME='$(PERLASM_SCHEME)' \
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSDIR='${FIPSDIR}' \
+diff -rNu openssl-1.0.2e/apps/speed.c openssl-1.0.2e-modified/apps/speed.c
+--- openssl-1.0.2e/apps/speed.c 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/apps/speed.c 2016-02-08 16:12:00.594614754 +0100
+@@ -226,7 +226,7 @@
+ # endif
+
+ # undef BUFSIZE
+-# define BUFSIZE ((long)1024*8+1)
++# define BUFSIZE ((long)1024*8+16)
+ static volatile int run = 0;
+
+ static int mr = 0;
+@@ -241,7 +241,7 @@
+ static int do_multi(int multi);
+ # endif
+
+-# define ALGOR_NUM 30
++# define ALGOR_NUM 31
+ # define SIZE_NUM 5
+ # define RSA_NUM 4
+ # define DSA_NUM 3
+@@ -256,7 +256,7 @@
+ "aes-128 cbc", "aes-192 cbc", "aes-256 cbc",
+ "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc",
+ "evp", "sha256", "sha512", "whirlpool",
+- "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash"
++ "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash", "chacha20-poly1305"
+ };
+
+ static double results[ALGOR_NUM][SIZE_NUM];
+@@ -516,6 +516,7 @@
+ # define D_IGE_192_AES 27
+ # define D_IGE_256_AES 28
+ # define D_GHASH 29
++# define D_CHAPOLY 30
+ double d = 0.0;
+ long c[ALGOR_NUM][SIZE_NUM];
+ # define R_DSA_512 0
+@@ -972,6 +973,11 @@
+ doit[D_CBC_256_CML] = 1;
+ } else
+ # endif
++# ifndef OPENSSL_NO_CHACHA_POLY
++ if (strcmp(*argv,"chacha20-poly1305") == 0) {
++ doit[D_CHAPOLY] = 1;
++ } else
++# endif
+ # ifndef OPENSSL_NO_RSA
+ if (strcmp(*argv, "rsa") == 0) {
+ rsa_doit[R_RSA_512] = 1;
+@@ -1139,7 +1145,9 @@
+ BIO_printf(bio_err, "rc4");
+ # endif
+ BIO_printf(bio_err, "\n");
+-
++# ifndef OPENSSL_NO_CHACHA_POLY
++ BIO_printf(bio_err,"chacha20-poly1305\n");
++# endif
+ # ifndef OPENSSL_NO_RSA
+ BIO_printf(bio_err, "rsa512 rsa1024 rsa2048 rsa4096\n");
+ # endif
+@@ -1370,6 +1378,7 @@
+ c[D_IGE_192_AES][0] = count;
+ c[D_IGE_256_AES][0] = count;
+ c[D_GHASH][0] = count;
++ c[D_CHAPOLY][0] = count;
+
+ for (i = 1; i < SIZE_NUM; i++) {
+ c[D_MD2][i] = c[D_MD2][0] * 4 * lengths[0] / lengths[i];
+@@ -1862,6 +1871,23 @@
+ }
+ }
+ # endif
++# ifndef OPENSSL_NO_CHACHA_POLY
++ if (doit[D_CHAPOLY]) {
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ EVP_CipherInit_ex(&ctx,EVP_chacha20_poly1305(),NULL,key32,NULL,1);
++ for (j=0; j<SIZE_NUM; j++) {
++ print_message(names[D_CHAPOLY],c[D_CHAPOLY][j],lengths[j]);
++ Time_F(START);
++ for (count=0,run=1; COND(c[D_CHAPOLY][j]); count++) {
++ EVP_CIPHER_CTX_ctrl(&ctx,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
++ EVP_Cipher(&ctx,buf,buf,(unsigned long)lengths[j]+16);
++ }
++ d=Time_F(STOP);
++ print_result(D_CHAPOLY,j,count,d);
++ }
++ }
++# endif
+ # ifndef OPENSSL_NO_IDEA
+ if (doit[D_CBC_IDEA]) {
+ for (j = 0; j < SIZE_NUM; j++) {
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/Makefile openssl-1.0.2e-modified/crypto/chacha20poly1305/Makefile
+--- openssl-1.0.2e/crypto/chacha20poly1305/Makefile 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/Makefile 2016-02-08 16:12:00.594614754 +0100
+@@ -0,0 +1,92 @@
++#
++# crypto/chacha20poly1305/Makefile
++#
++DIR= chacha20poly1305
++TOP= ../..
++CC= cc
++CPP= $(CC) -E
++INCLUDES=
++CFLAG=-g
++MAKEFILE= Makefile
++AR= ar r
++
++
++CHAPOLY_ENC=
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++ASFLAGS= $(INCLUDES) $(ASFLAG)
++AFLAGS= $(ASFLAGS)
++
++GENERAL=Makefile
++TEST=chapolytest.c
++APPS=
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=chacha20.c poly1305.c
++LIBOBJ=chacha20.o poly1305.o $(CHAPOLY_ENC)
++
++SRC= $(LIBSRC)
++
++EXHEADER=chacha20poly1305.h
++HEADER= $(EXHEADER)
++
++ALL= $(GENERAL) $(SRC) $(HEADER)
++
++top:
++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all: lib
++
++lib: $(LIBOBJ)
++ $(AR) $(LIB) $(LIBOBJ)
++ $(RANLIB) $(LIB) || echo Never mind.
++ @touch lib
++
++chacha20_avx.s:asm/chacha20_avx.pl
++ $(PERL) asm/chacha20_avx.pl $(PERLASM_SCHEME) > $@
++poly1305_avx.s:asm/poly1305_avx.pl
++ $(PERL) asm/poly1305_avx.pl $(PERLASM_SCHEME) > $@
++chacha20_avx2.s:asm/chacha20_avx2.pl
++ $(PERL) asm/chacha20_avx2.pl $(PERLASM_SCHEME) > $@
++poly1305_avx2.s:asm/poly1305_avx2.pl
++ $(PERL) asm/poly1305_avx2.pl $(PERLASM_SCHEME) > $@
++
++files:
++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++ do \
++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++ done;
++
++tags:
++ ctags $(SRC)
++
++tests:
++
++lint:
++ lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++ mv -f Makefile.new $(MAKEFILE)
++
++clean:
++ rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
++chacha20.o: ../../include/openssl/chacha20poly1305.h chacha20.c
++poly1305.o: ../../include/openssl/chacha20poly1305.h poly1305.c
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx.pl
+--- openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx.pl 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx.pl 2016-02-08 16:12:00.595614754 +0100
+@@ -0,0 +1,388 @@
++#!/usr/bin/env perl
++
++##############################################################################
++# #
++# Copyright 2014 Intel Corporation #
++# #
++# Licensed under the Apache License, Version 2.0 (the "License"); #
++# you may not use this file except in compliance with the License. #
++# You may obtain a copy of the License at #
++# #
++# http://www.apache.org/licenses/LICENSE-2.0 #
++# #
++# Unless required by applicable law or agreed to in writing, software #
++# distributed under the License is distributed on an "AS IS" BASIS, #
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
++# See the License for the specific language governing permissions and #
++# limitations under the License. #
++# #
++##############################################################################
++# #
++# Developers and authors: #
++# Shay Gueron (1, 2), and Vlad Krasnov (1) #
++# (1) Intel Corporation, Israel Development Center #
++# (2) University of Haifa #
++# #
++# Related work: #
++# M. Goll, S. Gueron, "Vectorization on ChaCha Stream Cipher", IEEE #
++# Proceedings of 11th International Conference on Information #
++# Technology: New Generations (ITNG 2014), 612-615 (2014). #
++# M. Goll, S. Gueron, "Vectorization on Poly1305 Message Authentication Code"#
++# to be published. #
++# A. Langley, chacha20poly1305 for the AEAD head #
++# https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9a8646510b3d0a48e950748f7a2aaa12ed40d5e0 #
++##############################################################################
++
++
++
++$flavour = shift;
++$output = shift;
++if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
++
++$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
++die "can't locate x86_64-xlate.pl";
++
++open OUT,"| \"$^X\" $xlate $flavour $output";
++*STDOUT=*OUT;
++
++if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
++ =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.19) + ($1>=2.22);
++}
++
++if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
++ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.09) + ($1>=2.10);
++}
++
++if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
++ `ml64 2>&1` =~ /Version ([0-9]+)\./) {
++ $avx = ($1>=10) + ($1>=11);
++}
++
++if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
++ my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
++ $avx = ($ver>=3.0) + ($ver>=3.01);
++}
++
++if ($avx>=1) {{
++
++sub chacha_qr {
++my ($a,$b,$c,$d,$tmp)=@_;
++$code.=<<___;
++
++ vpaddd $b, $a, $a # a += b
++ vpxor $a, $d, $d # d ^= a
++ vpshufb .rol16(%rip), $d, $d # d <<<= 16
++
++ vpaddd $d, $c, $c # c += d
++ vpxor $c, $b, $b # b ^= c
++ vpslld \$12, $b, $tmp
++ vpsrld \$20, $b, $b
++ vpxor $tmp, $b, $b # b <<<= 12
++
++ vpaddd $b, $a, $a # a += b
++ vpxor $a, $d, $d # d ^= a
++ vpshufb .rol8(%rip), $d, $d # d <<<= 8
++
++ vpaddd $d, $c, $c # c += d
++ vpxor $c, $b, $b # b ^= c
++
++ vpslld \$7, $b, $tmp
++ vpsrld \$25, $b, $b
++ vpxor $tmp, $b, $b # b <<<= 7
++___
++}
++
++
++$code.=<<___;
++.text
++.align 16
++chacha20_consts:
++.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
++.rol8:
++.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
++.rol16:
++.byte 2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13
++.avxInc:
++.quad 1,0
++___
++
++{
++my ($state_4567, $state_89ab, $state_cdef, $tmp,
++ $v0, $v1, $v2, $v3, $v4, $v5, $v6, $v7,
++ $v8, $v9, $v10, $v11)=map("%xmm$_",(0..15));
++
++my ($out, $in, $in_len, $key_ptr, $nonce_ptr, $counter, $nr)
++ =("%rdi", "%rsi", "%rdx", "%rcx", "%r8", "%r9", "%rax");
++
++$code.=<<___;
++.globl chacha_20_core_avx
++.type chacha_20_core_avx ,\@function,2
++.align 64
++chacha_20_core_avx:
++ vzeroupper
++
++ # Init state
++ vmovdqu 16*0($key_ptr), $state_4567
++ vmovdqu 16*1($key_ptr), $state_89ab
++ vmovq $counter, $state_cdef
++ vpinsrq \$1, ($nonce_ptr), $state_cdef, $state_cdef
++2:
++ cmp \$3*64, $in_len
++ jb 2f
++
++ vmovdqa chacha20_consts(%rip), $v0
++ vmovdqa chacha20_consts(%rip), $v4
++ vmovdqa chacha20_consts(%rip), $v8
++
++ vmovdqa $state_4567, $v1
++ vmovdqa $state_4567, $v5
++ vmovdqa $state_4567, $v9
++
++ vmovdqa $state_89ab, $v2
++ vmovdqa $state_89ab, $v6
++ vmovdqa $state_89ab, $v10
++
++ vmovdqa $state_cdef, $v3
++ vpaddq .avxInc(%rip), $v3, $v7
++ vpaddq .avxInc(%rip), $v7, $v11
++
++ mov \$10, $nr
++
++ 1:
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++ &chacha_qr($v8,$v9,$v10,$v11,$tmp);
++$code.=<<___;
++ vpalignr \$4, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$12, $v3, $v3, $v3
++ vpalignr \$4, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$12, $v7, $v7, $v7
++ vpalignr \$4, $v9, $v9, $v9
++ vpalignr \$8, $v10, $v10, $v10
++ vpalignr \$12, $v11, $v11, $v11
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++ &chacha_qr($v8,$v9,$v10,$v11,$tmp);
++$code.=<<___;
++ vpalignr \$12, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$4, $v3, $v3, $v3
++ vpalignr \$12, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$4, $v7, $v7, $v7
++ vpalignr \$12, $v9, $v9, $v9
++ vpalignr \$8, $v10, $v10, $v10
++ vpalignr \$4, $v11, $v11, $v11
++
++ dec $nr
++
++ jnz 1b
++
++ vpaddd chacha20_consts(%rip), $v0, $v0
++ vpaddd chacha20_consts(%rip), $v4, $v4
++ vpaddd chacha20_consts(%rip), $v8, $v8
++
++ vpaddd $state_4567, $v1, $v1
++ vpaddd $state_4567, $v5, $v5
++ vpaddd $state_4567, $v9, $v9
++
++ vpaddd $state_89ab, $v2, $v2
++ vpaddd $state_89ab, $v6, $v6
++ vpaddd $state_89ab, $v10, $v10
++
++ vpaddd $state_cdef, $v3, $v3
++ vpaddq .avxInc(%rip), $state_cdef, $state_cdef
++ vpaddd $state_cdef, $v7, $v7
++ vpaddq .avxInc(%rip), $state_cdef, $state_cdef
++ vpaddd $state_cdef, $v11, $v11
++ vpaddq .avxInc(%rip), $state_cdef, $state_cdef
++
++ vpxor 16*0($in), $v0, $v0
++ vpxor 16*1($in), $v1, $v1
++ vpxor 16*2($in), $v2, $v2
++ vpxor 16*3($in), $v3, $v3
++
++ vmovdqu $v0, 16*0($out)
++ vmovdqu $v1, 16*1($out)
++ vmovdqu $v2, 16*2($out)
++ vmovdqu $v3, 16*3($out)
++
++ vpxor 16*4($in), $v4, $v4
++ vpxor 16*5($in), $v5, $v5
++ vpxor 16*6($in), $v6, $v6
++ vpxor 16*7($in), $v7, $v7
++
++ vmovdqu $v4, 16*4($out)
++ vmovdqu $v5, 16*5($out)
++ vmovdqu $v6, 16*6($out)
++ vmovdqu $v7, 16*7($out)
++
++ vpxor 16*8($in), $v8, $v8
++ vpxor 16*9($in), $v9, $v9
++ vpxor 16*10($in), $v10, $v10
++ vpxor 16*11($in), $v11, $v11
++
++ vmovdqu $v8, 16*8($out)
++ vmovdqu $v9, 16*9($out)
++ vmovdqu $v10, 16*10($out)
++ vmovdqu $v11, 16*11($out)
++
++ lea 16*12($in), $in
++ lea 16*12($out), $out
++ sub \$16*12, $in_len
++
++ jmp 2b
++
++2:
++ cmp \$2*64, $in_len
++ jb 2f
++
++ vmovdqa chacha20_consts(%rip), $v0
++ vmovdqa chacha20_consts(%rip), $v4
++ vmovdqa $state_4567, $v1
++ vmovdqa $state_4567, $v5
++ vmovdqa $state_89ab, $v2
++ vmovdqa $state_89ab, $v6
++ vmovdqa $state_89ab, $v10
++ vmovdqa $state_cdef, $v3
++ vpaddq .avxInc(%rip), $v3, $v7
++
++ mov \$10, $nr
++
++ 1:
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++$code.=<<___;
++ vpalignr \$4, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$12, $v3, $v3, $v3
++ vpalignr \$4, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$12, $v7, $v7, $v7
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++$code.=<<___;
++ vpalignr \$12, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$4, $v3, $v3, $v3
++ vpalignr \$12, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$4, $v7, $v7, $v7
++
++ dec $nr
++
++ jnz 1b
++
++ vpaddd chacha20_consts(%rip), $v0, $v0
++ vpaddd chacha20_consts(%rip), $v4, $v4
++
++ vpaddd $state_4567, $v1, $v1
++ vpaddd $state_4567, $v5, $v5
++
++ vpaddd $state_89ab, $v2, $v2
++ vpaddd $state_89ab, $v6, $v6
++
++ vpaddd $state_cdef, $v3, $v3
++ vpaddq .avxInc(%rip), $state_cdef, $state_cdef
++ vpaddd $state_cdef, $v7, $v7
++ vpaddq .avxInc(%rip), $state_cdef, $state_cdef
++
++ vpxor 16*0($in), $v0, $v0
++ vpxor 16*1($in), $v1, $v1
++ vpxor 16*2($in), $v2, $v2
++ vpxor 16*3($in), $v3, $v3
++
++ vmovdqu $v0, 16*0($out)
++ vmovdqu $v1, 16*1($out)
++ vmovdqu $v2, 16*2($out)
++ vmovdqu $v3, 16*3($out)
++
++ vpxor 16*4($in), $v4, $v4
++ vpxor 16*5($in), $v5, $v5
++ vpxor 16*6($in), $v6, $v6
++ vpxor 16*7($in), $v7, $v7
++
++ vmovdqu $v4, 16*4($out)
++ vmovdqu $v5, 16*5($out)
++ vmovdqu $v6, 16*6($out)
++ vmovdqu $v7, 16*7($out)
++
++ lea 16*8($in), $in
++ lea 16*8($out), $out
++ sub \$16*8, $in_len
++
++ jmp 2b
++2:
++ cmp \$64, $in_len
++ jb 2f
++
++ vmovdqa chacha20_consts(%rip), $v0
++ vmovdqa $state_4567, $v1
++ vmovdqa $state_89ab, $v2
++ vmovdqa $state_cdef, $v3
++
++ mov \$10, $nr
++
++ 1:
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++$code.=<<___;
++ vpalignr \$4, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$12, $v3, $v3, $v3
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++$code.=<<___;
++ vpalignr \$12, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$4, $v3, $v3, $v3
++
++ dec $nr
++ jnz 1b
++
++ vpaddd chacha20_consts(%rip), $v0, $v0
++ vpaddd $state_4567, $v1, $v1
++ vpaddd $state_89ab, $v2, $v2
++ vpaddd $state_cdef, $v3, $v3
++ vpaddq .avxInc(%rip), $state_cdef, $state_cdef
++
++ vpxor 16*0($in), $v0, $v0
++ vpxor 16*1($in), $v1, $v1
++ vpxor 16*2($in), $v2, $v2
++ vpxor 16*3($in), $v3, $v3
++
++ vmovdqu $v0, 16*0($out)
++ vmovdqu $v1, 16*1($out)
++ vmovdqu $v2, 16*2($out)
++ vmovdqu $v3, 16*3($out)
++
++ lea 16*4($in), $in
++ lea 16*4($out), $out
++ sub \$16*4, $in_len
++ jmp 2b
++2:
++ vzeroupper
++ ret
++.size chacha_20_core_avx,.-chacha_20_core_avx
++___
++}
++}}
++
++
++$code =~ s/\`([^\`]*)\`/eval($1)/gem;
++
++print $code;
++
++close STDOUT;
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx2.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx2.pl
+--- openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx2.pl 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx2.pl 2016-02-08 16:12:00.595614754 +0100
+@@ -0,0 +1,424 @@
++#!/usr/bin/env perl
++
++##############################################################################
++# #
++# Copyright 2014 Intel Corporation #
++# #
++# Licensed under the Apache License, Version 2.0 (the "License"); #
++# you may not use this file except in compliance with the License. #
++# You may obtain a copy of the License at #
++# #
++# http://www.apache.org/licenses/LICENSE-2.0 #
++# #
++# Unless required by applicable law or agreed to in writing, software #
++# distributed under the License is distributed on an "AS IS" BASIS, #
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
++# See the License for the specific language governing permissions and #
++# limitations under the License. #
++# #
++##############################################################################
++# #
++# Developers and authors: #
++# Shay Gueron (1, 2), and Vlad Krasnov (1) #
++# (1) Intel Corporation, Israel Development Center #
++# (2) University of Haifa #
++# #
++# Related work: #
++# M. Goll, S. Gueron, "Vectorization on ChaCha Stream Cipher", IEEE #
++# Proceedings of 11th International Conference on Information #
++# Technology: New Generations (ITNG 2014), 612-615 (2014). #
++# M. Goll, S. Gueron, "Vectorization on Poly1305 Message Authentication Code"#
++# to be published. #
++# A. Langley, chacha20poly1305 for the AEAD head #
++# https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9a8646510b3d0a48e950748f7a2aaa12ed40d5e0 #
++##############################################################################
++
++$flavour = shift;
++$output = shift;
++if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
++
++$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
++die "can't locate x86_64-xlate.pl";
++
++open OUT,"| \"$^X\" $xlate $flavour $output";
++*STDOUT=*OUT;
++
++if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
++ =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.19) + ($1>=2.22);
++}
++
++if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
++ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.09) + ($1>=2.10);
++}
++
++if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
++ `ml64 2>&1` =~ /Version ([0-9]+)\./) {
++ $avx = ($1>=10) + ($1>=11);
++}
++
++if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
++ my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
++ $avx = ($ver>=3.0) + ($ver>=3.01);
++}
++
++if ($avx>=2) {{
++
++sub chacha_qr {
++my ($a,$b,$c,$d,$tmp)=@_;
++$code.=<<___;
++
++ vpaddd $b, $a, $a # a += b
++ vpxor $a, $d, $d # d ^= a
++ vpshufb .rol16(%rip), $d, $d # d <<<= 16
++
++ vpaddd $d, $c, $c # c += d
++ vpxor $c, $b, $b # b ^= c
++ vpslld \$12, $b, $tmp
++ vpsrld \$20, $b, $b
++ vpxor $tmp, $b, $b # b <<<= 12
++
++ vpaddd $b, $a, $a # a += b
++ vpxor $a, $d, $d # d ^= a
++ vpshufb .rol8(%rip), $d, $d # d <<<= 8
++
++ vpaddd $d, $c, $c # c += d
++ vpxor $c, $b, $b # b ^= c
++
++ vpslld \$7, $b, $tmp
++ vpsrld \$25, $b, $b
++ vpxor $tmp, $b, $b # b <<<= 7
++___
++}
++
++
++$code.=<<___;
++.text
++.align 32
++chacha20_consts:
++.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
++.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
++.rol8:
++.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
++.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
++.rol16:
++.byte 2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13
++.byte 2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13
++.avx2Init:
++.quad 0,0,1,0
++.avx2Inc:
++.quad 2,0,2,0
++___
++
++{
++my ($state_4567, $state_89ab, $state_cdef, $tmp,
++ $v0, $v1, $v2, $v3, $v4, $v5, $v6, $v7,
++ $v8, $v9, $v10, $v11)=map("%ymm$_",(0..15));
++
++my $state_cdef_xmm="%xmm2";
++
++my ($out, $in, $in_len, $key_ptr, $nonce_ptr, $counter, $nr)
++ =("%rdi", "%rsi", "%rdx", "%rcx", "%r8", "%r9", "%rax");
++
++$code.=<<___;
++.globl chacha_20_core_avx2
++.type chacha_20_core_avx2 ,\@function,2
++.align 64
++chacha_20_core_avx2:
++ vzeroupper
++
++ # Init state
++ vbroadcasti128 16*0($key_ptr), $state_4567
++ vbroadcasti128 16*1($key_ptr), $state_89ab
++ vmovq $counter, $state_cdef_xmm
++ vpinsrq \$1, ($nonce_ptr), $state_cdef_xmm, $state_cdef_xmm
++ vperm2i128 \$0x00, $state_cdef, $state_cdef, $state_cdef
++ vpaddq .avx2Init(%rip), $state_cdef, $state_cdef
++
++2:
++ cmp \$6*64, $in_len
++ jb 2f
++
++ vmovdqa chacha20_consts(%rip), $v0
++ vmovdqa chacha20_consts(%rip), $v4
++ vmovdqa chacha20_consts(%rip), $v8
++
++ vmovdqa $state_4567, $v1
++ vmovdqa $state_4567, $v5
++ vmovdqa $state_4567, $v9
++
++ vmovdqa $state_89ab, $v2
++ vmovdqa $state_89ab, $v6
++ vmovdqa $state_89ab, $v10
++
++ vmovdqa $state_cdef, $v3
++ vpaddq .avx2Inc(%rip), $v3, $v7
++ vpaddq .avx2Inc(%rip), $v7, $v11
++
++ mov \$10, $nr
++
++ 1:
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++ &chacha_qr($v8,$v9,$v10,$v11,$tmp);
++$code.=<<___;
++ vpalignr \$4, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$12, $v3, $v3, $v3
++ vpalignr \$4, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$12, $v7, $v7, $v7
++ vpalignr \$4, $v9, $v9, $v9
++ vpalignr \$8, $v10, $v10, $v10
++ vpalignr \$12, $v11, $v11, $v11
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++ &chacha_qr($v8,$v9,$v10,$v11,$tmp);
++$code.=<<___;
++ vpalignr \$12, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$4, $v3, $v3, $v3
++ vpalignr \$12, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$4, $v7, $v7, $v7
++ vpalignr \$12, $v9, $v9, $v9
++ vpalignr \$8, $v10, $v10, $v10
++ vpalignr \$4, $v11, $v11, $v11
++
++ dec $nr
++
++ jnz 1b
++
++ vpaddd chacha20_consts(%rip), $v0, $v0
++ vpaddd chacha20_consts(%rip), $v4, $v4
++ vpaddd chacha20_consts(%rip), $v8, $v8
++
++ vpaddd $state_4567, $v1, $v1
++ vpaddd $state_4567, $v5, $v5
++ vpaddd $state_4567, $v9, $v9
++
++ vpaddd $state_89ab, $v2, $v2
++ vpaddd $state_89ab, $v6, $v6
++ vpaddd $state_89ab, $v10, $v10
++
++ vpaddd $state_cdef, $v3, $v3
++ vpaddq .avx2Inc(%rip), $state_cdef, $state_cdef
++ vpaddd $state_cdef, $v7, $v7
++ vpaddq .avx2Inc(%rip), $state_cdef, $state_cdef
++ vpaddd $state_cdef, $v11, $v11
++ vpaddq .avx2Inc(%rip), $state_cdef, $state_cdef
++
++ vperm2i128 \$0x02, $v0, $v1, $tmp
++ vpxor 32*0($in), $tmp, $tmp
++ vmovdqu $tmp, 32*0($out)
++ vperm2i128 \$0x02, $v2, $v3, $tmp
++ vpxor 32*1($in), $tmp, $tmp
++ vmovdqu $tmp, 32*1($out)
++ vperm2i128 \$0x13, $v0, $v1, $tmp
++ vpxor 32*2($in), $tmp, $tmp
++ vmovdqu $tmp, 32*2($out)
++ vperm2i128 \$0x13, $v2, $v3, $tmp
++ vpxor 32*3($in), $tmp, $tmp
++ vmovdqu $tmp, 32*3($out)
++
++ vperm2i128 \$0x02, $v4, $v5, $v0
++ vperm2i128 \$0x02, $v6, $v7, $v1
++ vperm2i128 \$0x13, $v4, $v5, $v2
++ vperm2i128 \$0x13, $v6, $v7, $v3
++
++ vpxor 32*4($in), $v0, $v0
++ vpxor 32*5($in), $v1, $v1
++ vpxor 32*6($in), $v2, $v2
++ vpxor 32*7($in), $v3, $v3
++
++ vmovdqu $v0, 32*4($out)
++ vmovdqu $v1, 32*5($out)
++ vmovdqu $v2, 32*6($out)
++ vmovdqu $v3, 32*7($out)
++
++ vperm2i128 \$0x02, $v8, $v9, $v0
++ vperm2i128 \$0x02, $v10, $v11, $v1
++ vperm2i128 \$0x13, $v8, $v9, $v2
++ vperm2i128 \$0x13, $v10, $v11, $v3
++
++ vpxor 32*8($in), $v0, $v0
++ vpxor 32*9($in), $v1, $v1
++ vpxor 32*10($in), $v2, $v2
++ vpxor 32*11($in), $v3, $v3
++
++ vmovdqu $v0, 32*8($out)
++ vmovdqu $v1, 32*9($out)
++ vmovdqu $v2, 32*10($out)
++ vmovdqu $v3, 32*11($out)
++
++ lea 64*6($in), $in
++ lea 64*6($out), $out
++ sub \$64*6, $in_len
++
++ jmp 2b
++
++2:
++ cmp \$4*64, $in_len
++ jb 2f
++
++ vmovdqa chacha20_consts(%rip), $v0
++ vmovdqa chacha20_consts(%rip), $v4
++ vmovdqa $state_4567, $v1
++ vmovdqa $state_4567, $v5
++ vmovdqa $state_89ab, $v2
++ vmovdqa $state_89ab, $v6
++ vmovdqa $state_89ab, $v10
++ vmovdqa $state_cdef, $v3
++ vpaddq .avx2Inc(%rip), $v3, $v7
++
++ mov \$10, $nr
++
++ 1:
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++$code.=<<___;
++ vpalignr \$4, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$12, $v3, $v3, $v3
++ vpalignr \$4, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$12, $v7, $v7, $v7
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++ &chacha_qr($v4,$v5,$v6,$v7,$tmp);
++$code.=<<___;
++ vpalignr \$12, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$4, $v3, $v3, $v3
++ vpalignr \$12, $v5, $v5, $v5
++ vpalignr \$8, $v6, $v6, $v6
++ vpalignr \$4, $v7, $v7, $v7
++
++ dec $nr
++
++ jnz 1b
++
++ vpaddd chacha20_consts(%rip), $v0, $v0
++ vpaddd chacha20_consts(%rip), $v4, $v4
++
++ vpaddd $state_4567, $v1, $v1
++ vpaddd $state_4567, $v5, $v5
++
++ vpaddd $state_89ab, $v2, $v2
++ vpaddd $state_89ab, $v6, $v6
++
++ vpaddd $state_cdef, $v3, $v3
++ vpaddq .avx2Inc(%rip), $state_cdef, $state_cdef
++ vpaddd $state_cdef, $v7, $v7
++ vpaddq .avx2Inc(%rip), $state_cdef, $state_cdef
++
++ vperm2i128 \$0x02, $v0, $v1, $v8
++ vperm2i128 \$0x02, $v2, $v3, $v9
++ vperm2i128 \$0x13, $v0, $v1, $v10
++ vperm2i128 \$0x13, $v2, $v3, $v11
++
++ vpxor 32*0($in), $v8, $v8
++ vpxor 32*1($in), $v9, $v9
++ vpxor 32*2($in), $v10, $v10
++ vpxor 32*3($in), $v11, $v11
++
++ vmovdqu $v8, 32*0($out)
++ vmovdqu $v9, 32*1($out)
++ vmovdqu $v10, 32*2($out)
++ vmovdqu $v11, 32*3($out)
++
++ vperm2i128 \$0x02, $v4, $v5, $v0
++ vperm2i128 \$0x02, $v6, $v7, $v1
++ vperm2i128 \$0x13, $v4, $v5, $v2
++ vperm2i128 \$0x13, $v6, $v7, $v3
++
++ vpxor 32*4($in), $v0, $v0
++ vpxor 32*5($in), $v1, $v1
++ vpxor 32*6($in), $v2, $v2
++ vpxor 32*7($in), $v3, $v3
++
++ vmovdqu $v0, 32*4($out)
++ vmovdqu $v1, 32*5($out)
++ vmovdqu $v2, 32*6($out)
++ vmovdqu $v3, 32*7($out)
++
++ lea 64*4($in), $in
++ lea 64*4($out), $out
++ sub \$64*4, $in_len
++
++ jmp 2b
++2:
++ cmp \$128, $in_len
++ jb 2f
++
++ vmovdqa chacha20_consts(%rip), $v0
++ vmovdqa $state_4567, $v1
++ vmovdqa $state_89ab, $v2
++ vmovdqa $state_cdef, $v3
++
++ mov \$10, $nr
++
++ 1:
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++$code.=<<___;
++ vpalignr \$4, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$12, $v3, $v3, $v3
++___
++ &chacha_qr($v0,$v1,$v2,$v3,$tmp);
++$code.=<<___;
++ vpalignr \$12, $v1, $v1, $v1
++ vpalignr \$8, $v2, $v2, $v2
++ vpalignr \$4, $v3, $v3, $v3
++
++ dec $nr
++ jnz 1b
++
++ vpaddd chacha20_consts(%rip), $v0, $v0
++ vpaddd $state_4567, $v1, $v1
++ vpaddd $state_89ab, $v2, $v2
++ vpaddd $state_cdef, $v3, $v3
++ vpaddq .avx2Inc(%rip), $state_cdef, $state_cdef
++
++ vperm2i128 \$0x02, $v0, $v1, $v8
++ vperm2i128 \$0x02, $v2, $v3, $v9
++ vperm2i128 \$0x13, $v0, $v1, $v10
++ vperm2i128 \$0x13, $v2, $v3, $v11
++
++ vpxor 32*0($in), $v8, $v8
++ vpxor 32*1($in), $v9, $v9
++ vpxor 32*2($in), $v10, $v10
++ vpxor 32*3($in), $v11, $v11
++
++ vmovdqu $v8, 32*0($out)
++ vmovdqu $v9, 32*1($out)
++ vmovdqu $v10, 32*2($out)
++ vmovdqu $v11, 32*3($out)
++
++ lea 64*2($in), $in
++ lea 64*2($out), $out
++ sub \$64*2, $in_len
++ jmp 2b
++2:
++ vzeroupper
++ ret
++.size chacha_20_core_avx2,.-chacha_20_core_avx2
++___
++}
++}}
++
++
++$code =~ s/\`([^\`]*)\`/eval($1)/gem;
++
++print $code;
++
++close STDOUT;
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx.pl
+--- openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx.pl 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx.pl 2016-02-08 16:12:00.596614754 +0100
+@@ -0,0 +1,717 @@
++##############################################################################
++# #
++# Copyright 2014 Intel Corporation #
++# #
++# Licensed under the Apache License, Version 2.0 (the "License"); #
++# you may not use this file except in compliance with the License. #
++# You may obtain a copy of the License at #
++# #
++# http://www.apache.org/licenses/LICENSE-2.0 #
++# #
++# Unless required by applicable law or agreed to in writing, software #
++# distributed under the License is distributed on an "AS IS" BASIS, #
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
++# See the License for the specific language governing permissions and #
++# limitations under the License. #
++# #
++##############################################################################
++# #
++# Developers and authors: #
++# Shay Gueron (1, 2), and Vlad Krasnov (1) #
++# (1) Intel Corporation, Israel Development Center #
++# (2) University of Haifa #
++# #
++##############################################################################
++# state:
++# 0: r[0] || r^2[0]
++# 16: r[1] || r^2[1]
++# 32: r[2] || r^2[2]
++# 48: r[3] || r^2[3]
++# 64: r[4] || r^2[4]
++# 80: r[1]*5 || r^2[1]*5
++# 96: r[2]*5 || r^2[2]*5
++#112: r[3]*5 || r^2[3]*5
++#128: r[4]*5 || r^2[4]*5
++#144: k
++#160: A0
++#164: A1
++#168: A2
++#172: A3
++#176: A4
++#180: END
++
++$flavour = shift;
++$output = shift;
++if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
++
++$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
++die "can't locate x86_64-xlate.pl";
++
++open OUT,"| \"$^X\" $xlate $flavour $output";
++*STDOUT=*OUT;
++
++if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
++ =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.19) + ($1>=2.22);
++}
++
++if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
++ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.09) + ($1>=2.10);
++}
++
++if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
++ `ml64 2>&1` =~ /Version ([0-9]+)\./) {
++ $avx = ($1>=10) + ($1>=11);
++}
++
++if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
++ my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
++ $avx = ($ver>=3.0) + ($ver>=3.01);
++}
++
++if ($avx>=1) {{
++
++my ($_r0_, $_r1_, $_r2_, $_r3_, $_r4_, $_r1_x5, $_r2_x5, $_r3_x5, $_r4_x5, $_k_, $_A0_, $_A1_, $_A2_, $_A3_, $_A4_)
++= (0,16,32,48,64,80,96,112,128,144,160,164,168,172,176);
++
++$code.=<<___;
++.text
++.align 32
++.LandMask:
++.quad 0x3FFFFFF, 0x3FFFFFF
++.LsetBit:
++.quad 0x1000000, 0x1000000
++.LrSet:
++.quad 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF
++.quad 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC
++.Lone:
++.quad 1,0
++___
++
++
++{
++my ($A0, $A1, $A2, $A3, $A4,
++ $r0, $r1, $r2, $r3, $r4,
++ $T0, $T1, $A5, $A6, $A7, $A8)=map("%xmm$_",(0..15));
++my ($state, $key)
++ =("%rdi", "%rsi");
++
++$code.=<<___;
++################################################################################
++# void poly1305_init_avx(void *state, uint8_t key[32])
++
++.globl poly1305_init_avx
++.type poly1305_init_avx, \@function, 2
++.align 64
++poly1305_init_avx:
++ vzeroupper
++ # load and convert r
++ vmovq 8*0($key), $r0
++ vmovq 8*1($key), $T0
++ vpand .LrSet(%rip), $r0, $r0
++ vpand .LrSet+16(%rip), $T0, $T0
++
++ vpsrlq \$26, $r0, $r1
++ vpand .LandMask(%rip), $r0, $r0
++ vpsrlq \$26, $r1, $r2
++ vpand .LandMask(%rip), $r1, $r1
++ vpsllq \$12, $T0, $T1
++ vpxor $T1, $r2, $r2
++ vpsrlq \$26, $r2, $r3
++ vpsrlq \$40, $T0, $r4
++ vpand .LandMask(%rip), $r2, $r2
++ vpand .LandMask(%rip), $r3, $r3
++
++ # SQR R
++ vpmuludq $r0, $r0, $A0
++ vpmuludq $r1, $r0, $A1
++ vpmuludq $r2, $r0, $A2
++ vpmuludq $r3, $r0, $A3
++ vpmuludq $r4, $r0, $A4
++
++ vpsllq \$1, $A1, $A1
++ vpsllq \$1, $A2, $A2
++ vpmuludq $r1, $r1, $T0
++ vpaddq $T0, $A2, $A2
++ vpmuludq $r2, $r1, $T0
++ vpaddq $T0, $A3, $A3
++ vpmuludq $r3, $r1, $T0
++ vpaddq $T0, $A4, $A4
++ vpmuludq $r4, $r1, $A5
++
++ vpsllq \$1, $A3, $A3
++ vpsllq \$1, $A4, $A4
++ vpmuludq $r2, $r2, $T0
++ vpaddq $T0, $A4, $A4
++ vpmuludq $r3, $r2, $T0
++ vpaddq $T0, $A5, $A5
++ vpmuludq $r4, $r2, $A6
++
++ vpsllq \$1, $A5, $A5
++ vpsllq \$1, $A6, $A6
++ vpmuludq $r3, $r3, $T0
++ vpaddq $T0, $A6, $A6
++ vpmuludq $r4, $r3, $A7
++
++ vpsllq \$1, $A7, $A7
++ vpmuludq $r4, $r4, $A8
++
++ # Reduce
++ vpsrlq \$26, $A4, $T0
++ vpand .LandMask(%rip), $A4, $A4
++ vpaddq $T0, $A5, $A5
++
++ vpsllq \$2, $A5, $T0
++ vpaddq $T0, $A5, $A5
++ vpsllq \$2, $A6, $T0
++ vpaddq $T0, $A6, $A6
++ vpsllq \$2, $A7, $T0
++ vpaddq $T0, $A7, $A7
++ vpsllq \$2, $A8, $T0
++ vpaddq $T0, $A8, $A8
++
++ vpaddq $A5, $A0, $A0
++ vpaddq $A6, $A1, $A1
++ vpaddq $A7, $A2, $A2
++ vpaddq $A8, $A3, $A3
++
++ vpsrlq \$26, $A0, $T0
++ vpand .LandMask(%rip), $A0, $A0
++ vpaddq $T0, $A1, $A1
++ vpsrlq \$26, $A1, $T0
++ vpand .LandMask(%rip), $A1, $A1
++ vpaddq $T0, $A2, $A2
++ vpsrlq \$26, $A2, $T0
++ vpand .LandMask(%rip), $A2, $A2
++ vpaddq $T0, $A3, $A3
++ vpsrlq \$26, $A3, $T0
++ vpand .LandMask(%rip), $A3, $A3
++ vpaddq $T0, $A4, $A4
++
++ vpunpcklqdq $r0, $A0, $r0
++ vpunpcklqdq $r1, $A1, $r1
++ vpunpcklqdq $r2, $A2, $r2
++ vpunpcklqdq $r3, $A3, $r3
++ vpunpcklqdq $r4, $A4, $r4
++
++ vmovdqu $r0, $_r0_($state)
++ vmovdqu $r1, $_r1_($state)
++ vmovdqu $r2, $_r2_($state)
++ vmovdqu $r3, $_r3_($state)
++ vmovdqu $r4, $_r4_($state)
++
++ vpsllq \$2, $r1, $A1
++ vpsllq \$2, $r2, $A2
++ vpsllq \$2, $r3, $A3
++ vpsllq \$2, $r4, $A4
++
++ vpaddq $A1, $r1, $A1
++ vpaddq $A2, $r2, $A2
++ vpaddq $A3, $r3, $A3
++ vpaddq $A4, $r4, $A4
++
++ vmovdqu $A1, $_r1_x5($state)
++ vmovdqu $A2, $_r2_x5($state)
++ vmovdqu $A3, $_r3_x5($state)
++ vmovdqu $A4, $_r4_x5($state)
++ # Store k
++ vmovdqu 16*1($key), $T0
++ vmovdqu $T0, $_k_($state)
++ # Init the MAC value
++ vpxor $T0, $T0, $T0
++ vmovdqu $T0, $_A0_($state)
++ vmovd $T0, $_A4_($state)
++ vzeroupper
++ ret
++.size poly1305_init_avx,.-poly1305_init_avx
++___
++}
++
++{
++
++my ($A0, $A1, $A2, $A3, $A4,
++ $T0, $T1, $R0, $R1, $R2,
++ $R3, $R4, $AND_MASK)=map("%xmm$_",(0..12));
++
++my ($state, $in, $in_len)=("%rdi", "%rsi", "%rdx");
++
++$code.=<<___;
++
++###############################################################################
++# void* poly1305_update_avx(void* $state, void* in, uint64_t in_len)
++.globl poly1305_update_avx
++.type poly1305_update_avx, \@function, 2
++.align 64
++poly1305_update_avx:
++
++ vzeroupper
++ vmovd $_A0_($state), $A0
++ vmovd $_A1_($state), $A1
++ vmovd $_A2_($state), $A2
++ vmovd $_A3_($state), $A3
++ vmovd $_A4_($state), $A4
++ vmovdqa .LandMask(%rip), $AND_MASK
++ # Skip to single block case
++ cmp \$32, $in_len
++ jb 3f
++1:
++ cmp \$16*4, $in_len
++ jb 1f
++ sub \$16*2, $in_len
++ # load the next two blocks
++ vmovdqu 16*0($in), $R2
++ vmovdqu 16*1($in), $R3
++ add \$16*2, $in
++
++ vpunpcklqdq $R3, $R2, $R0
++ vpunpckhqdq $R3, $R2, $R1
++
++ vpsrlq \$26, $R0, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A0, $A0
++
++ vpsrlq \$26, $R2, $R0
++ vpand $AND_MASK, $R2, $R2
++ vpaddq $R2, $A1, $A1
++
++ vpsllq \$12, $R1, $R2
++ vpxor $R2, $R0, $R0
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A2, $A2
++
++ vpsrlq \$26, $R2, $R0
++ vpsrlq \$40, $R1, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpxor .LsetBit(%rip), $R2, $R2
++ vpaddq $R0, $A3, $A3
++ vpaddq $R2, $A4, $A4
++
++ # Multiply input by R[0]
++ vbroadcastss $_r0_($state), $T0
++ vpmuludq $T0, $A0, $R0
++ vpmuludq $T0, $A1, $R1
++ vpmuludq $T0, $A2, $R2
++ vpmuludq $T0, $A3, $R3
++ vpmuludq $T0, $A4, $R4
++ # Multiply input by R[1] (and R[1]*5)
++ vbroadcastss $_r1_x5($state), $T0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R0, $R0
++ vbroadcastss $_r1_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R4, $R4
++ # Etc
++ vbroadcastss $_r2_x5($state), $T0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R1, $R1
++ vbroadcastss $_r2_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R4, $R4
++
++ vbroadcastss $_r3_x5($state), $T0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R2, $R2
++ vbroadcastss $_r3_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R4, $R4
++
++ vbroadcastss $_r4_x5($state), $T0
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R3, $R3
++ vbroadcastss $_r4_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R4, $R4
++ # Reduce
++ vpsrlq \$26, $R3, $T0
++ vpaddq $T0, $R4, $R4
++ vpand $AND_MASK, $R3, $R3
++
++ vpsrlq \$26, $R4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $R0, $R0
++ vpand $AND_MASK, $R4, $R4
++
++ vpsrlq \$26, $R0, $T0
++ vpand $AND_MASK, $R0, $A0
++ vpaddq $T0, $R1, $R1
++ vpsrlq \$26, $R1, $T0
++ vpand $AND_MASK, $R1, $A1
++ vpaddq $T0, $R2, $R2
++ vpsrlq \$26, $R2, $T0
++ vpand $AND_MASK, $R2, $A2
++ vpaddq $T0, $R3, $R3
++ vpsrlq \$26, $R3, $T0
++ vpand $AND_MASK, $R3, $A3
++ vpaddq $T0, $R4, $A4
++ jmp 1b
++1:
++ cmp \$16*2, $in_len
++ jb 1f
++ sub \$16*2, $in_len
++ # load the next two blocks
++ vmovdqu 16*0($in), $R2
++ vmovdqu 16*1($in), $R3
++ add \$16*2, $in
++
++ vpunpcklqdq $R3, $R2, $R0
++ vpunpckhqdq $R3, $R2, $R1
++
++ vpsrlq \$26, $R0, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A0, $A0
++
++ vpsrlq \$26, $R2, $R0
++ vpand $AND_MASK, $R2, $R2
++ vpaddq $R2, $A1, $A1
++
++ vpsllq \$12, $R1, $R2
++ vpxor $R2, $R0, $R0
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A2, $A2
++
++ vpsrlq \$26, $R2, $R0
++ vpsrlq \$40, $R1, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpxor .LsetBit(%rip), $R2, $R2
++ vpaddq $R0, $A3, $A3
++ vpaddq $R2, $A4, $A4
++
++ # Multiply input by R[0]
++ vmovdqu $_r0_($state), $T0
++ vpmuludq $T0, $A0, $R0
++ vpmuludq $T0, $A1, $R1
++ vpmuludq $T0, $A2, $R2
++ vpmuludq $T0, $A3, $R3
++ vpmuludq $T0, $A4, $R4
++ # Multiply input by R[1] (and R[1]*5)
++ vmovdqu $_r1_x5($state), $T0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R0, $R0
++ vmovdqu $_r1_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R4, $R4
++ # Etc
++ vmovdqu $_r2_x5($state), $T0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R1, $R1
++ vmovdqu $_r2_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovdqu $_r3_x5($state), $T0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R2, $R2
++ vmovdqu $_r3_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovdqu $_r4_x5($state), $T0
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R3, $R3
++ vmovdqu $_r4_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R4, $R4
++1:
++ vpsrldq \$8, $R0, $A0
++ vpsrldq \$8, $R1, $A1
++ vpsrldq \$8, $R2, $A2
++ vpsrldq \$8, $R3, $A3
++ vpsrldq \$8, $R4, $A4
++
++ vpaddq $R0, $A0, $A0
++ vpaddq $R1, $A1, $A1
++ vpaddq $R2, $A2, $A2
++ vpaddq $R3, $A3, $A3
++ vpaddq $R4, $A4, $A4
++ # Reduce
++ vpsrlq \$26, $A3, $T0
++ vpaddq $T0, $A4, $A4
++ vpand $AND_MASK, $A3, $A3
++ vpsrlq \$26, $A4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $A0, $A0
++ vpand $AND_MASK, $A4, $A4
++ vpsrlq \$26, $A0, $T0
++ vpand $AND_MASK, $A0, $A0
++ vpaddq $T0, $A1, $A1
++ vpsrlq \$26, $A1, $T0
++ vpand $AND_MASK, $A1, $A1
++ vpaddq $T0, $A2, $A2
++ vpsrlq \$26, $A2, $T0
++ vpand $AND_MASK, $A2, $A2
++ vpaddq $T0, $A3, $A3
++ vpsrlq \$26, $A3, $T0
++ vpand $AND_MASK, $A3, $A3
++ vpaddq $T0, $A4, $A4
++3:
++ cmp \$16, $in_len
++ jb 1f
++
++ # load the next block
++ vmovq 8*0($in), $R0
++ vmovq 8*1($in), $R1
++ add \$16, $in
++ sub \$16, $in_len
++
++ vpsrlq \$26, $R0, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A0, $A0
++
++ vpsrlq \$26, $R2, $R0
++ vpand $AND_MASK, $R2, $R2
++ vpaddq $R2, $A1, $A1
++
++ vpsllq \$12, $R1, $R2
++ vpxor $R2, $R0, $R0
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A2, $A2
++
++ vpsrlq \$26, $R2, $R0
++ vpsrlq \$40, $R1, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpxor .LsetBit(%rip), $R2, $R2
++ vpaddq $R0, $A3, $A3
++ vpaddq $R2, $A4, $A4
++2:
++ # Multiply input by R[0]
++ vmovq $_r0_+8($state), $T0
++ vpmuludq $T0, $A0, $R0
++ vpmuludq $T0, $A1, $R1
++ vpmuludq $T0, $A2, $R2
++ vpmuludq $T0, $A3, $R3
++ vpmuludq $T0, $A4, $R4
++ # Multiply input by R[1] (and R[1]*5)
++ vmovq $_r1_x5+8($state), $T0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R0, $R0
++ vmovq $_r1_+8($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R4, $R4
++ # Etc
++ vmovq $_r2_x5+8($state), $T0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R1, $R1
++ vmovq $_r2_+8($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovq $_r3_x5+8($state), $T0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R2, $R2
++ vmovq $_r3_+8($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovq $_r4_x5+8($state), $T0
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R3, $R3
++ vmovq $_r4_+8($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R4, $R4
++
++ # Reduce
++ vpsrlq \$26, $R3, $T0
++ vpaddq $T0, $R4, $R4
++ vpand $AND_MASK, $R3, $R3
++ vpsrlq \$26, $R4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $R0, $R0
++ vpand $AND_MASK, $R4, $R4
++ vpsrlq \$26, $R0, $T0
++ vpand $AND_MASK, $R0, $A0
++ vpaddq $T0, $R1, $R1
++ vpsrlq \$26, $R1, $T0
++ vpand $AND_MASK, $R1, $A1
++ vpaddq $T0, $R2, $R2
++ vpsrlq \$26, $R2, $T0
++ vpand $AND_MASK, $R2, $A2
++ vpaddq $T0, $R3, $R3
++ vpsrlq \$26, $R3, $T0
++ vpand $AND_MASK, $R3, $A3
++ vpaddq $T0, $R4, $A4
++
++1:
++ test $in_len, $in_len
++ jz 1f
++
++ vmovdqa .Lone(%rip), $R0
++3:
++ dec $in_len
++ vpslldq \$1, $R0, $R0
++ vpinsrb \$0, ($in, $in_len), $R0, $R0
++ test $in_len, $in_len
++ jnz 3b
++
++ vpsrldq \$8, $R0, $R1
++ vpsrlq \$26, $R0, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A0, $A0
++
++ vpsrlq \$26, $R2, $R0
++ vpand $AND_MASK, $R2, $R2
++ vpaddq $R2, $A1, $A1
++
++ vpsllq \$12, $R1, $R2
++ vpxor $R2, $R0, $R0
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A2, $A2
++
++ vpsrlq \$26, $R2, $R0
++ vpsrlq \$40, $R1, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A3, $A3
++ vpaddq $R2, $A4, $A4
++ xor $in_len, $in_len
++ jmp 2b
++1:
++ vmovd $A0, $_A0_($state)
++ vmovd $A1, $_A1_($state)
++ vmovd $A2, $_A2_($state)
++ vmovd $A3, $_A3_($state)
++ vmovd $A4, $_A4_($state)
++
++
++ mov $in, %rax
++ vzeroupper
++ ret
++.size poly1305_update_avx,.-poly1305_update_avx
++###############################################################################
++# void poly1305_finish_avx(void* $state, uint64_t mac[2]);
++.type poly1305_finish_avx,\@function, 2
++.globl poly1305_finish_avx
++poly1305_finish_avx:
++___
++my $mac="%rsi";
++$code.=<<___;
++ vzeroupper
++ vmovd $_A0_($state), $A0
++ vmovd $_A1_($state), $A1
++ vmovd $_A2_($state), $A2
++ vmovd $_A3_($state), $A3
++ vmovd $_A4_($state), $A4
++ # Reduce one last time in case there was a carry from 130 bit
++ vpsrlq \$26, $A4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $A0, $A0
++ vpand .LandMask(%rip), $A4, $A4
++
++ vpsrlq \$26, $A0, $T0
++ vpand .LandMask(%rip), $A0, $A0
++ vpaddq $T0, $A1, $A1
++ vpsrlq \$26, $A1, $T0
++ vpand .LandMask(%rip), $A1, $A1
++ vpaddq $T0, $A2, $A2
++ vpsrlq \$26, $A2, $T0
++ vpand .LandMask(%rip), $A2, $A2
++ vpaddq $T0, $A3, $A3
++ vpsrlq \$26, $A3, $T0
++ vpand .LandMask(%rip), $A3, $A3
++ vpaddq $T0, $A4, $A4
++ # Convert to normal
++ vpsllq \$26, $A1, $T0
++ vpxor $T0, $A0, $A0
++ vpsllq \$52, $A2, $T0
++ vpxor $T0, $A0, $A0
++ vpsrlq \$12, $A2, $A1
++ vpsllq \$14, $A3, $T0
++ vpxor $T0, $A1, $A1
++ vpsllq \$40, $A4, $T0
++ vpxor $T0, $A1, $A1
++ vmovq $A0, %rax
++ vmovq $A1, %rdx
++
++ add $_k_($state), %rax
++ adc $_k_+8($state), %rdx
++ mov %rax, ($mac)
++ mov %rdx, 8($mac)
++ vzeroupper
++ ret
++.size poly1305_finish_avx,.-poly1305_finish_avx
++___
++}
++}}
++
++$code =~ s/\`([^\`]*)\`/eval($1)/gem;
++print $code;
++close STDOUT;
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx2.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx2.pl
+--- openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx2.pl 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx2.pl 2016-02-08 16:12:00.597614755 +0100
+@@ -0,0 +1,918 @@
++##############################################################################
++# #
++# Copyright 2014 Intel Corporation #
++# #
++# Licensed under the Apache License, Version 2.0 (the "License"); #
++# you may not use this file except in compliance with the License. #
++# You may obtain a copy of the License at #
++# #
++# http://www.apache.org/licenses/LICENSE-2.0 #
++# #
++# Unless required by applicable law or agreed to in writing, software #
++# distributed under the License is distributed on an "AS IS" BASIS, #
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
++# See the License for the specific language governing permissions and #
++# limitations under the License. #
++# #
++##############################################################################
++# #
++# Developers and authors: #
++# Shay Gueron (1, 2), and Vlad Krasnov (1) #
++# (1) Intel Corporation, Israel Development Center #
++# (2) University of Haifa #
++# #
++##############################################################################
++# state:
++# 0: r[0] || r^2[0]
++# 16: r[1] || r^2[1]
++# 32: r[2] || r^2[2]
++# 48: r[3] || r^2[3]
++# 64: r[4] || r^2[4]
++# 80: r[1]*5 || r^2[1]*5
++# 96: r[2]*5 || r^2[2]*5
++#112: r[3]*5 || r^2[3]*5
++#128: r[4]*5 || r^2[4]*5
++#144: k
++#160: A0
++#164: A1
++#168: A2
++#172: A3
++#176: A4
++#180: END
++
++$flavour = shift;
++$output = shift;
++if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
++
++$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
++die "can't locate x86_64-xlate.pl";
++
++open OUT,"| \"$^X\" $xlate $flavour $output";
++*STDOUT=*OUT;
++
++if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
++ =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.19) + ($1>=2.22);
++}
++
++if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
++ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
++ $avx = ($1>=2.09) + ($1>=2.10);
++}
++
++if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
++ `ml64 2>&1` =~ /Version ([0-9]+)\./) {
++ $avx = ($1>=10) + ($1>=11);
++}
++
++if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
++ my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
++ $avx = ($ver>=3.0) + ($ver>=3.01);
++}
++
++if ($avx>=1) {{
++
++my ($_r0_, $_r1_, $_r2_, $_r3_, $_r4_, $_r1_x5, $_r2_x5, $_r3_x5, $_r4_x5, $_k_, $_A0_, $_A1_, $_A2_, $_A3_, $_A4_)
++= (0,32,64,96,128,160,192,224,256,288,304,308,312,316,320);
++
++$code.=<<___;
++.text
++.align 32
++.LandMask:
++.quad 0x3FFFFFF, 0x3FFFFFF, 0x3FFFFFF, 0x3FFFFFF
++.LsetBit:
++.quad 0x1000000, 0x1000000, 0x1000000, 0x1000000
++.LrSet:
++.quad 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF
++.quad 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC
++
++.LpermFix:
++.long 6,7,6,7,6,7,6,7
++.long 4,5,6,7,6,7,6,7
++.long 2,3,6,7,4,5,6,7
++.long 0,1,4,5,2,3,6,7
++___
++
++
++{
++my ($A0, $A1, $A2, $A3, $A4,
++ $r0, $r1, $r2, $r3, $r4,
++ $T0, $T1, $A5, $A6, $A7, $A8)=map("%xmm$_",(0..15));
++my ($A0_y, $A1_y, $A2_y, $A3_y, $A4_y,
++ $r0_y, $r1_y, $r2_y, $r3_y, $r4_y)=map("%ymm$_",(0..9));
++my ($state, $key)
++ =("%rdi", "%rsi");
++
++$code.=<<___;
++################################################################################
++# void poly1305_init_avx2(void *state, uint8_t key[32])
++
++.globl poly1305_init_avx2
++.type poly1305_init_avx2, \@function, 2
++.align 64
++poly1305_init_avx2:
++ vzeroupper
++
++ # Store k
++ vmovdqu 16*1($key), $T0
++ vmovdqu $T0, $_k_($state)
++ # Init the MAC value
++ vpxor $T0, $T0, $T0
++ vmovdqu $T0, $_A0_($state)
++ vmovd $T0, $_A4_($state)
++ # load and convert r
++ vmovq 8*0($key), $r0
++ vmovq 8*1($key), $T0
++ vpand .LrSet(%rip), $r0, $r0
++ vpand .LrSet+32(%rip), $T0, $T0
++
++ vpsrlq \$26, $r0, $r1
++ vpand .LandMask(%rip), $r0, $r0
++ vpsrlq \$26, $r1, $r2
++ vpand .LandMask(%rip), $r1, $r1
++ vpsllq \$12, $T0, $T1
++ vpxor $T1, $r2, $r2
++ vpsrlq \$26, $r2, $r3
++ vpsrlq \$40, $T0, $r4
++ vpand .LandMask(%rip), $r2, $r2
++ vpand .LandMask(%rip), $r3, $r3
++ # SQR R
++ vpmuludq $r0, $r0, $A0
++ vpmuludq $r1, $r0, $A1
++ vpmuludq $r2, $r0, $A2
++ vpmuludq $r3, $r0, $A3
++ vpmuludq $r4, $r0, $A4
++
++ vpsllq \$1, $A1, $A1
++ vpsllq \$1, $A2, $A2
++ vpmuludq $r1, $r1, $T0
++ vpaddq $T0, $A2, $A2
++ vpmuludq $r2, $r1, $T0
++ vpaddq $T0, $A3, $A3
++ vpmuludq $r3, $r1, $T0
++ vpaddq $T0, $A4, $A4
++ vpmuludq $r4, $r1, $A5
++
++ vpsllq \$1, $A3, $A3
++ vpsllq \$1, $A4, $A4
++ vpmuludq $r2, $r2, $T0
++ vpaddq $T0, $A4, $A4
++ vpmuludq $r3, $r2, $T0
++ vpaddq $T0, $A5, $A5
++ vpmuludq $r4, $r2, $A6
++
++ vpsllq \$1, $A5, $A5
++ vpsllq \$1, $A6, $A6
++ vpmuludq $r3, $r3, $T0
++ vpaddq $T0, $A6, $A6
++ vpmuludq $r4, $r3, $A7
++
++ vpsllq \$1, $A7, $A7
++ vpmuludq $r4, $r4, $A8
++
++ # Reduce
++ vpsrlq \$26, $A4, $T0
++ vpand .LandMask(%rip), $A4, $A4
++ vpaddq $T0, $A5, $A5
++
++ vpsllq \$2, $A5, $T0
++ vpaddq $T0, $A5, $A5
++ vpsllq \$2, $A6, $T0
++ vpaddq $T0, $A6, $A6
++ vpsllq \$2, $A7, $T0
++ vpaddq $T0, $A7, $A7
++ vpsllq \$2, $A8, $T0
++ vpaddq $T0, $A8, $A8
++
++ vpaddq $A5, $A0, $A0
++ vpaddq $A6, $A1, $A1
++ vpaddq $A7, $A2, $A2
++ vpaddq $A8, $A3, $A3
++
++ vpsrlq \$26, $A0, $T0
++ vpand .LandMask(%rip), $A0, $A0
++ vpaddq $T0, $A1, $A1
++ vpsrlq \$26, $A1, $T0
++ vpand .LandMask(%rip), $A1, $A1
++ vpaddq $T0, $A2, $A2
++ vpsrlq \$26, $A2, $T0
++ vpand .LandMask(%rip), $A2, $A2
++ vpaddq $T0, $A3, $A3
++ vpsrlq \$26, $A3, $T0
++ vpand .LandMask(%rip), $A3, $A3
++ vpaddq $T0, $A4, $A4
++
++ vpunpcklqdq $r0, $A0, $r0
++ vpunpcklqdq $r1, $A1, $r1
++ vpunpcklqdq $r2, $A2, $r2
++ vpunpcklqdq $r3, $A3, $r3
++ vpunpcklqdq $r4, $A4, $r4
++
++ vmovdqu $r0, $_r0_+16($state)
++ vmovdqu $r1, $_r1_+16($state)
++ vmovdqu $r2, $_r2_+16($state)
++ vmovdqu $r3, $_r3_+16($state)
++ vmovdqu $r4, $_r4_+16($state)
++
++ vpsllq \$2, $r1, $A1
++ vpsllq \$2, $r2, $A2
++ vpsllq \$2, $r3, $A3
++ vpsllq \$2, $r4, $A4
++
++ vpaddq $A1, $r1, $A1
++ vpaddq $A2, $r2, $A2
++ vpaddq $A3, $r3, $A3
++ vpaddq $A4, $r4, $A4
++
++ vmovdqu $A1, $_r1_x5+16($state)
++ vmovdqu $A2, $_r2_x5+16($state)
++ vmovdqu $A3, $_r3_x5+16($state)
++ vmovdqu $A4, $_r4_x5+16($state)
++
++ # Compute r^3 and r^4
++ vpshufd \$0x44, $r0, $A0
++ vpshufd \$0x44, $r1, $A1
++ vpshufd \$0x44, $r2, $A2
++ vpshufd \$0x44, $r3, $A3
++ vpshufd \$0x44, $r4, $A4
++
++ # Multiply input by R[0]
++ vmovdqu $_r0_+16($state), $T0
++ vpmuludq $T0, $A0, $r0
++ vpmuludq $T0, $A1, $r1
++ vpmuludq $T0, $A2, $r2
++ vpmuludq $T0, $A3, $r3
++ vpmuludq $T0, $A4, $r4
++ # Multiply input by R[1] (and R[1]*5)
++ vmovdqu $_r1_x5+16($state), $T0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $r0, $r0
++ vmovdqu $_r1_+16($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $r1, $r1
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $r2, $r2
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $r3, $r3
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $r4, $r4
++ # Etc
++ vmovdqu $_r2_x5+16($state), $T0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $r0, $r0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $r1, $r1
++ vmovdqu $_r2_+16($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $r2, $r2
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $r3, $r3
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $r4, $r4
++
++ vmovdqu $_r3_x5+16($state), $T0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $r0, $r0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $r1, $r1
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $r2, $r2
++ vmovdqu $_r3_+16($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $r3, $r3
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $r4, $r4
++
++ vmovdqu $_r4_x5+16($state), $T0
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $r0, $r0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $r1, $r1
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $r2, $r2
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $r3, $r3
++ vmovdqu $_r4_+16($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $r4, $r4
++ # Reduce
++ vpsrlq \$26, $r3, $T0
++ vpaddq $T0, $r4, $r4
++ vpand .LandMask(%rip), $r3, $r3
++ vpsrlq \$26, $r4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $r0, $r0
++ vpand .LandMask(%rip), $r4, $r4
++ vpsrlq \$26, $r0, $T0
++ vpand .LandMask(%rip), $r0, $r0
++ vpaddq $T0, $r1, $r1
++ vpsrlq \$26, $r1, $T0
++ vpand .LandMask(%rip), $r1, $r1
++ vpaddq $T0, $r2, $r2
++ vpsrlq \$26, $r2, $T0
++ vpand .LandMask(%rip), $r2, $r2
++ vpaddq $T0, $r3, $r3
++ vpsrlq \$26, $r3, $T0
++ vpand .LandMask(%rip), $r3, $r3
++ vpaddq $T0, $r4, $r4
++
++ vmovdqu $r0, $_r0_($state)
++ vmovdqu $r1, $_r1_($state)
++ vmovdqu $r2, $_r2_($state)
++ vmovdqu $r3, $_r3_($state)
++ vmovdqu $r4, $_r4_($state)
++
++ vpsllq \$2, $r1, $A1
++ vpsllq \$2, $r2, $A2
++ vpsllq \$2, $r3, $A3
++ vpsllq \$2, $r4, $A4
++
++ vpaddq $A1, $r1, $A1
++ vpaddq $A2, $r2, $A2
++ vpaddq $A3, $r3, $A3
++ vpaddq $A4, $r4, $A4
++
++ vmovdqu $A1, $_r1_x5($state)
++ vmovdqu $A2, $_r2_x5($state)
++ vmovdqu $A3, $_r3_x5($state)
++ vmovdqu $A4, $_r4_x5($state)
++
++ ret
++.size poly1305_init_avx2,.-poly1305_init_avx2
++___
++}
++
++{
++
++my ($A0, $A1, $A2, $A3, $A4,
++ $T0, $T1, $R0, $R1, $R2,
++ $R3, $R4, $AND_MASK, $PERM_MASK, $SET_MASK)=map("%ymm$_",(0..14));
++
++my ($A0_x, $A1_x, $A2_x, $A3_x, $A4_x,
++ $T0_x, $T1_x, $R0_x, $R1_x, $R2_x,
++ $R3_x, $R4_x, $AND_MASK_x, $PERM_MASK_x, $SET_MASK_x)=map("%xmm$_",(0..14));
++
++my ($state, $in, $in_len, $hlp, $rsp_save)=("%rdi", "%rsi", "%rdx", "%rcx", "%rax");
++
++$code.=<<___;
++
++###############################################################################
++# void poly1305_update_avx2(void* $state, void* in, uint64_t in_len2)
++.globl poly1305_update_avx2
++.type poly1305_update_avx2, \@function, 2
++.align 64
++poly1305_update_avx2:
++
++ vmovd $_A0_($state), $A0_x
++ vmovd $_A1_($state), $A1_x
++ vmovd $_A2_($state), $A2_x
++ vmovd $_A3_($state), $A3_x
++ vmovd $_A4_($state), $A4_x
++
++ vmovdqa .LandMask(%rip), $AND_MASK
++1:
++ cmp \$32*4, $in_len
++ jb 1f
++ sub \$32*2, $in_len
++
++ # load the next four blocks
++ vmovdqu 32*0($in), $R2
++ vmovdqu 32*1($in), $R3
++ add \$32*2, $in
++
++ vpunpcklqdq $R3, $R2, $R0
++ vpunpckhqdq $R3, $R2, $R1
++
++ vpermq \$0xD8, $R0, $R0 # it is possible to rearrange the precomputations, and save this shuffle
++ vpermq \$0xD8, $R1, $R1
++
++ vpsrlq \$26, $R0, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A0, $A0
++
++ vpsrlq \$26, $R2, $R0
++ vpand $AND_MASK, $R2, $R2
++ vpaddq $R2, $A1, $A1
++
++ vpsllq \$12, $R1, $R2
++ vpxor $R2, $R0, $R0
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A2, $A2
++
++ vpsrlq \$26, $R2, $R0
++ vpsrlq \$40, $R1, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpxor .LsetBit(%rip), $R2, $R2
++ vpaddq $R0, $A3, $A3
++ vpaddq $R2, $A4, $A4
++
++ # Multiply input by R[0]
++ vpbroadcastq $_r0_($state), $T0
++ vpmuludq $T0, $A0, $R0
++ vpmuludq $T0, $A1, $R1
++ vpmuludq $T0, $A2, $R2
++ vpmuludq $T0, $A3, $R3
++ vpmuludq $T0, $A4, $R4
++ # Multiply input by R[1] (and R[1]*5)
++ vpbroadcastq $_r1_x5($state), $T0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R0, $R0
++ vpbroadcastq $_r1_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R4, $R4
++ # Etc
++ vpbroadcastq $_r2_x5($state), $T0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R1, $R1
++ vpbroadcastq $_r2_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R4, $R4
++
++ vpbroadcastq $_r3_x5($state), $T0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R2, $R2
++ vpbroadcastq $_r3_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R4, $R4
++
++ vpbroadcastq $_r4_x5($state), $T0
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R3, $R3
++ vpbroadcastq $_r4_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R4, $R4
++ # Reduce
++ vpsrlq \$26, $R3, $T0
++ vpaddq $T0, $R4, $R4
++ vpand $AND_MASK, $R3, $R3
++
++ vpsrlq \$26, $R4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $R0, $R0
++ vpand $AND_MASK, $R4, $R4
++
++ vpsrlq \$26, $R0, $T0
++ vpand $AND_MASK, $R0, $A0
++ vpaddq $T0, $R1, $R1
++ vpsrlq \$26, $R1, $T0
++ vpand $AND_MASK, $R1, $A1
++ vpaddq $T0, $R2, $R2
++ vpsrlq \$26, $R2, $T0
++ vpand $AND_MASK, $R2, $A2
++ vpaddq $T0, $R3, $R3
++ vpsrlq \$26, $R3, $T0
++ vpand $AND_MASK, $R3, $A3
++ vpaddq $T0, $R4, $A4
++ jmp 1b
++1:
++
++ cmp \$32*2, $in_len
++ jb 1f
++ sub \$32*2, $in_len
++ # load the next four blocks
++ vmovdqu 32*0($in), $R2
++ vmovdqu 32*1($in), $R3
++ add \$32*2, $in
++
++ vpunpcklqdq $R3, $R2, $R0
++ vpunpckhqdq $R3, $R2, $R1
++
++ vpermq \$0xD8, $R0, $R0
++ vpermq \$0xD8, $R1, $R1
++
++ vpsrlq \$26, $R0, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A0, $A0
++
++ vpsrlq \$26, $R2, $R0
++ vpand $AND_MASK, $R2, $R2
++ vpaddq $R2, $A1, $A1
++
++ vpsllq \$12, $R1, $R2
++ vpxor $R2, $R0, $R0
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A2, $A2
++
++ vpsrlq \$26, $R2, $R0
++ vpsrlq \$40, $R1, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpxor .LsetBit(%rip), $R2, $R2
++ vpaddq $R0, $A3, $A3
++ vpaddq $R2, $A4, $A4
++
++ # Multiply input by R[0]
++ vmovdqu $_r0_($state), $T0
++ vpmuludq $T0, $A0, $R0
++ vpmuludq $T0, $A1, $R1
++ vpmuludq $T0, $A2, $R2
++ vpmuludq $T0, $A3, $R3
++ vpmuludq $T0, $A4, $R4
++ # Multiply input by R[1] (and R[1]*5)
++ vmovdqu $_r1_x5($state), $T0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R0, $R0
++ vmovdqu $_r1_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R4, $R4
++ # Etc
++ vmovdqu $_r2_x5($state), $T0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R1, $R1
++ vmovdqu $_r2_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovdqu $_r3_x5($state), $T0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R2, $R2
++ vmovdqu $_r3_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovdqu $_r4_x5($state), $T0
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R3, $R3
++ vmovdqu $_r4_($state), $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R4, $R4
++ # Reduce
++ vpsrlq \$26, $R3, $T0
++ vpaddq $T0, $R4, $R4
++ vpand $AND_MASK, $R3, $R3
++ vpsrlq \$26, $R4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $R0, $R0
++ vpand $AND_MASK, $R4, $R4
++ vpsrlq \$26, $R0, $T0
++ vpand $AND_MASK, $R0, $A0
++ vpaddq $T0, $R1, $R1
++ vpsrlq \$26, $R1, $T0
++ vpand $AND_MASK, $R1, $A1
++ vpaddq $T0, $R2, $R2
++ vpsrlq \$26, $R2, $T0
++ vpand $AND_MASK, $R2, $A2
++ vpaddq $T0, $R3, $R3
++ vpsrlq \$26, $R3, $T0
++ vpand $AND_MASK, $R3, $A3
++ vpaddq $T0, $R4, $A4
++
++ vpsrldq \$8, $A0, $R0
++ vpsrldq \$8, $A1, $R1
++ vpsrldq \$8, $A2, $R2
++ vpsrldq \$8, $A3, $R3
++ vpsrldq \$8, $A4, $R4
++
++ vpaddq $R0, $A0, $A0
++ vpaddq $R1, $A1, $A1
++ vpaddq $R2, $A2, $A2
++ vpaddq $R3, $A3, $A3
++ vpaddq $R4, $A4, $A4
++
++ vpermq \$0xAA, $A0, $R0
++ vpermq \$0xAA, $A1, $R1
++ vpermq \$0xAA, $A2, $R2
++ vpermq \$0xAA, $A3, $R3
++ vpermq \$0xAA, $A4, $R4
++
++ vpaddq $R0, $A0, $A0
++ vpaddq $R1, $A1, $A1
++ vpaddq $R2, $A2, $A2
++ vpaddq $R3, $A3, $A3
++ vpaddq $R4, $A4, $A4
++1:
++ test $in_len, $in_len
++ jz 5f
++ # In case 1,2 or 3 blocks remain, we want to multiply them correctly
++ vmovq $A0_x, $A0_x
++ vmovq $A1_x, $A1_x
++ vmovq $A2_x, $A2_x
++ vmovq $A3_x, $A3_x
++ vmovq $A4_x, $A4_x
++
++ mov .LsetBit(%rip), $hlp
++ mov %rsp, $rsp_save
++ test \$15, $in_len
++ jz 1f
++ xor $hlp, $hlp
++ sub \$64, %rsp
++ vpxor $R0, $R0, $R0
++ vmovdqu $R0, (%rsp)
++ vmovdqu $R0, 32(%rsp)
++3:
++ movb ($in, $hlp), %r8b
++ movb %r8b, (%rsp, $hlp)
++ inc $hlp
++ cmp $hlp, $in_len
++ jne 3b
++
++ movb \$1, (%rsp, $hlp)
++ xor $hlp, $hlp
++ mov %rsp, $in
++
++1:
++
++ cmp \$16, $in_len
++ ja 2f
++ vmovq 8*0($in), $R0_x
++ vmovq 8*1($in), $R1_x
++ vmovq $hlp, $SET_MASK_x
++ vmovdqa .LpermFix(%rip), $PERM_MASK
++ jmp 1f
++2:
++ cmp \$32, $in_len
++ ja 2f
++ vmovdqu 16*0($in), $R2_x
++ vmovdqu 16*1($in), $R3_x
++ vmovq .LsetBit(%rip), $SET_MASK_x
++ vpinsrq \$1, $hlp, $SET_MASK_x, $SET_MASK_x
++ vmovdqa .LpermFix+32(%rip), $PERM_MASK
++
++ vpunpcklqdq $R3, $R2, $R0
++ vpunpckhqdq $R3, $R2, $R1
++ jmp 1f
++2:
++ cmp \$48, $in_len
++ ja 2f
++ vmovdqu 32*0($in), $R2
++ vmovdqu 32*1($in), $R3_x
++ vmovq .LsetBit(%rip), $SET_MASK_x
++ vpinsrq \$1, $hlp, $SET_MASK_x, $SET_MASK_x
++ vpermq \$0xc4, $SET_MASK, $SET_MASK
++ vmovdqa .LpermFix+64(%rip), $PERM_MASK
++
++ vpunpcklqdq $R3, $R2, $R0
++ vpunpckhqdq $R3, $R2, $R1
++ jmp 1f
++2:
++ vmovdqu 32*0($in), $R2
++ vmovdqu 32*1($in), $R3
++ vmovq .LsetBit(%rip), $SET_MASK_x
++ vpinsrq \$1, $hlp, $SET_MASK_x, $SET_MASK_x
++ vpermq \$0x40, $SET_MASK, $SET_MASK
++ vmovdqa .LpermFix+96(%rip), $PERM_MASK
++
++ vpunpcklqdq $R3, $R2, $R0
++ vpunpckhqdq $R3, $R2, $R1
++
++1:
++ mov $rsp_save, %rsp
++
++ vpsrlq \$26, $R0, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A0, $A0
++
++ vpsrlq \$26, $R2, $R0
++ vpand $AND_MASK, $R2, $R2
++ vpaddq $R2, $A1, $A1
++
++ vpsllq \$12, $R1, $R2
++ vpxor $R2, $R0, $R0
++ vpand $AND_MASK, $R0, $R0
++ vpaddq $R0, $A2, $A2
++
++ vpsrlq \$26, $R2, $R0
++ vpsrlq \$40, $R1, $R2
++ vpand $AND_MASK, $R0, $R0
++ vpxor $SET_MASK, $R2, $R2
++ vpaddq $R0, $A3, $A3
++ vpaddq $R2, $A4, $A4
++
++ # Multiply input by R[0]
++ vmovdqu $_r0_($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A0, $R0
++ vpmuludq $T0, $A1, $R1
++ vpmuludq $T0, $A2, $R2
++ vpmuludq $T0, $A3, $R3
++ vpmuludq $T0, $A4, $R4
++ # Multiply input by R[1] (and R[1]*5)
++ vmovdqu $_r1_x5($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R0, $R0
++ vmovdqu $_r1_($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R4, $R4
++ # Etc
++ vmovdqu $_r2_x5($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R1, $R1
++ vmovdqu $_r2_($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovdqu $_r3_x5($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R2, $R2
++ vmovdqu $_r3_($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R3, $R3
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R4, $R4
++
++ vmovdqu $_r4_x5($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A1, $T1
++ vpaddq $T1, $R0, $R0
++ vpmuludq $T0, $A2, $T1
++ vpaddq $T1, $R1, $R1
++ vpmuludq $T0, $A3, $T1
++ vpaddq $T1, $R2, $R2
++ vpmuludq $T0, $A4, $T1
++ vpaddq $T1, $R3, $R3
++ vmovdqu $_r4_($state), $T0
++ vpermd $T0, $PERM_MASK, $T0
++ vpmuludq $T0, $A0, $T1
++ vpaddq $T1, $R4, $R4
++ # Reduce
++ vpsrlq \$26, $R3, $T0
++ vpaddq $T0, $R4, $R4
++ vpand $AND_MASK, $R3, $R3
++ vpsrlq \$26, $R4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $R0, $R0
++ vpand $AND_MASK, $R4, $R4
++ vpsrlq \$26, $R0, $T0
++ vpand $AND_MASK, $R0, $A0
++ vpaddq $T0, $R1, $R1
++ vpsrlq \$26, $R1, $T0
++ vpand $AND_MASK, $R1, $A1
++ vpaddq $T0, $R2, $R2
++ vpsrlq \$26, $R2, $T0
++ vpand $AND_MASK, $R2, $A2
++ vpaddq $T0, $R3, $R3
++ vpsrlq \$26, $R3, $T0
++ vpand $AND_MASK, $R3, $A3
++ vpaddq $T0, $R4, $A4
++
++ vpsrldq \$8, $A0, $R0
++ vpsrldq \$8, $A1, $R1
++ vpsrldq \$8, $A2, $R2
++ vpsrldq \$8, $A3, $R3
++ vpsrldq \$8, $A4, $R4
++
++ vpaddq $R0, $A0, $A0
++ vpaddq $R1, $A1, $A1
++ vpaddq $R2, $A2, $A2
++ vpaddq $R3, $A3, $A3
++ vpaddq $R4, $A4, $A4
++
++ vpermq \$0xAA, $A0, $R0
++ vpermq \$0xAA, $A1, $R1
++ vpermq \$0xAA, $A2, $R2
++ vpermq \$0xAA, $A3, $R3
++ vpermq \$0xAA, $A4, $R4
++
++ vpaddq $R0, $A0, $A0
++ vpaddq $R1, $A1, $A1
++ vpaddq $R2, $A2, $A2
++ vpaddq $R3, $A3, $A3
++ vpaddq $R4, $A4, $A4
++
++5:
++ vmovd $A0_x, $_A0_($state)
++ vmovd $A1_x, $_A1_($state)
++ vmovd $A2_x, $_A2_($state)
++ vmovd $A3_x, $_A3_($state)
++ vmovd $A4_x, $_A4_($state)
++
++ ret
++.size poly1305_update_avx2,.-poly1305_update_avx2
++###############################################################################
++# void poly1305_finish_avx2(void* $state, uint8_t mac[16]);
++.type poly1305_finish_avx2,\@function,2
++.globl poly1305_finish_avx2
++poly1305_finish_avx2:
++___
++my $mac="%rsi";
++my ($A0, $A1, $A2, $A3, $A4, $T0, $T1)=map("%xmm$_",(0..6));
++
++$code.=<<___;
++ vmovd $_A0_($state), $A0
++ vmovd $_A1_($state), $A1
++ vmovd $_A2_($state), $A2
++ vmovd $_A3_($state), $A3
++ vmovd $_A4_($state), $A4
++ # Reduce one last time in case there was a carry from 130 bit
++ vpsrlq \$26, $A4, $T0
++ vpsllq \$2, $T0, $T1
++ vpaddq $T1, $T0, $T0
++ vpaddq $T0, $A0, $A0
++ vpand .LandMask(%rip), $A4, $A4
++
++ vpsrlq \$26, $A0, $T0
++ vpand .LandMask(%rip), $A0, $A0
++ vpaddq $T0, $A1, $A1
++ vpsrlq \$26, $A1, $T0
++ vpand .LandMask(%rip), $A1, $A1
++ vpaddq $T0, $A2, $A2
++ vpsrlq \$26, $A2, $T0
++ vpand .LandMask(%rip), $A2, $A2
++ vpaddq $T0, $A3, $A3
++ vpsrlq \$26, $A3, $T0
++ vpand .LandMask(%rip), $A3, $A3
++ vpaddq $T0, $A4, $A4
++ # Convert to normal
++ vpsllq \$26, $A1, $T0
++ vpxor $T0, $A0, $A0
++ vpsllq \$52, $A2, $T0
++ vpxor $T0, $A0, $A0
++ vpsrlq \$12, $A2, $A1
++ vpsllq \$14, $A3, $T0
++ vpxor $T0, $A1, $A1
++ vpsllq \$40, $A4, $T0
++ vpxor $T0, $A1, $A1
++ vmovq $A0, %rax
++ vmovq $A1, %rdx
++
++ add $_k_($state), %rax
++ adc $_k_+8($state), %rdx
++ mov %rax, ($mac)
++ mov %rdx, 8($mac)
++
++ ret
++.size poly1305_finish_avx2,.-poly1305_finish_avx2
++___
++}
++}}
++
++$code =~ s/\`([^\`]*)\`/eval(\$1)/gem;
++print $code;
++close STDOUT;
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/chacha20.c openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20.c
+--- openssl-1.0.2e/crypto/chacha20poly1305/chacha20.c 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20.c 2016-02-08 16:12:00.597614755 +0100
+@@ -0,0 +1,157 @@
++/* Copyright (c) 2014, Google Inc.
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
++
++/* Adapted from the public domain, estream code by D. Bernstein. */
++
++#include <openssl/chacha20poly1305.h>
++
++/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
++static const char sigma[16] = "expand 32-byte k";
++
++#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
++#define XOR(v, w) ((v) ^ (w))
++#define PLUS(x, y) ((x) + (y))
++#define PLUSONE(v) (PLUS((v), 1))
++
++#define U32TO8_LITTLE(p, v) \
++ { \
++ (p)[0] = (v >> 0) & 0xff; \
++ (p)[1] = (v >> 8) & 0xff; \
++ (p)[2] = (v >> 16) & 0xff; \
++ (p)[3] = (v >> 24) & 0xff; \
++ }
++
++#define U8TO32_LITTLE(p) \
++ (((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
++ ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24))
++
++/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
++#define QUARTERROUND(a,b,c,d) \
++ x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]),16); \
++ x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]),12); \
++ x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]), 8); \
++ x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]), 7);
++
++/* chacha_core performs |num_rounds| rounds of ChaCha20 on the input words in
++ * |input| and writes the 64 output bytes to |output|. */
++static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
++ uint32_t x[16];
++ int i;
++
++ memcpy(x, input, sizeof(uint32_t) * 16);
++ for (i = 20; i > 0; i -= 2) {
++ QUARTERROUND(0, 4, 8, 12)
++ QUARTERROUND(1, 5, 9, 13)
++ QUARTERROUND(2, 6, 10, 14)
++ QUARTERROUND(3, 7, 11, 15)
++ QUARTERROUND(0, 5, 10, 15)
++ QUARTERROUND(1, 6, 11, 12)
++ QUARTERROUND(2, 7, 8, 13)
++ QUARTERROUND(3, 4, 9, 14)
++ }
++
++ for (i = 0; i < 16; ++i) {
++ x[i] = PLUS(x[i], input[i]);
++ }
++ for (i = 0; i < 16; ++i) {
++ U32TO8_LITTLE(output + 4 * i, x[i]);
++ }
++}
++
++void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
++ const uint8_t key[32], const uint8_t nonce[8],
++ size_t counter) {
++#ifdef CHAPOLY_x86_64_ASM
++ uint8_t buf[256];
++ size_t buf_size, ctr_msk;
++ void (*core_func)(uint8_t *out, const uint8_t *in, size_t in_len,
++ const uint8_t key[32], const uint8_t nonce[8],
++ size_t counter) = NULL;
++#else
++ uint8_t buf[64];
++#endif
++ uint32_t input[16];
++ size_t todo, i;
++
++#ifdef CHAPOLY_x86_64_ASM
++
++ if ((OPENSSL_ia32cap_loc()[2] >> 5) & 1)
++ {
++ buf_size = 128;
++ core_func = chacha_20_core_avx2;
++ ctr_msk = -2;
++ }
++ else if ((OPENSSL_ia32cap_loc()[1] >> 28) & 1)
++ {
++ buf_size = 64;
++ core_func = chacha_20_core_avx;
++ ctr_msk = -1;
++ }
++ else goto do_legacy;
++
++ core_func(out, in, in_len, key, nonce, counter);
++ todo = in_len & (~(-buf_size));
++ if(todo)
++ {
++ out += in_len&(-buf_size);
++ in += in_len&(-buf_size);
++ counter += (in_len/64) & ctr_msk;
++ memcpy(buf, in, todo);
++ core_func(buf, buf, buf_size, key, nonce, counter);
++ memcpy(out, buf, todo);
++ memset(buf, 0, buf_size);
++ }
++ return;
++
++do_legacy:
++#endif
++
++ input[0] = U8TO32_LITTLE(sigma + 0);
++ input[1] = U8TO32_LITTLE(sigma + 4);
++ input[2] = U8TO32_LITTLE(sigma + 8);
++ input[3] = U8TO32_LITTLE(sigma + 12);
++
++ input[4] = U8TO32_LITTLE(key + 0);
++ input[5] = U8TO32_LITTLE(key + 4);
++ input[6] = U8TO32_LITTLE(key + 8);
++ input[7] = U8TO32_LITTLE(key + 12);
++
++ input[8] = U8TO32_LITTLE(key + 16);
++ input[9] = U8TO32_LITTLE(key + 20);
++ input[10] = U8TO32_LITTLE(key + 24);
++ input[11] = U8TO32_LITTLE(key + 28);
++
++ input[12] = counter;
++ input[13] = (uint64_t)counter >> 32;
++ input[14] = U8TO32_LITTLE(nonce + 0);
++ input[15] = U8TO32_LITTLE(nonce + 4);
++
++ while (in_len > 0) {
++ todo = 64;
++ if (in_len < todo) {
++ todo = in_len;
++ }
++
++ chacha_core(buf, input);
++ for (i = 0; i < todo; i++) {
++ out[i] = in[i] ^ buf[i];
++ }
++
++ out += todo;
++ in += todo;
++ in_len -= todo;
++
++ ((uint64_t*)input)[6]++;
++ }
++}
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/chacha20poly1305.h openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20poly1305.h
+--- openssl-1.0.2e/crypto/chacha20poly1305/chacha20poly1305.h 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20poly1305.h 2016-02-08 16:12:00.597614755 +0100
+@@ -0,0 +1,63 @@
++#ifndef OPENSSL_HEADER_POLY1305_H
++#define OPENSSL_HEADER_POLY1305_H
++
++#include <stdint.h>
++#include <stddef.h>
++#include <string.h>
++#include "crypto.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++#define POLY1305_MAC_LEN (16)
++
++typedef unsigned char poly1305_state[512];
++
++
++/* CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an
++ * authentication tag with the one-time key |key|. Note that |key| is a
++ * one-time key and therefore there is no `reset' method because that would
++ * enable several messages to be authenticated with the same key. */
++void CRYPTO_poly1305_init(poly1305_state* state, const uint8_t key[32]);
++
++/* CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called
++ * zero or more times after poly1305_init. */
++void CRYPTO_poly1305_update(poly1305_state* state, const uint8_t* in,
++ size_t in_len);
++
++/* CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16
++ * byte authentication tag to |mac|. */
++void CRYPTO_poly1305_finish(poly1305_state* state, uint8_t mac[16]);
++
++/* CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
++ * nonce and writes the result to |out|, which may be equal to |in|. The
++ * initial block counter is specified by |counter|. */
++void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
++ const uint8_t key[32], const uint8_t nonce[8],
++ size_t counter);
++
++#ifdef CHAPOLY_x86_64_ASM
++void poly1305_init_avx(poly1305_state* state, const uint8_t key[32]);
++void poly1305_update_avx(poly1305_state* state, const uint8_t *in, size_t in_len);
++void poly1305_finish_avx(poly1305_state* state, uint8_t mac[16]);
++
++void poly1305_init_avx2(poly1305_state* state, const uint8_t key[32]);
++void poly1305_update_avx2(poly1305_state* state, const uint8_t *in, size_t in_len);
++void poly1305_finish_avx2(poly1305_state* state, uint8_t mac[16]);
++
++void chacha_20_core_avx(uint8_t *out, const uint8_t *in, size_t in_len,
++ const uint8_t key[32], const uint8_t nonce[8],
++ size_t counter);
++
++void chacha_20_core_avx2(uint8_t *out, const uint8_t *in, size_t in_len,
++ const uint8_t key[32], const uint8_t nonce[8],
++ size_t counter);
++#endif
++
++
++#if defined(__cplusplus)
++} /* extern C */
++#endif
++
++#endif /* OPENSSL_HEADER_POLY1305_H */
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/chapolytest.c openssl-1.0.2e-modified/crypto/chacha20poly1305/chapolytest.c
+--- openssl-1.0.2e/crypto/chacha20poly1305/chapolytest.c 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/chapolytest.c 2016-02-08 16:12:00.598614755 +0100
+@@ -0,0 +1,287 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <stdint.h>
++
++#include <openssl/chacha20poly1305.h>
++
++struct chacha_test {
++ const char *keyhex;
++ const char *noncehex;
++ const char *outhex;
++};
++
++struct poly1305_test
++ {
++ const char *inputhex;
++ const char *keyhex;
++ const char *outhex;
++ };
++
++static const struct chacha_test chacha_tests[] = {
++ {
++ "0000000000000000000000000000000000000000000000000000000000000000",
++ "0000000000000000",
++ "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586",
++ },
++ {
++ "0000000000000000000000000000000000000000000000000000000000000001",
++ "0000000000000000",
++ "4540f05a9f1fb296d7736e7b208e3c96eb4fe1834688d2604f450952ed432d41bbe2a0b6ea7566d2a5d1e7e20d42af2c53d792b1c43fea817e9ad275ae546963",
++ },
++ {
++ "0000000000000000000000000000000000000000000000000000000000000000",
++ "0000000000000001",
++ "de9cba7bf3d69ef5e786dc63973f653a0b49e015adbff7134fcb7df137821031e85a050278a7084527214f73efc7fa5b5277062eb7a0433e445f41e31afab757",
++ },
++ {
++ "0000000000000000000000000000000000000000000000000000000000000000",
++ "0100000000000000",
++ "ef3fdfd6c61578fbf5cf35bd3dd33b8009631634d21e42ac33960bd138e50d32111e4caf237ee53ca8ad6426194a88545ddc497a0b466e7d6bbdb0041b2f586b",
++ },
++ {
++ "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
++ "0001020304050607",
++ "f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb",
++ },
++};
++
++static const struct poly1305_test poly1305_tests[] = {
++ {
++ "",
++ "c8afaac331ee372cd6082de134943b174710130e9f6fea8d72293850a667d86c",
++ "4710130e9f6fea8d72293850a667d86c",
++ },
++ {
++ "48656c6c6f20776f726c6421",
++ "746869732069732033322d62797465206b657920666f7220506f6c7931333035",
++ "a6f745008f81c916a20dcc74eef2b2f0",
++ },
++ {
++ "0000000000000000000000000000000000000000000000000000000000000000",
++ "746869732069732033322d62797465206b657920666f7220506f6c7931333035",
++ "49ec78090e481ec6c26b33b91ccc0307",
++ },
++};
++
++static unsigned char hex_digit(char h)
++ {
++ if (h >= '0' && h <= '9')
++ return h - '0';
++ else if (h >= 'a' && h <= 'f')
++ return h - 'a' + 10;
++ else if (h >= 'A' && h <= 'F')
++ return h - 'A' + 10;
++ else
++ abort();
++ }
++
++static void hex_decode(unsigned char *out, const char* hex)
++ {
++ size_t j = 0;
++
++ while (*hex != 0)
++ {
++ unsigned char v = hex_digit(*hex++);
++ v <<= 4;
++ v |= hex_digit(*hex++);
++ out[j++] = v;
++ }
++ }
++
++static void hexdump(unsigned char *a, size_t len)
++ {
++ size_t i;
++
++ for (i = 0; i < len; i++)
++ printf("%02x", a[i]);
++ }
++
++/* misalign returns a pointer that points 0 to 15 bytes into |in| such that the
++ * returned pointer has alignment 1 mod 16. */
++static void* misalign(void* in)
++ {
++ intptr_t x = (intptr_t) in;
++ x += (17 - (x % 16)) % 16;
++ return (void*) x;
++ }
++
++int main()
++ {
++ unsigned num_tests =
++ sizeof(chacha_tests) / sizeof(struct chacha_test);
++ unsigned i;
++ unsigned char key_bytes[32 + 16];
++ unsigned char nonce_bytes[8 + 16] = {0};
++
++
++ for (i = 0; i < num_tests; i++)
++ {
++ unsigned char *key = misalign(key_bytes);
++ unsigned char *nonce = misalign(nonce_bytes);
++
++ printf("ChaCha20 test #%d\n", i);
++ const struct chacha_test *test = &chacha_tests[i];
++ unsigned char *expected, *out_bytes, *zero_bytes, *out, *zeros;
++ size_t len = strlen(test->outhex);
++
++ if (strlen(test->keyhex) != 32*2 ||
++ strlen(test->noncehex) != 8*2 ||
++ (len & 1) == 1)
++ return 1;
++
++ len /= 2;
++
++ hex_decode(key, test->keyhex);
++ hex_decode(nonce, test->noncehex);
++
++ expected = malloc(len);
++ out_bytes = malloc(len+16);
++ zero_bytes = malloc(len+16);
++ /* Attempt to test unaligned inputs. */
++ out = misalign(out_bytes);
++ zeros = misalign(zero_bytes);
++ memset(zeros, 0, len);
++
++ hex_decode(expected, test->outhex);
++ CRYPTO_chacha_20(out, zeros, len, key, nonce, 0);
++
++ if (memcmp(out, expected, len) != 0)
++ {
++ printf("ChaCha20 test #%d failed.\n", i);
++ printf("got: ");
++ hexdump(out, len);
++ printf("\nexpected: ");
++ hexdump(expected, len);
++ printf("\n");
++ return 1;
++ }
++
++ /* The last test has a large output. We test whether the
++ * counter works as expected by skipping the first 64 bytes of
++ * it. */
++ if (i == num_tests - 1)
++ {
++ CRYPTO_chacha_20(out, zeros, len - 64, key, nonce, 1);
++ if (memcmp(out, expected + 64, len - 64) != 0)
++ {
++ printf("ChaCha20 skip test failed.\n");
++ return 1;
++ }
++ }
++
++ free(expected);
++ free(zero_bytes);
++ free(out_bytes);
++ }
++ num_tests =
++ sizeof(poly1305_tests) / sizeof(struct poly1305_test);
++ unsigned char key[32], out[16], expected[16];
++ poly1305_state poly1305;
++
++ for (i = 0; i < num_tests; i++)
++ {
++ printf("Poly1305 test #%d\n", i);
++ const struct poly1305_test *test = &poly1305_tests[i];
++ unsigned char *in;
++ size_t inlen = strlen(test->inputhex);
++
++ if (strlen(test->keyhex) != sizeof(key)*2 ||
++ strlen(test->outhex) != sizeof(out)*2 ||
++ (inlen & 1) == 1)
++ return 1;
++
++ inlen /= 2;
++
++ hex_decode(key, test->keyhex);
++ hex_decode(expected, test->outhex);
++
++ in = malloc(inlen);
++
++ hex_decode(in, test->inputhex);
++
++#ifdef CHAPOLY_x86_64_ASM
++ if((OPENSSL_ia32cap_loc()[1] >> 5) & 1) {
++ poly1305_init_avx2(&poly1305, key);
++ poly1305_update_avx2(&poly1305, in, inlen);
++ poly1305_finish_avx2(&poly1305, out);
++ }
++ else if ((OPENSSL_ia32cap_loc()[0] >> 60) & 1) {
++ poly1305_init_avx(&poly1305, key);
++ poly1305_update_avx(&poly1305, in, inlen);
++ poly1305_finish_avx(&poly1305, out);
++ }
++ else
++#endif
++ {
++ CRYPTO_poly1305_init(&poly1305, key);
++ CRYPTO_poly1305_update(&poly1305, in, inlen);
++ CRYPTO_poly1305_finish(&poly1305, out);
++ }
++ if (memcmp(out, expected, sizeof(expected)) != 0)
++ {
++ printf("Poly1305 test #%d failed.\n", i);
++ printf("got: ");
++ hexdump(out, sizeof(out));
++ printf("\nexpected: ");
++ hexdump(expected, sizeof(expected));
++ printf("\n");
++ return 1;
++ }
++
++ free(in);
++ }
++
++ printf("PASS\n");
++ return 0;
++ }
+diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/poly1305.c openssl-1.0.2e-modified/crypto/chacha20poly1305/poly1305.c
+--- openssl-1.0.2e/crypto/chacha20poly1305/poly1305.c 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/chacha20poly1305/poly1305.c 2016-02-08 16:12:00.598614755 +0100
+@@ -0,0 +1,285 @@
++/* Copyright (c) 2014, Google Inc.
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
++
++/* This implementation of poly1305 is by Andrew Moon
++ * (https://github.com/floodyberry/poly1305-donna) and released as public
++ * domain. */
++
++#include <openssl/chacha20poly1305.h>
++#include <string.h>
++
++#if !defined(B_ENDIAN)
++/* We can assume little-endian. */
++static uint32_t U8TO32_LE(const uint8_t *m) {
++ uint32_t r;
++ memcpy(&r, m, sizeof(r));
++ return r;
++}
++
++static void U32TO8_LE(uint8_t *m, uint32_t v) { memcpy(m, &v, sizeof(v)); }
++#else
++static uint32_t U8TO32_LE(const uint8_t *m) {
++ return (uint32_t)m[0] | (uint32_t)m[1] << 8 | (uint32_t)m[2] << 16 |
++ (uint32_t)m[3] << 24;
++}
++
++static void U32TO8_LE(uint8_t *m, uint32_t v) {
++ m[0] = v;
++ m[1] = v >> 8;
++ m[2] = v >> 16;
++ m[3] = v >> 24;
++}
++#endif
++
++static uint64_t mul32x32_64(uint32_t a, uint32_t b) { return (uint64_t)a * b; }
++
++struct poly1305_state_st {
++ uint32_t r0, r1, r2, r3, r4;
++ uint32_t s1, s2, s3, s4;
++ uint32_t h0, h1, h2, h3, h4;
++ uint8_t buf[16];
++ unsigned int buf_used;
++ uint8_t key[16];
++};
++
++/* poly1305_blocks updates |state| given some amount of input data. This
++ * function may only be called with a |len| that is not a multiple of 16 at the
++ * end of the data. Otherwise the input must be buffered into 16 byte blocks. */
++static void poly1305_update(struct poly1305_state_st *state, const uint8_t *in,
++ size_t len) {
++ uint32_t t0, t1, t2, t3;
++ uint64_t t[5];
++ uint32_t b;
++ uint64_t c;
++ size_t j;
++ uint8_t mp[16];
++
++ if (len < 16) {
++ goto poly1305_donna_atmost15bytes;
++ }
++
++poly1305_donna_16bytes:
++ t0 = U8TO32_LE(in);
++ t1 = U8TO32_LE(in + 4);
++ t2 = U8TO32_LE(in + 8);
++ t3 = U8TO32_LE(in + 12);
++
++ in += 16;
++ len -= 16;
++
++ state->h0 += t0 & 0x3ffffff;
++ state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
++ state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
++ state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
++ state->h4 += (t3 >> 8) | (1 << 24);
++
++poly1305_donna_mul:
++ t[0] = mul32x32_64(state->h0, state->r0) + mul32x32_64(state->h1, state->s4) +
++ mul32x32_64(state->h2, state->s3) + mul32x32_64(state->h3, state->s2) +
++ mul32x32_64(state->h4, state->s1);
++ t[1] = mul32x32_64(state->h0, state->r1) + mul32x32_64(state->h1, state->r0) +
++ mul32x32_64(state->h2, state->s4) + mul32x32_64(state->h3, state->s3) +
++ mul32x32_64(state->h4, state->s2);
++ t[2] = mul32x32_64(state->h0, state->r2) + mul32x32_64(state->h1, state->r1) +
++ mul32x32_64(state->h2, state->r0) + mul32x32_64(state->h3, state->s4) +
++ mul32x32_64(state->h4, state->s3);
++ t[3] = mul32x32_64(state->h0, state->r3) + mul32x32_64(state->h1, state->r2) +
++ mul32x32_64(state->h2, state->r1) + mul32x32_64(state->h3, state->r0) +
++ mul32x32_64(state->h4, state->s4);
++ t[4] = mul32x32_64(state->h0, state->r4) + mul32x32_64(state->h1, state->r3) +
++ mul32x32_64(state->h2, state->r2) + mul32x32_64(state->h3, state->r1) +
++ mul32x32_64(state->h4, state->r0);
++
++ state->h0 = (uint32_t)t[0] & 0x3ffffff;
++ c = (t[0] >> 26);
++ t[1] += c;
++ state->h1 = (uint32_t)t[1] & 0x3ffffff;
++ b = (uint32_t)(t[1] >> 26);
++ t[2] += b;
++ state->h2 = (uint32_t)t[2] & 0x3ffffff;
++ b = (uint32_t)(t[2] >> 26);
++ t[3] += b;
++ state->h3 = (uint32_t)t[3] & 0x3ffffff;
++ b = (uint32_t)(t[3] >> 26);
++ t[4] += b;
++ state->h4 = (uint32_t)t[4] & 0x3ffffff;
++ b = (uint32_t)(t[4] >> 26);
++ state->h0 += b * 5;
++
++ if (len >= 16)
++ goto poly1305_donna_16bytes;
++
++/* final bytes */
++poly1305_donna_atmost15bytes:
++ if (!len)
++ return;
++
++ for (j = 0; j < len; j++)
++ mp[j] = in[j];
++ mp[j++] = 1;
++ for (; j < 16; j++)
++ mp[j] = 0;
++ len = 0;
++
++ t0 = U8TO32_LE(mp + 0);
++ t1 = U8TO32_LE(mp + 4);
++ t2 = U8TO32_LE(mp + 8);
++ t3 = U8TO32_LE(mp + 12);
++
++ state->h0 += t0 & 0x3ffffff;
++ state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
++ state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
++ state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
++ state->h4 += (t3 >> 8);
++
++ goto poly1305_donna_mul;
++}
++
++void CRYPTO_poly1305_init(poly1305_state *statep, const uint8_t key[32]) {
++ struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
++ uint32_t t0, t1, t2, t3;
++
++ t0 = U8TO32_LE(key + 0);
++ t1 = U8TO32_LE(key + 4);
++ t2 = U8TO32_LE(key + 8);
++ t3 = U8TO32_LE(key + 12);
++
++ /* precompute multipliers */
++ state->r0 = t0 & 0x3ffffff;
++ t0 >>= 26;
++ t0 |= t1 << 6;
++ state->r1 = t0 & 0x3ffff03;
++ t1 >>= 20;
++ t1 |= t2 << 12;
++ state->r2 = t1 & 0x3ffc0ff;
++ t2 >>= 14;
++ t2 |= t3 << 18;
++ state->r3 = t2 & 0x3f03fff;
++ t3 >>= 8;
++ state->r4 = t3 & 0x00fffff;
++
++ state->s1 = state->r1 * 5;
++ state->s2 = state->r2 * 5;
++ state->s3 = state->r3 * 5;
++ state->s4 = state->r4 * 5;
++
++ /* init state */
++ state->h0 = 0;
++ state->h1 = 0;
++ state->h2 = 0;
++ state->h3 = 0;
++ state->h4 = 0;
++
++ state->buf_used = 0;
++ memcpy(state->key, key + 16, sizeof(state->key));
++}
++
++void CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in,
++ size_t in_len) {
++ unsigned int i;
++ struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
++
++ if (state->buf_used) {
++ unsigned int todo = 16 - state->buf_used;
++ if (todo > in_len)
++ todo = in_len;
++ for (i = 0; i < todo; i++)
++ state->buf[state->buf_used + i] = in[i];
++ state->buf_used += todo;
++ in_len -= todo;
++ in += todo;
++
++ if (state->buf_used == 16) {
++ poly1305_update(state, state->buf, 16);
++ state->buf_used = 0;
++ }
++ }
++
++ if (in_len >= 16) {
++ size_t todo = in_len & ~0xf;
++ poly1305_update(state, in, todo);
++ in += todo;
++ in_len &= 0xf;
++ }
++
++ if (in_len) {
++ for (i = 0; i < in_len; i++)
++ state->buf[i] = in[i];
++ state->buf_used = in_len;
++ }
++}
++
++void CRYPTO_poly1305_finish(poly1305_state *statep, uint8_t mac[16]) {
++ struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
++ uint64_t f0, f1, f2, f3;
++ uint32_t g0, g1, g2, g3, g4;
++ uint32_t b, nb;
++
++ if (state->buf_used)
++ poly1305_update(state, state->buf, state->buf_used);
++
++ b = state->h0 >> 26;
++ state->h0 = state->h0 & 0x3ffffff;
++ state->h1 += b;
++ b = state->h1 >> 26;
++ state->h1 = state->h1 & 0x3ffffff;
++ state->h2 += b;
++ b = state->h2 >> 26;
++ state->h2 = state->h2 & 0x3ffffff;
++ state->h3 += b;
++ b = state->h3 >> 26;
++ state->h3 = state->h3 & 0x3ffffff;
++ state->h4 += b;
++ b = state->h4 >> 26;
++ state->h4 = state->h4 & 0x3ffffff;
++ state->h0 += b * 5;
++
++ g0 = state->h0 + 5;
++ b = g0 >> 26;
++ g0 &= 0x3ffffff;
++ g1 = state->h1 + b;
++ b = g1 >> 26;
++ g1 &= 0x3ffffff;
++ g2 = state->h2 + b;
++ b = g2 >> 26;
++ g2 &= 0x3ffffff;
++ g3 = state->h3 + b;
++ b = g3 >> 26;
++ g3 &= 0x3ffffff;
++ g4 = state->h4 + b - (1 << 26);
++
++ b = (g4 >> 31) - 1;
++ nb = ~b;
++ state->h0 = (state->h0 & nb) | (g0 & b);
++ state->h1 = (state->h1 & nb) | (g1 & b);
++ state->h2 = (state->h2 & nb) | (g2 & b);
++ state->h3 = (state->h3 & nb) | (g3 & b);
++ state->h4 = (state->h4 & nb) | (g4 & b);
++
++ f0 = ((state->h0) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
++ f1 = ((state->h1 >> 6) | (state->h2 << 20)) +
++ (uint64_t)U8TO32_LE(&state->key[4]);
++ f2 = ((state->h2 >> 12) | (state->h3 << 14)) +
++ (uint64_t)U8TO32_LE(&state->key[8]);
++ f3 = ((state->h3 >> 18) | (state->h4 << 8)) +
++ (uint64_t)U8TO32_LE(&state->key[12]);
++
++ U32TO8_LE(&mac[0], f0);
++ f1 += (f0 >> 32);
++ U32TO8_LE(&mac[4], f1);
++ f2 += (f1 >> 32);
++ U32TO8_LE(&mac[8], f2);
++ f3 += (f2 >> 32);
++ U32TO8_LE(&mac[12], f3);
++}
+diff -rNu openssl-1.0.2e/crypto/cryptlib.c openssl-1.0.2e-modified/crypto/cryptlib.c
+--- openssl-1.0.2e/crypto/cryptlib.c 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/cryptlib.c 2016-02-08 16:12:00.599614755 +0100
+@@ -654,19 +654,9 @@
+ defined(_M_AMD64) || defined(_M_X64)
+
+ extern unsigned int OPENSSL_ia32cap_P[4];
+-unsigned long *OPENSSL_ia32cap_loc(void)
++unsigned int *OPENSSL_ia32cap_loc(void)
+ {
+- if (sizeof(long) == 4)
+- /*
+- * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
+- * clear second element to maintain the illusion that vector
+- * is 32-bit.
+- */
+- OPENSSL_ia32cap_P[1] = 0;
+-
+- OPENSSL_ia32cap_P[2] = 0;
+-
+- return (unsigned long *)OPENSSL_ia32cap_P;
++ return OPENSSL_ia32cap_P;
+ }
+
+ # if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
+diff -rNu openssl-1.0.2e/crypto/crypto.h openssl-1.0.2e-modified/crypto/crypto.h
+--- openssl-1.0.2e/crypto/crypto.h 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/crypto.h 2016-02-08 16:12:00.599614755 +0100
+@@ -590,7 +590,7 @@
+ void OpenSSLDie(const char *file, int line, const char *assertion);
+ # define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
+
+-unsigned long *OPENSSL_ia32cap_loc(void);
++unsigned int *OPENSSL_ia32cap_loc(void);
+ # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+ int OPENSSL_isservice(void);
+
+diff -rNu openssl-1.0.2e/crypto/evp/Makefile openssl-1.0.2e-modified/crypto/evp/Makefile
+--- openssl-1.0.2e/crypto/evp/Makefile 2015-12-03 15:44:23.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/evp/Makefile 2016-02-08 16:12:00.600614755 +0100
+@@ -29,7 +29,8 @@
+ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
+ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
+ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
+- e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c
++ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
++ e_chacha20poly1305.c
+
+ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
+ e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
+@@ -42,7 +43,8 @@
+ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
+ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
+ e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
+- e_aes_cbc_hmac_sha1.o e_aes_cbc_hmac_sha256.o e_rc4_hmac_md5.o
++ e_aes_cbc_hmac_sha1.o e_aes_cbc_hmac_sha256.o e_rc4_hmac_md5.o \
++ e_chacha20poly1305.o
+
+ SRC= $(LIBSRC)
+
+@@ -263,6 +265,7 @@
+ e_cast.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ e_cast.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ e_cast.o: ../../include/openssl/symhacks.h ../cryptlib.h e_cast.c evp_locl.h
++e_chacha20poly1305.o: ../../include/openssl/chacha20poly1305.h e_chacha20poly1305.c
+ e_des.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ e_des.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ e_des.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+diff -rNu openssl-1.0.2e/crypto/evp/e_chacha20poly1305.c openssl-1.0.2e-modified/crypto/evp/e_chacha20poly1305.c
+--- openssl-1.0.2e/crypto/evp/e_chacha20poly1305.c 1970-01-01 01:00:00.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/evp/e_chacha20poly1305.c 2016-02-08 16:12:00.601614755 +0100
+@@ -0,0 +1,323 @@
++/* ====================================================================
++ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#ifndef OPENSSL_NO_CHACHA_POLY
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/chacha20poly1305.h>
++#include "evp_locl.h"
++#include <openssl/rand.h>
++
++typedef struct
++ {
++ uint8_t key[32];
++ /* uint8_t salt[4] */;
++ uint8_t nonce[8];
++ poly1305_state poly_state;
++ size_t aad_l;
++ size_t ct_l;
++ int valid;
++#ifdef CHAPOLY_x86_64_ASM
++ void (*poly1305_init_ptr)(poly1305_state *, const uint8_t *);
++ void (*poly1305_update_ptr)(poly1305_state *, const uint8_t *, size_t);
++ void (*poly1305_finish_ptr)(poly1305_state *, uint8_t *);
++ #define poly_init aead_ctx->poly1305_init_ptr
++ #define poly_update poly1305_update_wrapper
++ #define poly_finish poly1305_finish_wrapper
++ #define FILL_BUFFER ((size_t)128)
++ uint8_t poly_buffer[FILL_BUFFER];
++ uint8_t chacha_buffer[FILL_BUFFER];
++ uint8_t poly_buffer_used;
++ uint8_t chacha_used;
++#else
++ #define poly_init CRYPTO_poly1305_init
++ #define poly_update(c,i,l) CRYPTO_poly1305_update(&c->poly_state,i,l)
++ #define poly_finish(c,m) CRYPTO_poly1305_finish(&c->poly_state,m)
++#endif
++ } EVP_CHACHA20_POLY1305_CTX;
++
++#ifdef CHAPOLY_x86_64_ASM
++static void poly1305_update_wrapper(EVP_CHACHA20_POLY1305_CTX *ctx, const uint8_t *in, size_t in_len)
++ {
++ int todo;
++ /* Attempt to fill as many bytes as possible before calling the update function */
++ if(in_len < FILL_BUFFER || ctx->poly_buffer_used)
++ {
++ todo = FILL_BUFFER - ctx->poly_buffer_used;
++ todo = in_len < todo? in_len : todo;
++ memcpy(ctx->poly_buffer + ctx->poly_buffer_used, in, todo);
++ ctx->poly_buffer_used += todo;
++ in += todo;
++ in_len -= todo;
++ if(ctx->poly_buffer_used == FILL_BUFFER)
++ {
++ ctx->poly1305_update_ptr(&ctx->poly_state, ctx->poly_buffer, FILL_BUFFER);
++ ctx->poly_buffer_used = 0;
++ }
++ }
++ if(in_len >= FILL_BUFFER)
++ {
++ ctx->poly1305_update_ptr(&ctx->poly_state, in, in_len&(-FILL_BUFFER));
++ in += in_len&(-FILL_BUFFER);
++ in_len &= (FILL_BUFFER-1);
++ }
++ if(in_len)
++ {
++ memcpy(ctx->poly_buffer, in, in_len);
++ ctx->poly_buffer_used = in_len;
++ }
++ }
++
++static void poly1305_finish_wrapper(EVP_CHACHA20_POLY1305_CTX *ctx, uint8_t mac[16])
++ {
++ if(ctx->poly_buffer_used)
++ {
++ if(ctx->poly_buffer_used % 16)
++ {
++ memset(ctx->poly_buffer + ctx->poly_buffer_used, 0, 16 - (ctx->poly_buffer_used%16));
++ }
++ ctx->poly1305_update_ptr(&ctx->poly_state, ctx->poly_buffer, ctx->poly_buffer_used);
++ }
++ ctx->poly1305_finish_ptr(&ctx->poly_state, mac);
++ memset(ctx->poly_buffer, 0 ,FILL_BUFFER);
++ }
++#endif
++
++static int EVP_chacha20_poly1305_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc)
++ {
++ EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
++ /* simply copy the chacha key and iv*/
++ memcpy(aead_ctx->key, key, 32);
++ /* memcpy(aead_ctx->salt, iv, 4); */
++ aead_ctx->valid = 0;
++ return 1;
++ }
++
++static int EVP_chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
++ {
++ EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
++ uint8_t poly_block[16];
++ uint64_t cl;
++ if(!aead_ctx->valid)
++ return 0;
++ if (inl < 16)
++ return -1;
++ /* Fix for MAC */
++ inl -= 16;
++ /* Encryption */
++ if(ctx->encrypt)
++ {
++#ifdef FILL_BUFFER
++ /* we can use the buffer we already accumulated during the parallel computation in init */
++ if(inl<=FILL_BUFFER-64)
++ {
++ int i;
++ for(i=0; i<inl; i++)
++ out[i] = in[i] ^ aead_ctx->chacha_buffer[i+64];
++ }
++ else
++#endif
++ CRYPTO_chacha_20(out, in, inl, aead_ctx->key, aead_ctx->nonce, 1);
++ poly_update(aead_ctx, out, inl);
++ aead_ctx->ct_l += inl;
++ cl = aead_ctx->ct_l;
++ poly_update(aead_ctx, (uint8_t*)&cl, sizeof(cl));
++ poly_finish(aead_ctx, &out[inl]);
++ aead_ctx->valid = 0;
++ return inl+16;
++ }
++ /* Decryption */
++ else
++ {
++ /* Fix to accommodate for the MAC */
++ poly_update(aead_ctx, in, inl);
++#ifdef FILL_BUFFER
++ /* we can use the buffer we already accumulated during the parallel computation in init */
++ if(inl<=FILL_BUFFER-64)
++ {
++ int i;
++ for(i=0; i<inl; i++)
++ out[i] = in[i] ^ aead_ctx->chacha_buffer[i+64];
++ }
++ else
++#endif
++ CRYPTO_chacha_20(out, in, inl, aead_ctx->key, aead_ctx->nonce, 1);
++ aead_ctx->ct_l += inl;
++ cl = aead_ctx->ct_l;
++ poly_update(aead_ctx, (uint8_t*)&cl, sizeof(cl));
++ poly_finish(aead_ctx, poly_block);
++
++ uint64_t cmp = ((uint64_t*)poly_block)[0] ^ ((uint64_t*)(in + inl))[0];
++ cmp |= ((uint64_t*)poly_block)[1] ^ ((uint64_t*)(in + inl))[1];
++
++ /*if (memcmp(poly_block, in + inl, POLY1305_MAC_LEN)) */
++ if (cmp)
++ {
++ OPENSSL_cleanse(out, inl);
++ aead_ctx->valid = 0;
++ return -1;
++ }
++ aead_ctx->valid = 0;
++ return inl;
++ }
++ return 0;
++ }
++
++static int EVP_chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
++ {
++ return 1;
++ }
++
++static int EVP_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
++ {
++ EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
++#ifndef FILL_BUFFER
++ uint8_t poly1305_key[32];
++#endif
++ uint8_t aad[13 + 8];
++ uint64_t thirteen = 13;
++
++ switch(type)
++ {
++ case EVP_CTRL_AEAD_TLS1_AAD:
++ if(arg!=13)
++ return 0;
++ /* Initialize poly keys */
++#ifndef FILL_BUFFER
++ memset(poly1305_key, 0, sizeof(poly1305_key));
++#else
++ memset(aead_ctx->chacha_buffer, 0, FILL_BUFFER);
++#endif
++ /* Salt is the IV (not in draft) */
++ /* memcpy(aead_ctx->nonce, aead_ctx->salt, 4); */
++ /* Take sequence number from AAD */
++ /* memcpy(&aead_ctx->nonce[4], ptr, 8); */
++ memcpy(aead_ctx->nonce, ptr, 8);
++
++#ifdef CHAPOLY_x86_64_ASM
++ aead_ctx->poly_buffer_used = 0;
++ if((OPENSSL_ia32cap_loc()[2] >> 5) & 1) /* AVX2 */
++ {
++ aead_ctx->poly1305_init_ptr = poly1305_init_avx2;
++ aead_ctx->poly1305_update_ptr = poly1305_update_avx2;
++ aead_ctx->poly1305_finish_ptr = poly1305_finish_avx2;
++ }
++ else if ((OPENSSL_ia32cap_loc()[1] >> 28) & 1) /* AVX */
++ {
++ aead_ctx->poly1305_init_ptr = poly1305_init_avx;
++ aead_ctx->poly1305_update_ptr = poly1305_update_avx;
++ aead_ctx->poly1305_finish_ptr = poly1305_finish_avx;
++ }
++ else /*C*/
++ {
++ aead_ctx->poly1305_init_ptr = CRYPTO_poly1305_init;
++ aead_ctx->poly1305_update_ptr = CRYPTO_poly1305_update;
++ aead_ctx->poly1305_finish_ptr = CRYPTO_poly1305_finish;
++ }
++
++#endif
++#ifndef FILL_BUFFER
++ CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), aead_ctx->key, aead_ctx->nonce, 0);
++ poly_init(&aead_ctx->poly_state, poly1305_key);
++#else
++ CRYPTO_chacha_20(aead_ctx->chacha_buffer, aead_ctx->chacha_buffer, FILL_BUFFER, aead_ctx->key, aead_ctx->nonce, 0);
++ poly_init(&aead_ctx->poly_state, aead_ctx->chacha_buffer);
++ aead_ctx->chacha_used = 64; /* We keep 64 byte for future use, to accelerate for very short messages */
++#endif
++ aead_ctx->aad_l = 0;
++ aead_ctx->ct_l = 0;
++ /* Absorb AAD */
++ memcpy(aad, ptr, arg);
++ memcpy(&aad[arg], &thirteen, sizeof(thirteen));
++ /* If decrypting fix length for tag */
++ if (!ctx->encrypt)
++ {
++ unsigned int len=aad[arg-2]<<8|aad[arg-1];
++ len -= POLY1305_MAC_LEN;
++ aad[arg-2] = len>>8;
++ aad[arg-1] = len & 0xff;
++ }
++ poly_update(aead_ctx, aad, arg + sizeof(thirteen));
++ /* aead_ctx->aad_l += arg; */
++ aead_ctx->valid = 1;
++ return POLY1305_MAC_LEN;
++ break;
++ default:
++ return 0;
++ break;
++ }
++ return 0;
++ }
++
++#define CUSTOM_FLAGS (\
++ EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
++ | EVP_CIPH_ALWAYS_CALL_INIT \
++ | EVP_CIPH_CUSTOM_COPY)
++
++static const EVP_CIPHER chacha20_poly1305 = {
++ NID_chacha20_poly1305, /* nid */
++ 1, /* block size, sorta */
++ 32, /* key len */
++ 0, /* iv len */
++ CUSTOM_FLAGS|EVP_CIPH_FLAG_AEAD_CIPHER, /* flags */
++ EVP_chacha20_poly1305_init,
++ EVP_chacha20_poly1305_cipher,
++ EVP_chacha20_poly1305_cleanup,
++ sizeof(EVP_CHACHA20_POLY1305_CTX), /* ctx size */
++ NULL, NULL,
++ EVP_chacha20_poly1305_ctrl,
++ NULL
++ };
++
++const EVP_CIPHER *EVP_chacha20_poly1305(void)
++{ return &chacha20_poly1305; }
++
++#endif
+diff -rNu openssl-1.0.2e/crypto/evp/evp.h openssl-1.0.2e-modified/crypto/evp/evp.h
+--- openssl-1.0.2e/crypto/evp/evp.h 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/evp/evp.h 2016-02-08 16:12:00.601614755 +0100
+@@ -893,6 +893,9 @@
+ # define EVP_camellia_256_cfb EVP_camellia_256_cfb128
+ const EVP_CIPHER *EVP_camellia_256_ofb(void);
+ # endif
++# ifndef OPENSSL_NO_CHACHA_POLY
++const EVP_CIPHER *EVP_chacha20_poly1305(void);
++# endif
+
+ # ifndef OPENSSL_NO_SEED
+ const EVP_CIPHER *EVP_seed_ecb(void);
+diff -rNu openssl-1.0.2e/crypto/objects/obj_dat.h openssl-1.0.2e-modified/crypto/objects/obj_dat.h
+--- openssl-1.0.2e/crypto/objects/obj_dat.h 2015-12-03 15:41:29.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/objects/obj_dat.h 2016-02-08 16:12:00.603614755 +0100
+@@ -62,9 +62,9 @@
+ * [including the GNU Public Licence.]
+ */
+
+-#define NUM_NID 958
+-#define NUM_SN 951
+-#define NUM_LN 951
++#define NUM_NID 959
++#define NUM_SN 952
++#define NUM_LN 952
+ #define NUM_OBJ 890
+
+ static const unsigned char lvalues[6255]={
+@@ -2514,6 +2514,8 @@
+ NID_jurisdictionStateOrProvinceName,11,&(lvalues[6232]),0},
+ {"jurisdictionC","jurisdictionCountryName",
+ NID_jurisdictionCountryName,11,&(lvalues[6243]),0},
++{"id-chacha20-poly1305","chacha20-poly1305",NID_chacha20_poly1305,0,
++ NULL,0},
+ };
+
+ static const unsigned int sn_objs[NUM_SN]={
+@@ -2954,6 +2956,7 @@
+ 362, /* "id-cct-PKIResponse" */
+ 360, /* "id-cct-crs" */
+ 81, /* "id-ce" */
++958, /* "id-chacha20-poly1305" */
+ 680, /* "id-characteristic-two-basis" */
+ 263, /* "id-cmc" */
+ 334, /* "id-cmc-addExtensions" */
+@@ -3728,6 +3731,7 @@
+ 677, /* "certicom-arc" */
+ 517, /* "certificate extensions" */
+ 883, /* "certificateRevocationList" */
++958, /* "chacha20-poly1305" */
+ 54, /* "challengePassword" */
+ 407, /* "characteristic-two-field" */
+ 395, /* "clearance" */
+diff -rNu openssl-1.0.2e/crypto/objects/obj_mac.h openssl-1.0.2e-modified/crypto/objects/obj_mac.h
+--- openssl-1.0.2e/crypto/objects/obj_mac.h 2015-12-03 15:41:28.000000000 +0100
++++ openssl-1.0.2e-modified/crypto/objects/obj_mac.h 2016-02-08 16:12:00.604614755 +0100
+@@ -4192,3 +4192,7 @@
+ #define LN_jurisdictionCountryName "jurisdictionCountryName"
+ #define NID_jurisdictionCountryName 957
+ #define OBJ_jurisdictionCountryName 1L,3L,6L,1L,4L,1L,311L,60L,2L,1L,3L
++
++#define SN_chacha20_poly1305 "id-chacha20-poly1305"
++#define LN_chacha20_poly1305 "chacha20-poly1305"
++#define NID_chacha20_poly1305 958
+diff -rNu openssl-1.0.2e/ssl/s3_lib.c openssl-1.0.2e-modified/ssl/s3_lib.c
+--- openssl-1.0.2e/ssl/s3_lib.c 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/ssl/s3_lib.c 2016-02-08 16:12:00.605614755 +0100
+@@ -2891,6 +2891,53 @@
+ 256},
+ #endif
+
++ /* Chacha20-Poly1305 draft cipher suites */
++#if !defined(OPENSSL_NO_CHACHA_POLY)
++ {
++ 1,
++ TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
++ TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
++ SSL_kEECDH,
++ SSL_aRSA,
++ SSL_CHACHA20POLY1305,
++ SSL_AEAD,
++ SSL_TLSV1_2,
++ SSL_NOT_EXP|SSL_HIGH,
++ SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++ 256,
++ 0,
++ },
++
++ {
++ 1,
++ TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
++ TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
++ SSL_kEECDH,
++ SSL_aECDSA,
++ SSL_CHACHA20POLY1305,
++ SSL_AEAD,
++ SSL_TLSV1_2,
++ SSL_NOT_EXP|SSL_HIGH,
++ SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++ 256,
++ 0,
++ },
++
++ {
++ 1,
++ TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
++ TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
++ SSL_kEDH,
++ SSL_aRSA,
++ SSL_CHACHA20POLY1305,
++ SSL_AEAD,
++ SSL_TLSV1_2,
++ SSL_NOT_EXP|SSL_HIGH,
++ SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
++ 256,
++ 0,
++ },
++#endif
+ /* end of list */
+ };
+
+@@ -4047,6 +4094,7 @@
+ int i, ii, ok;
+ CERT *cert;
+ unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
++ int use_chacha = 0;
+
+ /* Let's see which ciphers we can support */
+ cert = s->cert;
+@@ -4080,9 +4128,16 @@
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
+ prio = srvr;
+ allow = clnt;
++ /* Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */
++ if (sk_SSL_CIPHER_num(clnt) > 0) {
++ c = sk_SSL_CIPHER_value(clnt, 0);
++ if (c->algorithm_enc == SSL_CHACHA20POLY1305)
++ use_chacha = 1;
++ }
+ } else {
+ prio = clnt;
+ allow = srvr;
++ use_chacha = 1;
+ }
+
+ tls1_set_cert_validity(s);
+@@ -4094,6 +4149,11 @@
+ if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
+ continue;
+
++ /* Skip ChaCha unless top client priority */
++ if ((c->algorithm_enc == SSL_CHACHA20POLY1305) &&
++ !use_chacha)
++ continue;
++
+ ssl_set_cert_masks(cert, c);
+ mask_k = cert->mask_k;
+ mask_a = cert->mask_a;
+diff -rNu openssl-1.0.2e/ssl/ssl.h openssl-1.0.2e-modified/ssl/ssl.h
+--- openssl-1.0.2e/ssl/ssl.h 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/ssl/ssl.h 2016-02-08 16:12:00.606614755 +0100
+@@ -297,6 +297,7 @@
+ # define SSL_TXT_CAMELLIA128 "CAMELLIA128"
+ # define SSL_TXT_CAMELLIA256 "CAMELLIA256"
+ # define SSL_TXT_CAMELLIA "CAMELLIA"
++# define SSL_TXT_CHACHA20 "CHACHA20"
+
+ # define SSL_TXT_MD5 "MD5"
+ # define SSL_TXT_SHA1 "SHA1"
+diff -rNu openssl-1.0.2e/ssl/ssl_algs.c openssl-1.0.2e-modified/ssl/ssl_algs.c
+--- openssl-1.0.2e/ssl/ssl_algs.c 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/ssl/ssl_algs.c 2016-02-08 16:12:00.606614755 +0100
+@@ -106,6 +106,10 @@
+ EVP_add_cipher(EVP_camellia_256_cbc());
+ #endif
+
++#ifndef OPENSSL_NO_CHACHA_POLY
++ EVP_add_cipher(EVP_chacha20_poly1305());
++#endif
++
+ #ifndef OPENSSL_NO_SEED
+ EVP_add_cipher(EVP_seed_cbc());
+ #endif
+diff -rNu openssl-1.0.2e/ssl/ssl_ciph.c openssl-1.0.2e-modified/ssl/ssl_ciph.c
+--- openssl-1.0.2e/ssl/ssl_ciph.c 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/ssl/ssl_ciph.c 2016-02-08 16:12:00.607614755 +0100
+@@ -164,7 +164,8 @@
+ #define SSL_ENC_SEED_IDX 11
+ #define SSL_ENC_AES128GCM_IDX 12
+ #define SSL_ENC_AES256GCM_IDX 13
+-#define SSL_ENC_NUM_IDX 14
++#define SSL_ENC_CHACHA20POLY1305_IDX 14
++#define SSL_ENC_NUM_IDX 15
+
+ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+@@ -316,6 +317,7 @@
+ {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA128 | SSL_CAMELLIA256, 0, 0, 0,
+ 0, 0, 0},
++ {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 0, 0, 0},
+
+ /* MAC aliases */
+ {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0},
+@@ -432,6 +434,9 @@
+ ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] =
+ EVP_get_cipherbyname(SN_aes_256_gcm);
+
++ ssl_cipher_methods[SSL_ENC_CHACHA20POLY1305_IDX] =
++ EVP_get_cipherbyname(SN_chacha20_poly1305);
++
+ ssl_digest_methods[SSL_MD_MD5_IDX] = EVP_get_digestbyname(SN_md5);
+ ssl_mac_secret_size[SSL_MD_MD5_IDX] =
+ EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
+@@ -582,6 +587,9 @@
+ case SSL_AES256GCM:
+ i = SSL_ENC_AES256GCM_IDX;
+ break;
++ case SSL_CHACHA20POLY1305:
++ i = SSL_ENC_CHACHA20POLY1305_IDX;
++ break;
+ default:
+ i = -1;
+ break;
+@@ -806,6 +814,8 @@
+ (ssl_cipher_methods[SSL_ENC_GOST89_IDX] ==
+ NULL) ? SSL_eGOST2814789CNT : 0;
+ *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED : 0;
++ *enc |= (ssl_cipher_methods[SSL_ENC_CHACHA20POLY1305_IDX] ==
++ NULL) ? SSL_CHACHA20POLY1305 : 0;
+
+ *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX] == NULL) ? SSL_MD5 : 0;
+ *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
+@@ -1824,6 +1834,9 @@
+ case SSL_eGOST2814789CNT:
+ enc = "GOST89(256)";
+ break;
++ case SSL_CHACHA20POLY1305:
++ enc = "CHACHA20-POLY1305(256)";
++ break;
+ default:
+ enc = "unknown";
+ break;
+diff -rNu openssl-1.0.2e/ssl/ssl_locl.h openssl-1.0.2e-modified/ssl/ssl_locl.h
+--- openssl-1.0.2e/ssl/ssl_locl.h 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/ssl/ssl_locl.h 2016-02-08 16:12:00.608614755 +0100
+@@ -354,6 +354,7 @@
+ # define SSL_SEED 0x00000800L
+ # define SSL_AES128GCM 0x00001000L
+ # define SSL_AES256GCM 0x00002000L
++# define SSL_CHACHA20POLY1305 0x00004000L
+
+ # define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
+ # define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
+diff -rNu openssl-1.0.2e/ssl/tls1.h openssl-1.0.2e-modified/ssl/tls1.h
+--- openssl-1.0.2e/ssl/tls1.h 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e-modified/ssl/tls1.h 2016-02-08 16:12:00.608614755 +0100
+@@ -563,6 +563,11 @@
+ # define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256 0x0300C031
+ # define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032
+
++/* ChaCha20-Poly1305 ciphersuites draft-agl-tls-chacha20poly1305-01 */
++# define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CC13
++# define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CC14
++# define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CC15
++
+ /*
+ * XXX * Backward compatibility alert: + * Older versions of OpenSSL gave
+ * some DHE ciphers names with "EDH" + * instead of "DHE". Going forward, we
+@@ -713,6 +718,11 @@
+ # define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256 "ECDH-RSA-AES128-GCM-SHA256"
+ # define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384"
+
++/* ChaCha20-Poly1305 ciphersuites draft-agl-tls-chacha20poly1305-01 */
++#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305"
++#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
++#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
++
+ # define TLS_CT_RSA_SIGN 1
+ # define TLS_CT_DSS_SIGN 2
+ # define TLS_CT_RSA_FIXED_DH 3
+diff -rNu openssl-1.0.2e/test/Makefile openssl-1.0.2e-modified/test/Makefile
+--- openssl-1.0.2e/test/Makefile 2015-12-03 15:44:31.000000000 +0100
++++ openssl-1.0.2e-modified/test/Makefile 2016-02-08 16:12:00.608614755 +0100
+@@ -70,6 +70,7 @@
+ CONSTTIMETEST= constant_time_test
+ VERIFYEXTRATEST= verify_extra_test
+ CLIENTHELLOTEST= clienthellotest
++CHAPOLYTEST= chapolytest
+
+ TESTS= alltests
+
+@@ -83,7 +84,7 @@
+ $(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \
+ $(ASN1TEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) \
+ $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \
+- $(CLIENTHELLOTEST)$(EXE_EXT)
++ $(CLIENTHELLOTEST)$(EXE_EXT) $(CHAPOLYTEST)$(EXE_EXT)
+
+ # $(METHTEST)$(EXE_EXT)
+
+@@ -97,7 +98,7 @@
+ $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \
+ $(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \
+ $(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \
+- $(CLIENTHELLOTEST).o
++ $(CLIENTHELLOTEST).o $(CHAPOLYTEST).o
+
+ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
+ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \
+@@ -108,7 +109,7 @@
+ $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \
+ $(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \
+ $(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \
+- $(CLIENTHELLOTEST).c
++ $(CLIENTHELLOTEST).c $(CHAPOLYTEST).c
+
+ EXHEADER=
+ HEADER= testutil.h $(EXHEADER)
+@@ -144,7 +145,7 @@
+ @(cd ..; $(MAKE) DIRS=apps all)
+
+ alltests: \
+- test_des test_idea test_sha test_md4 test_md5 test_hmac \
++ test_des test_idea test_sha test_md4 test_md5 test_hmac test_chapoly \
+ test_md2 test_mdc2 test_wp \
+ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \
+ test_rand test_bn test_ec test_ecdsa test_ecdh \
+@@ -361,6 +362,10 @@
+ @echo $(START) $@
+ ../util/shlib_wrap.sh ./$(CLIENTHELLOTEST)
+
++test_chapoly: $(CHAPOLYTEST)$(EXE_EXT)
++ @echo "Test ChaCha20 and Poly1305"
++ ../util/shlib_wrap.sh ./$(CHAPOLYTEST)
++
+ lint:
+ lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+@@ -538,6 +543,9 @@
+ $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
+ @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+
++$(CHAPOLYTEST)$(EXE_EXT): $(CHAPOLYTEST).o
++ @target=$(CHAPOLYTEST); $(BUILD_CMD)
++
+ #$(AESTEST).o: $(AESTEST).c
+ # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+
+@@ -606,6 +614,7 @@
+ constant_time_test.o: ../crypto/constant_time_locl.h ../e_os.h
+ constant_time_test.o: ../include/openssl/e_os2.h
+ constant_time_test.o: ../include/openssl/opensslconf.h constant_time_test.c
++chapolytest.o: ../include/openssl/chacha20poly1305.h chapolytest.c
+ destest.o: ../include/openssl/des.h ../include/openssl/des_old.h
+ destest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+ destest.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
diff --git a/dev-libs/openssl/openssl-1.0.2e-r1.ebuild b/dev-libs/openssl/openssl-1.0.2e-r1.ebuild
new file mode 100644
index 0000000..ecba596
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2e-r1.ebuild
@@ -0,0 +1,266 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking. We'll drop them in
+# the future.
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )
+ !<net-misc/openssh-5.9_p1-r4
+ !<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+ epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+ epatch "${FILESDIR}"/${PN}-1.0.2e-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
+ epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+ epatch "${FILESDIR}"/${PN}-1.0.2e-chacha20poly1305.patch
+
+ epatch_user #332661
+ fi
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ Makefile.org \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ enable-tlsext \
+ $(use_ssl asm) \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+ # rehash is needed to prep the certs/ dir; do this
+ # separately to avoid parallel build issues.
+ emake rehash
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+ dohtml -r doc/*
+ use rfc3779 && dodoc engines/ccgost/README.gost
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ dodir ${SSL_CNF_DIR}/certs
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
diff --git a/dev-libs/openssl/openssl-1.0.2f-r1.ebuild b/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
new file mode 100644
index 0000000..f5089f5
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
@@ -0,0 +1,266 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking. We'll drop them in
+# the future.
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )
+ !<net-misc/openssh-5.9_p1-r4
+ !<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+ epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+ epatch "${FILESDIR}"/${PN}-1.0.2e-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
+ epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+ epatch "${FILESDIR}"/${PN}-1.0.2e-chacha20poly1305.patch
+
+ epatch_user #332661
+ fi
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ Makefile.org \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ enable-tlsext \
+ $(use_ssl asm) \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+ # rehash is needed to prep the certs/ dir; do this
+ # separately to avoid parallel build issues.
+ emake rehash
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+ dohtml -r doc/*
+ use rfc3779 && dodoc engines/ccgost/README.gost
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ dodir ${SSL_CNF_DIR}/certs
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2016-02-26 22:46 Doug Goldstein
0 siblings, 0 replies; 36+ messages in thread
From: Doug Goldstein @ 2016-02-26 22:46 UTC (permalink / raw
To: gentoo-commits
commit: e47b9611f34d6141b0e389e94e0b84135afa25ba
Author: Doug Goldstein <cardoe <AT> gentoo <DOT> org>
AuthorDate: Fri Feb 26 22:45:58 2016 +0000
Commit: Doug Goldstein <cardoe <AT> gentoo <DOT> org>
CommitDate: Fri Feb 26 22:45:58 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e47b9611
dev-libs/openssl: remove vulnerable versions
Due to multiple vulnerabilities remove outdated versions of OpenSSL.
Gentoo-Bug: 567476
Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein <cardoe <AT> gentoo.org>
dev-libs/openssl/Manifest | 4 -
.../openssl/files/openssl-1.0.0h-pkg-config.patch | 34 --
...enssl-1.0.1f-revert-alpha-perl-generation.patch | 84 ---
dev-libs/openssl/files/openssl-1.0.1m-ipv6.patch | 618 ---------------------
dev-libs/openssl/files/openssl-1.0.1m-x32.patch | 66 ---
.../files/openssl-1.0.1p-parallel-build.patch | 359 ------------
dev-libs/openssl/files/openssl-1.0.1r-x32.patch | 66 ---
dev-libs/openssl/openssl-1.0.1p.ebuild | 259 ---------
dev-libs/openssl/openssl-1.0.1r.ebuild | 256 ---------
dev-libs/openssl/openssl-1.0.2e.ebuild | 265 ---------
10 files changed, 2011 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index ddc4c31..5decc0a 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,7 +1,3 @@
DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec934af92ee282d78b52460fbe8f580 SHA512 c757454de321d168ac6d89fe2859966a9f07a8b28305bf697af9018db13fc457e0883346b3d35977461ab058442375563554ecb2a8756a687ff9fc2fdd9103c9 WHIRLPOOL 55ecf50a264a2ddd9b5755b5d90b9b736d2f27e0ba2fd529ccff3b68bbd726d1f60460182a0d215ae6712dbc4d3ef2df11339fb2d8424e049f54c3e904fcfab0
DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
-DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
-DIST openssl-1.0.1r.tar.gz 4547786 SHA256 784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 SHA512 7a5a2efe5d9421ea6f4f86f75ed40b4459b3825355ad18da3bdba28393bc50a6f457b2e1f11a31828f1af0d62a716d258ac7868fb719c9997f3bc750a1723e86 WHIRLPOOL de9c92f5ddb9bcaac967ac735696e739f5762b7d3a0b2430dbfa0c6cd7ac021fdf3c3257255a2fe995f24aa3550d59ce3067f030f09acc5d43b61dfda627686a
-DIST openssl-1.0.2e.tar.gz 5256555 SHA256 e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff SHA512 b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f WHIRLPOOL 8e1c1800a66f57fa78dc391e717e4b2bdf0e6e37a837c5ac033d7a4b1a6437451c7e7540c4ec2f75f936a2d2ef4f9293b42c76f51b0c9c93706639589612f196
DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835baaaa04e506fb3fbaed37d31c9
-DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1
diff --git a/dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch b/dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch
deleted file mode 100644
index 66fd822..0000000
--- a/dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3332&user=guest&pass=guest
-
-depend on other pc files rather than encoding library info directly in
-every pkg-config file
-
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -335,11 +335,11 @@ libssl.pc: Makefile
- echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
- echo 'includedir=$${prefix}/include'; \
- echo ''; \
-- echo 'Name: OpenSSL'; \
-+ echo 'Name: OpenSSL-libssl'; \
- echo 'Description: Secure Sockets Layer and cryptography libraries'; \
- echo 'Version: '$(VERSION); \
-- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-+ echo 'Requires.private: libcrypto'; \
-+ echo 'Libs: -L$${libdir} -lssl'; \
- echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
-@@ -352,10 +353,7 @@ openssl.pc: Makefile
- echo 'Name: OpenSSL'; \
- echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
- echo 'Version: '$(VERSION); \
-- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-- echo 'Libs.private: $(EX_LIBS)'; \
-- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-+ echo 'Requires: libssl libcrypto' ) > openssl.pc
-
- Makefile: Makefile.org Configure config
- @echo "Makefile is older than Makefile.org, Configure or config."
diff --git a/dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch b/dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch
deleted file mode 100644
index 1a942d2..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-https://bugs.gentoo.org/499086
-https://rt.openssl.org/Ticket/Display.html?id=3333&user=guest&pass=guest
-
-when gcc is given a .s file and told to preprocess it, it outputs nothing
-
-From a2976461784ce463fc7f336cd0dce607d21c2fad Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 25 Jan 2014 05:44:47 -0500
-Subject: [PATCH] Revert "Make Makefiles OSF-make-friendly."
-
-This reverts commit d1cf23ac86c05b22b8780e2c03b67230564d2d34.
----
- crypto/Makefile | 4 +---
- crypto/bn/Makefile | 4 +---
- crypto/evp/Makefile | 2 +-
- crypto/modes/Makefile | 5 +----
- crypto/sha/Makefile | 4 +---
- util/shlib_wrap.sh | 6 +-----
- 6 files changed, 6 insertions(+), 19 deletions(-)
-
-diff --git a/crypto/Makefile b/crypto/Makefile
-index b253f50..1de9d5f 100644
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -86,9 +86,7 @@ ia64cpuid.s: ia64cpuid.S; $(CC) $(CFLAGS) -E ia64cpuid.S > $@
- ppccpuid.s: ppccpuid.pl; $(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
- pariscid.s: pariscid.pl; $(PERL) pariscid.pl $(PERLASM_SCHEME) $@
- alphacpuid.s: alphacpuid.pl
-- (preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
-- $(PERL) alphacpuid.pl > $$preproc && \
-- $(CC) -E $$preproc > $@ && rm $$preproc)
-+ $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
-
- subdirs:
- @target=all; $(RECURSIVE_MAKE)
-diff --git a/crypto/bn/Makefile b/crypto/bn/Makefile
-index b62b676..6c03363 100644
---- a/crypto/bn/Makefile
-+++ b/crypto/bn/Makefile
-@@ -136,9 +136,7 @@ ppc-mont.s: asm/ppc-mont.pl;$(PERL) asm/ppc-mont.pl $(PERLASM_SCHEME) $@
- ppc64-mont.s: asm/ppc64-mont.pl;$(PERL) asm/ppc64-mont.pl $(PERLASM_SCHEME) $@
-
- alpha-mont.s: asm/alpha-mont.pl
-- (preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
-- $(PERL) asm/alpha-mont.pl > $$preproc && \
-- $(CC) -E $$preproc > $@ && rm $$preproc)
-+ $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
-
- # GNU make "catch all"
- %-mont.S: asm/%-mont.pl; $(PERL) $< $(PERLASM_SCHEME) $@
-diff --git a/crypto/modes/Makefile b/crypto/modes/Makefile
-index ce0dcd6..88ac65e 100644
---- a/crypto/modes/Makefile
-+++ b/crypto/modes/Makefile
-@@ -55,10 +55,7 @@ aesni-gcm-x86_64.s: asm/aesni-gcm-x86_64.pl
- ghash-sparcv9.s: asm/ghash-sparcv9.pl
- $(PERL) asm/ghash-sparcv9.pl $@ $(CFLAGS)
- ghash-alpha.s: asm/ghash-alpha.pl
-- (preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
-- $(PERL) asm/ghash-alpha.pl > $$preproc && \
-- $(CC) -E $$preproc > $@ && rm $$preproc)
--
-+ $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
- ghash-parisc.s: asm/ghash-parisc.pl
- $(PERL) asm/ghash-parisc.pl $(PERLASM_SCHEME) $@
-
-diff --git a/crypto/sha/Makefile b/crypto/sha/Makefile
-index 64eab6c..63fba69 100644
---- a/crypto/sha/Makefile
-+++ b/crypto/sha/Makefile
-@@ -60,9 +60,7 @@ sha256-armv4.S: asm/sha256-armv4.pl
- $(PERL) $< $(PERLASM_SCHEME) $@
-
- sha1-alpha.s: asm/sha1-alpha.pl
-- (preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
-- $(PERL) asm/sha1-alpha.pl > $$preproc && \
-- $(CC) -E $$preproc > $@ && rm $$preproc)
-+ $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
-
- # Solaris make has to be explicitly told
- sha1-x86_64.s: asm/sha1-x86_64.pl; $(PERL) asm/sha1-x86_64.pl $(PERLASM_SCHEME) > $@
---
-1.8.5.3
-
diff --git a/dev-libs/openssl/files/openssl-1.0.1m-ipv6.patch b/dev-libs/openssl/files/openssl-1.0.1m-ipv6.patch
deleted file mode 100644
index 34a7e53..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1m-ipv6.patch
+++ /dev/null
@@ -1,618 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2051&user=guest&pass=guest
-
-Forward ported from openssl-1.0.1h-ipv6.patch
-
-Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
-
---- openssl-1.0.1m/apps/s_apps.h
-+++ openssl-1.0.1m/apps/s_apps.h
-@@ -153,7 +153,7 @@ typedef fd_mask fd_set;
-
- int do_server(int port, int type, int *ret,
- int (*cb) (char *hostname, int s, unsigned char *context),
-- unsigned char *context);
-+ unsigned char *context, int use_ipv4, int use_ipv6);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -161,7 +161,8 @@ int MS_CALLBACK verify_callback(int ok,
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, int port, int type,
-+ int use_ipv4, int use_ipv6);
- int should_retry(int i);
- int extract_port(char *str, short *port_ptr);
- int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
---- openssl-1.0.1m/apps/s_client.c
-+++ openssl-1.0.1m/apps/s_client.c
-@@ -299,6 +299,10 @@ static void sc_usage(void)
- {
- BIO_printf(bio_err, "usage: s_client args\n");
- BIO_printf(bio_err, "\n");
-+ BIO_printf(bio_err," -4 - use IPv4 only\n");
-+#if OPENSSL_USE_IPV6
-+ BIO_printf(bio_err," -6 - use IPv6 only\n");
-+#endif
- BIO_printf(bio_err, " -host host - use -connect instead\n");
- BIO_printf(bio_err, " -port port - use -connect instead\n");
- BIO_printf(bio_err,
-@@ -629,6 +633,7 @@ int MAIN(int argc, char **argv)
- int sbuf_len, sbuf_off;
- fd_set readfds, writefds;
- short port = PORT;
-+ int use_ipv4, use_ipv6;
- int full_log = 1;
- char *host = SSL_HOST_NAME;
- char *cert_file = NULL, *key_file = NULL;
-@@ -673,7 +678,11 @@ int MAIN(int argc, char **argv)
- #endif
- char *sess_in = NULL;
- char *sess_out = NULL;
-- struct sockaddr peer;
-+#if OPENSSL_USE_IPV6
-+ struct sockaddr_storage peer;
-+#else
-+ struct sockaddr_in peer;
-+#endif
- int peerlen = sizeof(peer);
- int fallback_scsv = 0;
- int enable_timeouts = 0;
-@@ -689,6 +698,13 @@ int MAIN(int argc, char **argv)
-
- meth = SSLv23_client_method();
-
-+ use_ipv4 = 1;
-+#if OPENSSL_USE_IPV6
-+ use_ipv6 = 1;
-+#else
-+ use_ipv6 = 0;
-+#endif
-+
- apps_startup();
- c_Pause = 0;
- c_quiet = 0;
-@@ -985,6 +1001,16 @@ int MAIN(int argc, char **argv)
- jpake_secret = *++argv;
- }
- #endif
-+ else if (strcmp(*argv,"-4") == 0) {
-+ use_ipv4 = 1;
-+ use_ipv6 = 0;
-+ }
-+#if OPENSSL_USE_IPV6
-+ else if (strcmp(*argv,"-6") == 0) {
-+ use_ipv4 = 0;
-+ use_ipv6 = 1;
-+ }
-+#endif
- #ifndef OPENSSL_NO_SRTP
- else if (strcmp(*argv, "-use_srtp") == 0) {
- if (--argc < 1)
-@@ -1256,7 +1282,7 @@ int MAIN(int argc, char **argv)
-
- re_start:
-
-- if (init_client(&s, host, port, socket_type) == 0) {
-+ if (init_client(&s, host, port, socket_type, use_ipv4, use_ipv6) == 0) {
- BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
- SHUTDOWN(s);
- goto end;
-@@ -1279,7 +1305,7 @@ int MAIN(int argc, char **argv)
- if (SSL_version(con) == DTLS1_VERSION) {
-
- sbio = BIO_new_dgram(s, BIO_NOCLOSE);
-- if (getsockname(s, &peer, (void *)&peerlen) < 0) {
-+ if (getsockname(s, (struct sockaddr *)&peer, (void *)&peerlen) < 0) {
- BIO_printf(bio_err, "getsockname:errno=%d\n",
- get_last_socket_error());
- SHUTDOWN(s);
---- openssl-1.0.1m/apps/s_server.c
-+++ openssl-1.0.1m/apps/s_server.c
-@@ -609,6 +609,10 @@ static void sv_usage(void)
- " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
- # endif
- #endif
-+ BIO_printf(bio_err," -4 - use IPv4 only\n");
-+#if OPENSSL_USE_IPV6
-+ BIO_printf(bio_err," -6 - use IPv6 only\n");
-+#endif
- BIO_printf(bio_err,
- " -keymatexport label - Export keying material using label\n");
- BIO_printf(bio_err,
-@@ -1003,6 +1007,7 @@ int MAIN(int argc, char *argv[])
- int state = 0;
- const SSL_METHOD *meth = NULL;
- int socket_type = SOCK_STREAM;
-+ int use_ipv4, use_ipv6;
- ENGINE *e = NULL;
- char *inrand = NULL;
- int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
-@@ -1031,6 +1036,13 @@ int MAIN(int argc, char *argv[])
- #endif
- meth = SSLv23_server_method();
-
-+ use_ipv4 = 1;
-+#if OPENSSL_USE_IPV6
-+ use_ipv6 = 1;
-+#else
-+ use_ipv6 = 0;
-+#endif
-+
- local_argc = argc;
- local_argv = argv;
-
-@@ -1356,6 +1368,16 @@ int MAIN(int argc, char *argv[])
- jpake_secret = *(++argv);
- }
- #endif
-+ else if (strcmp(*argv,"-4") == 0) {
-+ use_ipv4 = 1;
-+ use_ipv6 = 0;
-+ }
-+#if OPENSSL_USE_IPV6
-+ else if (strcmp(*argv,"-6") == 0) {
-+ use_ipv4 = 0;
-+ use_ipv6 = 1;
-+ }
-+#endif
- #ifndef OPENSSL_NO_SRTP
- else if (strcmp(*argv, "-use_srtp") == 0) {
- if (--argc < 1)
-@@ -1850,9 +1872,11 @@ int MAIN(int argc, char *argv[])
- BIO_printf(bio_s_out, "ACCEPT\n");
- (void)BIO_flush(bio_s_out);
- if (www)
-- do_server(port, socket_type, &accept_socket, www_body, context);
-+ do_server(port, socket_type, &accept_socket, www_body, context,
-+ use_ipv4, use_ipv6);
- else
-- do_server(port, socket_type, &accept_socket, sv_body, context);
-+ do_server(port, socket_type, &accept_socket, sv_body, context,
-+ use_ipv4, use_ipv6);
- print_stats(bio_s_out, ctx);
- ret = 0;
- end:
---- openssl-1.0.1m/apps/s_socket.c
-+++ openssl-1.0.1m/apps/s_socket.c
-@@ -101,16 +101,16 @@ typedef unsigned int u_int;
- # include "netdb.h"
- # endif
-
--static struct hostent *GetHostByName(char *name);
-+static struct hostent *GetHostByName(char *name, int domain);
- # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
- static void ssl_sock_cleanup(void);
- # endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port, char *ip, int type);
-+static int init_client_ip(int *sock, unsigned char *ip, int port, int type, int domain);
-+static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6);
-+static int init_server_long(int *sock, int port, char *ip, int type, int use_ipv4, int use_ipv6);
- static int do_accept(int acc_sock, int *sock, char **host);
--static int host_ip(char *str, unsigned char ip[4]);
-+static int host_ip(char *str, unsigned char *ip, int domain);
-
- # ifdef OPENSSL_SYS_WIN16
- # define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
-@@ -231,38 +231,66 @@ static int ssl_sock_init(void)
- return (1);
- }
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, int port, int type, int use_ipv4, int use_ipv6)
- {
-+#if OPENSSL_USE_IPV6
-+ unsigned char ip[16];
-+#else
- unsigned char ip[4];
-+#endif
-
-- memset(ip, '\0', sizeof ip);
-- if (!host_ip(host, &(ip[0])))
-- return 0;
-- return init_client_ip(sock, ip, port, type);
--}
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
--{
-- unsigned long addr;
-+ if (use_ipv4)
-+ if (host_ip(host,ip,AF_INET))
-+ return(init_client_ip(sock,ip,port,type,AF_INET));
-+#if OPENSSL_USE_IPV6
-+ if (use_ipv6)
-+ if (host_ip(host,ip,AF_INET6))
-+ return(init_client_ip(sock,ip,port,type,AF_INET6));
-+#endif
-+ return 0;
-+}
-+
-+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type, int domain)
-+{
-+#if OPENSSL_USE_IPV6
-+ struct sockaddr_storage them;
-+ struct sockaddr_in *them_in = (struct sockaddr_in *)&them;
-+ struct sockaddr_in6 *them_in6 = (struct sockaddr_in6 *)&them;
-+#else
- struct sockaddr_in them;
-+ struct sockaddr_in *them_in = &them;
-+#endif
-+ socklen_t addr_len;
- int s, i;
-
- if (!ssl_sock_init())
- return (0);
-
- memset((char *)&them, 0, sizeof(them));
-- them.sin_family = AF_INET;
-- them.sin_port = htons((unsigned short)port);
-- addr = (unsigned long)
-- ((unsigned long)ip[0] << 24L) |
-- ((unsigned long)ip[1] << 16L) |
-- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
-- them.sin_addr.s_addr = htonl(addr);
-+ if (domain == AF_INET) {
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in);
-+ them_in->sin_family=AF_INET;
-+ them_in->sin_port=htons((unsigned short)port);
-+#ifndef BIT_FIELD_LIMITS
-+ memcpy(&them_in->sin_addr.s_addr, ip, 4);
-+#else
-+ memcpy(&them_in->sin_addr, ip, 4);
-+#endif
-+ } else {
-+#if OPENSSL_USE_IPV6
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in6);
-+ them_in6->sin6_family=AF_INET6;
-+ them_in6->sin6_port=htons((unsigned short)port);
-+ memcpy(&(them_in6->sin6_addr), ip, sizeof(struct in6_addr));
-+ }
-+#else
-+ return(0);
-+#endif
-
- if (type == SOCK_STREAM)
-- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
-+ s = socket(domain, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* ( type == SOCK_DGRAM) */
-- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-+ s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
-
- if (s == INVALID_SOCKET) {
- perror("socket");
-@@ -280,7 +308,7 @@ static int init_client_ip(int *sock, uns
- }
- # endif
-
-- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
-+ if (connect(s, (struct sockaddr *)&them, addr_len) == -1) {
- closesocket(s);
- perror("connect");
- return (0);
-@@ -291,14 +319,14 @@ static int init_client_ip(int *sock, uns
-
- int do_server(int port, int type, int *ret,
- int (*cb) (char *hostname, int s, unsigned char *context),
-- unsigned char *context)
-+ unsigned char *context, int use_ipv4, int use_ipv6)
- {
- int sock;
- char *name = NULL;
- int accept_socket = 0;
- int i;
-
-- if (!init_server(&accept_socket, port, type))
-+ if (!init_server(&accept_socket, port, type, use_ipv4, use_ipv6))
- return (0);
-
- if (ret != NULL) {
-@@ -325,32 +353,45 @@ int do_server(int port, int type, int *r
- }
- }
-
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server_long(int *sock, int port, char *ip, int type,
-+ int use_ipv4, int use_ipv6)
- {
- int ret = 0;
-+ int domain;
-+#if OPENSSL_USE_IPV6
-+ struct sockaddr_storage server;
-+ struct sockaddr_in *server_in = (struct sockaddr_in *)&server;
-+ struct sockaddr_in6 *server_in6 = (struct sockaddr_in6 *)&server;
-+#else
- struct sockaddr_in server;
-+ struct sockaddr_in *server_in = &server;
-+#endif
-+ socklen_t addr_len;
- int s = -1;
-
-+ if (!use_ipv4 && !use_ipv6)
-+ goto err;
-+#if OPENSSL_USE_IPV6
-+ /*
-+ * we are fine here
-+ */
-+#else
-+ if (use_ipv6)
-+ goto err;
-+#endif
- if (!ssl_sock_init())
- return (0);
-
-- memset((char *)&server, 0, sizeof(server));
-- server.sin_family = AF_INET;
-- server.sin_port = htons((unsigned short)port);
-- if (ip == NULL)
-- server.sin_addr.s_addr = INADDR_ANY;
-- else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--# ifndef BIT_FIELD_LIMITS
-- memcpy(&server.sin_addr.s_addr, ip, 4);
-+#if OPENSSL_USE_IPV6
-+ domain = use_ipv6 ? AF_INET6 : AF_INET;
- # else
-- memcpy(&server.sin_addr, ip, 4);
-+ domain = AF_INET;
- # endif
-
- if (type == SOCK_STREAM)
-- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
-+ s = socket(domain, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* type == SOCK_DGRAM */
-- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-+ s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
-
- if (s == INVALID_SOCKET)
- goto err;
-@@ -360,7 +401,44 @@ static int init_server_long(int *sock, i
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
- }
- # endif
-- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-+#if OPENSSL_USE_IPV6
-+ if ((use_ipv4 == 0) && (use_ipv6 == 1)) {
-+ const int on = 1;
-+
-+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-+ (const void *) &on, sizeof(int));
-+ }
-+#endif
-+ if (domain == AF_INET) {
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in);
-+ memset(server_in, 0, sizeof(struct sockaddr_in));
-+ server_in->sin_family=AF_INET;
-+ server_in->sin_port = htons((unsigned short)port);
-+ if (ip == NULL)
-+ server_in->sin_addr.s_addr = htonl(INADDR_ANY);
-+ else
-+/*
-+ * Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov)
-+ */
-+#ifndef BIT_FIELD_LIMITS
-+ memcpy(&server_in->sin_addr.s_addr, ip, 4);
-+#else
-+ memcpy(&server_in->sin_addr, ip, 4);
-+#endif
-+ }
-+#if OPENSSL_USE_IPV6
-+ else {
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in6);
-+ memset(server_in6, 0, sizeof(struct sockaddr_in6));
-+ server_in6->sin6_family = AF_INET6;
-+ server_in6->sin6_port = htons((unsigned short)port);
-+ if (ip == NULL)
-+ server_in6->sin6_addr = in6addr_any;
-+ else
-+ memcpy(&server_in6->sin6_addr, ip, sizeof(struct in6_addr));
-+ }
-+#endif
-+ if (bind(s, (struct sockaddr *)&server, addr_len) == -1) {
- # ifndef OPENSSL_SYS_WINDOWS
- perror("bind");
- # endif
-@@ -378,16 +456,24 @@ static int init_server_long(int *sock, i
- return (ret);
- }
-
--static int init_server(int *sock, int port, int type)
-+static int init_server(int *sock, int port, int type,
-+ int use_ipv4, int use_ipv6)
- {
-- return (init_server_long(sock, port, NULL, type));
-+ return (init_server_long(sock, port, NULL, type, use_ipv4, use_ipv6));
- }
-
- static int do_accept(int acc_sock, int *sock, char **host)
- {
- int ret;
- struct hostent *h1, *h2;
-+#if OPENSSL_USE_IPV6
-+ struct sockaddr_storage from;
-+ struct sockaddr_in *from_in = (struct sockaddr_in *)&from;
-+ struct sockaddr_in6 *from_in6 = (struct sockaddr_in6 *)&from;
-+#else
- static struct sockaddr_in from;
-+ struct sockaddr_in *from_in = &from;
-+#endif
- int len;
- /* struct linger ling; */
-
-@@ -437,14 +523,24 @@ static int do_accept(int acc_sock, int *
-
- if (host == NULL)
- goto end;
-+#if OPENSSL_USE_IPV6
-+ if (from.ss_family == AF_INET)
-+#else
-+ if (from.sin_family == AF_INET)
-+#endif
- # ifndef BIT_FIELD_LIMITS
- /* I should use WSAAsyncGetHostByName() under windows */
-- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
-- sizeof(from.sin_addr.s_addr), AF_INET);
-+ h1 = gethostbyaddr((char *)&from_in->sin_addr.s_addr,
-+ sizeof(from_in->sin_addr.s_addr), AF_INET);
- # else
-- h1 = gethostbyaddr((char *)&from.sin_addr,
-+ h1 = gethostbyaddr((char *)&from_in->sin_addr,
- sizeof(struct in_addr), AF_INET);
- # endif
-+#if OPENSSL_USE_IPV6
-+ else
-+ h1 = gethostbyaddr((char *)&from_in6->sin6_addr,
-+ sizeof(struct in6_addr), AF_INET6);
-+#endif
- if (h1 == NULL) {
- BIO_printf(bio_err, "bad gethostbyaddr\n");
- *host = NULL;
-@@ -457,14 +553,23 @@ static int do_accept(int acc_sock, int *
- }
- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
-
-- h2 = GetHostByName(*host);
-+#if OPENSSL_USE_IPV6
-+ h2 = GetHostByName(*host, from.ss_family);
-+#else
-+ h2 = GetHostByName(*host, from.sin_family);
-+#endif
-+
- if (h2 == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- closesocket(ret);
- return (0);
- }
-- if (h2->h_addrtype != AF_INET) {
-- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-+#if OPENSSL_USE_IPV6
-+ if (h2->h_addrtype != from.ss_family) {
-+#else
-+ if (h2->h_addrtype != from.sin_family) {
-+#endif
-+ BIO_printf(bio_err, "gethostbyname addr address is not correct\n");
- closesocket(ret);
- return (0);
- }
-@@ -480,14 +585,14 @@ int extract_host_port(char *str, char **
- char *h, *p;
-
- h = str;
-- p = strchr(str, ':');
-+ p = strrchr(str, ':');
- if (p == NULL) {
- BIO_printf(bio_err, "no port defined\n");
- return (0);
- }
- *(p++) = '\0';
-
-- if ((ip != NULL) && !host_ip(str, ip))
-+ if ((ip != NULL) && !host_ip(str, ip, AF_INET))
- goto err;
- if (host_ptr != NULL)
- *host_ptr = h;
-@@ -499,44 +604,54 @@ int extract_host_port(char *str, char **
- return (0);
- }
-
--static int host_ip(char *str, unsigned char ip[4])
-+static int host_ip(char *str, unsigned char *ip, int domain)
- {
- unsigned int in[4];
-+ unsigned long l;
- int i;
-
-- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
-- 4) {
-+ if ((domain == AF_INET) &&
-+ (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
-+ 4)) {
- for (i = 0; i < 4; i++)
- if (in[i] > 255) {
- BIO_printf(bio_err, "invalid IP address\n");
- goto err;
- }
-- ip[0] = in[0];
-- ip[1] = in[1];
-- ip[2] = in[2];
-- ip[3] = in[3];
-- } else { /* do a gethostbyname */
-+ l=htonl((in[0]<<24L)|(in[1]<<16L)|(in[2]<<8L)|in[3]);
-+ memcpy(ip, &l, 4);
-+ return 1;
-+ }
-+#if OPENSSL_USE_IPV6
-+ else if ((domain == AF_INET6) &&
-+ (inet_pton(AF_INET6, str, ip) == 1))
-+ return 1;
-+#endif
-+ else { /* do a gethostbyname */
- struct hostent *he;
-
- if (!ssl_sock_init())
- return (0);
-
-- he = GetHostByName(str);
-+ he = GetHostByName(str, domain);
- if (he == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- goto err;
- }
- /* cast to short because of win16 winsock definition */
-- if ((short)he->h_addrtype != AF_INET) {
-- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-+ if ((short)he->h_addrtype != domain) {
-+ BIO_printf(bio_err, "gethostbyname addr family is not correct\n");
- return (0);
- }
-- ip[0] = he->h_addr_list[0][0];
-- ip[1] = he->h_addr_list[0][1];
-- ip[2] = he->h_addr_list[0][2];
-- ip[3] = he->h_addr_list[0][3];
-+ if (domain == AF_INET)
-+ memset(ip, 0, 4);
-+#if OPENSSL_USE_IPV6
-+ else
-+ memset(ip, 0, 16);
-+#endif
-+ memcpy(ip, he->h_addr_list[0], he->h_length);
-+ return 1;
- }
-- return (1);
- err:
- return (0);
- }
-@@ -570,7 +685,7 @@ static struct ghbn_cache_st {
- static unsigned long ghbn_hits = 0L;
- static unsigned long ghbn_miss = 0L;
-
--static struct hostent *GetHostByName(char *name)
-+static struct hostent *GetHostByName(char *name, int domain)
- {
- struct hostent *ret;
- int i, lowi = 0;
-@@ -582,13 +697,19 @@ static struct hostent *GetHostByName(cha
- lowi = i;
- }
- if (ghbn_cache[i].order > 0) {
-- if (strncmp(name, ghbn_cache[i].name, 128) == 0)
-+ if ((strncmp(name, ghbn_cache[i].name, 128) == 0) &&
-+ (ghbn_cache[i].ent.h_addrtype == domain))
- break;
- }
- }
- if (i == GHBN_NUM) { /* no hit */
- ghbn_miss++;
-- ret = gethostbyname(name);
-+ if (domain == AF_INET)
-+ ret = gethostbyname(name);
-+#if OPENSSL_USE_IPV6
-+ else
-+ ret=gethostbyname2(name, AF_INET6);
-+#endif
- if (ret == NULL)
- return (NULL);
- /* else add to cache */
diff --git a/dev-libs/openssl/files/openssl-1.0.1m-x32.patch b/dev-libs/openssl/files/openssl-1.0.1m-x32.patch
deleted file mode 100644
index 48717a5..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1m-x32.patch
+++ /dev/null
@@ -1,66 +0,0 @@
---- openssl-1.0.1m/Configure
-+++ openssl-1.0.1m/Configure
-@@ -361,6 +361,7 @@ my %table=(
- "linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x32", "gcc:-DL_ENDIAN -DTERMIO -O2 -pipe -g -feliminate-unused-debug-types -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
---- openssl-1.0.1m/crypto/bn/asm/x86_64-gcc.c
-+++ openssl-1.0.1m/crypto/bn/asm/x86_64-gcc.c
-@@ -55,7 +55,7 @@
- * machine.
- */
-
--# ifdef _WIN64
-+# if defined _WIN64 || !defined __LP64__
- # define BN_ULONG unsigned long long
- # else
- # define BN_ULONG unsigned long
-@@ -211,9 +211,9 @@ BN_ULONG bn_add_words(BN_ULONG *rp, cons
-
- asm volatile (" subq %2,%2 \n"
- ".p2align 4 \n"
-- "1: movq (%4,%2,8),%0 \n"
-- " adcq (%5,%2,8),%0 \n"
-- " movq %0,(%3,%2,8) \n"
-+ "1: movq (%q4,%2,8),%0 \n"
-+ " adcq (%q5,%2,8),%0 \n"
-+ " movq %0,(%q3,%2,8) \n"
- " leaq 1(%2),%2 \n"
- " loop 1b \n"
- " sbbq %0,%0 \n":"=&a" (ret), "+c"(n),
-@@ -235,9 +235,9 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, cons
-
- asm volatile (" subq %2,%2 \n"
- ".p2align 4 \n"
-- "1: movq (%4,%2,8),%0 \n"
-- " sbbq (%5,%2,8),%0 \n"
-- " movq %0,(%3,%2,8) \n"
-+ "1: movq (%q4,%2,8),%0 \n"
-+ " sbbq (%q5,%2,8),%0 \n"
-+ " movq %0,(%q3,%2,8) \n"
- " leaq 1(%2),%2 \n"
- " loop 1b \n"
- " sbbq %0,%0 \n":"=&a" (ret), "+c"(n),
---- openssl-1.0.1m/crypto/bn/bn.h
-+++ openssl-1.0.1m/crypto/bn/bn.h
-@@ -174,6 +174,16 @@ extern "C" {
- # endif
-
- /*
-+ * Address type.
-+ */
-+#ifdef _WIN64
-+#define BN_ADDR unsigned long long
-+#else
-+#define BN_ADDR unsigned long
-+#endif
-+
-+
-+/*
- * assuming long is 64bit - this is the DEC Alpha unsigned long long is only
- * 64 bits :-(, don't define BN_LLONG for the DEC Alpha
- */
diff --git a/dev-libs/openssl/files/openssl-1.0.1p-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.1p-parallel-build.patch
deleted file mode 100644
index dfefd56..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1p-parallel-build.patch
+++ /dev/null
@@ -1,359 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2084
-
---- openssl-1.0.1p/crypto/Makefile
-+++ openssl-1.0.1p/crypto/Makefile
-@@ -85,11 +85,11 @@
- @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
-
- subdirs:
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-- @target=files; $(RECURSIVE_MAKE)
-+ +@target=files; $(RECURSIVE_MAKE)
-
- links:
- @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib: $(LIB)
- @touch lib
--$(LIB): $(LIBOBJ)
-+$(LIB): $(LIBOBJ) | subdirs
- $(AR) $(LIB) $(LIBOBJ)
- [ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- $(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@
- fi
-
- libs:
-- @target=lib; $(RECURSIVE_MAKE)
-+ +@target=lib; $(RECURSIVE_MAKE)
-
- install:
- @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- lint:
- @target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.1p/crypto/objects/Makefile
-+++ openssl-1.0.1p/crypto/objects/Makefile
-@@ -44,11 +44,11 @@
- # objects.pl both reads and writes obj_mac.num
- obj_mac.h: objects.pl objects.txt obj_mac.num
- $(PERL) objects.pl objects.txt obj_mac.num obj_mac.h
-- @sleep 1; touch obj_mac.h; sleep 1
-
--obj_xref.h: objxref.pl obj_xref.txt obj_mac.num
-+# This doesn't really need obj_mac.h, but since that rule reads & writes
-+# obj_mac.num, we can't run in parallel with it.
-+obj_xref.h: objxref.pl obj_xref.txt obj_mac.num obj_mac.h
- $(PERL) objxref.pl obj_mac.num obj_xref.txt > obj_xref.h
-- @sleep 1; touch obj_xref.h; sleep 1
-
- files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
---- openssl-1.0.1p/engines/Makefile
-+++ openssl-1.0.1p/engines/Makefile
-@@ -72,7 +72,7 @@
-
- all: lib subdirs
-
--lib: $(LIBOBJ)
-+lib: $(LIBOBJ) | subdirs
- @if [ -n "$(SHARED_LIBS)" ]; then \
- set -e; \
- for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
-
- subdirs:
- echo $(EDIRS)
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- done; \
- fi
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- tags:
- ctags $(SRC)
---- openssl-1.0.1p/Makefile.org
-+++ openssl-1.0.1p/Makefile.org
-@@ -273,17 +273,17 @@
- build_libs: build_crypto build_ssl build_engines
-
- build_crypto:
-- @dir=crypto; target=all; $(BUILD_ONE_CMD)
-+ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
-- @dir=ssl; target=all; $(BUILD_ONE_CMD)
-+ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
-- @dir=engines; target=all; $(BUILD_ONE_CMD)
-+ +@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
-- @dir=apps; target=all; $(BUILD_ONE_CMD)
-+ +@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
-- @dir=test; target=all; $(BUILD_ONE_CMD)
-+ +@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
-- @dir=tools; target=all; $(BUILD_ONE_CMD)
-+ +@dir=tools; target=all; $(BUILD_ONE_CMD)
-
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -538,9 +538,9 @@
- dist_pem_h:
- (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
-
--install: all install_docs install_sw
-+install: install_docs install_sw
-
--install_sw:
-+install_dirs:
- @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -549,12 +549,19 @@
- $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+ @$(PERL) $(TOP)/util/mkdir-p.pl \
-+ $(INSTALL_PREFIX)$(MANDIR)/man1 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man3 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man5 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- do \
- if [ -f "$$i" ]; then \
-@@ -634,12 +641,7 @@
- done; \
- done
-
--install_docs:
-- @$(PERL) $(TOP)/util/mkdir-p.pl \
-- $(INSTALL_PREFIX)$(MANDIR)/man1 \
-- $(INSTALL_PREFIX)$(MANDIR)/man3 \
-- $(INSTALL_PREFIX)$(MANDIR)/man5 \
-- $(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- here="`pwd`"; \
- filecase=; \
---- openssl-1.0.1p/Makefile.shared
-+++ openssl-1.0.1p/Makefile.shared
-@@ -105,6 +105,7 @@
- SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
- LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
- LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+ [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
- $${SHAREDCMD} $${SHAREDFLAGS} \
- -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +123,7 @@
- done; \
- fi; \
- if [ -n "$$SHLIB_SOVER" ]; then \
-+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- fi; \
---- openssl-1.0.1p/test/Makefile
-+++ openssl-1.0.1p/test/Makefile
-@@ -130,7 +130,7 @@
- tags:
- ctags $(SRC)
-
--tests: exe apps $(TESTS)
-+tests: exe $(TESTS)
-
- apps:
- @(cd ..; $(MAKE) DIRS=apps all)
-@@ -388,118 +388,118 @@
- link_app.$${shlib_target}
-
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
-- @target=$(RSATEST); $(BUILD_CMD)
-+ +@target=$(RSATEST); $(BUILD_CMD)
-
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
-- @target=$(BNTEST); $(BUILD_CMD)
-+ +@target=$(BNTEST); $(BUILD_CMD)
-
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
-- @target=$(ECTEST); $(BUILD_CMD)
-+ +@target=$(ECTEST); $(BUILD_CMD)
-
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
-- @target=$(EXPTEST); $(BUILD_CMD)
-+ +@target=$(EXPTEST); $(BUILD_CMD)
-
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
-- @target=$(IDEATEST); $(BUILD_CMD)
-+ +@target=$(IDEATEST); $(BUILD_CMD)
-
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
-- @target=$(MD2TEST); $(BUILD_CMD)
-+ +@target=$(MD2TEST); $(BUILD_CMD)
-
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
-- @target=$(SHATEST); $(BUILD_CMD)
-+ +@target=$(SHATEST); $(BUILD_CMD)
-
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
-- @target=$(SHA1TEST); $(BUILD_CMD)
-+ +@target=$(SHA1TEST); $(BUILD_CMD)
-
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
-- @target=$(SHA256TEST); $(BUILD_CMD)
-+ +@target=$(SHA256TEST); $(BUILD_CMD)
-
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
-- @target=$(SHA512TEST); $(BUILD_CMD)
-+ +@target=$(SHA512TEST); $(BUILD_CMD)
-
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
-- @target=$(RMDTEST); $(BUILD_CMD)
-+ +@target=$(RMDTEST); $(BUILD_CMD)
-
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
-- @target=$(MDC2TEST); $(BUILD_CMD)
-+ +@target=$(MDC2TEST); $(BUILD_CMD)
-
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
-- @target=$(MD4TEST); $(BUILD_CMD)
-+ +@target=$(MD4TEST); $(BUILD_CMD)
-
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
-- @target=$(MD5TEST); $(BUILD_CMD)
-+ +@target=$(MD5TEST); $(BUILD_CMD)
-
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
-- @target=$(HMACTEST); $(BUILD_CMD)
-+ +@target=$(HMACTEST); $(BUILD_CMD)
-
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
-- @target=$(WPTEST); $(BUILD_CMD)
-+ +@target=$(WPTEST); $(BUILD_CMD)
-
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
-- @target=$(RC2TEST); $(BUILD_CMD)
-+ +@target=$(RC2TEST); $(BUILD_CMD)
-
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
-- @target=$(BFTEST); $(BUILD_CMD)
-+ +@target=$(BFTEST); $(BUILD_CMD)
-
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
-- @target=$(CASTTEST); $(BUILD_CMD)
-+ +@target=$(CASTTEST); $(BUILD_CMD)
-
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
-- @target=$(RC4TEST); $(BUILD_CMD)
-+ +@target=$(RC4TEST); $(BUILD_CMD)
-
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
-- @target=$(RC5TEST); $(BUILD_CMD)
-+ +@target=$(RC5TEST); $(BUILD_CMD)
-
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
-- @target=$(DESTEST); $(BUILD_CMD)
-+ +@target=$(DESTEST); $(BUILD_CMD)
-
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
-- @target=$(RANDTEST); $(BUILD_CMD)
-+ +@target=$(RANDTEST); $(BUILD_CMD)
-
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
-- @target=$(DHTEST); $(BUILD_CMD)
-+ +@target=$(DHTEST); $(BUILD_CMD)
-
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
-- @target=$(DSATEST); $(BUILD_CMD)
-+ +@target=$(DSATEST); $(BUILD_CMD)
-
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
-- @target=$(METHTEST); $(BUILD_CMD)
-+ +@target=$(METHTEST); $(BUILD_CMD)
-
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
-- @target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+ +@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
-- @target=$(ENGINETEST); $(BUILD_CMD)
-+ +@target=$(ENGINETEST); $(BUILD_CMD)
-
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
-- @target=$(EVPTEST); $(BUILD_CMD)
-+ +@target=$(EVPTEST); $(BUILD_CMD)
-
- $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
-- @target=$(EVPEXTRATEST); $(BUILD_CMD)
-+ +@target=$(EVPEXTRATEST); $(BUILD_CMD)
-
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
-- @target=$(ECDSATEST); $(BUILD_CMD)
-+ +@target=$(ECDSATEST); $(BUILD_CMD)
-
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
-- @target=$(ECDHTEST); $(BUILD_CMD)
-+ +@target=$(ECDHTEST); $(BUILD_CMD)
-
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
-- @target=$(IGETEST); $(BUILD_CMD)
-+ +@target=$(IGETEST); $(BUILD_CMD)
-
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
-- @target=$(JPAKETEST); $(BUILD_CMD)
-+ +@target=$(JPAKETEST); $(BUILD_CMD)
-
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
-- @target=$(ASN1TEST); $(BUILD_CMD)
-+ +@target=$(ASN1TEST); $(BUILD_CMD)
-
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
-- @target=$(SRPTEST); $(BUILD_CMD)
-+ +@target=$(SRPTEST); $(BUILD_CMD)
-
- $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
-- @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-+ +@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-
- $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
-- @target=$(CONSTTIMETEST) $(BUILD_CMD)
-+ +@target=$(CONSTTIMETEST) $(BUILD_CMD)
-
- #$(AESTEST).o: $(AESTEST).c
- # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -512,7 +512,7 @@
- # fi
-
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
-- @target=dummytest; $(BUILD_CMD)
-+ +@target=dummytest; $(BUILD_CMD)
-
- # DO NOT DELETE THIS LINE -- make depend depends on it.
-
diff --git a/dev-libs/openssl/files/openssl-1.0.1r-x32.patch b/dev-libs/openssl/files/openssl-1.0.1r-x32.patch
deleted file mode 100644
index 9e490fd..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1r-x32.patch
+++ /dev/null
@@ -1,66 +0,0 @@
---- openssl-1.0.1r/Configure
-+++ openssl-1.0.1r/Configure
-@@ -368,6 +368,7 @@
- "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x32", "gcc:-DL_ENDIAN -DTERMIO -O2 -pipe -g -feliminate-unused-debug-types -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
---- openssl-1.0.1r/crypto/bn/asm/x86_64-gcc.c
-+++ openssl-1.0.1r/crypto/bn/asm/x86_64-gcc.c
-@@ -55,7 +55,7 @@
- * machine.
- */
-
--# ifdef _WIN64
-+# ifdef _WIN64 || !defined __LP64__
- # define BN_ULONG unsigned long long
- # else
- # define BN_ULONG unsigned long
-@@ -211,9 +211,9 @@
-
- asm volatile (" subq %2,%2 \n"
- ".p2align 4 \n"
-- "1: movq (%4,%2,8),%0 \n"
-- " adcq (%5,%2,8),%0 \n"
-- " movq %0,(%3,%2,8) \n"
-+ "1: movq (%q4,%2,8),%0 \n"
-+ " adcq (%q5,%2,8),%0 \n"
-+ " movq %0,(%q3,%2,8) \n"
- " leaq 1(%2),%2 \n"
- " loop 1b \n"
- " sbbq %0,%0 \n":"=&a" (ret), "+c"(n),
-@@ -235,9 +235,9 @@
-
- asm volatile (" subq %2,%2 \n"
- ".p2align 4 \n"
-- "1: movq (%4,%2,8),%0 \n"
-- " sbbq (%5,%2,8),%0 \n"
-- " movq %0,(%3,%2,8) \n"
-+ "1: movq (%q4,%2,8),%0 \n"
-+ " sbbq (%q5,%2,8),%0 \n"
-+ " movq %0,(%q3,%2,8) \n"
- " leaq 1(%2),%2 \n"
- " loop 1b \n"
- " sbbq %0,%0 \n":"=&a" (ret), "+c"(n),
---- openssl-1.0.1r/crypto/bn/bn.h
-+++ openssl-1.0.1r/crypto/bn/bn.h
-@@ -174,6 +174,16 @@
- # endif
-
- /*
-+ * Address type.
-+ */
-+#ifdef _WIN64
-+#define BN_ADDR unsigned long long
-+#else
-+#define BN_ADDR unsigned long
-+#endif
-+
-+
-+/*
- * assuming long is 64bit - this is the DEC Alpha unsigned long long is only
- * 64 bits :-(, don't define BN_LLONG for the DEC Alpha
- */
diff --git a/dev-libs/openssl/openssl-1.0.1p.ebuild b/dev-libs/openssl/openssl-1.0.1p.ebuild
deleted file mode 100644
index 40a538f..0000000
--- a/dev-libs/openssl/openssl-1.0.1p.ebuild
+++ /dev/null
@@ -1,259 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${P}.tar.gz
- http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking. We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
- abi_x86_32? (
- !<=app-emulation/emul-linux-x86-baselibs-20140406-r3
- !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
- )
- !<net-misc/openssh-5.9_p1-r4
- !<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
- sys-apps/diffutils
- >=dev-lang/perl-5
- test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-src_unpack() {
- unpack ${P}.tar.gz
- SSL_CNF_DIR="/etc/ssl"
- sed \
- -e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
- -e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
- "${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
- > "${WORKDIR}"/c_rehash || die #416717
-}
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
- epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
- epatch "${FILESDIR}"/${PN}-1.0.1p-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.1m-x32.patch
- epatch "${FILESDIR}"/${PN}-1.0.1m-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- $(use_ssl !bindist ec) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- $(use_ssl !bindist rc5) \
- enable-tlsext \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- dobin "${WORKDIR}"/c_rehash #333117
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
diff --git a/dev-libs/openssl/openssl-1.0.1r.ebuild b/dev-libs/openssl/openssl-1.0.1r.ebuild
deleted file mode 100644
index 8d590fa..0000000
--- a/dev-libs/openssl/openssl-1.0.1r.ebuild
+++ /dev/null
@@ -1,256 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${P}.tar.gz
- http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking. We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
- abi_x86_32? (
- !<=app-emulation/emul-linux-x86-baselibs-20140406-r3
- !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
- )
- !<net-misc/openssh-5.9_p1-r4
- !<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
- sys-apps/diffutils
- >=dev-lang/perl-5
- test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- SSL_CNF_DIR="/etc/ssl"
- sed \
- -e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
- -e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
- "${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
- > "${WORKDIR}"/c_rehash || die #416717
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
- epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
- epatch "${FILESDIR}"/${PN}-1.0.1p-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.1r-x32.patch
- epatch "${FILESDIR}"/${PN}-1.0.1m-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- $(use_ssl !bindist ec) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- $(use_ssl !bindist rc5) \
- enable-tlsext \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- dobin "${WORKDIR}"/c_rehash #333117
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
diff --git a/dev-libs/openssl/openssl-1.0.2e.ebuild b/dev-libs/openssl/openssl-1.0.2e.ebuild
deleted file mode 100644
index 444743d..0000000
--- a/dev-libs/openssl/openssl-1.0.2e.ebuild
+++ /dev/null
@@ -1,265 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking. We'll drop them in
-# the future.
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
- abi_x86_32? (
- !<=app-emulation/emul-linux-x86-baselibs-20140508
- !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
- )
- !<net-misc/openssh-5.9_p1-r4
- !<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
- epatch "${FILESDIR}"/${PN}-1.0.2e-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- $(use_ssl !bindist ec) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2016-05-03 14:21 Lars Wendler
0 siblings, 0 replies; 36+ messages in thread
From: Lars Wendler @ 2016-05-03 14:21 UTC (permalink / raw
To: gentoo-commits
commit: 4ccd01d073a744eb69271f5e5f252af9a3fc5ecb
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue May 3 14:21:15 2016 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue May 3 14:21:15 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ccd01d0
dev-libs/openssl: Removed old.
Package-Manager: portage-2.2.28
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
dev-libs/openssl/Manifest | 1 -
.../files/openssl-1.0.2e-parallel-build.patch | 314 ---------------------
dev-libs/openssl/openssl-1.0.2f.ebuild | 265 -----------------
3 files changed, 580 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index e2c25ea..7ca6bf7 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,4 +1,3 @@
DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
-DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835baaaa04e506fb3fbaed37d31c9
DIST openssl-1.0.2g.tar.gz 5266102 SHA256 b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735 WHIRLPOOL aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb
DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
diff --git a/dev-libs/openssl/files/openssl-1.0.2e-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2e-parallel-build.patch
deleted file mode 100644
index 53d4baa..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2e-parallel-build.patch
+++ /dev/null
@@ -1,314 +0,0 @@
---- openssl-1.0.2e/crypto/Makefile
-+++ openssl-1.0.2e/crypto/Makefile
-@@ -85,11 +85,11 @@
- @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
-
- subdirs:
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
-- @target=files; $(RECURSIVE_MAKE)
-+ +@target=files; $(RECURSIVE_MAKE)
-
- links:
- @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib: $(LIB)
- @touch lib
--$(LIB): $(LIBOBJ)
-+$(LIB): $(LIBOBJ) | subdirs
- $(AR) $(LIB) $(LIBOBJ)
- test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- $(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@
- fi
-
- libs:
-- @target=lib; $(RECURSIVE_MAKE)
-+ +@target=lib; $(RECURSIVE_MAKE)
-
- install:
- @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- lint:
- @target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.2e/engines/Makefile
-+++ openssl-1.0.2e/engines/Makefile
-@@ -72,7 +72,7 @@
-
- all: lib subdirs
-
--lib: $(LIBOBJ)
-+lib: $(LIBOBJ) | subdirs
- @if [ -n "$(SHARED_LIBS)" ]; then \
- set -e; \
- for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
-
- subdirs:
- echo $(EDIRS)
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- done; \
- fi
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- tags:
- ctags $(SRC)
---- openssl-1.0.2e/Makefile.org
-+++ openssl-1.0.2e/Makefile.org
-@@ -280,17 +280,17 @@
- build_libssl: build_ssl libssl.pc
-
- build_crypto:
-- @dir=crypto; target=all; $(BUILD_ONE_CMD)
-+ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
-- @dir=ssl; target=all; $(BUILD_ONE_CMD)
-+ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
-- @dir=engines; target=all; $(BUILD_ONE_CMD)
-+ +@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
-- @dir=apps; target=all; $(BUILD_ONE_CMD)
-+ +@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
-- @dir=test; target=all; $(BUILD_ONE_CMD)
-+ +@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
-- @dir=tools; target=all; $(BUILD_ONE_CMD)
-+ +@dir=tools; target=all; $(BUILD_ONE_CMD)
-
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -548,7 +548,7 @@
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- do \
- if [ -f "$$i" ]; then \
---- openssl-1.0.2e/Makefile.shared
-+++ openssl-1.0.2e/Makefile.shared
-@@ -105,6 +105,7 @@
- SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
- LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
- LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+ [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
- $${SHAREDCMD} $${SHAREDFLAGS} \
- -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +123,7 @@
- done; \
- fi; \
- if [ -n "$$SHLIB_SOVER" ]; then \
-+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- fi; \
---- openssl-1.0.2e/test/Makefile
-+++ openssl-1.0.2e/test/Makefile
-@@ -138,7 +138,7 @@
- tags:
- ctags $(SRC)
-
--tests: exe apps $(TESTS)
-+tests: exe $(TESTS)
-
- apps:
- @(cd ..; $(MAKE) DIRS=apps all)
-@@ -416,127 +416,127 @@
- link_app.$${shlib_target}
-
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
-- @target=$(RSATEST); $(BUILD_CMD)
-+ +@target=$(RSATEST); $(BUILD_CMD)
-
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
-- @target=$(BNTEST); $(BUILD_CMD)
-+ +@target=$(BNTEST); $(BUILD_CMD)
-
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
-- @target=$(ECTEST); $(BUILD_CMD)
-+ +@target=$(ECTEST); $(BUILD_CMD)
-
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
-- @target=$(EXPTEST); $(BUILD_CMD)
-+ +@target=$(EXPTEST); $(BUILD_CMD)
-
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
-- @target=$(IDEATEST); $(BUILD_CMD)
-+ +@target=$(IDEATEST); $(BUILD_CMD)
-
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
-- @target=$(MD2TEST); $(BUILD_CMD)
-+ +@target=$(MD2TEST); $(BUILD_CMD)
-
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
-- @target=$(SHATEST); $(BUILD_CMD)
-+ +@target=$(SHATEST); $(BUILD_CMD)
-
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
-- @target=$(SHA1TEST); $(BUILD_CMD)
-+ +@target=$(SHA1TEST); $(BUILD_CMD)
-
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
-- @target=$(SHA256TEST); $(BUILD_CMD)
-+ +@target=$(SHA256TEST); $(BUILD_CMD)
-
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
-- @target=$(SHA512TEST); $(BUILD_CMD)
-+ +@target=$(SHA512TEST); $(BUILD_CMD)
-
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
-- @target=$(RMDTEST); $(BUILD_CMD)
-+ +@target=$(RMDTEST); $(BUILD_CMD)
-
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
-- @target=$(MDC2TEST); $(BUILD_CMD)
-+ +@target=$(MDC2TEST); $(BUILD_CMD)
-
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
-- @target=$(MD4TEST); $(BUILD_CMD)
-+ +@target=$(MD4TEST); $(BUILD_CMD)
-
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
-- @target=$(MD5TEST); $(BUILD_CMD)
-+ +@target=$(MD5TEST); $(BUILD_CMD)
-
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
-- @target=$(HMACTEST); $(BUILD_CMD)
-+ +@target=$(HMACTEST); $(BUILD_CMD)
-
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
-- @target=$(WPTEST); $(BUILD_CMD)
-+ +@target=$(WPTEST); $(BUILD_CMD)
-
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
-- @target=$(RC2TEST); $(BUILD_CMD)
-+ +@target=$(RC2TEST); $(BUILD_CMD)
-
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
-- @target=$(BFTEST); $(BUILD_CMD)
-+ +@target=$(BFTEST); $(BUILD_CMD)
-
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
-- @target=$(CASTTEST); $(BUILD_CMD)
-+ +@target=$(CASTTEST); $(BUILD_CMD)
-
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
-- @target=$(RC4TEST); $(BUILD_CMD)
-+ +@target=$(RC4TEST); $(BUILD_CMD)
-
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
-- @target=$(RC5TEST); $(BUILD_CMD)
-+ +@target=$(RC5TEST); $(BUILD_CMD)
-
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
-- @target=$(DESTEST); $(BUILD_CMD)
-+ +@target=$(DESTEST); $(BUILD_CMD)
-
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
-- @target=$(RANDTEST); $(BUILD_CMD)
-+ +@target=$(RANDTEST); $(BUILD_CMD)
-
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
-- @target=$(DHTEST); $(BUILD_CMD)
-+ +@target=$(DHTEST); $(BUILD_CMD)
-
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
-- @target=$(DSATEST); $(BUILD_CMD)
-+ +@target=$(DSATEST); $(BUILD_CMD)
-
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
-- @target=$(METHTEST); $(BUILD_CMD)
-+ +@target=$(METHTEST); $(BUILD_CMD)
-
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
-- @target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+ +@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
-- @target=$(ENGINETEST); $(BUILD_CMD)
-+ +@target=$(ENGINETEST); $(BUILD_CMD)
-
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
-- @target=$(EVPTEST); $(BUILD_CMD)
-+ +@target=$(EVPTEST); $(BUILD_CMD)
-
- $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
-- @target=$(EVPEXTRATEST); $(BUILD_CMD)
-+ +@target=$(EVPEXTRATEST); $(BUILD_CMD)
-
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
-- @target=$(ECDSATEST); $(BUILD_CMD)
-+ +@target=$(ECDSATEST); $(BUILD_CMD)
-
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
-- @target=$(ECDHTEST); $(BUILD_CMD)
-+ +@target=$(ECDHTEST); $(BUILD_CMD)
-
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
-- @target=$(IGETEST); $(BUILD_CMD)
-+ +@target=$(IGETEST); $(BUILD_CMD)
-
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
-- @target=$(JPAKETEST); $(BUILD_CMD)
-+ +@target=$(JPAKETEST); $(BUILD_CMD)
-
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
-- @target=$(ASN1TEST); $(BUILD_CMD)
-+ +@target=$(ASN1TEST); $(BUILD_CMD)
-
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
-- @target=$(SRPTEST); $(BUILD_CMD)
-+ +@target=$(SRPTEST); $(BUILD_CMD)
-
- $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
-- @target=$(V3NAMETEST); $(BUILD_CMD)
-+ +@target=$(V3NAMETEST); $(BUILD_CMD)
-
- $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
-- @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-+ +@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-
- $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
-- @target=$(CONSTTIMETEST) $(BUILD_CMD)
-+ +@target=$(CONSTTIMETEST) $(BUILD_CMD)
-
- $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
-- @target=$(VERIFYEXTRATEST) $(BUILD_CMD)
-+ +@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
-
- $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
-- @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
-+ +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
-
- #$(AESTEST).o: $(AESTEST).c
- # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -549,7 +549,7 @@
- # fi
-
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
-- @target=dummytest; $(BUILD_CMD)
-+ +@target=dummytest; $(BUILD_CMD)
-
- # DO NOT DELETE THIS LINE -- make depend depends on it.
-
diff --git a/dev-libs/openssl/openssl-1.0.2f.ebuild b/dev-libs/openssl/openssl-1.0.2f.ebuild
deleted file mode 100644
index a7c3eb6..0000000
--- a/dev-libs/openssl/openssl-1.0.2f.ebuild
+++ /dev/null
@@ -1,265 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking. We'll drop them in
-# the future.
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
- abi_x86_32? (
- !<=app-emulation/emul-linux-x86-baselibs-20140508
- !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
- )
- !<net-misc/openssh-5.9_p1-r4
- !<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
- epatch "${FILESDIR}"/${PN}-1.0.2e-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- $(use_ssl !bindist ec) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-
- has_version ${CATEGORY}/${PN}:0.9.8 && return 0
- preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2016-09-22 13:15 Lars Wendler
0 siblings, 0 replies; 36+ messages in thread
From: Lars Wendler @ 2016-09-22 13:15 UTC (permalink / raw
To: gentoo-commits
commit: 4386bee9c9478ec8a20805f075ecbfc9c4325403
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 22 13:13:02 2016 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Sep 22 13:15:52 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4386bee9
dev-libs/openssl: Sec bump to versions 1.0.2i and 1.1.0a (bug #594500).
Package-Manager: portage-2.3.1
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
dev-libs/openssl/Manifest | 2 +
.../files/openssl-1.0.2i-parallel-build.patch | 326 +++++++++++++++++++++
dev-libs/openssl/openssl-1.0.2i.ebuild | 249 ++++++++++++++++
dev-libs/openssl/openssl-1.1.0a.ebuild | 242 +++++++++++++++
4 files changed, 819 insertions(+)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 732c6d3..467e5d3 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,4 +1,6 @@
DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
DIST openssl-1.0.2g.tar.gz 5266102 SHA256 b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735 WHIRLPOOL aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb
DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
+DIST openssl-1.0.2i.tar.gz 5308232 SHA256 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f SHA512 41764debd5d64e4e770945f30d682e2c887d9cefb39b358c5c7f9d2cdce34393ed28d49b24e95c4639db2df01c278cbcde71bed2b03f9aafafc76766b03850e3 WHIRLPOOL ba1a4513aaa1de81e36912acfe0b6cf8e0acf7cc71d32b127b5e54eb2f6fc6ce63f4f61e9fc99fecc9e037cdccc496b9d15ea75b594b0fd8721b4478eab1f31d
DIST openssl-1.1.0.tar.gz 5146831 SHA256 f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82 SHA512 6a99d391be7708fdc4eb097d27cea4ce79dc83cc7f52d353af1e222773e586405c0848557d7404716b92b23b775abed45e73c66fe9128f4bd7c09864e79317b0 WHIRLPOOL 9d38954c65073a8d02caa6aa00b1efc197391b38b341662f0d9967ce883f52eed8c3be84ebd6ecc89c494f725218bfd2bef395891a20b40c8dcdf6b31fba2131
+DIST openssl-1.1.0a.tar.gz 5161414 SHA256 c2e696e34296cde2c9ec5dcdad9e4f042cd703932591d395c389de488302442b SHA512 80d6cf795decc923b0ea6a005805993d2a4133a1d41f0208982f4b147471e24782227c77611cc4c6d1e61849ce66c57987ea7a26ea66cd0b0adc66c200b96c21 WHIRLPOOL 7cc2dd31dcfc7a34f982dde16a0954b7158ddc8d787e9c8838905c19527d31f4049a31891f33e72bbf142a9062f99bf61874a11a143e4dd3de3b039d7f572f02
diff --git a/dev-libs/openssl/files/openssl-1.0.2i-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2i-parallel-build.patch
new file mode 100644
index 00000000..387a077
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2i-parallel-build.patch
@@ -0,0 +1,326 @@
+--- openssl-1.0.2i/crypto/Makefile
++++ openssl-1.0.2i/crypto/Makefile
+@@ -85,11 +85,11 @@
+ @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+ subdirs:
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+- @target=files; $(RECURSIVE_MAKE)
++ +@target=files; $(RECURSIVE_MAKE)
+
+ links:
+ @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+@@ -100,7 +100,7 @@
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib: $(LIB)
+ @touch lib
+-$(LIB): $(LIBOBJ)
++$(LIB): $(LIBOBJ) | subdirs
+ $(AR) $(LIB) $(LIBOBJ)
+ test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ $(RANLIB) $(LIB) || echo Never mind.
+@@ -111,7 +111,7 @@
+ fi
+
+ libs:
+- @target=lib; $(RECURSIVE_MAKE)
++ +@target=lib; $(RECURSIVE_MAKE)
+
+ install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+@@ -120,7 +120,7 @@
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ lint:
+ @target=lint; $(RECURSIVE_MAKE)
+--- openssl-1.0.2i/engines/Makefile
++++ openssl-1.0.2i/engines/Makefile
+@@ -72,7 +72,7 @@
+
+ all: lib subdirs
+
+-lib: $(LIBOBJ)
++lib: $(LIBOBJ) | subdirs
+ @if [ -n "$(SHARED_LIBS)" ]; then \
+ set -e; \
+ for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@
+
+ subdirs:
+ echo $(EDIRS)
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+@@ -128,7 +128,7 @@
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ tags:
+ ctags $(SRC)
+--- openssl-1.0.2i/Makefile.org
++++ openssl-1.0.2i/Makefile.org
+@@ -281,17 +281,17 @@
+ build_libssl: build_ssl libssl.pc
+
+ build_crypto:
+- @dir=crypto; target=all; $(BUILD_ONE_CMD)
++ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+- @dir=ssl; target=all; $(BUILD_ONE_CMD)
++ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+- @dir=engines; target=all; $(BUILD_ONE_CMD)
++ +@dir=engines; target=all; $(BUILD_ONE_CMD)
+ build_apps: build_libs
+- @dir=apps; target=all; $(BUILD_ONE_CMD)
++ +@dir=apps; target=all; $(BUILD_ONE_CMD)
+ build_tests: build_libs
+- @dir=test; target=all; $(BUILD_ONE_CMD)
++ +@dir=test; target=all; $(BUILD_ONE_CMD)
+ build_tools: build_libs
+- @dir=tools; target=all; $(BUILD_ONE_CMD)
++ +@dir=tools; target=all; $(BUILD_ONE_CMD)
+
+ all_testapps: build_libs build_testapps
+ build_testapps:
+@@ -547,7 +547,7 @@
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
++ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
+ do \
+ if [ -f "$$i" ]; then \
+--- openssl-1.0.2i/Makefile.shared
++++ openssl-1.0.2i/Makefile.shared
+@@ -105,6 +105,7 @@
+ SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
+ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
++ [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
+ LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+ $${SHAREDCMD} $${SHAREDFLAGS} \
+ -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+@@ -122,6 +123,7 @@
+ done; \
+ fi; \
+ if [ -n "$$SHLIB_SOVER" ]; then \
++ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
+ ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
+ ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+ fi; \
+--- openssl-1.0.2i/test/Makefile
++++ openssl-1.0.2i/test/Makefile
+@@ -144,7 +144,7 @@
+ tags:
+ ctags $(SRC)
+
+-tests: exe apps $(TESTS)
++tests: exe $(TESTS)
+
+ apps:
+ @(cd ..; $(MAKE) DIRS=apps all)
+@@ -435,136 +435,136 @@
+ link_app.$${shlib_target}
+
+ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
+- @target=$(RSATEST); $(BUILD_CMD)
++ +@target=$(RSATEST); $(BUILD_CMD)
+
+ $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
+- @target=$(BNTEST); $(BUILD_CMD)
++ +@target=$(BNTEST); $(BUILD_CMD)
+
+ $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
+- @target=$(ECTEST); $(BUILD_CMD)
++ +@target=$(ECTEST); $(BUILD_CMD)
+
+ $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
+- @target=$(EXPTEST); $(BUILD_CMD)
++ +@target=$(EXPTEST); $(BUILD_CMD)
+
+ $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
+- @target=$(IDEATEST); $(BUILD_CMD)
++ +@target=$(IDEATEST); $(BUILD_CMD)
+
+ $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
+- @target=$(MD2TEST); $(BUILD_CMD)
++ +@target=$(MD2TEST); $(BUILD_CMD)
+
+ $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
+- @target=$(SHATEST); $(BUILD_CMD)
++ +@target=$(SHATEST); $(BUILD_CMD)
+
+ $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
+- @target=$(SHA1TEST); $(BUILD_CMD)
++ +@target=$(SHA1TEST); $(BUILD_CMD)
+
+ $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
+- @target=$(SHA256TEST); $(BUILD_CMD)
++ +@target=$(SHA256TEST); $(BUILD_CMD)
+
+ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
+- @target=$(SHA512TEST); $(BUILD_CMD)
++ +@target=$(SHA512TEST); $(BUILD_CMD)
+
+ $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
+- @target=$(RMDTEST); $(BUILD_CMD)
++ +@target=$(RMDTEST); $(BUILD_CMD)
+
+ $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
+- @target=$(MDC2TEST); $(BUILD_CMD)
++ +@target=$(MDC2TEST); $(BUILD_CMD)
+
+ $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
+- @target=$(MD4TEST); $(BUILD_CMD)
++ +@target=$(MD4TEST); $(BUILD_CMD)
+
+ $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
+- @target=$(MD5TEST); $(BUILD_CMD)
++ +@target=$(MD5TEST); $(BUILD_CMD)
+
+ $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
+- @target=$(HMACTEST); $(BUILD_CMD)
++ +@target=$(HMACTEST); $(BUILD_CMD)
+
+ $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
+- @target=$(WPTEST); $(BUILD_CMD)
++ +@target=$(WPTEST); $(BUILD_CMD)
+
+ $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
+- @target=$(RC2TEST); $(BUILD_CMD)
++ +@target=$(RC2TEST); $(BUILD_CMD)
+
+ $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
+- @target=$(BFTEST); $(BUILD_CMD)
++ +@target=$(BFTEST); $(BUILD_CMD)
+
+ $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
+- @target=$(CASTTEST); $(BUILD_CMD)
++ +@target=$(CASTTEST); $(BUILD_CMD)
+
+ $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
+- @target=$(RC4TEST); $(BUILD_CMD)
++ +@target=$(RC4TEST); $(BUILD_CMD)
+
+ $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
+- @target=$(RC5TEST); $(BUILD_CMD)
++ +@target=$(RC5TEST); $(BUILD_CMD)
+
+ $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
+- @target=$(DESTEST); $(BUILD_CMD)
++ +@target=$(DESTEST); $(BUILD_CMD)
+
+ $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
+- @target=$(RANDTEST); $(BUILD_CMD)
++ +@target=$(RANDTEST); $(BUILD_CMD)
+
+ $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
+- @target=$(DHTEST); $(BUILD_CMD)
++ +@target=$(DHTEST); $(BUILD_CMD)
+
+ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
+- @target=$(DSATEST); $(BUILD_CMD)
++ +@target=$(DSATEST); $(BUILD_CMD)
+
+ $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
+- @target=$(METHTEST); $(BUILD_CMD)
++ +@target=$(METHTEST); $(BUILD_CMD)
+
+ $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
+- @target=$(SSLTEST); $(FIPS_BUILD_CMD)
++ +@target=$(SSLTEST); $(FIPS_BUILD_CMD)
+
+ $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
+- @target=$(ENGINETEST); $(BUILD_CMD)
++ +@target=$(ENGINETEST); $(BUILD_CMD)
+
+ $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
+- @target=$(EVPTEST); $(BUILD_CMD)
++ +@target=$(EVPTEST); $(BUILD_CMD)
+
+ $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
+- @target=$(EVPEXTRATEST); $(BUILD_CMD)
++ +@target=$(EVPEXTRATEST); $(BUILD_CMD)
+
+ $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
+- @target=$(ECDSATEST); $(BUILD_CMD)
++ +@target=$(ECDSATEST); $(BUILD_CMD)
+
+ $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
+- @target=$(ECDHTEST); $(BUILD_CMD)
++ +@target=$(ECDHTEST); $(BUILD_CMD)
+
+ $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
+- @target=$(IGETEST); $(BUILD_CMD)
++ +@target=$(IGETEST); $(BUILD_CMD)
+
+ $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
+- @target=$(JPAKETEST); $(BUILD_CMD)
++ +@target=$(JPAKETEST); $(BUILD_CMD)
+
+ $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
+- @target=$(ASN1TEST); $(BUILD_CMD)
++ +@target=$(ASN1TEST); $(BUILD_CMD)
+
+ $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
+- @target=$(SRPTEST); $(BUILD_CMD)
++ +@target=$(SRPTEST); $(BUILD_CMD)
+
+ $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
+- @target=$(V3NAMETEST); $(BUILD_CMD)
++ +@target=$(V3NAMETEST); $(BUILD_CMD)
+
+ $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
+- @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
++ +@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
+
+ $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
+- @target=$(CONSTTIMETEST) $(BUILD_CMD)
++ +@target=$(CONSTTIMETEST) $(BUILD_CMD)
+
+ $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
+- @target=$(VERIFYEXTRATEST) $(BUILD_CMD)
++ +@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
+
+ $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
+- @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
++ +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+
+ $(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
+- @target=$(BADDTLSTEST) $(BUILD_CMD)
++ +@target=$(BADDTLSTEST) $(BUILD_CMD)
+
+ $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
+- @target=$(SSLV2CONFTEST) $(BUILD_CMD)
++ +@target=$(SSLV2CONFTEST) $(BUILD_CMD)
+
+ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
+- @target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
++ +@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
+
+ #$(AESTEST).o: $(AESTEST).c
+ # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+@@ -577,7 +577,7 @@
+ # fi
+
+ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
+- @target=dummytest; $(BUILD_CMD)
++ +@target=dummytest; $(BUILD_CMD)
+
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+
diff --git a/dev-libs/openssl/openssl-1.0.2i.ebuild b/dev-libs/openssl/openssl-1.0.2i.ebuild
new file mode 100644
index 00000000..f026079
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2i.ebuild
@@ -0,0 +1,249 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+ epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
+ epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+ epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+
+ epatch_user #332661
+ fi
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ Makefile.org \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ enable-tlsext \
+ $(use_ssl asm) \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl sslv2 ssl2) \
+ $(use_ssl sslv3 ssl3) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+ # rehash is needed to prep the certs/ dir; do this
+ # separately to avoid parallel build issues.
+ emake rehash
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+ dohtml -r doc/*
+ use rfc3779 && dodoc engines/ccgost/README.gost
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ dodir ${SSL_CNF_DIR}/certs
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+}
diff --git a/dev-libs/openssl/openssl-1.1.0a.ebuild b/dev-libs/openssl/openssl-1.1.0a.ebuild
new file mode 100644
index 00000000..0aea4eb
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0a.ebuild
@@ -0,0 +1,242 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.1.0-ldflags.patch #327421
+ "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+)
+
+src_prepare() {
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${PATCHES[@]}"
+ epatch_user #332661
+ fi
+
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ # Make DOCDIR Gentoo compliant
+ sed -i \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \
+ Configurations/unix-Makefile.tmpl \
+ || die
+
+ # show the actual commands in the log
+ sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ # Prefixify Configure shebang (#141906)
+ sed \
+ -e "1s,/usr/bin/env,${EPREFIX}&," \
+ -i Configure || die
+ # Remove test target when FEATURES=test isn't set
+ if ! use test ; then
+ sed \
+ -e '/^$config{dirs}/s@ "test",@@' \
+ -i Configure || die
+ fi
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ --api=1.1.0 \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ disable-deprecated \
+ $(use_ssl !bindist ec) \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ $(use_ssl asm) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ # Fix quoting for sed
+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAGS=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ -e 's:\\:\\\\:g' \
+ )
+ sed -i \
+ -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+ -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+ dohtml -r doc/*
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2017-12-07 18:53 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2017-12-07 18:53 UTC (permalink / raw
To: gentoo-commits
commit: f4afdc625b0b3aa1bc6e0df39903f133ba0caa04
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 7 18:50:17 2017 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Thu Dec 7 18:53:02 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4afdc62
dev-libs/openssl: Rev bump to add patch for CVE-2017-3738
Bug: https://bugs.gentoo.org/640212
Package-Manager: Portage-2.3.16, Repoman-2.3.6
dev-libs/openssl/Manifest | 2 +-
.../files/openssl-1.1.0g-CVE-2017-3738.patch | 77 ++++++
dev-libs/openssl/openssl-1.1.0g-r2.ebuild | 284 +++++++++++++++++++++
3 files changed, 362 insertions(+), 1 deletion(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index e9a8efaa979..d18c7e53b34 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -13,7 +13,7 @@ DIST openssl-1.1.0f.tar.gz 5278176 SHA256 12f746f3f2493b2f39da7ecf63d7ee19c6ac9e
DIST openssl-1.1.0f_ec_curve.c 18393 SHA256 9dd0e1f422116da45eb16936fbbbe4e4e05e7a8fc0f359594af76e935c37716e SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 WHIRLPOOL 6f43f3b8037f5edf323ea865d1150eaa63ee60f60b512b52e37b752b328855e57eae70c812071caba0f91eeeb379c4dd9574806ba50d5bee38ad3b0e3fe03f55
DIST openssl-1.1.0f_ectest.c 29907 SHA256 37682adb07ba260339fad3fead87b186fc8c26321a0aad45deefed4c25ad87cb SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae WHIRLPOOL f39da1830f5a6492add40f460af9d85b2fbfac0d5d8ff4eb4ba3cb16e6ff50a030aee38c518d7a06d1167f59030ded5496000793ad4cf2de7ff36f22eeefe7c7
DIST openssl-1.1.0f_hobble-openssl 1117 SHA256 ab168bd8bf578f7361524f9a12eecbbaf41fd7e2c852a0158aafd3bce9cac569 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 WHIRLPOOL 94537166ad8f5cacba2d30d0b6e4676d896cab157be5891fbeecdb2efa10a322d77e2b35a44ff1d474e860dcece63a8688f9df5edf8fe859bf67b410148ea64a
-DIST openssl-1.1.0g.tar.gz 5404748 SHA256 de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a WHIRLPOOL 86363a038df1621b9fbf634efec6648e0c35b882f7b582e6522a3869f8f5c67e32ed1a4637cb0009bf6fab4528072964cba5878540407306ea2e4210026c7a78
+DIST openssl-1.1.0g.tar.gz 5404748 BLAKE2B 23daf80e4143aad4654ae86f8e96042dd7328a9d1186b4922e284fcfe0f68259ea12d21c4472d92d65a7fcef21e049cf9371cc9bdad11b66a3df11286418ed42 SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a
DIST openssl-1.1.0g_ec_curve.c 18393 SHA256 9dd0e1f422116da45eb16936fbbbe4e4e05e7a8fc0f359594af76e935c37716e SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 WHIRLPOOL 6f43f3b8037f5edf323ea865d1150eaa63ee60f60b512b52e37b752b328855e57eae70c812071caba0f91eeeb379c4dd9574806ba50d5bee38ad3b0e3fe03f55
DIST openssl-1.1.0g_ectest.c 29907 SHA256 37682adb07ba260339fad3fead87b186fc8c26321a0aad45deefed4c25ad87cb SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae WHIRLPOOL f39da1830f5a6492add40f460af9d85b2fbfac0d5d8ff4eb4ba3cb16e6ff50a030aee38c518d7a06d1167f59030ded5496000793ad4cf2de7ff36f22eeefe7c7
DIST openssl-1.1.0g_hobble-openssl 1117 SHA256 ab168bd8bf578f7361524f9a12eecbbaf41fd7e2c852a0158aafd3bce9cac569 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 WHIRLPOOL 94537166ad8f5cacba2d30d0b6e4676d896cab157be5891fbeecdb2efa10a322d77e2b35a44ff1d474e860dcece63a8688f9df5edf8fe859bf67b410148ea64a
diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
new file mode 100644
index 00000000000..4b01feb8e87
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
@@ -0,0 +1,77 @@
+From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Fri, 24 Nov 2017 11:35:50 +0100
+Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
+ rsaz_1024_mul_avx2.
+
+Credit to OSS-Fuzz for finding this.
+
+CVE-2017-3738
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ crypto/bn/asm/rsaz-avx2.pl | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
+index 0c1b236ef98..46d746b7d0e 100755
+--- a/crypto/bn/asm/rsaz-avx2.pl
++++ b/crypto/bn/asm/rsaz-avx2.pl
+@@ -246,7 +246,7 @@
+ vmovdqu 32*8-128($ap), $ACC8
+
+ lea 192(%rsp), $tp0 # 64+128=192
+- vpbroadcastq .Land_mask(%rip), $AND_MASK
++ vmovdqu .Land_mask(%rip), $AND_MASK
+ jmp .LOOP_GRANDE_SQR_1024
+
+ .align 32
+@@ -1077,10 +1077,10 @@
+ vpmuludq 32*6-128($np),$Yi,$TEMP1
+ vpaddq $TEMP1,$ACC6,$ACC6
+ vpmuludq 32*7-128($np),$Yi,$TEMP2
+- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3
++ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3
+ vpaddq $TEMP2,$ACC7,$ACC7
+ vpmuludq 32*8-128($np),$Yi,$TEMP0
+- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3
++ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3
+ vpaddq $TEMP0,$ACC8,$ACC8
+
+ mov %rbx, %rax
+@@ -1093,7 +1093,9 @@
+ vmovdqu -8+32*2-128($ap),$TEMP2
+
+ mov $r1, %rax
++ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3
+ imull $n0, %eax
++ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3
+ and \$0x1fffffff, %eax
+
+ imulq 16-128($ap),%rbx
+@@ -1329,15 +1331,12 @@
+ # But as we underutilize resources, it's possible to correct in
+ # each iteration with marginal performance loss. But then, as
+ # we do it in each iteration, we can correct less digits, and
+-# avoid performance penalties completely. Also note that we
+-# correct only three digits out of four. This works because
+-# most significant digit is subjected to less additions.
++# avoid performance penalties completely.
+
+ $TEMP0 = $ACC9;
+ $TEMP3 = $Bi;
+ $TEMP4 = $Yi;
+ $code.=<<___;
+- vpermq \$0, $AND_MASK, $AND_MASK
+ vpaddq (%rsp), $TEMP1, $ACC0
+
+ vpsrlq \$29, $ACC0, $TEMP1
+@@ -1770,7 +1769,7 @@
+
+ .align 64
+ .Land_mask:
+- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1
++ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
+ .Lscatter_permd:
+ .long 0,2,4,6,7,7,7,7
+ .Lgather_permd:
diff --git a/dev-libs/openssl/openssl-1.1.0g-r2.ebuild b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild
new file mode 100644
index 00000000000..0c7e76558f8
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild
@@ -0,0 +1,284 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+# This does not copy the entire Fedora patchset, but JUST the parts that
+# are needed to make it safe to use EC with RESTRICT=bindist.
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
+SOURCE1=hobble-openssl
+SOURCE12=ec_curve.c
+SOURCE13=ectest.c
+PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
+PATCH37=openssl-1.1.0-ec-curves.patch
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
+FEDORA_GIT_BRANCH='f27'
+FEDORA_SRC_URI=()
+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
+FEDORA_PATCH=( $PATCH1 $PATCH37 )
+for i in "${FEDORA_SOURCE[@]}" ; do
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
+done
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
+done
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ "${FILESDIR}"/${PN}-1.1.0g-CVE-2017-3738.patch
+)
+
+src_prepare() {
+ if use bindist; then
+ # This just removes the prefix, and puts it into WORKDIR like the RPM.
+ for i in "${FEDORA_SOURCE[@]}" ; do
+ cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
+ done
+ # .spec %prep
+ bash "${WORKDIR}"/"${SOURCE1}" || die
+ cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
+ cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
+ for i in "${FEDORA_PATCH[@]}" ; do
+ epatch "${DISTDIR}"/"${i}"
+ done
+ # Also see the configure parts below:
+ # enable-ec \
+ # $(use_ssl !bindist ec2m) \
+
+ fi
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ epatch "${PATCHES[@]}"
+ fi
+
+ eapply_user #332661
+
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ # Make DOCDIR Gentoo compliant
+ sed -i \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \
+ Configurations/unix-Makefile.tmpl \
+ || die
+
+ # show the actual commands in the log
+ sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ # Prefixify Configure shebang (#141906)
+ sed \
+ -e "1s,/usr/bin/env,${EPREFIX}&," \
+ -i Configure || die
+ # Remove test target when FEATURES=test isn't set
+ if ! use test ; then
+ sed \
+ -e '/^$config{dirs}/s@ "test",@@' \
+ -i Configure || die
+ fi
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ # Fedora hobbled-EC needs 'no-ec2m'
+ # 'srp' was restricted until early 2017 as well.
+ echoit \
+ ./${config} \
+ ${sslout} \
+ --api=1.0.0 \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ disable-deprecated \
+ enable-ec \
+ $(use_ssl !bindist ec2m) \
+ enable-srp \
+ $(use elibc_musl && echo "no-async") \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ $(use_ssl asm) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ # Fix quoting for sed
+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAGS=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ -e 's:\\:\\\\:g' \
+ )
+ sed -i \
+ -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+ -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2017-12-30 19:55 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2017-12-30 19:55 UTC (permalink / raw
To: gentoo-commits
commit: 0ef22ca0826fad8472f23e3451f5eb3295a7538e
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Sat Dec 30 19:54:49 2017 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Sat Dec 30 19:54:49 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ef22ca0
dev-libs/openssl: Security cleanup (bug #640172)
Package-Manager: Portage-2.3.19, Repoman-2.3.6
dev-libs/openssl/Manifest | 6 -
.../openssl/files/openssl-1.0.0a-ldflags.patch | 29 -
.../files/openssl-1.0.1p-default-source.patch | 30 -
dev-libs/openssl/files/openssl-1.0.2-ipv6.patch | 611 ---------------------
.../openssl-1.0.2a-parallel-install-dirs.patch | 64 ---
| 37 --
.../files/openssl-1.0.2a-parallel-symlinking.patch | 63 ---
.../files/openssl-1.0.2i-parallel-build.patch | 326 -----------
dev-libs/openssl/openssl-1.0.2k.ebuild | 254 ---------
dev-libs/openssl/openssl-1.0.2l-r1.ebuild | 296 ----------
dev-libs/openssl/openssl-1.0.2l.ebuild | 254 ---------
dev-libs/openssl/openssl-1.0.2m.ebuild | 254 ---------
12 files changed, 2224 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 583d9dd4660..1985ca1d3d7 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,11 +1,5 @@
DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d SHA512 15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9
-DIST openssl-1.0.2k.tar.gz 5309236 BLAKE2B 97069b9c7aaab2381ae5be989caff6907cd44ab1831d84685c3421ad985889a2bbc3a462decdff9c4c158ace96975de2b9e49e4f1b9f306990c3dc0f03767dad SHA512 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016
-DIST openssl-1.0.2l.tar.gz 5365054 BLAKE2B 0a459a93a0013269dea79bd6df96a434b9dad95b6d98b24a48bc1b1438415c0a8de01b67166ac13a73ae65fb64131568924c3e6f945d862b7e960f05332cf097 SHA512 047d964508ad6025c79caabd8965efd2416dc026a56183d0ef4de7a0a6769ce8e0b4608a3f8393d326f6d03b26a2b067e6e0c750f35b20be190e595e8290c0e3
-DIST openssl-1.0.2l_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
-DIST openssl-1.0.2l_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
-DIST openssl-1.0.2l_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
-DIST openssl-1.0.2m.tar.gz 5373776 BLAKE2B f40cbea061f84087a079d541f7ba841894c86c00827865f0f508ee297df45e8825d7d74bbbe16bf1f81d46f9af503a6191c9e65df674c4a5ae28172b5b03986f SHA512 7619aa223ee50d0f5e270ac9090e95b2b1ba5dfc656c98f625a9a277dda472fb960a4e89a7ba300044cb401b2072b2ca6a6fcce8206d927bf373d1c981806a93
DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894 SHA512 144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687
DIST openssl-1.1.0-build.patch 3028 BLAKE2B f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0
DIST openssl-1.1.0-ec-curves.patch 2967 BLAKE2B 1c639514445ea85cf731732aa7901b5a03ddb5f637b0483ab2ec6825433ad978723c5a07316db684bdaca4a12fc673b4e049a49c0cd4dbe5f25a5e2bd3b75cf5 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2
diff --git a/dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch b/dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch
deleted file mode 100644
index c99ef4abb85..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-http://bugs.gentoo.org/181438
-http://bugs.gentoo.org/327421
-https://rt.openssl.org/Ticket/Display.html?id=3331&user=guest&pass=guest
-
-make sure we respect LDFLAGS
-
-also make sure we don't add useless -rpath flags to the system libdir
-
---- Makefile.org
-+++ Makefile.org
-@@ -189,6 +189,7 @@
- MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
- DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)' \
- MAKEDEPPROG='$(MAKEDEPPROG)' \
-+ LDFLAGS='${LDFLAGS}' \
- SHARED_LDFLAGS='$(SHARED_LDFLAGS)' \
- KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)' \
- ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)' \
---- Makefile.shared
-+++ Makefile.shared
-@@ -153,7 +153,7 @@
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(LDFLAGS) $(CFLAGS)"
-
- #This is rather special. It's a special target with which one can link
- #applications without bothering with any features that have anything to
diff --git a/dev-libs/openssl/files/openssl-1.0.1p-default-source.patch b/dev-libs/openssl/files/openssl-1.0.1p-default-source.patch
deleted file mode 100644
index 73029985ae0..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.1p-default-source.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-https://bugs.gentoo.org/554338
-https://rt.openssl.org/Ticket/Display.html?id=3934&user=guest&pass=guest
-
-From 7c2e97f8bbae517496fdc11f475b4ae54b2534f5 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Fri, 10 Jul 2015 01:50:52 -0400
-Subject: [PATCH] test: use _DEFAULT_SOURCE with newer glibc versions
-
-The _BSD_SOURCE macro is replaced by the _DEFAULT_SOURCE macro. Using
-just the former with newer versions leads to a build time warning, so
-make sure to use the new macro too.
----
- ssl/ssltest.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ssl/ssltest.c b/ssl/ssltest.c
-index 26cf96c..b36f667 100644
---- a/ssl/ssltest.c
-+++ b/ssl/ssltest.c
-@@ -141,6 +141,7 @@
- */
-
- /* Or gethostname won't be declared properly on Linux and GNU platforms. */
-+#define _DEFAULT_SOURCE 1
- #define _BSD_SOURCE 1
-
- #include <assert.h>
---
-2.4.4
-
diff --git a/dev-libs/openssl/files/openssl-1.0.2-ipv6.patch b/dev-libs/openssl/files/openssl-1.0.2-ipv6.patch
deleted file mode 100644
index 27574ea616d..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2-ipv6.patch
+++ /dev/null
@@ -1,611 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2051&user=guest&pass=guest
-
---- openssl-1.0.2/apps/s_apps.h
-+++ openssl-1.0.2/apps/s_apps.h
-@@ -154,7 +154,7 @@
- int do_server(int port, int type, int *ret,
- int (*cb) (char *hostname, int s, int stype,
- unsigned char *context), unsigned char *context,
-- int naccept);
-+ int naccept, int use_ipv4, int use_ipv6);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -167,7 +167,8 @@
- int ssl_print_curves(BIO *out, SSL *s, int noshared);
- #endif
- int ssl_print_tmp_key(BIO *out, SSL *s);
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, int port, int type,
-+ int use_ipv4, int use_ipv6);
- int should_retry(int i);
- int extract_port(char *str, short *port_ptr);
- int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
---- openssl-1.0.2/apps/s_client.c
-+++ openssl-1.0.2/apps/s_client.c
-@@ -302,6 +302,10 @@
- {
- BIO_printf(bio_err, "usage: s_client args\n");
- BIO_printf(bio_err, "\n");
-+ BIO_printf(bio_err, " -4 - use IPv4 only\n");
-+#if OPENSSL_USE_IPV6
-+ BIO_printf(bio_err, " -6 - use IPv6 only\n");
-+#endif
- BIO_printf(bio_err, " -host host - use -connect instead\n");
- BIO_printf(bio_err, " -port port - use -connect instead\n");
- BIO_printf(bio_err,
-@@ -658,6 +662,7 @@
- int sbuf_len, sbuf_off;
- fd_set readfds, writefds;
- short port = PORT;
-+ int use_ipv4, use_ipv6;
- int full_log = 1;
- char *host = SSL_HOST_NAME;
- char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
-@@ -709,7 +714,11 @@
- #endif
- char *sess_in = NULL;
- char *sess_out = NULL;
-- struct sockaddr peer;
-+#if OPENSSL_USE_IPV6
-+ struct sockaddr_storage peer;
-+#else
-+ struct sockaddr_in peer;
-+#endif
- int peerlen = sizeof(peer);
- int fallback_scsv = 0;
- int enable_timeouts = 0;
-@@ -737,6 +746,12 @@
-
- meth = SSLv23_client_method();
-
-+ use_ipv4 = 1;
-+#if OPENSSL_USE_IPV6
-+ use_ipv6 = 1;
-+#else
-+ use_ipv6 = 0;
-+#endif
- apps_startup();
- c_Pause = 0;
- c_quiet = 0;
-@@ -1096,6 +1111,16 @@
- jpake_secret = *++argv;
- }
- #endif
-+ else if (strcmp(*argv,"-4") == 0) {
-+ use_ipv4 = 1;
-+ use_ipv6 = 0;
-+ }
-+#if OPENSSL_USE_IPV6
-+ else if (strcmp(*argv,"-6") == 0) {
-+ use_ipv4 = 0;
-+ use_ipv6 = 1;
-+ }
-+#endif
- #ifndef OPENSSL_NO_SRTP
- else if (strcmp(*argv, "-use_srtp") == 0) {
- if (--argc < 1)
-@@ -1421,7 +1446,7 @@
-
- re_start:
-
-- if (init_client(&s, host, port, socket_type) == 0) {
-+ if (init_client(&s, host, port, socket_type, use_ipv4, use_ipv6) == 0) {
- BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
- SHUTDOWN(s);
- goto end;
-@@ -1444,7 +1469,7 @@
- if (socket_type == SOCK_DGRAM) {
-
- sbio = BIO_new_dgram(s, BIO_NOCLOSE);
-- if (getsockname(s, &peer, (void *)&peerlen) < 0) {
-+ if (getsockname(s, (struct sockaddr *)&peer, (void *)&peerlen) < 0) {
- BIO_printf(bio_err, "getsockname:errno=%d\n",
- get_last_socket_error());
- SHUTDOWN(s);
---- openssl-1.0.2/apps/s_server.c
-+++ openssl-1.0.2/apps/s_server.c
-@@ -643,6 +643,10 @@
- BIO_printf(bio_err,
- " -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n");
- #endif
-+ BIO_printf(bio_err, " -4 - use IPv4 only\n");
-+#if OPENSSL_USE_IPV6
-+ BIO_printf(bio_err, " -6 - use IPv6 only\n");
-+#endif
- BIO_printf(bio_err,
- " -keymatexport label - Export keying material using label\n");
- BIO_printf(bio_err,
-@@ -1070,6 +1074,7 @@
- int state = 0;
- const SSL_METHOD *meth = NULL;
- int socket_type = SOCK_STREAM;
-+ int use_ipv4, use_ipv6;
- ENGINE *e = NULL;
- char *inrand = NULL;
- int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
-@@ -1111,6 +1116,12 @@
-
- meth = SSLv23_server_method();
-
-+ use_ipv4 = 1;
-+#if OPENSSL_USE_IPV6
-+ use_ipv6 = 1;
-+#else
-+ use_ipv6 = 0;
-+#endif
- local_argc = argc;
- local_argv = argv;
-
-@@ -1503,6 +1514,16 @@
- jpake_secret = *(++argv);
- }
- #endif
-+ else if (strcmp(*argv,"-4") == 0) {
-+ use_ipv4 = 1;
-+ use_ipv6 = 0;
-+ }
-+#if OPENSSL_USE_IPV6
-+ else if (strcmp(*argv,"-6") == 0) {
-+ use_ipv4 = 0;
-+ use_ipv6 = 1;
-+ }
-+#endif
- #ifndef OPENSSL_NO_SRTP
- else if (strcmp(*argv, "-use_srtp") == 0) {
- if (--argc < 1)
-@@ -2023,13 +2044,13 @@
- (void)BIO_flush(bio_s_out);
- if (rev)
- do_server(port, socket_type, &accept_socket, rev_body, context,
-- naccept);
-+ naccept, use_ipv4, use_ipv6);
- else if (www)
- do_server(port, socket_type, &accept_socket, www_body, context,
-- naccept);
-+ naccept, use_ipv4, use_ipv6);
- else
- do_server(port, socket_type, &accept_socket, sv_body, context,
-- naccept);
-+ naccept, use_ipv4, use_ipv6);
- print_stats(bio_s_out, ctx);
- ret = 0;
- end:
---- openssl-1.0.2/apps/s_socket.c
-+++ openssl-1.0.2/apps/s_socket.c
-@@ -101,16 +101,16 @@
- # include "netdb.h"
- # endif
-
--static struct hostent *GetHostByName(char *name);
-+static struct hostent *GetHostByName(char *name, int domain);
- # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
- static void ssl_sock_cleanup(void);
- # endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port, char *ip, int type);
-+static int init_client_ip(int *sock, unsigned char *ip, int port, int type, int domain);
-+static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6);
-+static int init_server_long(int *sock, int port, char *ip, int type, int use_ipv4, int use_ipv6);
- static int do_accept(int acc_sock, int *sock, char **host);
--static int host_ip(char *str, unsigned char ip[4]);
-+static int host_ip(char *str, unsigned char *ip, int domain);
-
- # ifdef OPENSSL_SYS_WIN16
- # define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
-@@ -231,38 +231,68 @@
- return (1);
- }
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, int port, int type, int use_ipv4, int use_ipv6)
- {
-+# if OPENSSL_USE_IPV6
-+ unsigned char ip[16];
-+# else
- unsigned char ip[4];
-+# endif
-
-- memset(ip, '\0', sizeof ip);
-- if (!host_ip(host, &(ip[0])))
-- return 0;
-- return init_client_ip(sock, ip, port, type);
--}
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
--{
-- unsigned long addr;
-+ if (use_ipv4)
-+ if (host_ip(host, ip, AF_INET))
-+ return(init_client_ip(sock, ip, port, type, AF_INET));
-+# if OPENSSL_USE_IPV6
-+ if (use_ipv6)
-+ if (host_ip(host, ip, AF_INET6))
-+ return(init_client_ip(sock, ip, port, type, AF_INET6));
-+# endif
-+ return 0;
-+}
-+
-+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type, int domain)
-+{
-+# if OPENSSL_USE_IPV6
-+ struct sockaddr_storage them;
-+ struct sockaddr_in *them_in = (struct sockaddr_in *)&them;
-+ struct sockaddr_in6 *them_in6 = (struct sockaddr_in6 *)&them;
-+# else
- struct sockaddr_in them;
-+ struct sockaddr_in *them_in = &them;
-+# endif
-+ socklen_t addr_len;
- int s, i;
-
- if (!ssl_sock_init())
- return (0);
-
- memset((char *)&them, 0, sizeof(them));
-- them.sin_family = AF_INET;
-- them.sin_port = htons((unsigned short)port);
-- addr = (unsigned long)
-- ((unsigned long)ip[0] << 24L) |
-- ((unsigned long)ip[1] << 16L) |
-- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
-- them.sin_addr.s_addr = htonl(addr);
-+ if (domain == AF_INET) {
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in);
-+ them_in->sin_family=AF_INET;
-+ them_in->sin_port=htons((unsigned short)port);
-+# ifndef BIT_FIELD_LIMITS
-+ memcpy(&them_in->sin_addr.s_addr, ip, 4);
-+# else
-+ memcpy(&them_in->sin_addr, ip, 4);
-+# endif
-+ }
-+ else
-+# if OPENSSL_USE_IPV6
-+ {
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in6);
-+ them_in6->sin6_family=AF_INET6;
-+ them_in6->sin6_port=htons((unsigned short)port);
-+ memcpy(&(them_in6->sin6_addr), ip, sizeof(struct in6_addr));
-+ }
-+# else
-+ return(0);
-+# endif
-
- if (type == SOCK_STREAM)
-- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
-+ s = socket(domain, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* ( type == SOCK_DGRAM) */
-- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-+ s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
-
- if (s == INVALID_SOCKET) {
- perror("socket");
-@@ -280,7 +310,7 @@
- }
- # endif
-
-- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
-+ if (connect(s, (struct sockaddr *)&them, addr_len) == -1) {
- closesocket(s);
- perror("connect");
- return (0);
-@@ -292,14 +322,14 @@
- int do_server(int port, int type, int *ret,
- int (*cb) (char *hostname, int s, int stype,
- unsigned char *context), unsigned char *context,
-- int naccept)
-+ int naccept, int use_ipv4, int use_ipv6)
- {
- int sock;
- char *name = NULL;
- int accept_socket = 0;
- int i;
-
-- if (!init_server(&accept_socket, port, type))
-+ if (!init_server(&accept_socket, port, type, use_ipv4, use_ipv6))
- return (0);
-
- if (ret != NULL) {
-@@ -328,32 +358,41 @@
- }
- }
-
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server_long(int *sock, int port, char *ip, int type, int use_ipv4, int use_ipv6)
- {
- int ret = 0;
-+ int domain;
-+# if OPENSSL_USE_IPV6
-+ struct sockaddr_storage server;
-+ struct sockaddr_in *server_in = (struct sockaddr_in *)&server;
-+ struct sockaddr_in6 *server_in6 = (struct sockaddr_in6 *)&server;
-+# else
- struct sockaddr_in server;
-+ struct sockaddr_in *server_in = &server;
-+# endif
-+ socklen_t addr_len;
- int s = -1;
-
-+ if (!use_ipv4 && !use_ipv6)
-+ goto err;
-+# if OPENSSL_USE_IPV6
-+ /* we are fine here */
-+# else
-+ if (use_ipv6)
-+ goto err;
-+# endif
- if (!ssl_sock_init())
- return (0);
-
-- memset((char *)&server, 0, sizeof(server));
-- server.sin_family = AF_INET;
-- server.sin_port = htons((unsigned short)port);
-- if (ip == NULL)
-- server.sin_addr.s_addr = INADDR_ANY;
-- else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--# ifndef BIT_FIELD_LIMITS
-- memcpy(&server.sin_addr.s_addr, ip, 4);
-+#if OPENSSL_USE_IPV6
-+ domain = use_ipv6 ? AF_INET6 : AF_INET;
- # else
-- memcpy(&server.sin_addr, ip, 4);
-+ domain = AF_INET;
- # endif
--
- if (type == SOCK_STREAM)
-- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
-- else /* type == SOCK_DGRAM */
-- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-+ s=socket(domain, SOCK_STREAM, SOCKET_PROTOCOL);
-+ else /* type == SOCK_DGRAM */
-+ s=socket(domain, SOCK_DGRAM, IPPROTO_UDP);
-
- if (s == INVALID_SOCKET)
- goto err;
-@@ -363,7 +402,42 @@
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
- }
- # endif
-- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-+# if OPENSSL_USE_IPV6
-+ if ((use_ipv4 == 0) && (use_ipv6 == 1)) {
-+ const int on = 1;
-+
-+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-+ (const void *) &on, sizeof(int));
-+ }
-+# endif
-+ if (domain == AF_INET) {
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in);
-+ memset(server_in, 0, sizeof(struct sockaddr_in));
-+ server_in->sin_family=AF_INET;
-+ server_in->sin_port = htons((unsigned short)port);
-+ if (ip == NULL)
-+ server_in->sin_addr.s_addr = htonl(INADDR_ANY);
-+ else
-+/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
-+# ifndef BIT_FIELD_LIMITS
-+ memcpy(&server_in->sin_addr.s_addr, ip, 4);
-+# else
-+ memcpy(&server_in->sin_addr, ip, 4);
-+# endif
-+ }
-+# if OPENSSL_USE_IPV6
-+ else {
-+ addr_len = (socklen_t)sizeof(struct sockaddr_in6);
-+ memset(server_in6, 0, sizeof(struct sockaddr_in6));
-+ server_in6->sin6_family = AF_INET6;
-+ server_in6->sin6_port = htons((unsigned short)port);
-+ if (ip == NULL)
-+ server_in6->sin6_addr = in6addr_any;
-+ else
-+ memcpy(&server_in6->sin6_addr, ip, sizeof(struct in6_addr));
-+ }
-+# endif
-+ if (bind(s, (struct sockaddr *)&server, addr_len) == -1) {
- # ifndef OPENSSL_SYS_WINDOWS
- perror("bind");
- # endif
-@@ -381,16 +455,23 @@
- return (ret);
- }
-
--static int init_server(int *sock, int port, int type)
-+static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6)
- {
-- return (init_server_long(sock, port, NULL, type));
-+ return (init_server_long(sock, port, NULL, type, use_ipv4, use_ipv6));
- }
-
- static int do_accept(int acc_sock, int *sock, char **host)
- {
- int ret;
- struct hostent *h1, *h2;
-- static struct sockaddr_in from;
-+#if OPENSSL_USE_IPV6
-+ struct sockaddr_storage from;
-+ struct sockaddr_in *from_in = (struct sockaddr_in *)&from;
-+ struct sockaddr_in6 *from_in6 = (struct sockaddr_in6 *)&from;
-+#else
-+ struct sockaddr_in from;
-+ struct sockaddr_in *from_in = &from;
-+#endif
- int len;
- /* struct linger ling; */
-
-@@ -440,14 +521,25 @@
-
- if (host == NULL)
- goto end;
-+# if OPENSSL_USE_IPV6
-+ if (from.ss_family == AF_INET)
-+# else
-+ if (from.sin_family == AF_INET)
-+# endif
- # ifndef BIT_FIELD_LIMITS
-- /* I should use WSAAsyncGetHostByName() under windows */
-- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
-- sizeof(from.sin_addr.s_addr), AF_INET);
-+ /* I should use WSAAsyncGetHostByName() under windows */
-+ h1 = gethostbyaddr((char *)&from_in->sin_addr.s_addr,
-+ sizeof(from_in->sin_addr.s_addr), AF_INET);
- # else
-- h1 = gethostbyaddr((char *)&from.sin_addr,
-- sizeof(struct in_addr), AF_INET);
-+ h1 = gethostbyaddr((char *)&from_in->sin_addr,
-+ sizeof(struct in_addr), AF_INET);
-+# endif
-+# if OPENSSL_USE_IPV6
-+ else
-+ h1 = gethostbyaddr((char *)&from_in6->sin6_addr,
-+ sizeof(struct in6_addr), AF_INET6);
- # endif
-+
- if (h1 == NULL) {
- BIO_printf(bio_err, "bad gethostbyaddr\n");
- *host = NULL;
-@@ -460,14 +552,22 @@
- }
- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
-
-- h2 = GetHostByName(*host);
-+# if OPENSSL_USE_IPV6
-+ h2=GetHostByName(*host, from.ss_family);
-+# else
-+ h2=GetHostByName(*host, from.sin_family);
-+# endif
- if (h2 == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- closesocket(ret);
- return (0);
- }
-- if (h2->h_addrtype != AF_INET) {
-- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-+# if OPENSSL_USE_IPV6
-+ if (h2->h_addrtype != from.ss_family) {
-+# else
-+ if (h2->h_addrtype != from.sin_family) {
-+# endif
-+ BIO_printf(bio_err, "gethostbyname addr is not correct\n");
- closesocket(ret);
- return (0);
- }
-@@ -483,14 +583,14 @@
- char *h, *p;
-
- h = str;
-- p = strchr(str, ':');
-+ p = strrchr(str, ':');
- if (p == NULL) {
- BIO_printf(bio_err, "no port defined\n");
- return (0);
- }
- *(p++) = '\0';
-
-- if ((ip != NULL) && !host_ip(str, ip))
-+ if ((ip != NULL) && !host_ip(str, ip, AF_INET))
- goto err;
- if (host_ptr != NULL)
- *host_ptr = h;
-@@ -502,44 +602,51 @@
- return (0);
- }
-
--static int host_ip(char *str, unsigned char ip[4])
-+static int host_ip(char *str, unsigned char *ip, int domain)
- {
- unsigned int in[4];
-+ unsigned long l;
- int i;
-
-- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
-- 4) {
-+ if ((domain == AF_INET) && (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) == 4)) {
- for (i = 0; i < 4; i++)
- if (in[i] > 255) {
- BIO_printf(bio_err, "invalid IP address\n");
- goto err;
- }
-- ip[0] = in[0];
-- ip[1] = in[1];
-- ip[2] = in[2];
-- ip[3] = in[3];
-- } else { /* do a gethostbyname */
-+ l=htonl((in[0]<<24L)|(in[1]<<16L)|(in[2]<<8L)|in[3]);
-+ memcpy(ip, &l, 4);
-+ return 1;
-+ }
-+# if OPENSSL_USE_IPV6
-+ else if ((domain == AF_INET6) && (inet_pton(AF_INET6, str, ip) == 1))
-+ return 1;
-+# endif
-+ else { /* do a gethostbyname */
- struct hostent *he;
-
- if (!ssl_sock_init())
- return (0);
-
-- he = GetHostByName(str);
-+ he = GetHostByName(str, domain);
- if (he == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- goto err;
- }
- /* cast to short because of win16 winsock definition */
-- if ((short)he->h_addrtype != AF_INET) {
-- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-+ if ((short)he->h_addrtype != domain) {
-+ BIO_printf(bio_err, "gethostbyname addr is not correct\n");
- return (0);
- }
-- ip[0] = he->h_addr_list[0][0];
-- ip[1] = he->h_addr_list[0][1];
-- ip[2] = he->h_addr_list[0][2];
-- ip[3] = he->h_addr_list[0][3];
-+ if (domain == AF_INET)
-+ memset(ip, 0, 4);
-+# if OPENSSL_USE_IPV6
-+ else
-+ memset(ip, 0, 16);
-+# endif
-+ memcpy(ip, he->h_addr_list[0], he->h_length);
-+ return 1;
- }
-- return (1);
- err:
- return (0);
- }
-@@ -573,7 +680,7 @@
- static unsigned long ghbn_hits = 0L;
- static unsigned long ghbn_miss = 0L;
-
--static struct hostent *GetHostByName(char *name)
-+static struct hostent *GetHostByName(char *name, int domain)
- {
- struct hostent *ret;
- int i, lowi = 0;
-@@ -585,13 +692,18 @@
- lowi = i;
- }
- if (ghbn_cache[i].order > 0) {
-- if (strncmp(name, ghbn_cache[i].name, 128) == 0)
-+ if ((strncmp(name, ghbn_cache[i].name, 128) == 0) && (ghbn_cache[i].ent.h_addrtype == domain))
- break;
- }
- }
- if (i == GHBN_NUM) { /* no hit */
- ghbn_miss++;
-- ret = gethostbyname(name);
-+ if (domain == AF_INET)
-+ ret = gethostbyname(name);
-+# if OPENSSL_USE_IPV6
-+ else
-+ ret = gethostbyname2(name, AF_INET6);
-+# endif
- if (ret == NULL)
- return (NULL);
- /* else add to cache */
diff --git a/dev-libs/openssl/files/openssl-1.0.2a-parallel-install-dirs.patch b/dev-libs/openssl/files/openssl-1.0.2a-parallel-install-dirs.patch
deleted file mode 100644
index 0198818c5fa..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2a-parallel-install-dirs.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3736&user=guest&pass=guest
-
-From aba899f2eca21e11e5e9797bf8258e7265dea9f5 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sun, 8 Mar 2015 01:32:01 -0500
-Subject: [PATCH] fix parallel install with dir creation
-
-The mkdir-p.pl does not handle parallel creation of directories.
-This comes up when the install_sw and install_docs rules run and
-both call mkdir-p.pl on sibling directory trees.
-
-Instead, lets create a single install_dirs rule that makes all of
-the dirs we need, and have these two install steps depend on that.
----
- Makefile.org | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/Makefile.org b/Makefile.org
-index a6d9471..78e6143 100644
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -536,9 +536,9 @@
- dist_pem_h:
- (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
-
--install: all install_docs install_sw
-+install: install_docs install_sw
-
--install_sw:
-+install_dirs:
- @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -547,6 +547,13 @@
- $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+ @$(PERL) $(TOP)/util/mkdir-p.pl \
-+ $(INSTALL_PREFIX)$(MANDIR)/man1 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man3 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man5 \
-+ $(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-@@ -636,12 +643,7 @@
- done; \
- done
-
--install_docs:
-- @$(PERL) $(TOP)/util/mkdir-p.pl \
-- $(INSTALL_PREFIX)$(MANDIR)/man1 \
-- $(INSTALL_PREFIX)$(MANDIR)/man3 \
-- $(INSTALL_PREFIX)$(MANDIR)/man5 \
-- $(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- here="`pwd`"; \
- filecase=; \
---
-2.3.4
-
diff --git a/dev-libs/openssl/files/openssl-1.0.2a-parallel-obj-headers.patch b/dev-libs/openssl/files/openssl-1.0.2a-parallel-obj-headers.patch
deleted file mode 100644
index a7d6f4effea..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2a-parallel-obj-headers.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3737&user=guest&pass=guest
-
-From ce279d4361e07e9af9ceca8a6e326e661758ad53 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sun, 8 Mar 2015 01:34:48 -0500
-Subject: [PATCH] fix parallel generation of obj headers
-
-The current code has dummy sleep/touch commands to try and work
-around the parallel issue, but that is obviously racy. Instead
-lets force one of the files to depend on the other so we know
-they'll never run in parallel.
----
- crypto/objects/Makefile | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/objects/Makefile b/crypto/objects/Makefile
-index ad2db1e..7d32504 100644
---- a/crypto/objects/Makefile
-+++ b/crypto/objects/Makefile
-@@ -44,11 +44,11 @@
- # objects.pl both reads and writes obj_mac.num
- obj_mac.h: objects.pl objects.txt obj_mac.num
- $(PERL) objects.pl objects.txt obj_mac.num obj_mac.h
-- @sleep 1; touch obj_mac.h; sleep 1
-
--obj_xref.h: objxref.pl obj_xref.txt obj_mac.num
-+# This doesn't really need obj_mac.h, but since that rule reads & writes
-+# obj_mac.num, we can't run in parallel with it.
-+obj_xref.h: objxref.pl obj_xref.txt obj_mac.num obj_mac.h
- $(PERL) objxref.pl obj_mac.num obj_xref.txt > obj_xref.h
-- @sleep 1; touch obj_xref.h; sleep 1
-
- files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
---
-2.3.4
-
diff --git a/dev-libs/openssl/files/openssl-1.0.2a-parallel-symlinking.patch b/dev-libs/openssl/files/openssl-1.0.2a-parallel-symlinking.patch
deleted file mode 100644
index f2be696b106..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2a-parallel-symlinking.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3780&user=guest&pass=guest
-
-From cc81af135bda47eaa6956a0329cbbc55bf993ac1 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Fri, 3 Apr 2015 01:16:23 -0400
-Subject: [PATCH] fix race when symlink shareds libs
-
-When the crypto/ssl targets attempt to build their shared libs, they run:
- cd ..; make libcrypto.so.1.0.0
-The top level Makefile in turn runs the build-shared target for that lib.
-
-The build-shared target depends on both do_$(SHLIB_TARGET) & link-shared.
-When building in parallel, make is allowed to run both of these. They
-both run Makefile.shared for their respective targets:
-do_$(SHLIB_TARGET) ->
- link_a.linux-shared ->
- link_a.gnu ->
- ...; $(LINK_SO_A) ->
- $(LINK_SO) ->
- $(SYMLINK_SO)
-link-shared ->
- symlink.linux-shared ->
- symlink.gnu ->
- ...; $(SYMLINK_SO)
-
-The shell code for SYMLINK_SO attempts to do a [ -e lib ] check, but fails
-basic TOCTOU semantics. Depending on the load, that means two processes
-will run the sequence:
- rm -f libcrypto.so
- ln -s libcrypto.so.1.0.0 libcrypto.so
-
-Which obviously fails:
- ln: failed to create symbolic link 'libcrypto.so': File exists
-
-Since we know do_$(SHLIB_TARGET) will create the symlink for us, don't
-bother depending on link-shared at all in the top level Makefile when
-building things.
-
-Reported-by: Martin von Gagern <Martin.vGagern@gmx.net>
-URL: https://bugs.gentoo.org/545028
----
- Makefile.org | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.org b/Makefile.org
-index 890bfe4..576c60e 100644
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -350,7 +350,10 @@ link-shared:
- libs="$$libs -l$$i"; \
- done
-
--build-shared: do_$(SHLIB_TARGET) link-shared
-+# The link target in Makefile.shared will create the symlink for us, so no need
-+# to call link-shared directly. Doing so will cause races with two processes
-+# trying to symlink the lib.
-+build-shared: do_$(SHLIB_TARGET)
-
- do_$(SHLIB_TARGET):
- @ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
---
-2.3.4
-
diff --git a/dev-libs/openssl/files/openssl-1.0.2i-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2i-parallel-build.patch
deleted file mode 100644
index 387a077da27..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2i-parallel-build.patch
+++ /dev/null
@@ -1,326 +0,0 @@
---- openssl-1.0.2i/crypto/Makefile
-+++ openssl-1.0.2i/crypto/Makefile
-@@ -85,11 +85,11 @@
- @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
-
- subdirs:
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
-- @target=files; $(RECURSIVE_MAKE)
-+ +@target=files; $(RECURSIVE_MAKE)
-
- links:
- @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib: $(LIB)
- @touch lib
--$(LIB): $(LIBOBJ)
-+$(LIB): $(LIBOBJ) | subdirs
- $(AR) $(LIB) $(LIBOBJ)
- test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- $(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@
- fi
-
- libs:
-- @target=lib; $(RECURSIVE_MAKE)
-+ +@target=lib; $(RECURSIVE_MAKE)
-
- install:
- @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- lint:
- @target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.2i/engines/Makefile
-+++ openssl-1.0.2i/engines/Makefile
-@@ -72,7 +72,7 @@
-
- all: lib subdirs
-
--lib: $(LIBOBJ)
-+lib: $(LIBOBJ) | subdirs
- @if [ -n "$(SHARED_LIBS)" ]; then \
- set -e; \
- for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
-
- subdirs:
- echo $(EDIRS)
-- @target=all; $(RECURSIVE_MAKE)
-+ +@target=all; $(RECURSIVE_MAKE)
-
- files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- done; \
- fi
-- @target=install; $(RECURSIVE_MAKE)
-+ +@target=install; $(RECURSIVE_MAKE)
-
- tags:
- ctags $(SRC)
---- openssl-1.0.2i/Makefile.org
-+++ openssl-1.0.2i/Makefile.org
-@@ -281,17 +281,17 @@
- build_libssl: build_ssl libssl.pc
-
- build_crypto:
-- @dir=crypto; target=all; $(BUILD_ONE_CMD)
-+ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
-- @dir=ssl; target=all; $(BUILD_ONE_CMD)
-+ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
-- @dir=engines; target=all; $(BUILD_ONE_CMD)
-+ +@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
-- @dir=apps; target=all; $(BUILD_ONE_CMD)
-+ +@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
-- @dir=test; target=all; $(BUILD_ONE_CMD)
-+ +@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
-- @dir=tools; target=all; $(BUILD_ONE_CMD)
-+ +@dir=tools; target=all; $(BUILD_ONE_CMD)
-
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -547,7 +547,7 @@
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- do \
- if [ -f "$$i" ]; then \
---- openssl-1.0.2i/Makefile.shared
-+++ openssl-1.0.2i/Makefile.shared
-@@ -105,6 +105,7 @@
- SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
- LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
- LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+ [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
- $${SHAREDCMD} $${SHAREDFLAGS} \
- -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +123,7 @@
- done; \
- fi; \
- if [ -n "$$SHLIB_SOVER" ]; then \
-+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- fi; \
---- openssl-1.0.2i/test/Makefile
-+++ openssl-1.0.2i/test/Makefile
-@@ -144,7 +144,7 @@
- tags:
- ctags $(SRC)
-
--tests: exe apps $(TESTS)
-+tests: exe $(TESTS)
-
- apps:
- @(cd ..; $(MAKE) DIRS=apps all)
-@@ -435,136 +435,136 @@
- link_app.$${shlib_target}
-
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
-- @target=$(RSATEST); $(BUILD_CMD)
-+ +@target=$(RSATEST); $(BUILD_CMD)
-
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
-- @target=$(BNTEST); $(BUILD_CMD)
-+ +@target=$(BNTEST); $(BUILD_CMD)
-
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
-- @target=$(ECTEST); $(BUILD_CMD)
-+ +@target=$(ECTEST); $(BUILD_CMD)
-
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
-- @target=$(EXPTEST); $(BUILD_CMD)
-+ +@target=$(EXPTEST); $(BUILD_CMD)
-
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
-- @target=$(IDEATEST); $(BUILD_CMD)
-+ +@target=$(IDEATEST); $(BUILD_CMD)
-
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
-- @target=$(MD2TEST); $(BUILD_CMD)
-+ +@target=$(MD2TEST); $(BUILD_CMD)
-
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
-- @target=$(SHATEST); $(BUILD_CMD)
-+ +@target=$(SHATEST); $(BUILD_CMD)
-
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
-- @target=$(SHA1TEST); $(BUILD_CMD)
-+ +@target=$(SHA1TEST); $(BUILD_CMD)
-
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
-- @target=$(SHA256TEST); $(BUILD_CMD)
-+ +@target=$(SHA256TEST); $(BUILD_CMD)
-
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
-- @target=$(SHA512TEST); $(BUILD_CMD)
-+ +@target=$(SHA512TEST); $(BUILD_CMD)
-
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
-- @target=$(RMDTEST); $(BUILD_CMD)
-+ +@target=$(RMDTEST); $(BUILD_CMD)
-
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
-- @target=$(MDC2TEST); $(BUILD_CMD)
-+ +@target=$(MDC2TEST); $(BUILD_CMD)
-
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
-- @target=$(MD4TEST); $(BUILD_CMD)
-+ +@target=$(MD4TEST); $(BUILD_CMD)
-
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
-- @target=$(MD5TEST); $(BUILD_CMD)
-+ +@target=$(MD5TEST); $(BUILD_CMD)
-
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
-- @target=$(HMACTEST); $(BUILD_CMD)
-+ +@target=$(HMACTEST); $(BUILD_CMD)
-
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
-- @target=$(WPTEST); $(BUILD_CMD)
-+ +@target=$(WPTEST); $(BUILD_CMD)
-
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
-- @target=$(RC2TEST); $(BUILD_CMD)
-+ +@target=$(RC2TEST); $(BUILD_CMD)
-
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
-- @target=$(BFTEST); $(BUILD_CMD)
-+ +@target=$(BFTEST); $(BUILD_CMD)
-
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
-- @target=$(CASTTEST); $(BUILD_CMD)
-+ +@target=$(CASTTEST); $(BUILD_CMD)
-
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
-- @target=$(RC4TEST); $(BUILD_CMD)
-+ +@target=$(RC4TEST); $(BUILD_CMD)
-
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
-- @target=$(RC5TEST); $(BUILD_CMD)
-+ +@target=$(RC5TEST); $(BUILD_CMD)
-
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
-- @target=$(DESTEST); $(BUILD_CMD)
-+ +@target=$(DESTEST); $(BUILD_CMD)
-
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
-- @target=$(RANDTEST); $(BUILD_CMD)
-+ +@target=$(RANDTEST); $(BUILD_CMD)
-
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
-- @target=$(DHTEST); $(BUILD_CMD)
-+ +@target=$(DHTEST); $(BUILD_CMD)
-
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
-- @target=$(DSATEST); $(BUILD_CMD)
-+ +@target=$(DSATEST); $(BUILD_CMD)
-
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
-- @target=$(METHTEST); $(BUILD_CMD)
-+ +@target=$(METHTEST); $(BUILD_CMD)
-
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
-- @target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+ +@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
-- @target=$(ENGINETEST); $(BUILD_CMD)
-+ +@target=$(ENGINETEST); $(BUILD_CMD)
-
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
-- @target=$(EVPTEST); $(BUILD_CMD)
-+ +@target=$(EVPTEST); $(BUILD_CMD)
-
- $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
-- @target=$(EVPEXTRATEST); $(BUILD_CMD)
-+ +@target=$(EVPEXTRATEST); $(BUILD_CMD)
-
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
-- @target=$(ECDSATEST); $(BUILD_CMD)
-+ +@target=$(ECDSATEST); $(BUILD_CMD)
-
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
-- @target=$(ECDHTEST); $(BUILD_CMD)
-+ +@target=$(ECDHTEST); $(BUILD_CMD)
-
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
-- @target=$(IGETEST); $(BUILD_CMD)
-+ +@target=$(IGETEST); $(BUILD_CMD)
-
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
-- @target=$(JPAKETEST); $(BUILD_CMD)
-+ +@target=$(JPAKETEST); $(BUILD_CMD)
-
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
-- @target=$(ASN1TEST); $(BUILD_CMD)
-+ +@target=$(ASN1TEST); $(BUILD_CMD)
-
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
-- @target=$(SRPTEST); $(BUILD_CMD)
-+ +@target=$(SRPTEST); $(BUILD_CMD)
-
- $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
-- @target=$(V3NAMETEST); $(BUILD_CMD)
-+ +@target=$(V3NAMETEST); $(BUILD_CMD)
-
- $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
-- @target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-+ +@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-
- $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
-- @target=$(CONSTTIMETEST) $(BUILD_CMD)
-+ +@target=$(CONSTTIMETEST) $(BUILD_CMD)
-
- $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
-- @target=$(VERIFYEXTRATEST) $(BUILD_CMD)
-+ +@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
-
- $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
-- @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
-+ +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
-
- $(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
-- @target=$(BADDTLSTEST) $(BUILD_CMD)
-+ +@target=$(BADDTLSTEST) $(BUILD_CMD)
-
- $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
-- @target=$(SSLV2CONFTEST) $(BUILD_CMD)
-+ +@target=$(SSLV2CONFTEST) $(BUILD_CMD)
-
- $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
-- @target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
-+ +@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
-
- #$(AESTEST).o: $(AESTEST).c
- # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -577,7 +577,7 @@
- # fi
-
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
-- @target=dummytest; $(BUILD_CMD)
-+ +@target=dummytest; $(BUILD_CMD)
-
- # DO NOT DELETE THIS LINE -- make depend depends on it.
-
diff --git a/dev-libs/openssl/openssl-1.0.2k.ebuild b/dev-libs/openssl/openssl-1.0.2k.ebuild
deleted file mode 100644
index 9ba2eeef6ad..00000000000
--- a/dev-libs/openssl/openssl-1.0.2k.ebuild
+++ /dev/null
@@ -1,254 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- # https://github.com/openssl/openssl/issues/2286
- if use ia64 ; then
- replace-flags -g3 -g2
- replace-flags -ggdb3 -ggdb2
- fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- $(use_ssl !bindist ec) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl sslv2 ssl2) \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
diff --git a/dev-libs/openssl/openssl-1.0.2l-r1.ebuild b/dev-libs/openssl/openssl-1.0.2l-r1.ebuild
deleted file mode 100644
index 4c78a177bf6..00000000000
--- a/dev-libs/openssl/openssl-1.0.2l-r1.ebuild
+++ /dev/null
@@ -1,296 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-#PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f25'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
- done
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
- for i in "${FEDORA_PATCH[@]}" ; do
- epatch "${DISTDIR}"/"${i}"
- done
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- # $(use_ssl !bindist srp) \
-
- fi
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- # https://github.com/openssl/openssl/issues/2286
- if use ia64 ; then
- replace-flags -g3 -g2
- replace-flags -ggdb3 -ggdb2
- fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- $(use_ssl !bindist srp) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl sslv2 ssl2) \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
diff --git a/dev-libs/openssl/openssl-1.0.2l.ebuild b/dev-libs/openssl/openssl-1.0.2l.ebuild
deleted file mode 100644
index 32431370450..00000000000
--- a/dev-libs/openssl/openssl-1.0.2l.ebuild
+++ /dev/null
@@ -1,254 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- # https://github.com/openssl/openssl/issues/2286
- if use ia64 ; then
- replace-flags -g3 -g2
- replace-flags -ggdb3 -ggdb2
- fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- $(use_ssl !bindist ec) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl sslv2 ssl2) \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
diff --git a/dev-libs/openssl/openssl-1.0.2m.ebuild b/dev-libs/openssl/openssl-1.0.2m.ebuild
deleted file mode 100644
index c356e4ff2bd..00000000000
--- a/dev-libs/openssl/openssl-1.0.2m.ebuild
+++ /dev/null
@@ -1,254 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
- epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
- epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
- epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
- epatch_user #332661
- fi
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired http://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- # https://github.com/openssl/openssl/issues/2286
- if use ia64 ; then
- replace-flags -g3 -g2
- replace-flags -ggdb3 -ggdb2
- fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- $(use_ssl !bindist ec) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl sslv2 ssl2) \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
- dohtml -r doc/*
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2018-06-12 10:40 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2018-06-12 10:40 UTC (permalink / raw
To: gentoo-commits
commit: e18f23bb2a2da949d03482b4a5f3a77c37d97c09
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 12 10:39:20 2018 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Jun 12 10:40:15 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18f23bb
dev-libs/openssl: Add patch for CVE-2018-0732
Package-Manager: Portage-2.3.40, Repoman-2.3.9
.../files/openssl-1.0.2o-CVE-2018-0732.patch | 39 +++
.../files/openssl-1.1.0h-CVE-2018-0732.patch | 39 +++
.../files/openssl-1.1.1_pre7-CVE-2018-0732.patch | 39 +++
dev-libs/openssl/openssl-1.0.2o-r4.ebuild | 294 ---------------------
...l-1.0.2o-r5.ebuild => openssl-1.0.2o-r6.ebuild} | 1 +
...l-1.1.0h-r1.ebuild => openssl-1.1.0h-r2.ebuild} | 1 +
....1_pre7.ebuild => openssl-1.1.1_pre7-r1.ebuild} | 1 +
7 files changed, 120 insertions(+), 294 deletions(-)
diff --git a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
new file mode 100644
index 00000000000..148e7c3bc1a
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
@@ -0,0 +1,39 @@
+From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f1467..f235e0d682b 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch
new file mode 100644
index 00000000000..e7dfba43f2a
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch
@@ -0,0 +1,39 @@
+From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index fce9ff47f36..58003d70878 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
diff --git a/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch
new file mode 100644
index 00000000000..6c336f2507a
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch
@@ -0,0 +1,39 @@
+From 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 6901548ed69..752542b5563 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
diff --git a/dev-libs/openssl/openssl-1.0.2o-r4.ebuild b/dev-libs/openssl/openssl-1.0.2o-r4.ebuild
deleted file mode 100644
index 335dce5ded3..00000000000
--- a/dev-libs/openssl/openssl-1.0.2o-r4.ebuild
+++ /dev/null
@@ -1,294 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-PATCH_SET="openssl-1.0.2-patches-1.4"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
- mirror://gentoo/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
- https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
- kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-#PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f25'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
- done
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
- for i in "${FEDORA_PATCH[@]}" ; do
- eapply "${DISTDIR}"/"${i}"
- done
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- # $(use_ssl !bindist srp) \
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- eapply "${WORKDIR}"/patch/*.patch
- fi
-
- eapply_user
-
- # disable fips in the build
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- sed -i \
- -e '/DIRS/s: fips : :g' \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- Makefile.org \
- || die
- # show the actual commands in the log
- sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
- # since we're forcing $(CC) as makedep anyway, just fix
- # the conditional as always-on
- # helps clang (#417795), and versioned gcc (#499818)
- sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- # https://github.com/openssl/openssl/issues/2286
- if use ia64 ; then
- replace-flags -g3 -g2
- replace-flags -ggdb3 -ggdb2
- fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- $(use_ssl !bindist srp) \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- enable-tlsext \
- $(use_ssl asm) \
- $(use_ssl gmp gmp -lgmp) \
- $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl sslv2 ssl2) \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
- -e 's:^CFLAG=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- )
- sed -i \
- -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
- -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
- # rehash is needed to prep the certs/ dir; do this
- # separately to avoid parallel build issues.
- emake rehash
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
- einstalldocs
-
- use rfc3779 && dodoc engines/ccgost/README.gost
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- dodir ${SSL_CNF_DIR}/certs
- cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
- rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
diff --git a/dev-libs/openssl/openssl-1.0.2o-r5.ebuild b/dev-libs/openssl/openssl-1.0.2o-r6.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.0.2o-r5.ebuild
rename to dev-libs/openssl/openssl-1.0.2o-r6.ebuild
index 5f43db3451e..f7ae84bae16 100644
--- a/dev-libs/openssl/openssl-1.0.2o-r5.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2o-r6.ebuild
@@ -90,6 +90,7 @@ src_prepare() {
if ! use vanilla ; then
eapply "${WORKDIR}"/patch/*.patch
+ eapply "${FILESDIR}"/${P}-CVE-2018-0732.patch
fi
eapply_user
diff --git a/dev-libs/openssl/openssl-1.1.0h-r1.ebuild b/dev-libs/openssl/openssl-1.1.0h-r2.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.0h-r1.ebuild
rename to dev-libs/openssl/openssl-1.1.0h-r2.ebuild
index 6e38d19eaf5..5881fe74d35 100644
--- a/dev-libs/openssl/openssl-1.1.0h-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0h-r2.ebuild
@@ -57,6 +57,7 @@ MULTILIB_WRAPPED_HEADERS=(
PATCHES=(
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
"${FILESDIR}"/${P}-CVE-2018-0737.patch
+ "${FILESDIR}"/${P}-CVE-2018-0732.patch
)
src_prepare() {
diff --git a/dev-libs/openssl/openssl-1.1.1_pre7.ebuild b/dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.1_pre7.ebuild
rename to dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild
index e022bf39b77..d7246b0d043 100644
--- a/dev-libs/openssl/openssl-1.1.1_pre7.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild
@@ -36,6 +36,7 @@ MULTILIB_WRAPPED_HEADERS=(
PATCHES=(
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ "${FILESDIR}"/${P}-CVE-2018-0732.patch
)
src_prepare() {
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2018-06-20 15:38 Lars Wendler
0 siblings, 0 replies; 36+ messages in thread
From: Lars Wendler @ 2018-06-20 15:38 UTC (permalink / raw
To: gentoo-commits
commit: 3cd2a2b440c58d5392a833dad8a718d2de292476
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Wed Jun 20 15:37:46 2018 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Wed Jun 20 15:38:35 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3cd2a2b4
dev-libs/openssl: Bump to version 1.1.1_pre8. Removed old.
Package-Manager: Portage-2.3.40, Repoman-2.3.9
dev-libs/openssl/Manifest | 2 +-
.../files/openssl-1.1.1_pre7-CVE-2018-0732.patch | 39 ----------------------
....1_pre7-r1.ebuild => openssl-1.1.1_pre8.ebuild} | 5 +--
3 files changed, 4 insertions(+), 42 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 0abab2d57a3..c8f76950a4e 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -10,4 +10,4 @@ DIST openssl-1.1.0h.tar.gz 5422717 BLAKE2B 11de1468855c0bb1836fb346c8efdfedd0613
DIST openssl-1.1.0h_ec_curve.c 18393 BLAKE2B 49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2beeeea15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879
DIST openssl-1.1.0h_ectest.c 29907 BLAKE2B 73dc800c1de5449f14d7753f7f7b8e672cd36bd4570e6df07f246d1d823c7dbbeef492f25cdd0ebfd693f5956732bc84c9d91fc6a22c854fe4b245ecf3890bda SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae
DIST openssl-1.1.0h_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
-DIST openssl-1.1.1-pre7.tar.gz 8308876 BLAKE2B 621cc6c541d81c2fa62e12eb75b62f1444af2bc1fcf001620515810700eacc3b36975a5b0c4764fed78c37ad1c9ad78b94f5115794b929626b085ccab15d9ab0 SHA512 38efa67b26e83a4dcb6da2d61d92b6be890535c61cec23d781d49efe66173fd9b9185b89ba50d591fed65f440417e16ba0738ffba58a684e48e8b82032ea36ff
+DIST openssl-1.1.1-pre8.tar.gz 8334954 BLAKE2B 97cd018908925abd5a4eb660b3488b23efb582dd49dd87504e5522b2e9c5c6500417ef4893590a60ce35cfa316de51bfbf3e448e9cb2a5858ecd8ae72722922d SHA512 33b20f8589e0ba67500993635e1ba7f7f7ce2b6fa1eb8d4d7c44711ff047045dde57ad7e0605377c2b030fc954a3fb9b1f1d68feac2080991ef2b1b72a761041
diff --git a/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch
deleted file mode 100644
index 6c336f2507a..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1_pre7-CVE-2018-0732.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe Mon Sep 17 00:00:00 2001
-From: Guido Vranken <guidovranken@gmail.com>
-Date: Mon, 11 Jun 2018 19:38:54 +0200
-Subject: [PATCH] Reject excessively large primes in DH key generation.
-
-CVE-2018-0732
-
-Signed-off-by: Guido Vranken <guidovranken@gmail.com>
-
-Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
-Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/6457)
----
- crypto/dh/dh_key.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 6901548ed69..752542b5563 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
- int ok = 0;
- int generate_new_key = 0;
- unsigned l;
-- BN_CTX *ctx;
-+ BN_CTX *ctx = NULL;
- BN_MONT_CTX *mont = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
-+ return 0;
-+ }
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
diff --git a/dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild b/dev-libs/openssl/openssl-1.1.1_pre8.ebuild
similarity index 97%
rename from dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild
rename to dev-libs/openssl/openssl-1.1.1_pre8.ebuild
index d7246b0d043..3acbe2ea21f 100644
--- a/dev-libs/openssl/openssl-1.1.1_pre7-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1_pre8.ebuild
@@ -14,7 +14,7 @@ LICENSE="openssl"
SLOT="0/1.1" # .so version of libssl/libcrypto
[[ "${PV}" = *_pre* ]] || \
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
RESTRICT="!bindist? ( bindist )"
RDEPEND=">=app-misc/c_rehash-1.7-r1
@@ -36,7 +36,6 @@ MULTILIB_WRAPPED_HEADERS=(
PATCHES=(
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- "${FILESDIR}"/${P}-CVE-2018-0732.patch
)
src_prepare() {
@@ -146,6 +145,8 @@ multilib_src_configure() {
enable-idea \
enable-mdc2 \
enable-rc5 \
+ $(use_ssl sslv3 ssl3) \
+ $(use_ssl sslv3 ssl3-method) \
$(use_ssl asm) \
$(use_ssl rfc3779) \
$(use_ssl sctp) \
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2018-11-12 18:36 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2018-11-12 18:36 UTC (permalink / raw
To: gentoo-commits
commit: 596a07e9526a752f67478eeae44c7d31c4d40932
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 12 18:26:35 2018 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Nov 12 18:36:46 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=596a07e9
dev-libs/openssl: add patch for CVE-2018-0734
Package-Manager: Portage-2.3.51, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
.../files/openssl-1.1.1-CVE-2018-0734.patch | 131 +++++++++++++++++++++
...ssl-1.1.1-r1.ebuild => openssl-1.1.1-r2.ebuild} | 1 +
2 files changed, 132 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0734.patch b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0734.patch
new file mode 100644
index 00000000000..dbc379c80d4
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0734.patch
@@ -0,0 +1,131 @@
+CVE-2018-0734
+https://github.com/openssl/openssl/commit/f1b12b8713a739f27d74e6911580b2e70aea2fa4
+https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
+
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -9,6 +9,7 @@
+
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
++#include "internal/bn_int.h"
+ #include <openssl/bn.h>
+ #include <openssl/sha.h>
+ #include "dsa_locl.h"
+@@ -23,6 +24,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
+ DSA_SIG *sig, DSA *dsa);
+ static int dsa_init(DSA *dsa);
+ static int dsa_finish(DSA *dsa);
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++ BN_CTX *ctx);
+
+ static DSA_METHOD openssl_dsa_meth = {
+ "OpenSSL DSA method",
+@@ -178,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ {
+ BN_CTX *ctx = NULL;
+ BIGNUM *k, *kinv = NULL, *r = *rp;
+- BIGNUM *l, *m;
++ BIGNUM *l;
+ int ret = 0;
+- int q_bits;
++ int q_bits, q_words;
+
+ if (!dsa->p || !dsa->q || !dsa->g) {
+ DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
+@@ -189,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+
+ k = BN_new();
+ l = BN_new();
+- m = BN_new();
+- if (k == NULL || l == NULL || m == NULL)
++ if (k == NULL || l == NULL)
+ goto err;
+
+ if (ctx_in == NULL) {
+@@ -201,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+
+ /* Preallocate space */
+ q_bits = BN_num_bits(dsa->q);
+- if (!BN_set_bit(k, q_bits)
+- || !BN_set_bit(l, q_bits)
+- || !BN_set_bit(m, q_bits))
++ q_words = bn_get_top(dsa->q);
++ if (!bn_wexpand(k, q_words + 2)
++ || !bn_wexpand(l, q_words + 2))
+ goto err;
+
+ /* Get random k */
+@@ -238,14 +240,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the modulus.
+ *
+- * TODO: revisit the BN_copy aiming for a memory access agnostic
+- * conditional copy.
++ * There are some concerns about the efficacy of doing this. More
++ * specificly refer to the discussion starting with:
++ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
++ * The fix is to rework BN so these gymnastics aren't required.
+ */
+ if (!BN_add(l, k, dsa->q)
+- || !BN_add(m, l, dsa->q)
+- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
++ || !BN_add(k, l, dsa->q))
+ goto err;
+
++ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
++
+ if ((dsa)->meth->bn_mod_exp != NULL) {
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
+ dsa->method_mont_p))
+@@ -258,8 +263,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ if (!BN_mod(r, r, dsa->q, ctx))
+ goto err;
+
+- /* Compute part of 's = inv(k) (m + xr) mod q' */
+- if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
++ /* Compute part of 's = inv(k) (m + xr) mod q' */
++ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
+ goto err;
+
+ BN_clear_free(*kinvp);
+@@ -273,7 +278,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ BN_CTX_free(ctx);
+ BN_clear_free(k);
+ BN_clear_free(l);
+- BN_clear_free(m);
+ return ret;
+ }
+
+@@ -393,3 +397,31 @@ static int dsa_finish(DSA *dsa)
+ BN_MONT_CTX_free(dsa->method_mont_p);
+ return 1;
+ }
++
++/*
++ * Compute the inverse of k modulo q.
++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
++ * mod-exp operation. Both the exponent and modulus are public information
++ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
++ * BIGNUM is returned which the caller must free.
++ */
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++ BN_CTX *ctx)
++{
++ BIGNUM *res = NULL;
++ BIGNUM *r, *e;
++
++ if ((r = BN_new()) == NULL)
++ return NULL;
++
++ BN_CTX_start(ctx);
++ if ((e = BN_CTX_get(ctx)) != NULL
++ && BN_set_word(r, 2)
++ && BN_sub(e, q, r)
++ && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
++ res = r;
++ else
++ BN_free(r);
++ BN_CTX_end(ctx);
++ return res;
++}
diff --git a/dev-libs/openssl/openssl-1.1.1-r1.ebuild b/dev-libs/openssl/openssl-1.1.1-r2.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.1-r1.ebuild
rename to dev-libs/openssl/openssl-1.1.1-r2.ebuild
index 01dfbd3ec61..87d4a44d49a 100644
--- a/dev-libs/openssl/openssl-1.1.1-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1-r2.ebuild
@@ -35,6 +35,7 @@ MULTILIB_WRAPPED_HEADERS=(
)
PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2018-0734.patch
"${FILESDIR}"/${P}-CVE-2018-0735.patch
)
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2018-11-20 14:46 Lars Wendler
0 siblings, 0 replies; 36+ messages in thread
From: Lars Wendler @ 2018-11-20 14:46 UTC (permalink / raw
To: gentoo-commits
commit: b28e60d76c3f7a1f4ff4322acd6aa006364f9de7
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 20 14:45:17 2018 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Nov 20 14:45:17 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b28e60d7
dev-libs/openssl: Security bump to versions 1.0.2q, 1.1.0j and 1.1.1a
Removed old.
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
dev-libs/openssl/Manifest | 21 ++--
.../files/openssl-1.1.0i-CVE-2018-0734.patch | 131 ---------------------
.../files/openssl-1.1.0i-CVE-2018-0735.patch | 44 -------
.../files/openssl-1.1.1-CVE-2018-0734.patch | 131 ---------------------
.../files/openssl-1.1.1-CVE-2018-0735.patch | 44 -------
...enssl-1.1.1-r3.ebuild => openssl-1.0.2q.ebuild} | 128 +++++++++++---------
...nssl-1.1.0i-r3.ebuild => openssl-1.1.0j.ebuild} | 2 -
...enssl-1.1.1-r3.ebuild => openssl-1.1.1a.ebuild} | 5 -
8 files changed, 85 insertions(+), 421 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 6586b888cd9..830b54cf634 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,17 +1,22 @@
DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
+DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
DIST openssl-1.0.2-patches-1.6.tar.xz 16004 BLAKE2B 28c7e9a8c8b09a34aa6ed21dec18b04c1d6140276e319cfa99b63db5ae188ca7837c444e8352748ffc86e6df7676534aef2f28788e825ee8207c0f876efb5b7b SHA512 eac9bbbebd8d942707ef385ee466929045bb4698985f7a0fb16f529f2101a246735cc2e654bfbdaa8a178224bb5ac564478a7587e6156cfcbdfe62a719bfb0a3
DIST openssl-1.0.2p.tar.gz 5338192 BLAKE2B fe4c0e2bf75d47a76e7377c7977be7bcaaa532061ab89ee989786eeb6495295711a29a88bf026c85d9ed55c97e71b0e9c8cf4c29b6e58a3dc56bcff518666823 SHA512 958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16
DIST openssl-1.0.2p_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
DIST openssl-1.0.2p_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
DIST openssl-1.0.2p_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
+DIST openssl-1.0.2q.tar.gz 5345604 BLAKE2B c03dd92de1cc8941a7f3e4d9f2fe6f8e4ea89eccc58743d7690491fc22cc54a9783311699b008aeb4a0d37cd3172154e67623c8ada6fc8dde57e80a5cd3c5fc1 SHA512 403e6cad42db3ba860c3fa4fa81c1b7b02f0b873259e5c19a7fc8e42de0854602555f1b1ca74f4e3a7737a4cbd3aac063061e628ec86534586500819fae7fec0
+DIST openssl-1.0.2q_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
+DIST openssl-1.0.2q_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
+DIST openssl-1.0.2q_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
DIST openssl-1.1.0-build.patch 3001 BLAKE2B 8f0ac4be6409b4ec50bec171697da2aebe2688e8ae06bd0dfac8b0c74661d38ebeb0a12bde0ef941b213eee9b85965262213b140636060285dcfb02a3bd14961 SHA512 ec6710e9669ac19e4c6f1286c89a383e7d276a773a2740037f98a8f2dbf18305614e7d30d9ed530923a0e7d10a3776fea2ca77229adc25df13ecad55589a3673
DIST openssl-1.1.0-ec-curves.patch 5311 BLAKE2B e9ec985adf6f13eb04412158a05da7cbe10be7d64bce73b899152ea379336ece7b7069089ef46993ac301ef850fd46fd0352898e249b2ea9fff5baf20896e5b5 SHA512 c38c4b05195f2b323a07efd8d17335ba2a168a16a59d7941da36568081f1c043da8d2216b7084b0617963635ded9bafeee736ecddbfa251cf0a02e4cba64cdc8
-DIST openssl-1.1.0i.tar.gz 5453234 BLAKE2B ae6bec9c116769d98a77165b96fb7d201fe2ede8ee98e3cb68eba496cc90a5fae38dbcbb68b824c9eeacb25605aa80c3ccca9b4f00725658da3ad646834b0f9d SHA512 4a9d454031f644a3072a980f4ea20df976f6c5c58178549dfa62fd4dcf1417509e3be517d2ccb265c87688836f2993531b142fc5971bac5c41d33060057627df
-DIST openssl-1.1.0i_ec_curve.c 18401 BLAKE2B f969071ac1b5d0e43b50d54e50b5c4d9201fc8b94458902e9849f14841b5505a2e43ed57a8c13255f042a211af9ee904776c155c36da838a8ad22e1052b02bc1 SHA512 a1c2bb3c3e3d342bddc8c952985e87fc4bad2e8142d5d760b18f346c44c20f00db61c4856f3dcf879b2098e0c036330762915f65d80a1a2cba717d2caeb95457
-DIST openssl-1.1.0i_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
-DIST openssl-1.1.0i_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
+DIST openssl-1.1.0j.tar.gz 5411919 BLAKE2B 0fbd936f38d30b64bea717a67cd59704c5ce44ee19f377a820f89ba66b9e0a7509cf39e0fb00c104ae6440a6bd811e388239b458ffe685d8601235bab2afb2f1 SHA512 e7d30951ebb3cbcb6d59e3eb40f64f5a84634b7f5c380a588d378973f1c415395e3ab71a9aaff6478a89ec6efcc88f17f1882c99c25dcd18165f1435a51e5768
+DIST openssl-1.1.0j_ec_curve.c 18401 BLAKE2B f969071ac1b5d0e43b50d54e50b5c4d9201fc8b94458902e9849f14841b5505a2e43ed57a8c13255f042a211af9ee904776c155c36da838a8ad22e1052b02bc1 SHA512 a1c2bb3c3e3d342bddc8c952985e87fc4bad2e8142d5d760b18f346c44c20f00db61c4856f3dcf879b2098e0c036330762915f65d80a1a2cba717d2caeb95457
+DIST openssl-1.1.0j_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
+DIST openssl-1.1.0j_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1
-DIST openssl-1.1.1.tar.gz 8337920 BLAKE2B 266fb97bad4e1e7c0694c67a065d6669560695c92ad8fa10824169288a3fdfb9798faf408274a1e0c4e10a83a12b57367611bf4037dd2ab7ee74d7edab580a7b SHA512 c0284a4fe84bdf765ca5bc5148da4441ffc36392cfecaf9d372af00cf93b6de5681cab1248b6f8246474532155dc205da5ad49549ad7c61c07c917145e7c9c71
-DIST openssl-1.1.1_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
-DIST openssl-1.1.1_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
-DIST openssl-1.1.1_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
+DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199 SHA512 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34
+DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
+DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
+DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
deleted file mode 100644
index 47b082f4085..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-CVE-2018-0734
-https://github.com/openssl/openssl/commit/415c33563528667868c3c653a612e6fc8736fd79
-https://github.com/openssl/openssl/commit/ef11e19d1365eea2b1851e6f540a0bf365d303e7
-
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -11,6 +11,7 @@
-
- #include <stdio.h>
- #include "internal/cryptlib.h"
-+#include "internal/bn_int.h"
- #include <openssl/bn.h>
- #include <openssl/sha.h>
- #include "dsa_locl.h"
-@@ -25,6 +26,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
- DSA_SIG *sig, DSA *dsa);
- static int dsa_init(DSA *dsa);
- static int dsa_finish(DSA *dsa);
-+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
-+ BN_CTX *ctx);
-
- static DSA_METHOD openssl_dsa_meth = {
- "OpenSSL DSA method",
-@@ -180,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- {
- BN_CTX *ctx = NULL;
- BIGNUM *k, *kinv = NULL, *r = *rp;
-- BIGNUM *l, *m;
-+ BIGNUM *l;
- int ret = 0;
-- int q_bits;
-+ int q_bits, q_words;
-
- if (!dsa->p || !dsa->q || !dsa->g) {
- DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
-@@ -191,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
-
- k = BN_new();
- l = BN_new();
-- m = BN_new();
-- if (k == NULL || l == NULL || m == NULL)
-+ if (k == NULL || l == NULL)
- goto err;
-
- if (ctx_in == NULL) {
-@@ -203,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
-
- /* Preallocate space */
- q_bits = BN_num_bits(dsa->q);
-- if (!BN_set_bit(k, q_bits)
-- || !BN_set_bit(l, q_bits)
-- || !BN_set_bit(m, q_bits))
-+ q_words = bn_get_top(dsa->q);
-+ if (!bn_wexpand(k, q_words + 2)
-+ || !bn_wexpand(l, q_words + 2))
- goto err;
-
- /* Get random k */
-@@ -240,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- * small timing information leakage. We then choose the sum that is
- * one bit longer than the modulus.
- *
-- * TODO: revisit the BN_copy aiming for a memory access agnostic
-- * conditional copy.
-+ * There are some concerns about the efficacy of doing this. More
-+ * specificly refer to the discussion starting with:
-+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
-+ * The fix is to rework BN so these gymnastics aren't required.
- */
- if (!BN_add(l, k, dsa->q)
-- || !BN_add(m, l, dsa->q)
-- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
-+ || !BN_add(k, l, dsa->q))
- goto err;
-
-+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
-+
- if ((dsa)->meth->bn_mod_exp != NULL) {
- if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
- dsa->method_mont_p))
-@@ -260,8 +265,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- if (!BN_mod(r, r, dsa->q, ctx))
- goto err;
-
-- /* Compute part of 's = inv(k) (m + xr) mod q' */
-- if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
-+ /* Compute part of 's = inv(k) (m + xr) mod q' */
-+ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
- goto err;
-
- BN_clear_free(*kinvp);
-@@ -275,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- BN_CTX_free(ctx);
- BN_clear_free(k);
- BN_clear_free(l);
-- BN_clear_free(m);
- return ret;
- }
-
-@@ -395,3 +399,31 @@ static int dsa_finish(DSA *dsa)
- BN_MONT_CTX_free(dsa->method_mont_p);
- return (1);
- }
-+
-+/*
-+ * Compute the inverse of k modulo q.
-+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
-+ * mod-exp operation. Both the exponent and modulus are public information
-+ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
-+ * BIGNUM is returned which the caller must free.
-+ */
-+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
-+ BN_CTX *ctx)
-+{
-+ BIGNUM *res = NULL;
-+ BIGNUM *r, *e;
-+
-+ if ((r = BN_new()) == NULL)
-+ return NULL;
-+
-+ BN_CTX_start(ctx);
-+ if ((e = BN_CTX_get(ctx)) != NULL
-+ && BN_set_word(r, 2)
-+ && BN_sub(e, q, r)
-+ && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
-+ res = r;
-+ else
-+ BN_free(r);
-+ BN_CTX_end(ctx);
-+ return res;
-+}
diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
deleted file mode 100644
index 5762c04fa34..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 56fb454d281a023b3f950d969693553d3f3ceea1 Mon Sep 17 00:00:00 2001
-From: Pauli <paul.dale@oracle.com>
-Date: Fri, 26 Oct 2018 10:54:58 +1000
-Subject: [PATCH] Timing vulnerability in ECDSA signature generation
- (CVE-2018-0735)
-
-Preallocate an extra limb for some of the big numbers to avoid a reallocation
-that can potentially provide a side channel.
-
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-(Merged from https://github.com/openssl/openssl/pull/7486)
-
-(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
----
- crypto/ec/ec_mult.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
-index 22bb30ffa1..ff882cce20 100644
---- a/crypto/ec/ec_mult.c
-+++ b/crypto/ec/ec_mult.c
-@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
- */
- cardinality_bits = BN_num_bits(cardinality);
- group_top = bn_get_top(cardinality);
-- if ((bn_wexpand(k, group_top + 1) == NULL)
-- || (bn_wexpand(lambda, group_top + 1) == NULL))
-+ if ((bn_wexpand(k, group_top + 2) == NULL)
-+ || (bn_wexpand(lambda, group_top + 2) == NULL))
- goto err;
-
- if (!BN_copy(k, scalar))
-@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
- * k := scalar + 2*cardinality
- */
- kbit = BN_is_bit_set(lambda, cardinality_bits);
-- BN_consttime_swap(kbit, k, lambda, group_top + 1);
-+ BN_consttime_swap(kbit, k, lambda, group_top + 2);
-
- group_top = bn_get_top(group->field);
- if ((bn_wexpand(s->X, group_top) == NULL)
---
-2.19.1
-
diff --git a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0734.patch b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0734.patch
deleted file mode 100644
index dbc379c80d4..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0734.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-CVE-2018-0734
-https://github.com/openssl/openssl/commit/f1b12b8713a739f27d74e6911580b2e70aea2fa4
-https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
-
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -9,6 +9,7 @@
-
- #include <stdio.h>
- #include "internal/cryptlib.h"
-+#include "internal/bn_int.h"
- #include <openssl/bn.h>
- #include <openssl/sha.h>
- #include "dsa_locl.h"
-@@ -23,6 +24,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
- DSA_SIG *sig, DSA *dsa);
- static int dsa_init(DSA *dsa);
- static int dsa_finish(DSA *dsa);
-+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
-+ BN_CTX *ctx);
-
- static DSA_METHOD openssl_dsa_meth = {
- "OpenSSL DSA method",
-@@ -178,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- {
- BN_CTX *ctx = NULL;
- BIGNUM *k, *kinv = NULL, *r = *rp;
-- BIGNUM *l, *m;
-+ BIGNUM *l;
- int ret = 0;
-- int q_bits;
-+ int q_bits, q_words;
-
- if (!dsa->p || !dsa->q || !dsa->g) {
- DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
-@@ -189,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
-
- k = BN_new();
- l = BN_new();
-- m = BN_new();
-- if (k == NULL || l == NULL || m == NULL)
-+ if (k == NULL || l == NULL)
- goto err;
-
- if (ctx_in == NULL) {
-@@ -201,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
-
- /* Preallocate space */
- q_bits = BN_num_bits(dsa->q);
-- if (!BN_set_bit(k, q_bits)
-- || !BN_set_bit(l, q_bits)
-- || !BN_set_bit(m, q_bits))
-+ q_words = bn_get_top(dsa->q);
-+ if (!bn_wexpand(k, q_words + 2)
-+ || !bn_wexpand(l, q_words + 2))
- goto err;
-
- /* Get random k */
-@@ -238,14 +240,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- * small timing information leakage. We then choose the sum that is
- * one bit longer than the modulus.
- *
-- * TODO: revisit the BN_copy aiming for a memory access agnostic
-- * conditional copy.
-+ * There are some concerns about the efficacy of doing this. More
-+ * specificly refer to the discussion starting with:
-+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
-+ * The fix is to rework BN so these gymnastics aren't required.
- */
- if (!BN_add(l, k, dsa->q)
-- || !BN_add(m, l, dsa->q)
-- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
-+ || !BN_add(k, l, dsa->q))
- goto err;
-
-+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
-+
- if ((dsa)->meth->bn_mod_exp != NULL) {
- if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
- dsa->method_mont_p))
-@@ -258,8 +263,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- if (!BN_mod(r, r, dsa->q, ctx))
- goto err;
-
-- /* Compute part of 's = inv(k) (m + xr) mod q' */
-- if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
-+ /* Compute part of 's = inv(k) (m + xr) mod q' */
-+ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
- goto err;
-
- BN_clear_free(*kinvp);
-@@ -273,7 +278,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- BN_CTX_free(ctx);
- BN_clear_free(k);
- BN_clear_free(l);
-- BN_clear_free(m);
- return ret;
- }
-
-@@ -393,3 +397,31 @@ static int dsa_finish(DSA *dsa)
- BN_MONT_CTX_free(dsa->method_mont_p);
- return 1;
- }
-+
-+/*
-+ * Compute the inverse of k modulo q.
-+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
-+ * mod-exp operation. Both the exponent and modulus are public information
-+ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
-+ * BIGNUM is returned which the caller must free.
-+ */
-+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
-+ BN_CTX *ctx)
-+{
-+ BIGNUM *res = NULL;
-+ BIGNUM *r, *e;
-+
-+ if ((r = BN_new()) == NULL)
-+ return NULL;
-+
-+ BN_CTX_start(ctx);
-+ if ((e = BN_CTX_get(ctx)) != NULL
-+ && BN_set_word(r, 2)
-+ && BN_sub(e, q, r)
-+ && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
-+ res = r;
-+ else
-+ BN_free(r);
-+ BN_CTX_end(ctx);
-+ return res;
-+}
diff --git a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
deleted file mode 100644
index 295f5dbe8d8..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001
-From: Pauli <paul.dale@oracle.com>
-Date: Fri, 26 Oct 2018 10:54:58 +1000
-Subject: [PATCH] Timing vulnerability in ECDSA signature generation
- (CVE-2018-0735)
-
-Preallocate an extra limb for some of the big numbers to avoid a reallocation
-that can potentially provide a side channel.
-
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-(Merged from https://github.com/openssl/openssl/pull/7486)
-
-(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
----
- crypto/ec/ec_mult.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
-index 7e1b3650e7..0e0a5e1394 100644
---- a/crypto/ec/ec_mult.c
-+++ b/crypto/ec/ec_mult.c
-@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
- */
- cardinality_bits = BN_num_bits(cardinality);
- group_top = bn_get_top(cardinality);
-- if ((bn_wexpand(k, group_top + 1) == NULL)
-- || (bn_wexpand(lambda, group_top + 1) == NULL)) {
-+ if ((bn_wexpand(k, group_top + 2) == NULL)
-+ || (bn_wexpand(lambda, group_top + 2) == NULL)) {
- ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
- goto err;
- }
-@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
- * k := scalar + 2*cardinality
- */
- kbit = BN_is_bit_set(lambda, cardinality_bits);
-- BN_consttime_swap(kbit, k, lambda, group_top + 1);
-+ BN_consttime_swap(kbit, k, lambda, group_top + 2);
-
- group_top = bn_get_top(group->field);
- if ((bn_wexpand(s->X, group_top) == NULL)
---
-2.19.1
-
diff --git a/dev-libs/openssl/openssl-1.1.1-r3.ebuild b/dev-libs/openssl/openssl-1.0.2q.ebuild
similarity index 72%
copy from dev-libs/openssl/openssl-1.1.1-r3.ebuild
copy to dev-libs/openssl/openssl-1.0.2q.ebuild
index 391d0bc059c..a073a353fb9 100644
--- a/dev-libs/openssl/openssl-1.1.1-r3.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2q.ebuild
@@ -3,22 +3,33 @@
EAPI="6"
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+# openssl-1.0.2-patches-1.6 contain additional CVE patches
+# which got fixed with this release.
+# Please use 1.7 version number when rolling a new tarball!
+PATCH_SET="openssl-1.0.2-patches-1.5"
MY_P=${P/_/-}
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+ !vanilla? (
+ mirror://gentoo/${PATCH_SET}.tar.xz
+ https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
+ https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
+ https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
+ )"
LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
+SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
RESTRICT="!bindist? ( bindist )"
RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+ gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
DEPEND="${RDEPEND}
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
@@ -34,12 +45,14 @@ PDEPEND="app-misc/ca-certificates"
SOURCE1=hobble-openssl
SOURCE12=ec_curve.c
SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
+# These are ported instead
+#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
+#PATCH37=openssl-1.1.0-ec-curves.patch
FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
+FEDORA_GIT_BRANCH='f25'
FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
+FEDORA_PATCH=( $PATCH1 $PATCH37 )
for i in "${FEDORA_SOURCE[@]}" ; do
FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
done
@@ -54,11 +67,6 @@ MULTILIB_WRAPPED_HEADERS=(
usr/include/openssl/opensslconf.h
)
-PATCHES=(
- "${FILESDIR}"/${P}-CVE-2018-0734.patch
- "${FILESDIR}"/${P}-CVE-2018-0735.patch
-)
-
src_prepare() {
if use bindist; then
# This just removes the prefix, and puts it into WORKDIR like the RPM.
@@ -68,14 +76,15 @@ src_prepare() {
# .spec %prep
bash "${WORKDIR}"/"${SOURCE1}" || die
cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
+ cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
for i in "${FEDORA_PATCH[@]}" ; do
eapply "${DISTDIR}"/"${i}"
done
+ eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
# Also see the configure parts below:
# enable-ec \
# $(use_ssl !bindist ec2m) \
-
+ # $(use_ssl !bindist srp) \
fi
# keep this in sync with app-misc/c_rehash
@@ -86,25 +95,31 @@ src_prepare() {
rm -f Makefile
if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
+ eapply "${WORKDIR}"/patch/*.patch
fi
- eapply_user #332661
+ eapply_user
+ # disable fips in the build
# make sure the man pages are suffixed #302165
# don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
sed -i \
+ -e '/DIRS/s: fips : :g' \
-e '/^MANSUFFIX/s:=.*:=ssl:' \
-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-e $(has noman FEATURES \
&& echo '/^install:/s:install_docs::' \
|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
+ Makefile.org \
|| die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ # this breaks build with 1.0.2p, not sure if it is needed anymore
+ #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
# quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
@@ -119,16 +134,7 @@ src_prepare() {
append-flags $(test-flags-CC -Wa,--noexecstack)
append-cppflags -DOPENSSL_NO_BUF_FREELISTS
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX%/}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
+ sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
# The config script does stupid stuff to prompt the user. Kill it.
sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
./config --test-sanity || die "I AM NOT SANE"
@@ -166,15 +172,18 @@ multilib_src_configure() {
# fi
#fi
+ # https://github.com/openssl/openssl/issues/2286
+ if use ia64 ; then
+ replace-flags -g3 -g2
+ replace-flags -ggdb3 -ggdb2
+ fi
+
local sslout=$(./gentoo.config)
einfo "Use configuration ${sslout:-(openssl knows best)}"
local config="Configure"
[[ -z ${sslout} ]] && config="config"
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
+ # Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
echoit \
./${config} \
${sslout} \
@@ -182,17 +191,19 @@ multilib_src_configure() {
enable-camellia \
enable-ec \
$(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
+ $(use_ssl !bindist srp) \
${ec_nistp_64_gcc_128} \
enable-idea \
enable-mdc2 \
enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
+ enable-tlsext \
$(use_ssl asm) \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
$(use_ssl rfc3779) \
$(use_ssl sctp) \
+ $(use_ssl sslv2 ssl2) \
+ $(use_ssl sslv3 ssl3) \
$(use_ssl tls-heartbeat heartbeats) \
$(use_ssl zlib) \
--prefix="${EPREFIX%/}"/usr \
@@ -202,27 +213,28 @@ multilib_src_configure() {
|| die
# Clean out hardcoded flags that openssl uses
- # Fix quoting for sed
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
-e 's:-fomit-frame-pointer ::g' \
-e 's:-O[0-9] ::g' \
-e 's:-march=[-a-z0-9]* ::g' \
-e 's:-mcpu=[-a-z0-9]* ::g' \
-e 's:-m[a-z0-9]* ::g' \
- -e 's:\\:\\\\:g' \
)
sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
Makefile || die
}
multilib_src_compile() {
# depend is needed to use $confopts; it also doesn't matter
# that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
+ emake -j1 V=1 depend
emake all
+ # rehash is needed to prep the certs/ dir; do this
+ # separately to avoid parallel build issues.
+ emake rehash
}
multilib_src_test() {
@@ -236,7 +248,7 @@ multilib_src_install() {
mkdir "${ED%/}"/usr || die
fi
- emake DESTDIR="${D%/}" install
+ emake INSTALL_PREFIX="${D%/}" install
}
multilib_src_install_all() {
@@ -244,20 +256,25 @@ multilib_src_install_all() {
# we provide a shell version via app-misc/c_rehash
rm "${ED%/}"/usr/bin/c_rehash || die
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+ local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
+ einstalldocs
+
+ use rfc3779 && dodoc engines/ccgost/README.gost
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
# create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
+ dodir ${SSL_CNF_DIR}/certs
+ cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+ rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
# Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED%/}"/usr/share/man || die
+ cd "${ED}"/usr/share/man
local m d s
for m in $(find . -type f | xargs grep -L '#include') ; do
d=${m%/*} ; d=${d#./} ; m=${m##*/}
@@ -272,7 +289,6 @@ multilib_src_install_all() {
for s in $(find -L ${d} -type l) ; do
s=${s##*/}
rm -f ${d}/${s}
- # We don't want to "|| die" here
ln -s ssl-${m} ${d}/ssl-${s}
ln -s ssl-${s} ${d}/openssl-${s}
done
@@ -280,7 +296,7 @@ multilib_src_install_all() {
[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
diff --git a/dev-libs/openssl/openssl-1.1.0i-r3.ebuild b/dev-libs/openssl/openssl-1.1.0j.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.0i-r3.ebuild
rename to dev-libs/openssl/openssl-1.1.0j.ebuild
index 7837bf78175..e46218cc483 100644
--- a/dev-libs/openssl/openssl-1.1.0i-r3.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0j.ebuild
@@ -56,8 +56,6 @@ MULTILIB_WRAPPED_HEADERS=(
PATCHES=(
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- "${FILESDIR}"/${P}-CVE-2018-0734.patch
- "${FILESDIR}"/${P}-CVE-2018-0735.patch
)
src_prepare() {
diff --git a/dev-libs/openssl/openssl-1.1.1-r3.ebuild b/dev-libs/openssl/openssl-1.1.1a.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.1-r3.ebuild
rename to dev-libs/openssl/openssl-1.1.1a.ebuild
index 391d0bc059c..5b5bb76c6b7 100644
--- a/dev-libs/openssl/openssl-1.1.1-r3.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1a.ebuild
@@ -54,11 +54,6 @@ MULTILIB_WRAPPED_HEADERS=(
usr/include/openssl/opensslconf.h
)
-PATCHES=(
- "${FILESDIR}"/${P}-CVE-2018-0734.patch
- "${FILESDIR}"/${P}-CVE-2018-0735.patch
-)
-
src_prepare() {
if use bindist; then
# This just removes the prefix, and puts it into WORKDIR like the RPM.
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2018-12-25 17:24 Lars Wendler
0 siblings, 0 replies; 36+ messages in thread
From: Lars Wendler @ 2018-12-25 17:24 UTC (permalink / raw
To: gentoo-commits
commit: 15d6fa4ce6547c18471e0e0a369bd390b64feedb
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 25 17:23:56 2018 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Dec 25 17:23:56 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15d6fa4c
dev-libs/openssl: Fixed parallel install
Closes: https://bugs.gentoo.org/671602
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
.../files/openssl-1.1.0j-parallel_install_fix.patch | 21 +++++++++++++++++++++
dev-libs/openssl/openssl-1.1.0j.ebuild | 1 +
2 files changed, 22 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch b/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch
new file mode 100644
index 00000000000..c837e208cf6
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch
@@ -0,0 +1,21 @@
+https://github.com/openssl/openssl/issues/7679
+
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -77,8 +77,14 @@
+ # to. You're welcome.
+ sub dependmagic {
+ my $target = shift;
+-
+- return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target";
++ my $magic = <<"_____";
++$target: build_generated depend
++ \$(MAKE) _$target
++_$target
++_____
++ # Remove line ending
++ $magic =~ s|\R$||;
++ return $magic;
+ }
+ '';
+ -}
diff --git a/dev-libs/openssl/openssl-1.1.0j.ebuild b/dev-libs/openssl/openssl-1.1.0j.ebuild
index e46218cc483..9394eac2532 100644
--- a/dev-libs/openssl/openssl-1.1.0j.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0j.ebuild
@@ -56,6 +56,7 @@ MULTILIB_WRAPPED_HEADERS=(
PATCHES=(
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+ "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
)
src_prepare() {
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2019-01-02 21:58 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2019-01-02 21:58 UTC (permalink / raw
To: gentoo-commits
commit: 8d6b4d861cc299d5dd9691a73f9eab81e02d5f6c
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 2 21:57:28 2019 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Jan 2 21:58:20 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d6b4d86
dev-libs/openssl: rev bumped to add some cherry-picked patches
Package-Manager: Portage-2.3.53, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
...-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch | 27 ++
...ix-cert-with-rsa-instead-of-rsaEncryption.patch | 97 +++++
...ix-some-SSL_export_keying_material-issues.patch | 420 +++++++++++++++++++++
...a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch | 26 ++
...ure-build_SYS_str_reasons_preserves_errno.patch | 68 ++++
.../openssl-1.1.1a-preserve-errno-on-dlopen.patch | 51 +++
...-system-error-number-in-a-few-more-places.patch | 57 +++
...t-reduce-stack-usage-in-tls13_hkdf_expand.patch | 56 +++
dev-libs/openssl/openssl-1.1.1a-r1.ebuild | 299 +++++++++++++++
9 files changed, 1101 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
new file mode 100644
index 00000000000..8014be130ab
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
@@ -0,0 +1,27 @@
+From 3be71a31a1dda204bb95462a92cf7f247e64b939 Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Sun, 16 Dec 2018 12:43:59 +0100
+Subject: [PATCH] Fix a minor nit in the hkdflabel size
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7913)
+
+(cherry picked from commit 0b4233f5a4a181a6dcb7c511cd2663e500e659a4)
+---
+ ssl/tls13_enc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index c3021d18aa9..e36b7d3a066 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -41,7 +41,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
+ * + bytes for the hash itself
+ */
+ unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
+- + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
++ + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
+ + 1 + EVP_MAX_MD_SIZE];
+ WPACKET pkt;
+
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
new file mode 100644
index 00000000000..8f249e22a1d
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
@@ -0,0 +1,97 @@
+From c25ae0fff78cb3cb784ef79167329d5cd55b62de Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Thu, 27 Dec 2018 22:18:21 +0100
+Subject: [PATCH] Fix cert with rsa instead of rsaEncryption as public key
+ algorithm
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+(Merged from https://github.com/openssl/openssl/pull/7962)
+
+(cherry picked from commit 1f483a69bce11c940309edc437eee6e32294d5f2)
+---
+ crypto/rsa/rsa_ameth.c | 9 ++++++---
+ test/certs/root-cert-rsa2.pem | 18 ++++++++++++++++++
+ test/recipes/25-test_verify.t | 4 +++-
+ 3 files changed, 27 insertions(+), 4 deletions(-)
+ create mode 100644 test/certs/root-cert-rsa2.pem
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index a6595aec054..75debb3e0a9 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -34,7 +34,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey,
+
+ *pstr = NULL;
+ /* If RSA it's just NULL type */
+- if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
++ if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
+ *pstrtype = V_ASN1_NULL;
+ return 1;
+ }
+@@ -58,7 +58,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
+ int algptype;
+
+ X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
+- if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
++ if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
+ return 1;
+ if (algptype == V_ASN1_UNDEF)
+ return 1;
+@@ -109,7 +109,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
+ RSA_free(rsa);
+ return 0;
+ }
+- EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
++ if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
++ RSA_free(rsa);
++ return 0;
++ }
+ return 1;
+ }
+
+diff --git a/test/certs/root-cert-rsa2.pem b/test/certs/root-cert-rsa2.pem
+new file mode 100644
+index 00000000000..b817fdf3e5d
+--- /dev/null
++++ b/test/certs/root-cert-rsa2.pem
+@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
++IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
++DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP
++Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk
++7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX
++OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq
++alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN
++biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+
++ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G
++A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
++KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt
++NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv
++8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm
++mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx
++PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb
++7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI=
++-----END CERTIFICATE-----
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index 6c3deab7c67..b80a1cde3ed 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -27,7 +27,7 @@ sub verify {
+ run(app([@args]));
+ }
+
+-plan tests => 134;
++plan tests => 135;
+
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"]
+ "Not too many names and constraints to check (2)");
+ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),
+ "Not too many names and constraints to check (3)");
++ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
++ "Public Key Algorithm rsa instead of rsaEncryption");
+
+ SKIP: {
+ skip "Ed25519 is not supported by this OpenSSL build", 1
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
new file mode 100644
index 00000000000..2db64d83e45
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
@@ -0,0 +1,420 @@
+From 0fb2815b873304d145ed00283454fc9f3bd35e6b Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 4 Dec 2018 08:37:04 +0000
+Subject: [PATCH] Fix some SSL_export_keying_material() issues
+
+Fix some issues in tls13_hkdf_expand() which impact the above function
+for TLSv1.3. In particular test that we can use the maximum label length
+in TLSv1.3.
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7755)
+---
+ doc/man3/SSL_export_keying_material.pod | 3 +-
+ ssl/ssl_locl.h | 2 +-
+ ssl/statem/extensions.c | 2 +-
+ ssl/statem/statem_clnt.c | 2 +-
+ ssl/statem/statem_srvr.c | 2 +-
+ ssl/tls13_enc.c | 73 +++++++++++++++++--------
+ test/sslapitest.c | 48 ++++++++++++----
+ test/tls13secretstest.c | 2 +-
+ 8 files changed, 92 insertions(+), 42 deletions(-)
+
+diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod
+index abebf911fc3..4c81a60ffbb 100644
+--- a/doc/man3/SSL_export_keying_material.pod
++++ b/doc/man3/SSL_export_keying_material.pod
+@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from
+ the IANA Exporter Label Registry
+ (L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
+ Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
+-to be used without registration.
++to be used without registration. TLSv1.3 imposes a maximum label length of
++249 bytes.
+
+ Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
+ above. Attempting to use it in SSLv3 will result in an error.
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index 70e5a1740f9..307131de93a 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
+ const unsigned char *secret,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *data, size_t datalen,
+- unsigned char *out, size_t outlen);
++ unsigned char *out, size_t outlen, int fatal);
+ __owur int tls13_derive_key(SSL *s, const EVP_MD *md,
+ const unsigned char *secret, unsigned char *key,
+ size_t keylen);
+diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
+index 63e61c6184a..716d6d23e08 100644
+--- a/ssl/statem/extensions.c
++++ b/ssl/statem/extensions.c
+@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
+
+ /* Generate the binder key */
+ if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
+- hashsize, binderkey, hashsize)) {
++ hashsize, binderkey, hashsize, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
+index 5a8f1163dfa..a0e495d8e83 100644
+--- a/ssl/statem/statem_clnt.c
++++ b/ssl/statem/statem_clnt.c
+@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
+ PACKET_data(&nonce),
+ PACKET_remaining(&nonce),
+ s->session->master_key,
+- hashlen)) {
++ hashlen, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index e7c11c4bea4..a8e862ced55 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
+ tick_nonce,
+ TICKET_NONCE_SIZE,
+ s->session->master_key,
+- hashlen)) {
++ hashlen, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index f7ab0fa4704..c3021d18aa9 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -13,7 +13,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/kdf.h>
+
+-#define TLS13_MAX_LABEL_LEN 246
++#define TLS13_MAX_LABEL_LEN 249
+
+ /* Always filled with zeros */
+ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
+@@ -22,30 +22,47 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
+ * Given a |secret|; a |label| of length |labellen|; and |data| of length
+ * |datalen| (e.g. typically a hash of the handshake messages), derive a new
+ * secret |outlen| bytes long and store it in the location pointed to be |out|.
+- * The |data| value may be zero length. Returns 1 on success 0 on failure.
++ * The |data| value may be zero length. Any errors will be treated as fatal if
++ * |fatal| is set. Returns 1 on success 0 on failure.
+ */
+ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *data, size_t datalen,
+- unsigned char *out, size_t outlen)
++ unsigned char *out, size_t outlen, int fatal)
+ {
+- const unsigned char label_prefix[] = "tls13 ";
++ static const unsigned char label_prefix[] = "tls13 ";
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ int ret;
+ size_t hkdflabellen;
+ size_t hashlen;
+ /*
+- * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
+- * prefix and label + bytes for the label itself + bytes for the hash
++ * 2 bytes for length of derived secret + 1 byte for length of combined
++ * prefix and label + bytes for the label itself + 1 byte length of hash
++ * + bytes for the hash itself
+ */
+ unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
+ + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
+- + EVP_MAX_MD_SIZE];
++ + 1 + EVP_MAX_MD_SIZE];
+ WPACKET pkt;
+
+ if (pctx == NULL)
+ return 0;
+
++ if (labellen > TLS13_MAX_LABEL_LEN) {
++ if (fatal) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
++ ERR_R_INTERNAL_ERROR);
++ } else {
++ /*
++ * Probably we have been called from SSL_export_keying_material(),
++ * or SSL_export_keying_material_early().
++ */
++ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
++ }
++ EVP_PKEY_CTX_free(pctx);
++ return 0;
++ }
++
+ hashlen = EVP_MD_size(md);
+
+ if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
+@@ -59,8 +76,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
+ || !WPACKET_finish(&pkt)) {
+ EVP_PKEY_CTX_free(pctx);
+ WPACKET_cleanup(&pkt);
+- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+- ERR_R_INTERNAL_ERROR);
++ if (fatal)
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
++ ERR_R_INTERNAL_ERROR);
++ else
++ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+@@ -74,9 +94,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
+
+ EVP_PKEY_CTX_free(pctx);
+
+- if (ret != 0)
+- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+- ERR_R_INTERNAL_ERROR);
++ if (ret != 0) {
++ if (fatal)
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
++ ERR_R_INTERNAL_ERROR);
++ else
++ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
++ }
+
+ return ret == 0;
+ }
+@@ -91,7 +115,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
+ static const unsigned char keylabel[] = "key";
+
+ return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
+- NULL, 0, key, keylen);
++ NULL, 0, key, keylen, 1);
+ }
+
+ /*
+@@ -104,7 +128,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
+ static const unsigned char ivlabel[] = "iv";
+
+ return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
+- NULL, 0, iv, ivlen);
++ NULL, 0, iv, ivlen, 1);
+ }
+
+ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
+@@ -114,7 +138,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
+ static const unsigned char finishedlabel[] = "finished";
+
+ return tls13_hkdf_expand(s, md, secret, finishedlabel,
+- sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
++ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
+ }
+
+ /*
+@@ -177,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
+ if (!tls13_hkdf_expand(s, md, prevsecret,
+ (unsigned char *)derived_secret_label,
+ sizeof(derived_secret_label) - 1, hash, mdlen,
+- preextractsec, mdlen)) {
++ preextractsec, mdlen, 1)) {
+ /* SSLfatal() already called */
+ EVP_PKEY_CTX_free(pctx);
+ return 0;
+@@ -337,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
+ hashlen = (size_t)hashleni;
+
+ if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
+- secret, hashlen)) {
++ secret, hashlen, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -517,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which)
+ early_exporter_master_secret,
+ sizeof(early_exporter_master_secret) - 1,
+ hashval, hashlen,
+- s->early_exporter_master_secret, hashlen)) {
++ s->early_exporter_master_secret, hashlen,
++ 1)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err;
+@@ -604,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which)
+ resumption_master_secret,
+ sizeof(resumption_master_secret) - 1,
+ hashval, hashlen, s->resumption_master_secret,
+- hashlen)) {
++ hashlen, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -624,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which)
+ exporter_master_secret,
+ sizeof(exporter_master_secret) - 1,
+ hash, hashlen, s->exporter_master_secret,
+- hashlen)) {
++ hashlen, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+@@ -738,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
+ || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
+ (const unsigned char *)label, llen,
+- data, datalen, exportsecret, hashsize)
++ data, datalen, exportsecret, hashsize, 0)
+ || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
+ sizeof(exporterlabel) - 1, hash, hashsize,
+- out, olen))
++ out, olen, 0))
+ goto err;
+
+ ret = 1;
+@@ -797,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
+ || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
+ || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
+ (const unsigned char *)label, llen,
+- data, datalen, exportsecret, hashsize)
++ data, datalen, exportsecret, hashsize, 0)
+ || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
+ sizeof(exporterlabel) - 1, hash, hashsize,
+- out, olen))
++ out, olen, 0))
+ goto err;
+
+ ret = 1;
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 108d57e4781..a4bbb4fead4 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst)
+ * no test vectors so all we do is test that both sides of the communication
+ * produce the same results for different protocol versions.
+ */
++#define SMALL_LABEL_LEN 10
++#define LONG_LABEL_LEN 249
+ static int test_export_key_mat(int tst)
+ {
+ int testresult = 0;
+ SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+- const char label[] = "test label";
++ const char label[LONG_LABEL_LEN + 1] = "test label";
+ const unsigned char context[] = "context";
+ const unsigned char *emptycontext = NULL;
+ unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
+ unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
++ size_t labellen;
+ const int protocols[] = {
+ TLS1_VERSION,
+ TLS1_1_VERSION,
+ TLS1_2_VERSION,
++ TLS1_3_VERSION,
++ TLS1_3_VERSION,
+ TLS1_3_VERSION
+ };
+
+@@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst)
+ return 1;
+ #endif
+ #ifdef OPENSSL_NO_TLS1_3
+- if (tst == 3)
++ if (tst >= 3)
+ return 1;
+ #endif
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+@@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst)
+ SSL_ERROR_NONE)))
+ goto end;
+
++ if (tst == 5) {
++ /*
++ * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
++ * go over that.
++ */
++ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
++ sizeof(ckeymat1), label,
++ LONG_LABEL_LEN + 1, context,
++ sizeof(context) - 1, 1), 0))
++ goto end;
++
++ testresult = 1;
++ goto end;
++ } else if (tst == 4) {
++ labellen = LONG_LABEL_LEN;
++ } else {
++ labellen = SMALL_LABEL_LEN;
++ }
++
+ if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
+ sizeof(ckeymat1), label,
+- sizeof(label) - 1, context,
++ labellen, context,
+ sizeof(context) - 1, 1), 1)
+ || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
+ sizeof(ckeymat2), label,
+- sizeof(label) - 1,
++ labellen,
+ emptycontext,
+ 0, 1), 1)
+ || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
+ sizeof(ckeymat3), label,
+- sizeof(label) - 1,
++ labellen,
+ NULL, 0, 0), 1)
+ || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
+ sizeof(skeymat1), label,
+- sizeof(label) - 1,
++ labellen,
+ context,
+ sizeof(context) -1, 1),
+ 1)
+ || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
+ sizeof(skeymat2), label,
+- sizeof(label) - 1,
++ labellen,
+ emptycontext,
+ 0, 1), 1)
+ || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
+ sizeof(skeymat3), label,
+- sizeof(label) - 1,
++ labellen,
+ NULL, 0, 0), 1)
+ /*
+ * Check that both sides created the same key material with the
+@@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst)
+ * Check that an empty context and no context produce different results in
+ * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
+ */
+- if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
++ if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
+ sizeof(ckeymat3)))
+- || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
+- sizeof(ckeymat3))))
++ || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
++ sizeof(ckeymat3))))
+ goto end;
+
+ testresult = 1;
+@@ -5909,7 +5933,7 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_custom_exts, 3);
+ #endif
+ ADD_ALL_TESTS(test_serverinfo, 8);
+- ADD_ALL_TESTS(test_export_key_mat, 4);
++ ADD_ALL_TESTS(test_export_key_mat, 6);
+ #ifndef OPENSSL_NO_TLS1_3
+ ADD_ALL_TESTS(test_export_key_mat_early, 3);
+ #endif
+diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
+index 319df17bab0..de318df02b4 100644
+--- a/test/tls13secretstest.c
++++ b/test/tls13secretstest.c
+@@ -226,7 +226,7 @@ static int test_secret(SSL *s, unsigned char *prk,
+ }
+
+ if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
+- gensecret, hashsize)) {
++ gensecret, hashsize, 1)) {
+ TEST_error("Secret generation failed");
+ return 0;
+ }
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
new file mode 100644
index 00000000000..c2f8bb638b3
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
@@ -0,0 +1,26 @@
+From 3ccccb91ae1c07a4310778b3d7ba74ff4ff787f0 Mon Sep 17 00:00:00 2001
+From: Paul Yang <yang.yang@baishancloud.com>
+Date: Wed, 21 Nov 2018 13:16:27 +0800
+Subject: [PATCH] Fix wrong return value in ssl3_ctx_ctrl
+
+This fixes issue #7677
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7678)
+---
+ ssl/s3_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index 866ca4dfa9b..99ae48199c2 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
+ EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
+ SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
+ EVP_PKEY_free(pkdh);
+- return 1;
++ return 0;
+ }
+ EVP_PKEY_free(ctx->cert->dh_tmp);
+ ctx->cert->dh_tmp = pkdh;
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch b/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
new file mode 100644
index 00000000000..cfa84c73a5b
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
@@ -0,0 +1,68 @@
+From 99992ad22019e752c7b103a45f860a48b6bc0972 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 21 Nov 2018 11:44:42 +0000
+Subject: [PATCH] Make sure build_SYS_str_reasons() preserves errno
+
+This function can end up being called during ERR_get_error() if we are
+initialising. ERR_get_error() must preserve errno since it gets called via
+SSL_get_error(). If that function returns SSL_ERROR_SYSCALL then you are
+supposed to inspect errno.
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7680)
+
+(cherry picked from commit 71b1ceffc4c795f5db21861dd1016fbe23a53a53)
+---
+
+diff --git a/crypto/err/err.c b/crypto/err/err.c
+index 03cbd73..2eeeab2 100644
+--- a/crypto/err/err.c
++++ b/crypto/err/err.c
+@@ -19,6 +19,7 @@
+ #include <openssl/bio.h>
+ #include <openssl/opensslconf.h>
+ #include "internal/thread_once.h"
++#include "e_os.h"
+
+ static int err_load_strings(const ERR_STRING_DATA *str);
+
+@@ -201,6 +202,7 @@ static void build_SYS_str_reasons(void)
+ static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
+ static int init = 1;
+ int i;
++ int saveerrno = get_last_sys_error();
+
+ CRYPTO_THREAD_write_lock(err_string_lock);
+ if (!init) {
+@@ -229,6 +231,8 @@ static void build_SYS_str_reasons(void)
+ init = 0;
+
+ CRYPTO_THREAD_unlock(err_string_lock);
++ /* openssl_strerror_r could change errno, but we want to preserve it */
++ set_sys_error(saveerrno);
+ err_load_strings(SYS_str_reasons);
+ }
+ #endif
+diff --git a/e_os.h b/e_os.h
+index 5340593..8e6efa9 100644
+--- a/e_os.h
++++ b/e_os.h
+@@ -49,6 +49,7 @@
+
+ # define get_last_sys_error() errno
+ # define clear_sys_error() errno=0
++# define set_sys_error(e) errno=(e)
+
+ /********************************************************************
+ The Microsoft section
+@@ -66,8 +67,10 @@
+ # ifdef WIN32
+ # undef get_last_sys_error
+ # undef clear_sys_error
++# undef set_sys_error
+ # define get_last_sys_error() GetLastError()
+ # define clear_sys_error() SetLastError(0)
++# define set_sys_error(e) SetLastError(e)
+ # if !defined(WINNT)
+ # define WIN_CONSOLE_BUG
+ # endif
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
new file mode 100644
index 00000000000..ed8f2dd96be
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
@@ -0,0 +1,51 @@
+From ef97becf522fc4e2e9d98e6ae7bcb26651883d9a Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 21 Nov 2018 11:57:04 +0000
+Subject: [PATCH] Preserve errno on dlopen
+
+For the same reasons as in the previous commit we must preserve errno
+across dlopen calls. Some implementations (e.g. solaris) do not preserve
+errno even on a successful dlopen call.
+
+Fixes #6953
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7680)
+
+(cherry picked from commit 3cb4e7dc1cf92022f62b9bbdd59695885a1265ff)
+---
+ crypto/dso/dso_dlfcn.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
+index ad8899c289a..4240f5f5e30 100644
+--- a/crypto/dso/dso_dlfcn.c
++++ b/crypto/dso/dso_dlfcn.c
+@@ -17,6 +17,7 @@
+ #endif
+
+ #include "dso_locl.h"
++#include "e_os.h"
+
+ #ifdef DSO_DLFCN
+
+@@ -99,6 +100,7 @@ static int dlfcn_load(DSO *dso)
+ /* See applicable comments in dso_dl.c */
+ char *filename = DSO_convert_filename(dso, NULL);
+ int flags = DLOPEN_FLAG;
++ int saveerrno = get_last_sys_error();
+
+ if (filename == NULL) {
+ DSOerr(DSO_F_DLFCN_LOAD, DSO_R_NO_FILENAME);
+@@ -118,6 +120,11 @@ static int dlfcn_load(DSO *dso)
+ ERR_add_error_data(4, "filename(", filename, "): ", dlerror());
+ goto err;
+ }
++ /*
++ * Some dlopen() implementations (e.g. solaris) do no preserve errno, even
++ * on a successful call.
++ */
++ set_sys_error(saveerrno);
+ if (!sk_void_push(dso->meth_data, (char *)ptr)) {
+ DSOerr(DSO_F_DLFCN_LOAD, DSO_R_STACK_ERROR);
+ goto err;
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
new file mode 100644
index 00000000000..84c43a3c3e0
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
@@ -0,0 +1,57 @@
+From 145419423e1a74ae54cdbd3aed8bb15cbd53c7cc Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 14 Dec 2018 19:33:55 +0100
+Subject: [PATCH] ERR: preserve system error number in a few more places
+
+It turns out that intialization may change the error number, so we
+need to preserve the system error number in functions where
+initialization is called for.
+These are ERR_get_state() and err_shelve_state()
+
+Fixes #7897
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7902)
+
+(cherry picked from commit 91c5473035aaf2c0d86e4039c2a29a5b70541905)
+---
+ crypto/err/err.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/err/err.c b/crypto/err/err.c
+index 5cfb02d821b..aef2543d60b 100644
+--- a/crypto/err/err.c
++++ b/crypto/err/err.c
+@@ -697,6 +697,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init)
+ ERR_STATE *ERR_get_state(void)
+ {
+ ERR_STATE *state;
++ int saveerrno = get_last_sys_error();
+
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
+ return NULL;
+@@ -728,6 +729,7 @@ ERR_STATE *ERR_get_state(void)
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ }
+
++ set_sys_error(saveerrno);
+ return state;
+ }
+
+@@ -737,6 +739,8 @@ ERR_STATE *ERR_get_state(void)
+ */
+ int err_shelve_state(void **state)
+ {
++ int saveerrno = get_last_sys_error();
++
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
+ return 0;
+
+@@ -747,6 +751,7 @@ int err_shelve_state(void **state)
+ if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
+ return 0;
+
++ set_sys_error(saveerrno);
+ return 1;
+ }
+
diff --git a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch b/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
new file mode 100644
index 00000000000..5ea4fb97bfc
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
@@ -0,0 +1,56 @@
+From ed371b8cbac0d0349667558c061c1ae380cf75eb Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Mon, 3 Dec 2018 18:14:57 +0000
+Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand"
+
+This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d.
+
+SSL_export_keying_material() may use longer label lengths.
+
+Fixes #7712
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7755)
+---
+ ssl/tls13_enc.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index b6825d20c2d..f7ab0fa4704 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -13,14 +13,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/kdf.h>
+
+-/*
+- * RFC 8446, 7.1 Key Schedule, says:
+- * Note: With common hash functions, any label longer than 12 characters
+- * requires an additional iteration of the hash function to compute.
+- * The labels in this specification have all been chosen to fit within
+- * this limit.
+- */
+-#define TLS13_MAX_LABEL_LEN 12
++#define TLS13_MAX_LABEL_LEN 246
+
+ /* Always filled with zeros */
+ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
+@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
+ const unsigned char *data, size_t datalen,
+ unsigned char *out, size_t outlen)
+ {
+- static const unsigned char label_prefix[] = "tls13 ";
++ const unsigned char label_prefix[] = "tls13 ";
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ int ret;
+ size_t hkdflabellen;
+ size_t hashlen;
+ /*
+- * 2 bytes for length of derived secret + 1 byte for length of combined
+- * prefix and label + bytes for the label itself + 1 byte length of hash
+- * + bytes for the hash itself
++ * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
++ * prefix and label + bytes for the label itself + bytes for the hash
+ */
+ unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
+ + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
diff --git a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild b/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
new file mode 100644
index 00000000000..0ad3e058c0c
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
@@ -0,0 +1,299 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+[[ "${PV}" = *_pre* ]] || \
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-make-sure-build_SYS_str_reasons_preserves_errno.patch
+ "${FILESDIR}"/${P}-preserve-errno-on-dlopen.patch
+ "${FILESDIR}"/${P}-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
+ "${FILESDIR}"/${P}-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
+ "${FILESDIR}"/${P}-fix-some-SSL_export_keying_material-issues.patch
+ "${FILESDIR}"/${P}-preserve-system-error-number-in-a-few-more-places.patch
+ "${FILESDIR}"/${P}-fix-a-minor-nit-in-hkdflabel-size.patch
+ "${FILESDIR}"/${P}-fix-cert-with-rsa-instead-of-rsaEncryption.patch
+)
+
+# This does not copy the entire Fedora patchset, but JUST the parts that
+# are needed to make it safe to use EC with RESTRICT=bindist.
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
+SOURCE1=hobble-openssl
+SOURCE12=ec_curve.c
+SOURCE13=ectest.c
+PATCH37=openssl-1.1.1-ec-curves.patch
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
+FEDORA_GIT_BRANCH='f29'
+FEDORA_SRC_URI=()
+FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
+FEDORA_PATCH=( ${PATCH37} )
+for i in "${FEDORA_SOURCE[@]}" ; do
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
+done
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
+done
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+ if use bindist; then
+ # This just removes the prefix, and puts it into WORKDIR like the RPM.
+ for i in "${FEDORA_SOURCE[@]}" ; do
+ cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
+ done
+ # .spec %prep
+ bash "${WORKDIR}"/"${SOURCE1}" || die
+ cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
+ cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
+ for i in "${FEDORA_PATCH[@]}" ; do
+ eapply "${DISTDIR}"/"${i}"
+ done
+ # Also see the configure parts below:
+ # enable-ec \
+ # $(use_ssl !bindist ec2m) \
+
+ fi
+
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
+ [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
+ fi
+ fi
+
+ eapply_user #332661
+
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ # Make DOCDIR Gentoo compliant
+ sed -i \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+ Configurations/unix-Makefile.tmpl \
+ || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config || die
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ # Prefixify Configure shebang (#141906)
+ sed \
+ -e "1s,/usr/bin/env,${EPREFIX%/}&," \
+ -i Configure || die
+ # Remove test target when FEATURES=test isn't set
+ if ! use test ; then
+ sed \
+ -e '/^$config{dirs}/s@ "test",@@' \
+ -i Configure || die
+ fi
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired https://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ # Fedora hobbled-EC needs 'no-ec2m'
+ # 'srp' was restricted until early 2017 as well.
+ # "disable-deprecated" option breaks too many consumers.
+ # Don't set it without thorough revdeps testing.
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ enable-ec \
+ $(use_ssl !bindist ec2m) \
+ enable-srp \
+ $(use elibc_musl && echo "no-async") \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ $(use_ssl sslv3 ssl3) \
+ $(use_ssl sslv3 ssl3-method) \
+ $(use_ssl asm) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX%/}"/usr \
+ --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ # Fix quoting for sed
+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAGS=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ -e 's:\\:\\\\:g' \
+ )
+ sed -i \
+ -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+ -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ # We need to create $ED/usr on our own to avoid a race condition #665130
+ if [[ ! -d "${ED%/}/usr" ]]; then
+ # We can only create this directory once
+ mkdir "${ED%/}"/usr || die
+ fi
+
+ emake DESTDIR="${D%/}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED%/}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED%/}"/usr/share/man || die
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ # We don't want to "|| die" here
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2019-08-23 18:10 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2019-08-23 18:10 UTC (permalink / raw
To: gentoo-commits
commit: 4a898bb77d04e01e132bd1cd37bfc8b0e437467c
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 23 17:46:20 2019 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Aug 23 18:10:21 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a898bb7
dev-libs/openssl: drop old
Package-Manager: Portage-2.3.72, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
dev-libs/openssl/Manifest | 11 -
.../files/openssl-1.1.1b-CVE-2019-1543.patch | 66 -----
.../files/openssl-1.1.1b-ec-curves-patch.patch | 207 --------------
dev-libs/openssl/openssl-1.1.0j-r1.ebuild | 299 ---------------------
dev-libs/openssl/openssl-1.1.1b-r2.ebuild | 299 ---------------------
5 files changed, 882 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 5f6b9b90602..4322efaa3ab 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -7,18 +7,7 @@ DIST openssl-1.0.2s.tar.gz 5349149 BLAKE2B 46c72dcceb5b473b129be0a895f3d6c25a24e
DIST openssl-1.0.2s_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
DIST openssl-1.0.2s_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
DIST openssl-1.0.2s_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
-DIST openssl-1.1.0-build_d2ede125556ac99aa0faa7744c703af3f559094e.patch 3001 BLAKE2B 8f0ac4be6409b4ec50bec171697da2aebe2688e8ae06bd0dfac8b0c74661d38ebeb0a12bde0ef941b213eee9b85965262213b140636060285dcfb02a3bd14961 SHA512 ec6710e9669ac19e4c6f1286c89a383e7d276a773a2740037f98a8f2dbf18305614e7d30d9ed530923a0e7d10a3776fea2ca77229adc25df13ecad55589a3673
-DIST openssl-1.1.0-ec-curves_d2ede125556ac99aa0faa7744c703af3f559094e.patch 5311 BLAKE2B e9ec985adf6f13eb04412158a05da7cbe10be7d64bce73b899152ea379336ece7b7069089ef46993ac301ef850fd46fd0352898e249b2ea9fff5baf20896e5b5 SHA512 c38c4b05195f2b323a07efd8d17335ba2a168a16a59d7941da36568081f1c043da8d2216b7084b0617963635ded9bafeee736ecddbfa251cf0a02e4cba64cdc8
-DIST openssl-1.1.0j.tar.gz 5411919 BLAKE2B 0fbd936f38d30b64bea717a67cd59704c5ce44ee19f377a820f89ba66b9e0a7509cf39e0fb00c104ae6440a6bd811e388239b458ffe685d8601235bab2afb2f1 SHA512 e7d30951ebb3cbcb6d59e3eb40f64f5a84634b7f5c380a588d378973f1c415395e3ab71a9aaff6478a89ec6efcc88f17f1882c99c25dcd18165f1435a51e5768
-DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BLAKE2B f969071ac1b5d0e43b50d54e50b5c4d9201fc8b94458902e9849f14841b5505a2e43ed57a8c13255f042a211af9ee904776c155c36da838a8ad22e1052b02bc1 SHA512 a1c2bb3c3e3d342bddc8c952985e87fc4bad2e8142d5d760b18f346c44c20f00db61c4856f3dcf879b2098e0c036330762915f65d80a1a2cba717d2caeb95457
-DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
-DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
DIST openssl-1.1.0k-bindist-1.0.tar.xz 11716 BLAKE2B c491ba0899c44dbcc63f85b255548c439c965a20a04ac2a6324a4122c4691b7c95ec18e62be6d708a7ea62ea197d32e5091987cb5043969878f89e5bc26243d4 SHA512 1d5bc9d7b24cf55d32d996e2421d43a1218b605720293f00d07814afb481387856f0dc000ad3c3e4cba2361055668cfe79a945be44ab85a249555f37e683a909
DIST openssl-1.1.0k.tar.gz 5287321 BLAKE2B fce40a399f5a08d5fe183dfcaab11b211d982885fb9888b25fa41bdd9919ecd203fca6f573363cfb42c9a0776ae69ea50b0f144227a3f28ca0dbadf878d396bc SHA512 65f41a240a97d79504c0e1391fde8ac8692f0993437cdc35e4bc964ecc36e5ef75a62499c4c6cb4ce63f892135e06dba2d3594c8869d935554296fa3c6ccd822
-DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1
-DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8 SHA512 b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d
-DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
-DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
-DIST openssl-1.1.1b_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
DIST openssl-1.1.1c-bindist-1.0.tar.xz 11964 BLAKE2B 8c5190846d13984589a150089d329bb3ecc613788b9462c6f6a1833a040e21cb9bf940140449f09fd797c0e396b0aea073237be374bd16097795b8974c3e7ce5 SHA512 249c6d8c455130b98e3be635f12f323e0cc349f1770648bad591e5de15483917185a473c162ed871a2fa05b47056931e6f12e5fdd9cecee7e6d1c246b862923b
DIST openssl-1.1.1c.tar.gz 8864262 BLAKE2B bd157b244bedcefb8e646a743732945119b267236789ac69c38856570318aca09299bdaaea3f20294863b633e6fd4dfe124820597185b3b7461cfdf094daadb0 SHA512 8e2c5cc11c120efbb7d7850980cb6eaa782d29b4996b3f3378d37613c1679f852d7cc08a90d62e78fcec3439f06bdbee70064579a8c2adaffd91532a97f646ff
diff --git a/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
deleted file mode 100644
index 4d478c484c9..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Mar 2019 14:39:15 +0000
-Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305
-
-ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
-every encryption operation. RFC 7539 specifies that the nonce value (IV)
-should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
-front pads the nonce with 0 bytes if it is less than 12 bytes. However it
-also incorrectly allows a nonce to be set of up to 16 bytes. In this case
-only the last 12 bytes are significant and any additional leading bytes are
-ignored.
-
-It is a requirement of using this cipher that nonce values are unique.
-Messages encrypted using a reused nonce value are susceptible to serious
-confidentiality and integrity attacks. If an application changes the
-default nonce length to be longer than 12 bytes and then makes a change to
-the leading bytes of the nonce expecting the new value to be a new unique
-nonce then such an application could inadvertently encrypt messages with a
-reused nonce.
-
-Additionally the ignored bytes in a long nonce are not covered by the
-integrity guarantee of this cipher. Any application that relies on the
-integrity of these ignored leading bytes of a long nonce may be further
-affected.
-
-Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
-because no such use sets such a long nonce value. However user
-applications that use this cipher directly and set a non-default nonce
-length to be longer than 12 bytes may be vulnerable.
-
-CVE-2019-1543
-
-Fixes #8345
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/8406)
-
-(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
----
- crypto/evp/e_chacha20_poly1305.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
-index c1917bb86a6..d3e2c622a1b 100644
---- a/crypto/evp/e_chacha20_poly1305.c
-+++ b/crypto/evp/e_chacha20_poly1305.c
-@@ -30,6 +30,8 @@ typedef struct {
-
- #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
-
-+#define CHACHA20_POLY1305_MAX_IVLEN 12
-+
- static int chacha_init_key(EVP_CIPHER_CTX *ctx,
- const unsigned char user_key[CHACHA_KEY_SIZE],
- const unsigned char iv[CHACHA_CTR_SIZE], int enc)
-@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
- return 1;
-
- case EVP_CTRL_AEAD_SET_IVLEN:
-- if (arg <= 0 || arg > CHACHA_CTR_SIZE)
-+ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
- return 0;
- actx->nonce_len = arg;
- return 1;
diff --git a/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch
deleted file mode 100644
index c1f53c83823..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-Based on openssl-1.1.1-ec-curves.patch.
-
-Updated for OpenSSL change b6d41ff73392df5af9c931c902ae4cd75c5b61ea.
-
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
- static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
- #endif /* OPENSSL_NO_RSA */
-
--#define R_EC_P160 0
--#define R_EC_P192 1
--#define R_EC_P224 2
--#define R_EC_P256 3
--#define R_EC_P384 4
--#define R_EC_P521 5
--#define R_EC_K163 6
--#define R_EC_K233 7
--#define R_EC_K283 8
--#define R_EC_K409 9
--#define R_EC_K571 10
--#define R_EC_B163 11
--#define R_EC_B233 12
--#define R_EC_B283 13
--#define R_EC_B409 14
--#define R_EC_B571 15
--#define R_EC_BRP256R1 16
--#define R_EC_BRP256T1 17
--#define R_EC_BRP384R1 18
--#define R_EC_BRP384T1 19
--#define R_EC_BRP512R1 20
--#define R_EC_BRP512T1 21
--#define R_EC_X25519 22
--#define R_EC_X448 23
-+#define R_EC_P224 0
-+#define R_EC_P256 1
-+#define R_EC_P384 2
-+#define R_EC_P521 3
-+#define R_EC_X25519 4
-+#define R_EC_X448 5
- #ifndef OPENSSL_NO_EC
- static OPT_PAIR ecdsa_choices[] = {
-- {"ecdsap160", R_EC_P160},
-- {"ecdsap192", R_EC_P192},
- {"ecdsap224", R_EC_P224},
- {"ecdsap256", R_EC_P256},
- {"ecdsap384", R_EC_P384},
- {"ecdsap521", R_EC_P521},
-- {"ecdsak163", R_EC_K163},
-- {"ecdsak233", R_EC_K233},
-- {"ecdsak283", R_EC_K283},
-- {"ecdsak409", R_EC_K409},
-- {"ecdsak571", R_EC_K571},
-- {"ecdsab163", R_EC_B163},
-- {"ecdsab233", R_EC_B233},
-- {"ecdsab283", R_EC_B283},
-- {"ecdsab409", R_EC_B409},
-- {"ecdsab571", R_EC_B571},
-- {"ecdsabrp256r1", R_EC_BRP256R1},
-- {"ecdsabrp256t1", R_EC_BRP256T1},
-- {"ecdsabrp384r1", R_EC_BRP384R1},
-- {"ecdsabrp384t1", R_EC_BRP384T1},
-- {"ecdsabrp512r1", R_EC_BRP512R1},
-- {"ecdsabrp512t1", R_EC_BRP512T1}
- };
- # define ECDSA_NUM OSSL_NELEM(ecdsa_choices)
-
- static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */
-
- static const OPT_PAIR ecdh_choices[] = {
-- {"ecdhp160", R_EC_P160},
-- {"ecdhp192", R_EC_P192},
- {"ecdhp224", R_EC_P224},
- {"ecdhp256", R_EC_P256},
- {"ecdhp384", R_EC_P384},
- {"ecdhp521", R_EC_P521},
-- {"ecdhk163", R_EC_K163},
-- {"ecdhk233", R_EC_K233},
-- {"ecdhk283", R_EC_K283},
-- {"ecdhk409", R_EC_K409},
-- {"ecdhk571", R_EC_K571},
-- {"ecdhb163", R_EC_B163},
-- {"ecdhb233", R_EC_B233},
-- {"ecdhb283", R_EC_B283},
-- {"ecdhb409", R_EC_B409},
-- {"ecdhb571", R_EC_B571},
-- {"ecdhbrp256r1", R_EC_BRP256R1},
-- {"ecdhbrp256t1", R_EC_BRP256T1},
-- {"ecdhbrp384r1", R_EC_BRP384R1},
-- {"ecdhbrp384t1", R_EC_BRP384T1},
-- {"ecdhbrp512r1", R_EC_BRP512R1},
-- {"ecdhbrp512t1", R_EC_BRP512T1},
- {"ecdhx25519", R_EC_X25519},
- {"ecdhx448", R_EC_X448}
- };
-@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
- unsigned int bits;
- } test_curves[] = {
- /* Prime Curves */
-- {"secp160r1", NID_secp160r1, 160},
-- {"nistp192", NID_X9_62_prime192v1, 192},
- {"nistp224", NID_secp224r1, 224},
- {"nistp256", NID_X9_62_prime256v1, 256},
- {"nistp384", NID_secp384r1, 384},
- {"nistp521", NID_secp521r1, 521},
-- /* Binary Curves */
-- {"nistk163", NID_sect163k1, 163},
-- {"nistk233", NID_sect233k1, 233},
-- {"nistk283", NID_sect283k1, 283},
-- {"nistk409", NID_sect409k1, 409},
-- {"nistk571", NID_sect571k1, 571},
-- {"nistb163", NID_sect163r2, 163},
-- {"nistb233", NID_sect233r1, 233},
-- {"nistb283", NID_sect283r1, 283},
-- {"nistb409", NID_sect409r1, 409},
-- {"nistb571", NID_sect571r1, 571},
-- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
-- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
-- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
-- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
-- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
-- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
- /* Other and ECDH only ones */
- {"X25519", NID_X25519, 253},
- {"X448", NID_X448, 448}
-@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
- # endif
-
- # ifndef OPENSSL_NO_EC
-- ecdsa_c[R_EC_P160][0] = count / 1000;
-- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
-- for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+ ecdsa_c[R_EC_P224][0] = count / 1000;
-+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
-+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
- ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
- ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
- if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
-@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
- }
- }
- }
-+#if 0
- ecdsa_c[R_EC_K163][0] = count / 1000;
- ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
- for (i = R_EC_K233; i <= R_EC_K571; i++) {
-@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
- }
- }
- }
--
-- ecdh_c[R_EC_P160][0] = count / 1000;
-- for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+#endif
-+ ecdh_c[R_EC_P224][0] = count / 1000;
-+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
- ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
- if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
- ecdh_doit[i] = 0;
-@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
- }
- }
- }
-+#if 0
- ecdh_c[R_EC_K163][0] = count / 1000;
- for (i = R_EC_K233; i <= R_EC_K571; i++) {
- ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
- }
- }
- }
-+#endif
- /* default iteration count for the last two EC Curves */
- ecdh_c[R_EC_X25519][0] = count / 1800;
- ecdh_c[R_EC_X448][0] = count / 7200;
---- a/crypto/ec/ecp_smpl.c
-+++ b/crypto/ec/ecp_smpl.c
-@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group,
- return 0;
- }
-
-+ if (BN_num_bits(p) < 224) {
-+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+ return 0;
-+ }
-+
- if (ctx == NULL) {
- ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
---- a/test/ecdsatest.c
-+++ b/test/ecdsatest.c
-@@ -176,6 +176,7 @@ static int x9_62_tests(void)
- if (!change_rand())
- goto x962_err;
-
-+#if 0
- if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1,
- "3342403536405981729393488334694600415596881826869351677613",
- "5735822328888155254683894997897571951568553642892029982342")))
-@@ -186,6 +187,7 @@ static int x9_62_tests(void)
- "3238135532097973577080787768312505059318910517550078427819"
- "78505179448783")))
- goto x962_err;
-+#endif
-
- # ifndef OPENSSL_NO_EC2M
- if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1,
diff --git a/dev-libs/openssl/openssl-1.1.0j-r1.ebuild b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
deleted file mode 100644
index 165f6d9a050..00000000000
--- a/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
+++ /dev/null
@@ -1,299 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f28'
-FEDORA_GIT_COMMIT="d2ede125556ac99aa0faa7744c703af3f559094e"
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH}&id=${FEDORA_GIT_COMMIT} -> ${P}_${FEDORA_GIT_COMMIT}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH}&id=${FEDORA_GIT_COMMIT} -> ${i%.patch}_${FEDORA_GIT_COMMIT}.patch" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
- "${FILESDIR}"/${PN}-1.1.1b-CVE-2019-1543.patch
-)
-
-src_prepare() {
- if use bindist; then
- # we need to patch the patch but we cannot patch in DISTDIR...
- mkdir "${WORKDIR}"/fedora_patches || die
- for i in "${FEDORA_PATCH[@]}" ; do
- cp "${DISTDIR}"/"${i%.patch}_${FEDORA_GIT_COMMIT}.patch" "${WORKDIR}"/fedora_patches || die
- done
-
- # now patch the path, due to OpenSSL change cb193560e0da17a41b40ce574a2349f1d4d59ed1
- sed -i -e 's#test/evptests.txt#test/recipes/30-test_evp_data/evppkey.txt#g' \
- "${WORKDIR}"/fedora_patches/openssl-1.1.0-build_d2ede125556ac99aa0faa7744c703af3f559094e.patch || \
- die
-
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${FEDORA_GIT_COMMIT}_${i}" "${WORKDIR}"/"${i}" || die
- done
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
- for i in "${FEDORA_PATCH[@]}" ; do
- #eapply "${DISTDIR}"/"${i%.patch}_${FEDORA_GIT_COMMIT}.patch"
- eapply "${WORKDIR}/fedora_patches/${i%.patch}_${FEDORA_GIT_COMMIT}.patch"
- done
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
-
- fi
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- eapply "${PATCHES[@]}"
- fi
-
- eapply_user #332661
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # show the actual commands in the log
- sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- # Fix quoting for sed
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- -e 's:\\:\\\\:g' \
- )
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- emake DESTDIR="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED%/}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED%/}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
diff --git a/dev-libs/openssl/openssl-1.1.1b-r2.ebuild b/dev-libs/openssl/openssl-1.1.1b-r2.ebuild
deleted file mode 100644
index 09f5e991cf9..00000000000
--- a/dev-libs/openssl/openssl-1.1.1b-r2.ebuild
+++ /dev/null
@@ -1,299 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
- "${FILESDIR}"/${P}-CVE-2019-1543.patch
-)
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
-for i in "${FEDORA_SOURCE[@]}" ; do
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
- FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- # This just removes the prefix, and puts it into WORKDIR like the RPM.
- for i in "${FEDORA_SOURCE[@]}" ; do
- cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
- done
-
- # .spec %prep
- bash "${WORKDIR}"/"${SOURCE1}" || die
- cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
- for i in "${FEDORA_PATCH[@]}" ; do
- if [[ "${i}" == "${PATCH37}" ]] ; then
- # apply our own for OpenSSL 1.1.1b adjusted version of this patch
- eapply "${FILESDIR}"/openssl-1.1.1b-ec-curves-patch.patch
- else
- eapply "${DISTDIR}"/"${i}"
- fi
- done
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
-
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
- fi
-
- eapply_user #332661
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX%/}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX%/}"/usr \
- --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- # Fix quoting for sed
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:-fomit-frame-pointer ::g' \
- -e 's:-O[0-9] ::g' \
- -e 's:-march=[-a-z0-9]* ::g' \
- -e 's:-mcpu=[-a-z0-9]* ::g' \
- -e 's:-m[a-z0-9]* ::g' \
- -e 's:\\:\\\\:g' \
- )
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED%/}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED%/}"/usr || die
- fi
-
- emake DESTDIR="${D%/}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED%/}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED%/}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2019-10-04 15:48 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2019-10-04 15:48 UTC (permalink / raw
To: gentoo-commits
commit: 584cf074dc8ef5f6aabf3130e5d590c5a331d7a8
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 4 13:43:28 2019 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Oct 4 15:48:14 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=584cf074
dev-libs/openssl: fix USE=zlib
Closes: https://bugs.gentoo.org/696166
Package-Manager: Portage-2.3.76, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
.../openssl/files/openssl-1.1.1d-fix-zlib.patch | 52 ++++++++++++++++++++++
...nssl-1.1.1d.ebuild => openssl-1.1.1d-r1.ebuild} | 1 +
2 files changed, 53 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch b/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch
new file mode 100644
index 00000000000..5d2f923a487
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch
@@ -0,0 +1,52 @@
+From 86ed78676c660b553696cc10c682962522dfeb6c Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 12 Sep 2019 12:27:36 +0200
+Subject: [PATCH] BIO_f_zlib: Properly handle BIO_CTRL_PENDING and
+ BIO_CTRL_WPENDING calls.
+
+There can be data to write in output buffer and data to read that were
+not yet read in the input stream.
+
+Fixes #9866
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/9877)
+
+(cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95)
+---
+ crypto/comp/c_zlib.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
+index d688deee5f2..7c1be358fd7 100644
+--- a/crypto/comp/c_zlib.c
++++ b/crypto/comp/c_zlib.c
+@@ -598,6 +598,28 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
+ BIO_copy_next_retry(b);
+ break;
+
++ case BIO_CTRL_WPENDING:
++ if (ctx->obuf == NULL)
++ return 0;
++
++ if (ctx->odone) {
++ ret = ctx->ocount;
++ } else {
++ ret = ctx->ocount;
++ if (ret == 0)
++ /* Unknown amount pending but we are not finished */
++ ret = 1;
++ }
++ if (ret == 0)
++ ret = BIO_ctrl(next, cmd, num, ptr);
++ break;
++
++ case BIO_CTRL_PENDING:
++ ret = ctx->zin.avail_in;
++ if (ret == 0)
++ ret = BIO_ctrl(next, cmd, num, ptr);
++ break;
++
+ default:
+ ret = BIO_ctrl(next, cmd, num, ptr);
+ break;
diff --git a/dev-libs/openssl/openssl-1.1.1d.ebuild b/dev-libs/openssl/openssl-1.1.1d-r1.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.1d.ebuild
rename to dev-libs/openssl/openssl-1.1.1d-r1.ebuild
index dfb4be45e23..b9fd0c73a62 100644
--- a/dev-libs/openssl/openssl-1.1.1d.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1d-r1.ebuild
@@ -45,6 +45,7 @@ PDEPEND="app-misc/ca-certificates"
PATCHES=(
"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+ "${FILESDIR}"/${P}-fix-zlib.patch
)
S="${WORKDIR}/${MY_P}"
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2019-10-04 15:48 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2019-10-04 15:48 UTC (permalink / raw
To: gentoo-commits
commit: b76774f393a90f6a74371864ec4850f176373b4c
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 4 14:04:47 2019 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Oct 4 15:48:15 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b76774f3
dev-libs/openssl: fix mem leaks with BN_to_ASN1_INTEGER
Package-Manager: Portage-2.3.76, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
...x-potential-memleaks-w-BN_to_ASN1_INTEGER.patch | 107 +++++++++++++++++++++
dev-libs/openssl/openssl-1.1.1d-r1.ebuild | 1 +
2 files changed, 108 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch b/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
new file mode 100644
index 00000000000..1f195d0384c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
@@ -0,0 +1,107 @@
+From 515c728dbaa92211d2eafb0041ab9fcd258fdc41 Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Mon, 9 Sep 2019 19:12:25 +0200
+Subject: [PATCH] Fix potential memory leaks with BN_to_ASN1_INTEGER
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/9833)
+
+(cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09)
+---
+ crypto/ec/ec_asn1.c | 7 +++++--
+ crypto/x509v3/v3_asid.c | 26 ++++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
+index 1ce1181fc10..7cbf8de9813 100644
+--- a/crypto/ec/ec_asn1.c
++++ b/crypto/ec/ec_asn1.c
+@@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
+ unsigned char *buffer = NULL;
+ const EC_POINT *point = NULL;
+ point_conversion_form_t form;
++ ASN1_INTEGER *orig;
+
+ if (params == NULL) {
+ if ((ret = ECPARAMETERS_new()) == NULL) {
+@@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
+ ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
+ goto err;
+ }
+- ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
++ ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
+ if (ret->order == NULL) {
++ ret->order = orig;
+ ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
+ goto err;
+ }
+@@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
+ /* set the cofactor (optional) */
+ tmp = EC_GROUP_get0_cofactor(group);
+ if (tmp != NULL) {
+- ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
++ ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
+ if (ret->cofactor == NULL) {
++ ret->cofactor = orig;
+ ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
+ goto err;
+ }
+diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
+index 089f2ae29f0..ef2d64826fb 100644
+--- a/crypto/x509v3/v3_asid.c
++++ b/crypto/x509v3/v3_asid.c
+@@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor,
+ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
+ {
+ ASN1_INTEGER *a_max_plus_one = NULL;
++ ASN1_INTEGER *orig;
+ BIGNUM *bn = NULL;
+ int i, ret = 0;
+
+@@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
+ */
+ if ((bn == NULL && (bn = BN_new()) == NULL) ||
+ ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
+- !BN_add_word(bn, 1) ||
+- (a_max_plus_one =
+- BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
++ !BN_add_word(bn, 1)) {
++ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
++ ERR_R_MALLOC_FAILURE);
++ goto done;
++ }
++
++ if ((a_max_plus_one =
++ BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
++ a_max_plus_one = orig;
+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
+ ERR_R_MALLOC_FAILURE);
+ goto done;
+@@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid)
+ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
+ {
+ ASN1_INTEGER *a_max_plus_one = NULL;
++ ASN1_INTEGER *orig;
+ BIGNUM *bn = NULL;
+ int i, ret = 0;
+
+@@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
+ */
+ if ((bn == NULL && (bn = BN_new()) == NULL) ||
+ ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
+- !BN_add_word(bn, 1) ||
+- (a_max_plus_one =
+- BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
++ !BN_add_word(bn, 1)) {
++ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
++ ERR_R_MALLOC_FAILURE);
++ goto done;
++ }
++
++ if ((a_max_plus_one =
++ BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
++ a_max_plus_one = orig;
+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
+ ERR_R_MALLOC_FAILURE);
+ goto done;
diff --git a/dev-libs/openssl/openssl-1.1.1d-r1.ebuild b/dev-libs/openssl/openssl-1.1.1d-r1.ebuild
index b9fd0c73a62..db1ec434fd7 100644
--- a/dev-libs/openssl/openssl-1.1.1d-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1d-r1.ebuild
@@ -46,6 +46,7 @@ PDEPEND="app-misc/ca-certificates"
PATCHES=(
"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
"${FILESDIR}"/${P}-fix-zlib.patch
+ "${FILESDIR}"/${P}-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
)
S="${WORKDIR}/${MY_P}"
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2019-11-25 0:13 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2019-11-25 0:13 UTC (permalink / raw
To: gentoo-commits
commit: 5303fe62cef99c176381cd4788984b1b4f3e2ad7
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 25 00:07:51 2019 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Nov 25 00:08:24 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5303fe62
dev-libs/openssl: reenable the stitched AES-CBC-HMAC-SHA implementations
Package-Manager: Portage-2.3.79, Repoman-2.3.18
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
...stitched-AES-CBC-HMAC-SHA-implementations.patch | 62 ++++
dev-libs/openssl/openssl-1.1.1d-r3.ebuild | 331 +++++++++++++++++++++
2 files changed, 393 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.1d-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch b/dev-libs/openssl/files/openssl-1.1.1d-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
new file mode 100644
index 00000000000..dc8fe7146b7
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1d-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
@@ -0,0 +1,62 @@
+From 61cc715240d2d3f9511ca88043a3e9797c11482f Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Thu, 3 Oct 2019 08:28:31 +0200
+Subject: [PATCH] Define AESNI_ASM if AESNI assembler is included, and use it
+
+Because we have cases where basic assembler support isn't present, but
+AESNI asssembler support is, we need a separate macro that indicates
+that, and use it.
+
+Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/10080)
+---
+ Configure | 1 +
+ crypto/evp/e_aes_cbc_hmac_sha1.c | 2 +-
+ crypto/evp/e_aes_cbc_hmac_sha256.c | 4 ++--
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Configure b/Configure
+index 811bee81f54..f498ac2f81b 100755
+--- a/Configure
++++ b/Configure
+@@ -1376,6 +1376,7 @@ unless ($disabled{asm}) {
+ }
+ if ($target{aes_asm_src}) {
+ push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);;
++ push @{$config{lib_defines}}, "AESNI_ASM" if ($target{aes_asm_src} =~ m/\baesni-/);;
+ # aes-ctr.fake is not a real file, only indication that assembler
+ # module implements AES_ctr32_encrypt...
+ push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//);
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index c9f5969162c..27c36b46e7a 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -33,7 +33,7 @@ typedef struct {
+
+ #define NO_PAYLOAD_LENGTH ((size_t)-1)
+
+-#if defined(AES_ASM) && ( \
++#if defined(AESNI_ASM) && ( \
+ defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64) )
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c
+index d5178313ae3..cc622b6faa8 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha256.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha256.c
+@@ -34,7 +34,7 @@ typedef struct {
+
+ # define NO_PAYLOAD_LENGTH ((size_t)-1)
+
+-#if defined(AES_ASM) && ( \
++#if defined(AESNI_ASM) && ( \
+ defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64) )
+
+@@ -947,4 +947,4 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha256(void)
+ {
+ return NULL;
+ }
+-#endif
++#endif /* AESNI_ASM */
diff --git a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
new file mode 100644
index 00000000000..977c384a375
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
@@ -0,0 +1,331 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+
+# This patch set is based on the following files from Fedora 31,
+# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
+# for more details:
+# - hobble-openssl (SOURCE1)
+# - ec_curve.c (SOURCE12) -- MODIFIED
+# - ectest.c (SOURCE13)
+# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
+BINDIST_PATCH_SET="openssl-1.1.1d-bindist-1.0.tar.xz"
+
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+ bindist? (
+ mirror://gentoo/${BINDIST_PATCH_SET}
+ https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
+ )"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+[[ "${PV}" = *_pre* ]] || \
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ )"
+PDEPEND="app-misc/ca-certificates"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+ "${FILESDIR}"/${P}-fix-zlib.patch
+ "${FILESDIR}"/${P}-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
+ "${FILESDIR}"/${P}-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
+)
+
+S="${WORKDIR}/${MY_P}"
+
+# force upgrade to prevent broken login, bug 696950
+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+pkg_setup() {
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl don't work with userpriv!
+ if has test ${FEATURES}; then
+ if use sctp; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" || ${sctp_auth_status} != 1 ]]; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+ fi
+}
+
+src_prepare() {
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+ chmod a+rx gentoo.config || die
+
+ if use bindist; then
+ mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
+ bash "${WORKDIR}"/hobble-openssl || die
+
+ cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
+ cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
+
+ eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
+
+ local known_failing_test
+ for known_failing_test in \
+ 30-test_evp_extra.t \
+ 80-test_ssl_new.t \
+ ; do
+ ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
+ rm test/recipes/${known_failing_test} || die
+ eend $?
+ done
+
+ # Also see the configure parts below:
+ # enable-ec \
+ # $(use_ssl !bindist ec2m) \
+ fi
+
+ # keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
+ [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
+ fi
+ fi
+
+ eapply_user #332661
+
+ if has test ${FEATURES}; then
+ if use sctp; then
+ if has network-sandbox ${FEATURES}; then
+ ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
+ rm test/recipes/80-test_ssl_new.t || die
+ eend $?
+ fi
+ fi
+ fi
+
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ # Make DOCDIR Gentoo compliant
+ sed -i \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+ Configurations/unix-Makefile.tmpl \
+ || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ append-flags -fno-strict-aliasing
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ # Prefixify Configure shebang (#141906)
+ sed \
+ -e "1s,/usr/bin/env,${EPREFIX}&," \
+ -i Configure || die
+ # Remove test target when FEATURES=test isn't set
+ if ! use test ; then
+ sed \
+ -e '/^$config{dirs}/s@ "test",@@' \
+ -i Configure || die
+ fi
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+ unset CROSS_COMPILE #311473
+
+ tc-export CC AR RANLIB RC
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
+ # RC5: Expired https://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths. #460790
+ local ec_nistp_64_gcc_128
+ # Disable it for now though #469976
+ #if ! use bindist ; then
+ # echo "__uint128_t i;" > "${T}"/128.c
+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ # fi
+ #fi
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ # Fedora hobbled-EC needs 'no-ec2m'
+ # 'srp' was restricted until early 2017 as well.
+ # "disable-deprecated" option breaks too many consumers.
+ # Don't set it without thorough revdeps testing.
+ # Make sure user flags don't get added *yet* to avoid duplicated
+ # flags.
+ CFLAGS= LDFLAGS= echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ enable-ec \
+ $(use_ssl !bindist ec2m) \
+ enable-srp \
+ $(use elibc_musl && echo "no-async") \
+ ${ec_nistp_64_gcc_128} \
+ enable-idea \
+ enable-mdc2 \
+ enable-rc5 \
+ $(use_ssl sslv3 ssl3) \
+ $(use_ssl sslv3 ssl3-method) \
+ $(use_ssl asm) \
+ $(use_ssl rfc3779) \
+ $(use_ssl sctp) \
+ $(use_ssl tls-heartbeat heartbeats) \
+ $(use_ssl zlib) \
+ --prefix="${EPREFIX}"/usr \
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+ --libdir=$(get_libdir) \
+ shared threads \
+ || die
+
+ # Clean out hardcoded flags that openssl uses
+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAGS=::' \
+ -e 's:\(^\| \)-fomit-frame-pointer::g' \
+ -e 's:\(^\| \)-O[^ ]*::g' \
+ -e 's:\(^\| \)-march=[^ ]*::g' \
+ -e 's:\(^\| \)-mcpu=[^ ]*::g' \
+ -e 's:\(^\| \)-m[^ ]*::g' \
+ -e 's:^ *::' \
+ -e 's: *$::' \
+ -e 's: \+: :g' \
+ -e 's:\\:\\\\:g'
+ )
+
+ # Now insert clean default flags with user flags
+ sed -i \
+ -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+ -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts; it also doesn't matter
+ # that it's -j1 as the code itself serializes subdirs
+ emake -j1 depend
+ emake all
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ # We need to create $ED/usr on our own to avoid a race condition #665130
+ if [[ ! -d "${ED}/usr" ]]; then
+ # We can only create this directory once
+ mkdir "${ED}"/usr || die
+ fi
+
+ emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+ # create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${ED}"/usr/share/man || die
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ # We don't want to "|| die" here
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2020-12-17 16:23 Andreas K. Hüttel
0 siblings, 0 replies; 36+ messages in thread
From: Andreas K. Hüttel @ 2020-12-17 16:23 UTC (permalink / raw
To: gentoo-commits
commit: 34632a44997f4c5bf63392dac2017f2f51e56bdc
Author: Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 17 16:22:29 2020 +0000
Commit: Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 16:23:11 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34632a44
dev-libs/openssl: Fix build on riscv32
Patch is backport from openssl master; ack'ed by Whissi
Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>
.../openssl/files/openssl-1.1.1i-riscv32.patch | 61 ++++++++++++++++++++++
dev-libs/openssl/openssl-1.1.1i.ebuild | 1 +
2 files changed, 62 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch b/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch
new file mode 100644
index 00000000000..c94b0323eb4
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch
@@ -0,0 +1,61 @@
+From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Thu, 29 Aug 2019 13:56:21 -0700
+Subject: [PATCH] Add support for io_pgetevents_time64 syscall
+
+32-bit architectures that are y2038 safe don't include syscalls that use
+32-bit time_t. Instead these architectures have suffixed syscalls that
+always use a 64-bit time_t. In the case of the io_getevents syscall the
+syscall has been replaced with the io_pgetevents_time64 syscall instead.
+
+This patch changes the io_getevents() function to use the correct
+syscall based on the avaliable syscalls and the time_t size. We will
+only use the new 64-bit time_t syscall if the architecture is using a
+64-bit time_t. This is to avoid having to deal with 32/64-bit
+conversions and relying on a 64-bit timespec struct on 32-bit time_t
+platforms. As of Linux 5.3 there are no 32-bit time_t architectures
+without __NR_io_getevents. In the future if a 32-bit time_t architecture
+wants to use the 64-bit syscalls we can handle the conversion.
+
+This fixes build failures on 32-bit RISC-V.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9819)
+---
+ engines/e_afalg.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/engines/e_afalg.c b/engines/e_afalg.c
+index dacbe358cb..99516cb1bb 100644
+--- a/engines/e_afalg.c
++++ b/engines/e_afalg.c
+@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
+ struct io_event *events,
+ struct timespec *timeout)
+ {
++#if defined(__NR_io_getevents)
+ return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
++#elif defined(__NR_io_pgetevents_time64)
++ /* Let's only support the 64 suffix syscalls for 64-bit time_t.
++ * This simplifies the code for us as we don't need to use a 64-bit
++ * version of timespec with a 32-bit time_t and handle converting
++ * between 64-bit and 32-bit times and check for overflows.
++ */
++ if (sizeof(timeout->tv_sec) == 8)
++ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
++ else {
++ errno = ENOSYS;
++ return -1;
++ }
++#else
++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
++#endif
+ }
+
+ static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
+--
+2.26.2
+
diff --git a/dev-libs/openssl/openssl-1.1.1i.ebuild b/dev-libs/openssl/openssl-1.1.1i.ebuild
index 7d5fc56e026..6c86f655c99 100644
--- a/dev-libs/openssl/openssl-1.1.1i.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1i.ebuild
@@ -47,6 +47,7 @@ PDEPEND="app-misc/ca-certificates"
PATCHES=(
"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+ "${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
)
S="${WORKDIR}/${MY_P}"
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2020-12-22 22:44 Thomas Deutschmann
0 siblings, 0 replies; 36+ messages in thread
From: Thomas Deutschmann @ 2020-12-22 22:44 UTC (permalink / raw
To: gentoo-commits
commit: 36f38e537df50b879d2fe851801e104989b482a7
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 22 22:44:06 2020 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Dec 22 22:44:06 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36f38e53
dev-libs/openssl: security cleanup (bug #759079)
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
dev-libs/openssl/Manifest | 5 -
.../files/openssl-1.1.0k-fix-test_fuzz.patch | 19 --
.../openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch | 30 --
dev-libs/openssl/openssl-1.1.0l.ebuild | 306 -------------------
dev-libs/openssl/openssl-1.1.1g.ebuild | 324 ---------------------
dev-libs/openssl/openssl-1.1.1h.ebuild | 324 ---------------------
6 files changed, 1008 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 49b73ef3c56..a7dabaf27ae 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,10 +1,5 @@
DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
-DIST openssl-1.1.0l-bindist-1.0.tar.xz 13184 BLAKE2B c09e023458faff17b10d6f20c28462c0851757a20d59b4b751220ab307324d5778252df112ad74fd319407cc75fdd1cd507d48058dd0234dc8c03020c882ed42 SHA512 39720ecee3ec6080c1416f2fb7c9246b89ee55b21be2baabad51eb6823dbe1559450b1ae92fa61ac1cf5ba04ac8c02438aa469bc65eae6905cf1ea486f270793
-DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7 SHA512 81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad
-DIST openssl-1.1.1e-bindist-1.0.tar.xz 16948 BLAKE2B 78e034f1d263cbf5e57c92393f72acd07e86e39a5511a8852bad151371430954e07d787fd82cca55b373d1579bb22b9d29c9d677104ed68291a9d2dffe3ffbbb SHA512 0dbfb378b8f2724db82915e17fd4e43977e3e45030db25cdb9241c0ab842e41ef3d597ef71c4db5103635752dc2059ea6022597511a440f55fb56a5a52d3ccea
-DIST openssl-1.1.1g.tar.gz 9801502 BLAKE2B 5e3dd4725ff89b959a5436d64b521317c6ffeb377418cc24c6d1927fab923423cb5f5fce2f9c2cdee597041c7be156d09668a5fd13dc6ff06d235a83db94cf19 SHA512 01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab
-DIST openssl-1.1.1h.tar.gz 9810045 BLAKE2B ac9ba6fb0c4da0a761e8655b6907634365ddb114216acfcfc981e13c211577b6bd23ea8d2ad0999c0960b039f5d3dead5733e6dc07c5231ab953307a9015cd36 SHA512 da50fd99325841ed7a4367d9251c771ce505a443a73b327d8a46b2c6a7d2ea99e43551a164efc86f8743b22c2bdb0020bf24a9cbd445e9d68868b2dc1d34033a
DIST openssl-1.1.1i-bindist-1.0.tar.xz 18124 BLAKE2B bcbce700676d1d61498ac98281b7ad06f9970d91afa6bfb2c259ab7462b2554be79a1c06759bc7aaeca9948c2f5276bac2c4f42dbc6822669f863444b9913ccd SHA512 1dbb81bcb4cf7e634bb363c7e2bb2590a1fe3fcb6c3b5e377cac3c5241abd116c2a89c516be8e5fd1799ab64375a58052a4df944eeadc87b0b7785da710906d8
DIST openssl-1.1.1i.tar.gz 9808346 BLAKE2B ca98bab08e1874134da113dd0bda0583c133c7dce5b739f9601641ed2cf97894e5e13d901f0db9367aa5d7b78c552ac598aa0a3c2a3f0a438daae044e29f58d6 SHA512 fe12e0ab9e1688f24dd862ac633d0ab703b499c0f34b53c3560aa0d3879d81d647aa0678ed517dda5efb2711f669fcb1a1e0e24f6eac2efc2cf4eae6b62014d8
diff --git a/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
deleted file mode 100644
index 2c4cc31257c..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Test fuzz was forgotten when
-
- Perl: Use our own globbing wrapper rather than File::Glob::glob
-
-was backported to openssl-1.1.0 branch.
-
-Link: https://github.com/openssl/openssl/commit/b81cfa07ada850fd287d0a0c82ba280907f18ce7
-
---- a/test/recipes/90-test_fuzz.t
-+++ b/test/recipes/90-test_fuzz.t
-@@ -9,7 +9,7 @@
- use strict;
- use warnings;
-
--use if $^O ne "VMS", 'File::Glob' => qw/glob/;
-+use OpenSSL::Glob;
- use OpenSSL::Test qw/:DEFAULT srctop_file/;
- use OpenSSL::Test::Utils;
-
diff --git a/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
deleted file mode 100644
index 35a435df28b..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From bcf6a94c4bc912ad313ea21abdf7e83bbae450e5 Mon Sep 17 00:00:00 2001
-From: Nicola Tuveri <nic.tuv@gmail.com>
-Date: Thu, 12 Sep 2019 01:57:47 +0300
-Subject: [PATCH] Fix no-ec2m in ec_curve.c (1.1.0)
-
-I made a mistake in d4a5dac9f9242c580fb9d0a4389440eccd3494a7 and
-inverted the GF2m and GFp calls in ec_point_get_affine_coordinates, this
-fixes it.
----
- crypto/ec/ec_curve.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
-index 2d28d7f70bb..6a58b3a23e0 100644
---- a/crypto/ec/ec_curve.c
-+++ b/crypto/ec/ec_curve.c
-@@ -3200,11 +3200,11 @@ int ec_point_get_affine_coordinates(const EC_GROUP *group,
-
- #ifndef OPENSSL_NO_EC2M
- if (field_nid == NID_X9_62_characteristic_two_field) {
-- return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
-+ return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
- } else
- #endif /* !def(OPENSSL_NO_EC2M) */
- if (field_nid == NID_X9_62_prime_field) {
-- return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
-+ return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
- } else {
- /* this should never happen */
- return 0;
diff --git a/dev-libs/openssl/openssl-1.1.0l.ebuild b/dev-libs/openssl/openssl-1.1.0l.ebuild
deleted file mode 100644
index 7e8ec91525c..00000000000
--- a/dev-libs/openssl/openssl-1.1.0l.ebuild
+++ /dev/null
@@ -1,306 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-
-# This patch set is based on the following files from Fedora 28,
-# see https://src.fedoraproject.org/rpms/openssl/blob/f28/f/openssl.spec
-# for more details:
-# - hobble-openssl (SOURCE1)
-# - ec_curve.c (SOURCE12) -- MODIFIED
-# - ectest.c (SOURCE13)
-# - openssl-1.1.0-ec-curves.patch (PATCH37) -- MODIFIED
-BINDIST_PATCH_SET="openssl-1.1.0l-bindist-1.0.tar.xz"
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
- bindist? (
- mirror://gentoo/${BINDIST_PATCH_SET}
- https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
- )"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )
- !test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- )"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
- "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
- "${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch
-)
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
- if use bindist; then
- mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
- bash "${WORKDIR}"/hobble-openssl || die
-
- cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
-
- eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
-
- local known_failing_test
- for known_failing_test in \
- 30-test_evp_extra.t \
- 80-test_ssl_new.t \
- ; do
- ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
- rm test/recipes/${known_failing_test} || die
- eend $?
- done
-
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
-
- use bindist || eapply "${FILESDIR}"/${PN}-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
- fi
-
- eapply_user #332661
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # show the actual commands in the log
- sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- # Make sure user flags don't get added *yet* to avoid duplicated
- # flags.
- CFLAGS= LDFLAGS= echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:\(^\| \)-fomit-frame-pointer::g' \
- -e 's:\(^\| \)-O[^ ]*::g' \
- -e 's:\(^\| \)-march=[^ ]*::g' \
- -e 's:\(^\| \)-mcpu=[^ ]*::g' \
- -e 's:\(^\| \)-m[^ ]*::g' \
- -e 's:^ *::' \
- -e 's: *$::' \
- -e 's: \+: :g' \
- -e 's:\\:\\\\:g'
- )
-
- # Now insert clean default flags with user flags
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED}"/usr || die
- fi
-
- emake DESTDIR="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
diff --git a/dev-libs/openssl/openssl-1.1.1g.ebuild b/dev-libs/openssl/openssl-1.1.1g.ebuild
deleted file mode 100644
index 7a3f675be54..00000000000
--- a/dev-libs/openssl/openssl-1.1.1g.ebuild
+++ /dev/null
@@ -1,324 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-
-# This patch set is based on the following files from Fedora 31,
-# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
-# for more details:
-# - hobble-openssl (SOURCE1)
-# - ec_curve.c (SOURCE12) -- MODIFIED
-# - ectest.c (SOURCE13)
-# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
-BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz"
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
- bindist? (
- mirror://gentoo/${BINDIST_PATCH_SET}
- https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
- )"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )
- !test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- sys-process/procps
- )"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-)
-
-S="${WORKDIR}/${MY_P}"
-
-# force upgrade to prevent broken login, bug 696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-pkg_setup() {
- [[ ${MERGE_TYPE} == binary ]] && return
-
- # must check in pkg_setup; sysctl don't work with userpriv!
- if has test ${FEATURES} && use sctp; then
- # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
- # if sctp.auth_enable is not enabled.
- local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
- if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
- die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
- fi
- fi
-}
-
-src_prepare() {
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- if use bindist; then
- mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
- bash "${WORKDIR}"/hobble-openssl || die
-
- cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
-
- eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
-
- local known_failing_test
- for known_failing_test in \
- 30-test_evp_extra.t \
- 80-test_ssl_new.t \
- ; do
- ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
- rm test/recipes/${known_failing_test} || die
- eend $?
- done
-
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
- fi
-
- eapply_user #332661
-
- if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
- ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
- rm test/recipes/80-test_ssl_new.t || die
- eend $?
- fi
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- # Make sure user flags don't get added *yet* to avoid duplicated
- # flags.
- CFLAGS= LDFLAGS= echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:\(^\| \)-fomit-frame-pointer::g' \
- -e 's:\(^\| \)-O[^ ]*::g' \
- -e 's:\(^\| \)-march=[^ ]*::g' \
- -e 's:\(^\| \)-mcpu=[^ ]*::g' \
- -e 's:\(^\| \)-m[^ ]*::g' \
- -e 's:^ *::' \
- -e 's: *$::' \
- -e 's: \+: :g' \
- -e 's:\\:\\\\:g'
- )
-
- # Now insert clean default flags with user flags
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED}"/usr || die
- fi
-
- emake DESTDIR="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
diff --git a/dev-libs/openssl/openssl-1.1.1h.ebuild b/dev-libs/openssl/openssl-1.1.1h.ebuild
deleted file mode 100644
index ccc0cbc5d58..00000000000
--- a/dev-libs/openssl/openssl-1.1.1h.ebuild
+++ /dev/null
@@ -1,324 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-
-# This patch set is based on the following files from Fedora 31,
-# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
-# for more details:
-# - hobble-openssl (SOURCE1)
-# - ec_curve.c (SOURCE12) -- MODIFIED
-# - ectest.c (SOURCE13)
-# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
-BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz"
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
- bindist? (
- mirror://gentoo/${BINDIST_PATCH_SET}
- https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
- )"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )
- !test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- sys-process/procps
- )"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-)
-
-S="${WORKDIR}/${MY_P}"
-
-# force upgrade to prevent broken login, bug 696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-pkg_setup() {
- [[ ${MERGE_TYPE} == binary ]] && return
-
- # must check in pkg_setup; sysctl don't work with userpriv!
- if has test ${FEATURES} && use sctp; then
- # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
- # if sctp.auth_enable is not enabled.
- local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
- if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
- die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
- fi
- fi
-}
-
-src_prepare() {
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- if use bindist; then
- mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
- bash "${WORKDIR}"/hobble-openssl || die
-
- cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
-
- eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
-
- local known_failing_test
- for known_failing_test in \
- 30-test_evp_extra.t \
- 80-test_ssl_new.t \
- ; do
- ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
- rm test/recipes/${known_failing_test} || die
- eend $?
- done
-
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
- fi
-
- eapply_user #332661
-
- if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
- ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
- rm test/recipes/80-test_ssl_new.t || die
- eend $?
- fi
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- # Make sure user flags don't get added *yet* to avoid duplicated
- # flags.
- CFLAGS= LDFLAGS= echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:\(^\| \)-fomit-frame-pointer::g' \
- -e 's:\(^\| \)-O[^ ]*::g' \
- -e 's:\(^\| \)-march=[^ ]*::g' \
- -e 's:\(^\| \)-mcpu=[^ ]*::g' \
- -e 's:\(^\| \)-m[^ ]*::g' \
- -e 's:^ *::' \
- -e 's: *$::' \
- -e 's: \+: :g' \
- -e 's:\\:\\\\:g'
- )
-
- # Now insert clean default flags with user flags
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED}"/usr || die
- fi
-
- emake DESTDIR="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2022-12-18 2:11 Andreas K. Hüttel
0 siblings, 0 replies; 36+ messages in thread
From: Andreas K. Hüttel @ 2022-12-18 2:11 UTC (permalink / raw
To: gentoo-commits
commit: a5fc0ef26bfb1d767e4a0479e9b477c0bed6f166
Author: Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 18 02:11:09 2022 +0000
Commit: Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Sun Dec 18 02:11:25 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5fc0ef2
dev-libs/openssl: keyword 3.0.7-r2 for ~riscv
Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>
dev-libs/openssl/files/gentoo.config-1.0.4 | 2 +-
dev-libs/openssl/openssl-3.0.7-r2.ebuild | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index 98f8d1af64ac..bc9e5b7aa80c 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -110,7 +110,7 @@ linux)
powerpc*le*) machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;;
riscv32*) machine="generic32 -DL_ENDIAN";;
- riscv64*) machine="generic64 -DL_ENDIAN";;
+ riscv64*) machine="riscv64 -DL_ENDIAN" system=linux64;;
# sh64*) machine=elf;;
sh*b*) machine="generic32 -DB_ENDIAN";;
sh*) machine="generic32 -DL_ENDIAN";;
diff --git a/dev-libs/openssl/openssl-3.0.7-r2.ebuild b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
index 1bb9088f7ed1..6c4fc5d5cb57 100644
--- a/dev-libs/openssl/openssl-3.0.7-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
@@ -19,7 +19,7 @@ else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
- KEYWORDS="~alpha ~amd64 ~arm64 ~loong ~m68k ~mips"
+ KEYWORDS="~alpha ~amd64 ~arm64 ~loong ~m68k ~mips ~riscv"
fi
S="${WORKDIR}"/${MY_P}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2022-12-18 5:00 Andreas K. Hüttel
0 siblings, 0 replies; 36+ messages in thread
From: Andreas K. Hüttel @ 2022-12-18 5:00 UTC (permalink / raw
To: gentoo-commits
commit: daa9c13faa905a3e1c6c76c11a8263ba08fbb211
Author: Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 18 04:59:37 2022 +0000
Commit: Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Sun Dec 18 04:59:53 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=daa9c13f
dev-libs/openssl: keyword 3.0.7-r2 for ~x86
Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>
dev-libs/openssl/files/gentoo.config-1.0.4 | 2 +-
dev-libs/openssl/openssl-3.0.7-r2.ebuild | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index bc9e5b7aa80c..573a97de3543 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -95,7 +95,7 @@ linux)
# hppa64*) machine=parisc64;;
hppa*) machine="generic32 -DB_ENDIAN";;
i[0-9]86*|\
- x86_64*:x86) machine=elf;;
+ x86_64*:x86) machine=x86;;
ia64*) machine=ia64;;
loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
m68*) machine="latomic -DB_ENDIAN";;
diff --git a/dev-libs/openssl/openssl-3.0.7-r2.ebuild b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
index 35089e6f56f5..82448a37129b 100644
--- a/dev-libs/openssl/openssl-3.0.7-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
@@ -19,7 +19,7 @@ else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
- KEYWORDS="~alpha ~amd64 ~arm64 ~ia64 ~loong ~m68k ~mips ~riscv ~s390"
+ KEYWORDS="~alpha ~amd64 ~arm64 ~ia64 ~loong ~m68k ~mips ~riscv ~s390 ~x86"
fi
S="${WORKDIR}"/${MY_P}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2023-03-22 23:00 Patrick McLean
0 siblings, 0 replies; 36+ messages in thread
From: Patrick McLean @ 2023-03-22 23:00 UTC (permalink / raw
To: gentoo-commits
commit: ee408a386b32af4b3006d0d03724607f28e76cd8
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 22 22:57:52 2023 +0000
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Wed Mar 22 22:59:40 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee408a38
dev-libs/openssl: Bump to 1.1.1t-r2, add patch for CVE-2023-0464
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
.../files/openssl-1.1.1t-CVE-2023-0464.patch | 215 +++++++++++++++++
dev-libs/openssl/openssl-1.1.1t-r2.ebuild | 267 +++++++++++++++++++++
2 files changed, 482 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch
new file mode 100644
index 000000000000..950e6572cd28
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch
@@ -0,0 +1,215 @@
+commit 879f7080d7e141f415c79eaa3a8ac4a3dad0348b
+Author: Pauli <pauli@openssl.org>
+Date: Wed Mar 8 15:28:20 2023 +1100
+
+ x509: excessive resource use verifying policy constraints
+
+ A security vulnerability has been identified in all supported versions
+ of OpenSSL related to the verification of X.509 certificate chains
+ that include policy constraints. Attackers may be able to exploit this
+ vulnerability by creating a malicious certificate chain that triggers
+ exponential use of computational resources, leading to a denial-of-service
+ (DoS) attack on affected systems.
+
+ Fixes CVE-2023-0464
+
+ Reviewed-by: Tomas Mraz <tomas@openssl.org>
+ Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+ (Merged from https://github.com/openssl/openssl/pull/20569)
+
+diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
+index 5daf78de45..344aa06765 100644
+--- a/crypto/x509v3/pcy_local.h
++++ b/crypto/x509v3/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+
+ struct X509_POLICY_TREE_st {
++ /* The number of nodes in the tree */
++ size_t node_count;
++ /* The maximum number of nodes in the tree */
++ size_t node_maximum;
++
+ /* This is the tree 'level' data */
+ X509_POLICY_LEVEL *levels;
+ int nlevel;
+@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ X509_POLICY_DATA *data,
+ X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree);
++ X509_POLICY_TREE *tree,
++ int extra_data);
+ void policy_node_free(X509_POLICY_NODE *node);
+ int policy_node_match(const X509_POLICY_LEVEL *lvl,
+ const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
+index e2d7b15322..d574fb9d66 100644
+--- a/crypto/x509v3/pcy_node.c
++++ b/crypto/x509v3/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ X509_POLICY_DATA *data,
+ X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree)
++ X509_POLICY_TREE *tree,
++ int extra_data)
+ {
+ X509_POLICY_NODE *node;
+
++ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++ return NULL;
++
+ node = OPENSSL_zalloc(sizeof(*node));
+ if (node == NULL) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ }
+ node->data = data;
+ node->parent = parent;
+- if (level) {
++ if (level != NULL) {
+ if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+ if (level->anyPolicy)
+ goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+
+- if (tree) {
++ if (extra_data) {
+ if (tree->extra_data == NULL)
+ tree->extra_data = sk_X509_POLICY_DATA_new_null();
+ if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+
++ tree->node_count++;
+ if (parent)
+ parent->nchild++;
+
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 6e8322cbc5..6c7fd35405 100644
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -13,6 +13,18 @@
+
+ #include "pcy_local.h"
+
++/*
++ * If the maximum number of nodes in the policy tree isn't defined, set it to
++ * a generous default of 1000 nodes.
++ *
++ * Defining this to be zero means unlimited policy tree growth which opens the
++ * door on CVE-2023-0464.
++ */
++
++#ifndef OPENSSL_POLICY_TREE_NODES_MAX
++# define OPENSSL_POLICY_TREE_NODES_MAX 1000
++#endif
++
+ /*
+ * Enable this to print out the complete policy tree at various point during
+ * evaluation.
+@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ return X509_PCY_TREE_INTERNAL;
+ }
+
++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
++
+ /*
+ * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+ *
+@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ level = tree->levels;
+ if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
+ goto bad_tree;
+- if (level_add_node(level, data, NULL, tree) == NULL) {
++ if (level_add_node(level, data, NULL, tree, 1) == NULL) {
+ policy_data_free(data);
+ goto bad_tree;
+ }
+@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ * Return value: 1 on success, 0 otherwise
+ */
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+- X509_POLICY_DATA *data)
++ X509_POLICY_DATA *data,
++ X509_POLICY_TREE *tree)
+ {
+ X509_POLICY_LEVEL *last = curr - 1;
+ int i, matched = 0;
+@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+ X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+
+ if (policy_node_match(last, node, data->valid_policy)) {
+- if (level_add_node(curr, data, node, NULL) == NULL)
++ if (level_add_node(curr, data, node, tree, 0) == NULL)
+ return 0;
+ matched = 1;
+ }
+ }
+ if (!matched && last->anyPolicy) {
+- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
++ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
+ return 0;
+ }
+ return 1;
+@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+ * Return value: 1 on success, 0 otherwise.
+ */
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+- const X509_POLICY_CACHE *cache)
++ const X509_POLICY_CACHE *cache,
++ X509_POLICY_TREE *tree)
+ {
+ int i;
+
+@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+ X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+
+ /* Look for matching nodes in previous level */
+- if (!tree_link_matching_nodes(curr, data))
++ if (!tree_link_matching_nodes(curr, data, tree))
+ return 0;
+ }
+ return 1;
+@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+ /* Curr may not have anyPolicy */
+ data->qualifier_set = cache->anyPolicy->qualifier_set;
+ data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+- if (level_add_node(curr, data, node, tree) == NULL) {
++ if (level_add_node(curr, data, node, tree, 1) == NULL) {
+ policy_data_free(data);
+ return 0;
+ }
+@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+ }
+ /* Finally add link to anyPolicy */
+ if (last->anyPolicy &&
+- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
++ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
+ return 0;
+ return 1;
+ }
+@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+ extra->qualifier_set = anyPolicy->data->qualifier_set;
+ extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+ | POLICY_DATA_FLAG_EXTRA_NODE;
+- node = level_add_node(NULL, extra, anyPolicy->parent, tree);
++ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+ }
+ if (!tree->user_policies) {
+ tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+
+ for (i = 1; i < tree->nlevel; i++, curr++) {
+ cache = policy_cache_set(curr->cert);
+- if (!tree_link_nodes(curr, cache))
++ if (!tree_link_nodes(curr, cache, tree))
+ return X509_PCY_TREE_INTERNAL;
+
+ if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
diff --git a/dev-libs/openssl/openssl-1.1.1t-r2.ebuild b/dev-libs/openssl/openssl-1.1.1t-r2.ebuild
new file mode 100644
index 000000000000..6153c5fb1f34
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1t-r2.ebuild
@@ -0,0 +1,267 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
+
+MY_P=${P/_/-}
+DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+if [[ ${PV} != *_pre* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+fi
+IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ kernel_linux? ( sys-process/procps )
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+PDEPEND="app-misc/ca-certificates"
+
+# force upgrade to prevent broken login, bug #696950
+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
+
+MULTILIB_WRAPPED_HEADERS=(
+ usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+ # General patches which are suitable to always apply
+ # If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
+ "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
+ "${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
+ "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+ "${FILESDIR}"/openssl-1.1.1t-CVE-2023-0464.patch
+)
+
+pkg_setup() {
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_unpack() {
+ # Can delete this once test fix patch is dropped
+ if use verify-sig ; then
+ # Needed for downloaded patch (which is unsigned, which is fine)
+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+ fi
+
+ default
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES}; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+
+ # Remove test target when FEATURES=test isn't set
+ if ! use test ; then
+ sed \
+ -e '/^$config{dirs}/s@ "test",@@' \
+ -i Configure || die
+ fi
+
+ if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
+ # use GNU ld full option, not to confuse it on Solaris
+ sed -i \
+ -e 's/-Wl,-M,/-Wl,--version-script=/' \
+ -e 's/-Wl,-h,/-Wl,--soname=/' \
+ Configurations/10-main.conf || die
+
+ # fix building on Solaris 10
+ # https://github.com/openssl/openssl/issues/6333
+ sed -i \
+ -e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
+ Configurations/10-main.conf || die
+ fi
+
+ # The config script does stupid stuff to prompt the user. Kill it.
+ sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+
+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config=( perl "${S}/Configure" )
+ [[ -z ${sslout} ]] && config=( sh "${S}/config" -v )
+
+ # "disable-deprecated" option breaks too many consumers.
+ # Don't set it without thorough revdeps testing.
+ # Make sure user flags don't get added *yet* to avoid duplicated
+ # flags.
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ ${ec_nistp_64_gcc_128}
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use_ssl sslv3 ssl3)
+ $(use_ssl sslv3 ssl3-method)
+ $(use_ssl asm)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl tls-heartbeat heartbeats)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo "${config[@]}" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake all
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install_sw
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} MANSUFFIX=ssl install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2023-04-20 16:58 Patrick McLean
0 siblings, 0 replies; 36+ messages in thread
From: Patrick McLean @ 2023-04-20 16:58 UTC (permalink / raw
To: gentoo-commits
commit: aee281d7c39df1b84312af263e00d2cac548ef8a
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Apr 20 16:54:30 2023 +0000
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Apr 20 16:57:55 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aee281d7
dev-libs/openssl: 3.1.0-r3, add patch for CVE-2023-1255
Upstream changelog (diff edited to remove NEWS and CHANGES.md changes to avoid
conflicts):
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
happens if the buffer size is 4 mod 5. This can trigger a crash of an
application using AES-XTS decryption if the memory just after the buffer
being decrypted is not mapped.
Thanks to Anton Romanov (Amazon) for discovering the issue.
([CVE-2023-1255])
*Nevine Ebeid*
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
.../files/openssl-3.1.0-CVE-2023-1255.patch | 40 +++
dev-libs/openssl/openssl-3.1.0-r3.ebuild | 281 +++++++++++++++++++++
2 files changed, 321 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-1255.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-1255.patch
new file mode 100644
index 000000000000..aea425f83556
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-1255.patch
@@ -0,0 +1,40 @@
+commit bc2f61ad70971869b242fc1cb445b98bad50074a
+Author: Tomas Mraz <tomas@openssl.org>
+Date: Mon Apr 17 16:51:20 2023 +0200
+
+ aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
+
+ Original author: Nevine Ebeid (Amazon)
+ Fixes: CVE-2023-1255
+
+ The buffer overread happens on decrypts of 4 mod 5 sizes.
+ Unless the memory just after the buffer is unmapped this is harmless.
+
+ Reviewed-by: Paul Dale <pauli@openssl.org>
+ Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+ (Merged from https://github.com/openssl/openssl/pull/20759)
+
+ (cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304)
+
+diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
+index ea74217317..efd3ccd1a4 100755
+--- a/crypto/aes/asm/aesv8-armx.pl
++++ b/crypto/aes/asm/aesv8-armx.pl
+@@ -3367,7 +3367,7 @@ $code.=<<___ if ($flavour =~ /64/);
+ .align 4
+ .Lxts_dec_tail4x:
+ add $inp,$inp,#16
+- vld1.32 {$dat0},[$inp],#16
++ tst $tailcnt,#0xf
+ veor $tmp1,$dat1,$tmp0
+ vst1.8 {$tmp1},[$out],#16
+ veor $tmp2,$dat2,$tmp2
+@@ -3376,6 +3376,8 @@ $code.=<<___ if ($flavour =~ /64/);
+ veor $tmp4,$dat4,$tmp4
+ vst1.8 {$tmp3-$tmp4},[$out],#32
+
++ b.eq .Lxts_dec_abort
++ vld1.32 {$dat0},[$inp],#16
+ b .Lxts_done
+ .align 4
+ .Lxts_outer_dec_tail:
diff --git a/dev-libs/openssl/openssl-3.1.0-r3.ebuild b/dev-libs/openssl/openssl-3.1.0-r3.ebuild
new file mode 100644
index 000000000000..e98ee05437c1
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.0-r3.ebuild
@@ -0,0 +1,281 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ "
+ #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+ "${FILESDIR}"/openssl-3.1.0-CVE-2023-0464.patch
+ "${FILESDIR}"/openssl-3.1.0-CVE-2023-0465.patch
+ "${FILESDIR}"/openssl-3.1.0-CVE-2023-0466.patch
+ "${FILESDIR}"/openssl-3.1.0-CVE-2023-1255.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_unpack() {
+ # Can delete this once test fix patch is dropped
+ if use verify-sig ; then
+ # Needed for downloaded patch (which is unsigned, which is fine)
+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+ fi
+
+ default
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+
+ if multilib_is_native_abi; then
+ emake build_docs
+ fi
+}
+
+multilib_src_test() {
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install_sw
+ if use fips; then
+ emake DESTDIR="${D}" install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2023-07-19 15:06 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2023-07-19 15:06 UTC (permalink / raw
To: gentoo-commits
commit: f78f883629408972dc4300c2e45aa6991ac3a37d
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 19 15:04:46 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jul 19 15:05:53 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f78f8836
dev-libs/openssl: patch CVE-2023-2975, CVE-2023-3446 for 3.1.1
Bug: https://bugs.gentoo.org/910556
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-3.1.1-CVE-2023-2975.patch | 110 ++++++++
.../files/openssl-3.1.1-CVE-2023-3446.patch | 121 +++++++++
dev-libs/openssl/openssl-3.1.1-r2.ebuild | 293 +++++++++++++++++++++
3 files changed, 524 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
new file mode 100644
index 000000000000..5abf60737dbd
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
@@ -0,0 +1,110 @@
+https://github.com/openssl/openssl/commit/6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
+https://github.com/openssl/openssl/commit/76214c4a8f3374b786811fdfeda3d98690f8faf4
+
+From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 4 Jul 2023 17:30:35 +0200
+Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
+
+The AES-SIV mode allows for multiple associated data items
+authenticated separately with any of these being 0 length.
+
+The provided implementation ignores such empty associated data
+which is incorrect in regards to the RFC 5297 and is also
+a security issue because such empty associated data then become
+unauthenticated if an application expects to authenticate them.
+
+Fixes CVE-2023-2975
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
++++ b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
+ if (!ossl_prov_is_running())
+ return 0;
+
+- if (inl == 0) {
+- *outl = 0;
+- return 1;
+- }
++ /* Ignore just empty encryption/decryption call and not AAD. */
++ if (out != NULL) {
++ if (inl == 0) {
++ if (outl != NULL)
++ *outl = 0;
++ return 1;
++ }
+
+- if (outsize < inl) {
+- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+- return 0;
++ if (outsize < inl) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
++ return 0;
++ }
+ }
+
+ if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
+
+From 76214c4a8f3374b786811fdfeda3d98690f8faf4 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 4 Jul 2023 17:50:37 +0200
+Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
+--- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
++++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
+@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
+ Plaintext = 112233445566778899aabbccddee
+ Ciphertext = 40c02b9690c4dc04daef7f6afe5c
+
++Cipher = aes-128-siv
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++Tag = f1c5fdeac1f15a26779c1501f9fb7588
++Plaintext = 112233445566778899aabbccddee
++Ciphertext = 27e946c669088ab06da58c5c831c
++
++Cipher = aes-128-siv
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++AAD =
++Tag = d1022f5b3664e5a4dfaf90f85be6f28a
++Plaintext = 112233445566778899aabbccddee
++Ciphertext = b66cff6b8eca0b79f083b39a0901
++
+ Cipher = aes-128-siv
+ Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+ AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
+ Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+ Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
+
++Cipher = aes-128-siv
++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
++AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
++AAD =
++AAD = 09f911029d74e35bd84156c5635688c0
++Tag = 83ce6593a8fa67eb6fcd2819cedfc011
++Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
++Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
++
++Cipher = aes-128-siv
++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
++AAD =
++AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
++AAD = 09f911029d74e35bd84156c5635688c0
++Tag = 77dd4a44f5a6b41302121ee7f378de25
++Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
++Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
++
+ Cipher = aes-192-siv
+ Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
+ AAD = 101112131415161718191a1b1c1d1e1f2021222324252627
+
diff --git a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-3446.patch b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-3446.patch
new file mode 100644
index 000000000000..781b0c8f48b3
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-3446.patch
@@ -0,0 +1,121 @@
+https://github.com/openssl/openssl/commit/fc9867c1e03c22ebf56943be205202e576aabf23
+https://github.com/openssl/openssl/commit/4791e79b8803924b28c19af4d4036ad85335110d
+
+From fc9867c1e03c22ebf56943be205202e576aabf23 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 6 Jul 2023 16:36:35 +0100
+Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
+
+The DH_check() function checks numerous aspects of the key or parameters
+that have been supplied. Some of those checks use the supplied modulus
+value even if it is excessively large.
+
+There is already a maximum DH modulus size (10,000 bits) over which
+OpenSSL will not generate or derive keys. DH_check() will however still
+perform various tests for validity on such a large modulus. We introduce a
+new maximum (32,768) over which DH_check() will just fail.
+
+An application that calls DH_check() and supplies a key or parameters
+obtained from an untrusted source could be vulnerable to a Denial of
+Service attack.
+
+The function DH_check() is itself called by a number of other OpenSSL
+functions. An application calling any of those other functions may
+similarly be affected. The other functions affected by this are
+DH_check_ex() and EVP_PKEY_param_check().
+
+CVE-2023-3446
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21451)
+
+(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
+ if (nid != NID_undef)
+ return 1;
+
++ /* Don't do any checks at all with an excessively large modulus */
++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ if (!DH_check_params(dh, ret))
+ return 0;
+
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -92,7 +92,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
+ # include <openssl/dherr.h>
+
+ # ifndef OPENSSL_DH_MAX_MODULUS_BITS
+-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
++# define OPENSSL_DH_MAX_MODULUS_BITS 10000
++# endif
++
++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+ # endif
+
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+
+From 4791e79b8803924b28c19af4d4036ad85335110d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 7 Jul 2023 14:39:48 +0100
+Subject: [PATCH] Add a test for CVE-2023-3446
+
+Confirm that the only errors DH_check() finds with DH parameters with an
+excessively long modulus is that the modulus is too large. We should not
+be performing time consuming checks using that modulus.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21451)
+
+(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
+--- a/test/dhtest.c
++++ b/test/dhtest.c
+@@ -73,7 +73,7 @@ static int dh_test(void)
+ goto err1;
+
+ /* check fails, because p is way too small */
+- if (!DH_check(dh, &i))
++ if (!TEST_true(DH_check(dh, &i)))
+ goto err2;
+ i ^= DH_MODULUS_TOO_SMALL;
+ if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+@@ -124,6 +124,17 @@ static int dh_test(void)
+ /* We'll have a stale error on the queue from the above test so clear it */
+ ERR_clear_error();
+
++ /* Modulus of size: dh check max modulus bits + 1 */
++ if (!TEST_true(BN_set_word(p, 1))
++ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
++ goto err3;
++
++ /*
++ * We expect no checks at all for an excessively large modulus
++ */
++ if (!TEST_false(DH_check(dh, &i)))
++ goto err3;
++
+ /*
+ * II) key generation
+ */
+@@ -138,7 +149,7 @@ static int dh_test(void)
+ goto err3;
+
+ /* ... and check whether it is valid */
+- if (!DH_check(a, &i))
++ if (!TEST_true(DH_check(a, &i)))
+ goto err3;
+ if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+ || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
+
diff --git a/dev-libs/openssl/openssl-3.1.1-r2.ebuild b/dev-libs/openssl/openssl-3.1.1-r2.ebuild
new file mode 100644
index 000000000000..cfa017e58411
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.1-r2.ebuild
@@ -0,0 +1,293 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ "
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ sys-devel/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2023-2975.patch
+ "${FILESDIR}"/${P}-CVE-2023-3446.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_unpack() {
+ # Can delete this once test fix patch is dropped
+ if use verify-sig ; then
+ # Needed for downloaded patch (which is unsigned, which is fine)
+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+ fi
+
+ default
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308
+ append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+
+ if multilib_is_native_abi; then
+ emake build_docs
+ fi
+}
+
+multilib_src_test() {
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install_sw
+ if use fips; then
+ emake DESTDIR="${D}" install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-02-01 16:46 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-02-01 16:46 UTC (permalink / raw
To: gentoo-commits
commit: 1d9f0cf25f1b992278cea5dacc29f54a03cd45bb
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Feb 1 16:42:00 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Feb 1 16:45:56 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9f0cf2
dev-libs/openssl: backport libp11 segfault fix/workaround to 3.1.5-r1, 3.2.1-r1
Bug: https://bugs.gentoo.org/916328
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../openssl/files/openssl-3.1.5-p11-segfault.patch | 78 ++++++
.../openssl/files/openssl-3.2.1-p11-segfault.patch | 79 ++++++
dev-libs/openssl/openssl-3.1.5-r1.ebuild | 285 +++++++++++++++++++
dev-libs/openssl/openssl-3.2.1-r1.ebuild | 304 +++++++++++++++++++++
4 files changed, 746 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
new file mode 100644
index 000000000000..50bc63ef2d14
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
@@ -0,0 +1,78 @@
+https://bugs.gentoo.org/916328
+https://github.com/opendnssec/SoftHSMv2/issues/729
+https://github.com/openssl/openssl/issues/22508
+https://github.com/openssl/openssl/commit/0058a55407d824d5b55ecc0a1cbf8931803dc238
+
+From 0058a55407d824d5b55ecc0a1cbf8931803dc238 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Fri, 15 Dec 2023 13:45:50 +0100
+Subject: [PATCH] Revert "Improved detection of engine-provided private
+ "classic" keys"
+
+This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
+
+The commit was wrong. With 3.x versions the engines must be themselves
+responsible for creating their EVP_PKEYs in a way that they are treated
+as legacy - either by using the respective set1 calls or by setting
+non-default EVP_PKEY_METHOD.
+
+The workaround has caused more problems than it solved.
+
+Fixes #22945
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23063)
+
+(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
+--- a/crypto/engine/eng_pkey.c
++++ b/crypto/engine/eng_pkey.c
+@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+ ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+ return NULL;
+ }
+- /* We enforce check for legacy key */
+- switch (EVP_PKEY_get_id(pkey)) {
+- case EVP_PKEY_RSA:
+- {
+- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+- EVP_PKEY_set1_RSA(pkey, rsa);
+- RSA_free(rsa);
+- }
+- break;
+-# ifndef OPENSSL_NO_EC
+- case EVP_PKEY_SM2:
+- case EVP_PKEY_EC:
+- {
+- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+- EVP_PKEY_set1_EC_KEY(pkey, ec);
+- EC_KEY_free(ec);
+- }
+- break;
+-# endif
+-# ifndef OPENSSL_NO_DSA
+- case EVP_PKEY_DSA:
+- {
+- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+- EVP_PKEY_set1_DSA(pkey, dsa);
+- DSA_free(dsa);
+- }
+- break;
+-#endif
+-# ifndef OPENSSL_NO_DH
+- case EVP_PKEY_DH:
+- {
+- DH *dh = EVP_PKEY_get1_DH(pkey);
+- EVP_PKEY_set1_DH(pkey, dh);
+- DH_free(dh);
+- }
+- break;
+-#endif
+- default:
+- /*Do nothing */
+- break;
+- }
+-
+ return pkey;
+ }
+
diff --git a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
new file mode 100644
index 000000000000..59e785caac7c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
@@ -0,0 +1,79 @@
+https://bugs.gentoo.org/916328
+https://github.com/opendnssec/SoftHSMv2/issues/729
+https://github.com/openssl/openssl/issues/22508
+https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
+
+From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Fri, 15 Dec 2023 13:45:50 +0100
+Subject: [PATCH] Revert "Improved detection of engine-provided private
+ "classic" keys"
+
+This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
+
+The commit was wrong. With 3.x versions the engines must be themselves
+responsible for creating their EVP_PKEYs in a way that they are treated
+as legacy - either by using the respective set1 calls or by setting
+non-default EVP_PKEY_METHOD.
+
+The workaround has caused more problems than it solved.
+
+Fixes #22945
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23063)
+
+(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
+--- a/crypto/engine/eng_pkey.c
++++ b/crypto/engine/eng_pkey.c
+@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+ ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+ return NULL;
+ }
+- /* We enforce check for legacy key */
+- switch (EVP_PKEY_get_id(pkey)) {
+- case EVP_PKEY_RSA:
+- {
+- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+- EVP_PKEY_set1_RSA(pkey, rsa);
+- RSA_free(rsa);
+- }
+- break;
+-# ifndef OPENSSL_NO_EC
+- case EVP_PKEY_SM2:
+- case EVP_PKEY_EC:
+- {
+- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+- EVP_PKEY_set1_EC_KEY(pkey, ec);
+- EC_KEY_free(ec);
+- }
+- break;
+-# endif
+-# ifndef OPENSSL_NO_DSA
+- case EVP_PKEY_DSA:
+- {
+- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+- EVP_PKEY_set1_DSA(pkey, dsa);
+- DSA_free(dsa);
+- }
+- break;
+-#endif
+-# ifndef OPENSSL_NO_DH
+- case EVP_PKEY_DH:
+- {
+- DH *dh = EVP_PKEY_get1_DH(pkey);
+- EVP_PKEY_set1_DH(pkey, dh);
+- DH_free(dh);
+- }
+- break;
+-#endif
+- default:
+- /*Do nothing */
+- break;
+- }
+-
+ return pkey;
+ }
+
+
diff --git a/dev-libs/openssl/openssl-3.1.5-r1.ebuild b/dev-libs/openssl/openssl-3.1.5-r1.ebuild
new file mode 100644
index 000000000000..23a3463ec688
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.5-r1.ebuild
@@ -0,0 +1,285 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ "
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ app-alternatives/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${P}-p11-segfault.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308
+ append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+
+ if multilib_is_native_abi; then
+ emake build_docs
+ fi
+}
+
+multilib_src_test() {
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
+ if use fips; then
+ emake DESTDIR="${D}" -j1 install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
diff --git a/dev-libs/openssl/openssl-3.2.1-r1.ebuild b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
new file mode 100644
index 000000000000..4226369d0bf0
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
@@ -0,0 +1,304 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ "
+
+ #if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+ # KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ #fi
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ app-alternatives/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${P}-p11-segfault.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_unpack() {
+ # Can delete this once test fix patch is dropped
+ if use verify-sig ; then
+ # Needed for downloaded patch (which is unsigned, which is fine)
+ verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
+ fi
+
+ default
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308
+ append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+
+ if multilib_is_native_abi; then
+ emake build_docs
+ fi
+}
+
+multilib_src_test() {
+ # See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+ #
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ #
+ # -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+ # shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+ # controls running the tests.
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
+ if use fips; then
+ emake DESTDIR="${D}" -j1 install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-04-15 7:16 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-04-15 7:16 UTC (permalink / raw
To: gentoo-commits
commit: 84e42134da6902dd0b2f9d224127defa9b5ef21f
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 15 07:01:15 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Apr 15 07:16:10 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84e42134
dev-libs/openssl: fix CVE-2024-2511 for 3.0.13
Bug: https://bugs.gentoo.org/930047
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-3.0.13-CVE-2024-2511.patch | 141 +++++++++++
dev-libs/openssl/openssl-3.0.13-r1.ebuild | 282 +++++++++++++++++++++
2 files changed, 423 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch
new file mode 100644
index 000000000000..fff4fb72837b
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch
@@ -0,0 +1,141 @@
+https://www.openssl.org/news/secadv/20240408.txt
+https://bugs.gentoo.org/930047
+https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
+https://github.com/openssl/openssl/commit/cc9ece9118eeacccc3571c2ee852f8ba067d0607
+
+From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Mar 2024 15:43:53 +0000
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24044)
+
+(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce)
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode)
+
+ /*
+ * If the session_id_length is 0, we are not supposed to cache it, and it
+- * would be rather hard to do anyway :-)
++ * would be rather hard to do anyway :-). Also if the session has already
++ * been marked as not_resumable we should not cache it for later reuse.
+ */
+- if (s->session->session_id_length == 0)
++ if (s->session->session_id_length == 0 || s->session->not_resumable)
+ return;
+
+ /*
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+ return ss;
+ }
+
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+- return ssl_session_dup(src, 1);
+-}
+-
+ /*
+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
+ */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+ SSL_SESSION *dest;
+
+@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+ return NULL;
+ }
+
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++ return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++ if (sess != NULL)
++ sess->not_resumable = 0;
++
++ return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+ if (len)
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+ * so the following won't overwrite an ID that we're supposed
+ * to send back.
+ */
+- if (s->session->not_resumable ||
+- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+- && !s->hit))
++ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
++ && !s->hit)
+ s->session->session_id_length = 0;
+
+ if (usetls13) {
+
+From cc9ece9118eeacccc3571c2ee852f8ba067d0607 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 15 Mar 2024 17:58:42 +0000
+Subject: [PATCH] Hardening around not_resumable sessions
+
+Make sure we can't inadvertently use a not_resumable session
+
+Related to CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24044)
+
+(cherry picked from commit c342f4b8bd2d0b375b0e22337057c2eab47d9b96)
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -531,6 +531,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
+ ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
+
+ if (ret != NULL) {
++ if (ret->not_resumable) {
++ /* If its not resumable then ignore this session */
++ if (!copy)
++ SSL_SESSION_free(ret);
++ return NULL;
++ }
+ ssl_tsan_counter(s->session_ctx,
+ &s->session_ctx->stats.sess_cb_hit);
+
diff --git a/dev-libs/openssl/openssl-3.0.13-r1.ebuild b/dev-libs/openssl/openssl-3.0.13-r1.ebuild
new file mode 100644
index 000000000000..4241ad7f72ed
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.13-r1.ebuild
@@ -0,0 +1,282 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ app-alternatives/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-3.0.13-CVE-2024-2511.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile || die
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308
+ append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+
+ if multilib_is_native_abi; then
+ emake build_docs
+ fi
+}
+
+multilib_src_test() {
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
+ if use fips; then
+ emake DESTDIR="${D}" -j1 install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-04-15 7:16 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-04-15 7:16 UTC (permalink / raw
To: gentoo-commits
commit: 636d49c76a46cd0bbe86a1eb9c64880b34036c43
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 15 07:08:32 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Apr 15 07:16:10 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=636d49c7
dev-libs/openssl: fix CVE-2024-2511 for 3.1.5
Bug: https://bugs.gentoo.org/930047
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-3.1.5-CVE-2024-2511.patch | 137 ++++++++++
dev-libs/openssl/openssl-3.1.5-r2.ebuild | 286 +++++++++++++++++++++
2 files changed, 423 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch
new file mode 100644
index 000000000000..c5b7dfe449f7
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch
@@ -0,0 +1,137 @@
+https://www.openssl.org/news/secadv/20240408.txt
+https://bugs.gentoo.org/930047
+https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
+https://github.com/openssl/openssl/commit/c342f4b8bd2d0b375b0e22337057c2eab47d9b96
+
+From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Mar 2024 15:43:53 +0000
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24044)
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
+
+ /*
+ * If the session_id_length is 0, we are not supposed to cache it, and it
+- * would be rather hard to do anyway :-)
++ * would be rather hard to do anyway :-). Also if the session has already
++ * been marked as not_resumable we should not cache it for later reuse.
+ */
+- if (s->session->session_id_length == 0)
++ if (s->session->session_id_length == 0 || s->session->not_resumable)
+ return;
+
+ /*
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+ return ss;
+ }
+
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+- return ssl_session_dup(src, 1);
+-}
+-
+ /*
+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
+ */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+ SSL_SESSION *dest;
+
+@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+ return NULL;
+ }
+
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++ return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++ if (sess != NULL)
++ sess->not_resumable = 0;
++
++ return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+ if (len)
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+ * so the following won't overwrite an ID that we're supposed
+ * to send back.
+ */
+- if (s->session->not_resumable ||
+- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+- && !s->hit))
++ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
++ && !s->hit)
+ s->session->session_id_length = 0;
+
+ if (usetls13) {
+
+From c342f4b8bd2d0b375b0e22337057c2eab47d9b96 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 15 Mar 2024 17:58:42 +0000
+Subject: [PATCH] Hardening around not_resumable sessions
+
+Make sure we can't inadvertently use a not_resumable session
+
+Related to CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24044)
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -533,6 +533,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
+ ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
+
+ if (ret != NULL) {
++ if (ret->not_resumable) {
++ /* If its not resumable then ignore this session */
++ if (!copy)
++ SSL_SESSION_free(ret);
++ return NULL;
++ }
+ ssl_tsan_counter(s->session_ctx,
+ &s->session_ctx->stats.sess_cb_hit);
+
diff --git a/dev-libs/openssl/openssl-3.1.5-r2.ebuild b/dev-libs/openssl/openssl-3.1.5-r2.ebuild
new file mode 100644
index 000000000000..1c3b048b75a0
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.5-r2.ebuild
@@ -0,0 +1,286 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ mirror://openssl/source/${MY_P}.tar.gz
+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ "
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ app-alternatives/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${P}-p11-segfault.patch
+ "${FILESDIR}"/${P}-CVE-2024-2511.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308
+ append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+
+ if multilib_is_native_abi; then
+ emake build_docs
+ fi
+}
+
+multilib_src_test() {
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
+ if use fips; then
+ emake DESTDIR="${D}" -j1 install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-04-29 17:07 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-04-29 17:07 UTC (permalink / raw
To: gentoo-commits
commit: 9f3e7da215c0462b6ab264daa4d15f8933a8e379
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 29 17:05:12 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Apr 29 17:05:12 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f3e7da2
dev-libs/openssl: backport fix for s390x w/ USE=-asm to 3.2.x
It's already been backported upstream on the 3.2 branch but no new
3.2.x release yet.
Closes: https://bugs.gentoo.org/923957
Signed-off-by: Sam James <sam <AT> gentoo.org>
dev-libs/openssl/files/openssl-3.2.1-s390x.patch | 31 ++++++++++++++++++++++++
dev-libs/openssl/openssl-3.2.1-r2.ebuild | 1 +
2 files changed, 32 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.2.1-s390x.patch b/dev-libs/openssl/files/openssl-3.2.1-s390x.patch
new file mode 100644
index 000000000000..3cbf4854e12e
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-s390x.patch
@@ -0,0 +1,31 @@
+https://bugs.gentoo.org/923957
+https://github.com/openssl/openssl/pull/23458
+https://github.com/openssl/openssl/commit/5fa5d59750db9df00f4871949a66020ac44f4f9c
+
+From 5fa5d59750db9df00f4871949a66020ac44f4f9c Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Fri, 2 Feb 2024 10:20:55 +0100
+Subject: [PATCH] s390x: Fix build on s390x with 'disable-asm'
+
+Do not define S390X_MOD_EXP for a NO_ASM build, this would result in
+unresolved externals for s390x_mod_exp and s390x_crt.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23458)
+
+(cherry picked from commit a5b0c568dbefddd154f99011d7ce76cfbfadb67a)
+--- a/include/crypto/bn.h
++++ b/include/crypto/bn.h
+@@ -116,7 +116,8 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
+
+ extern const BIGNUM ossl_bn_inv_sqrt_2;
+
+-#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__)
++#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__) \
++ && !defined (OPENSSL_NO_ASM)
+ # define S390X_MOD_EXP
+ #endif
+
diff --git a/dev-libs/openssl/openssl-3.2.1-r2.ebuild b/dev-libs/openssl/openssl-3.2.1-r2.ebuild
index 31486ad9fabe..fb480821f325 100644
--- a/dev-libs/openssl/openssl-3.2.1-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.2.1-r2.ebuild
@@ -61,6 +61,7 @@ PATCHES=(
# bug 923956 (drop on next version bump)
"${FILESDIR}"/${P}-riscv.patch
"${FILESDIR}"/${P}-CVE-2024-2511.patch
+ "${FILESDIR}"/${P}-s390x.patch
)
pkg_setup() {
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-07-19 17:03 Jakov Smolić
0 siblings, 0 replies; 36+ messages in thread
From: Jakov Smolić @ 2024-07-19 17:03 UTC (permalink / raw
To: gentoo-commits
commit: c7004197a2f486c7807e7ae8c5fc2fba65816ac9
Author: Jakov Smolić <jsmolic <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 19 16:51:15 2024 +0000
Commit: Jakov Smolić <jsmolic <AT> gentoo <DOT> org>
CommitDate: Fri Jul 19 17:01:48 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7004197
dev-libs/openssl: Fix riscv build issue in version 3.3.1
Closes: https://bugs.gentoo.org/936311
Signed-off-by: Jakov Smolić <jsmolic <AT> gentoo.org>
dev-libs/openssl/files/openssl-3.3.1-riscv.patch | 96 ++++++++++++++++++++++++
dev-libs/openssl/openssl-3.3.1.ebuild | 2 +
2 files changed, 98 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.3.1-riscv.patch b/dev-libs/openssl/files/openssl-3.3.1-riscv.patch
new file mode 100644
index 000000000000..90cad6d92a00
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-riscv.patch
@@ -0,0 +1,96 @@
+# https://bugs.gentoo.org/936311
+# Taken from https://github.com/openssl/openssl/pull/24486
+
+From b1dd4a8005cf172053d986c0dd85fd104f005307 Mon Sep 17 00:00:00 2001
+From: Hongren Zheng <i@zenithal.me>
+Date: Fri, 24 May 2024 14:12:47 +0800
+Subject: [PATCH] riscv: Fix cpuid_obj asm checks for sm4/sm3
+
+Similar to #22881 / #23752
+---
+ crypto/sm3/sm3_local.h | 2 +-
+ include/crypto/sm4_platform.h | 2 +-
+ providers/implementations/ciphers/cipher_sm4_ccm_hw.c | 2 +-
+ providers/implementations/ciphers/cipher_sm4_gcm_hw.c | 2 +-
+ providers/implementations/ciphers/cipher_sm4_hw.c | 2 +-
+ providers/implementations/ciphers/cipher_sm4_xts_hw.c | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/sm3/sm3_local.h b/crypto/sm3/sm3_local.h
+index d2845f9678967..a467cc98eb13e 100644
+--- a/crypto/sm3/sm3_local.h
++++ b/crypto/sm3/sm3_local.h
+@@ -39,7 +39,7 @@
+ # define HWSM3_CAPABLE (OPENSSL_armcap_P & ARMV8_SM3)
+ void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num);
+ # endif
+-# if defined(__riscv) && __riscv_xlen == 64
++# if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "crypto/riscv_arch.h"
+ # define HWSM3_CAPABLE 1
+ void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num);
+diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h
+index 928dc17ff0838..4d70d291450a1 100644
+--- a/include/crypto/sm4_platform.h
++++ b/include/crypto/sm4_platform.h
+@@ -38,7 +38,7 @@ static inline int vpsm4_ex_capable(void)
+ # define HWSM4_cbc_encrypt sm4_v8_cbc_encrypt
+ # define HWSM4_ecb_encrypt sm4_v8_ecb_encrypt
+ # define HWSM4_ctr32_encrypt_blocks sm4_v8_ctr32_encrypt_blocks
+-# elif defined(__riscv) && __riscv_xlen == 64
++# elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ /* RV64 support */
+ # include "riscv_arch.h"
+ /* Zvksed extension (vector crypto SM4). */
+diff --git a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
+index 34f0e751e007d..293bb69d64272 100644
+--- a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
++++ b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
+@@ -59,7 +59,7 @@ static const PROV_CCM_HW ccm_sm4 = {
+ ossl_ccm_generic_gettag
+ };
+
+-#if defined(__riscv) && __riscv_xlen == 64
++#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_sm4_ccm_hw_rv64i.inc"
+ #else
+ const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keybits)
+diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
+index 06ca450782ff2..e3b4e9f588807 100644
+--- a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
++++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
+@@ -89,7 +89,7 @@ static const PROV_GCM_HW sm4_gcm = {
+ ossl_gcm_one_shot
+ };
+
+-#if defined(__riscv) && __riscv_xlen == 64
++#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_sm4_gcm_hw_rv64i.inc"
+ #else
+ const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits)
+diff --git a/providers/implementations/ciphers/cipher_sm4_hw.c b/providers/implementations/ciphers/cipher_sm4_hw.c
+index c4f2f97cccd8d..70dc66ffae233 100644
+--- a/providers/implementations/ciphers/cipher_sm4_hw.c
++++ b/providers/implementations/ciphers/cipher_sm4_hw.c
+@@ -134,7 +134,7 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_##mode(size_t keybits) \
+ return &sm4_##mode; \
+ }
+
+-#if defined(__riscv) && __riscv_xlen == 64
++#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_sm4_hw_rv64i.inc"
+ #else
+ /* The generic case */
+diff --git a/providers/implementations/ciphers/cipher_sm4_xts_hw.c b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
+index 6cf58e851f5d4..423598317d217 100644
+--- a/providers/implementations/ciphers/cipher_sm4_xts_hw.c
++++ b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
+@@ -89,7 +89,7 @@ static const PROV_CIPHER_HW sm4_generic_xts = {
+ cipher_hw_sm4_xts_copyctx
+ };
+
+-#if defined(__riscv) && __riscv_xlen == 64
++#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_sm4_xts_hw_rv64i.inc"
+ #else
+ const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_xts(size_t keybits)
diff --git a/dev-libs/openssl/openssl-3.3.1.ebuild b/dev-libs/openssl/openssl-3.3.1.ebuild
index bc558bb65a06..d348842d29b0 100644
--- a/dev-libs/openssl/openssl-3.3.1.ebuild
+++ b/dev-libs/openssl/openssl-3.3.1.ebuild
@@ -57,6 +57,8 @@ MULTILIB_WRAPPED_HEADERS=(
)
PATCHES=(
+ # bug 936311, drop on next version bump
+ "${FILESDIR}"/${P}-riscv.patch
)
pkg_setup() {
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-08-03 5:08 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-08-03 5:08 UTC (permalink / raw
To: gentoo-commits
commit: 187bd7adbec88b8f6f75607bca811c645b20618d
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 3 04:17:03 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Aug 3 05:07:19 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=187bd7ad
dev-libs/openssl: fix exec_prefix absence in pkg-config file
Closes: https://bugs.gentoo.org/936576
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-3.3.1-pkg-config-deux.patch | 303 ++++++++++++++++++++
dev-libs/openssl/openssl-3.3.1-r2.ebuild | 309 +++++++++++++++++++++
2 files changed, 612 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch b/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch
new file mode 100644
index 000000000000..a5ad9987eb57
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch
@@ -0,0 +1,303 @@
+https://github.com/openssl/openssl/pull/24687
+https://bugs.gentoo.org/936576
+
+https://github.com/openssl/openssl/commit/aa099dba7c80c723cf4babf5adc0c801f1c28363
+https://github.com/openssl/openssl/commit/1c437b5704c9ee5f667bc2b11e5fdf176dfb714f
+
+From aa099dba7c80c723cf4babf5adc0c801f1c28363 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Thu, 20 Jun 2024 14:30:16 +0200
+Subject: [PATCH] Give util/mkinstallvars.pl more fine grained control over var
+ dependencies
+
+Essentially, we try to do what GNU does. 'prefix' is used to define the
+defaults for 'exec_prefix' and 'libdir', and these are then used to define
+further directory values. util/mkinstallvars.pl is changed to reflect that
+to the best of our ability.
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24687)
+
+(cherry picked from commit 6e0fd246e7a6e51f92b2ef3520bfc4414b7773c0)
+---
+ exporters/build.info | 2 +-
+ util/mkinstallvars.pl | 133 ++++++++++++++++++++++++++----------------
+ 2 files changed, 85 insertions(+), 50 deletions(-)
+
+diff --git a/exporters/build.info b/exporters/build.info
+index 86acf2df9467c..9241dc9b0a658 100644
+--- a/exporters/build.info
++++ b/exporters/build.info
+@@ -19,7 +19,7 @@ DEPEND[openssl.pc]=libcrypto.pc libssl.pc
+ DEPEND[""]=openssl.pc
+
+ GENERATE[../installdata.pm]=../util/mkinstallvars.pl \
+- "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" \
++ "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" "libdir=$(libdir)" \
+ INCLUDEDIR=include APPLINKDIR=include/openssl \
+ "ENGINESDIR=$(ENGINESDIR)" "MODULESDIR=$(MODULESDIR)" \
+ "PKGCONFIGDIR=$(PKGCONFIGDIR)" "CMAKECONFIGDIR=$(CMAKECONFIGDIR)" \
+diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl
+index 59a432d28c601..5fadb708e1b77 100644
+--- a/util/mkinstallvars.pl
++++ b/util/mkinstallvars.pl
+@@ -11,13 +11,25 @@
+ # The result is a Perl module creating the package OpenSSL::safe::installdata.
+
+ use File::Spec;
++use List::Util qw(pairs);
+
+ # These are expected to be set up as absolute directories
+-my @absolutes = qw(PREFIX);
++my @absolutes = qw(PREFIX libdir);
+ # These may be absolute directories, and if not, they are expected to be set up
+-# as subdirectories to PREFIX
+-my @subdirs = qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR ENGINESDIR MODULESDIR
+- PKGCONFIGDIR CMAKECONFIGDIR);
++# as subdirectories to PREFIX or LIBDIR. The order of the pairs is important,
++# since the LIBDIR subdirectories depend on the calculation of LIBDIR from
++# PREFIX.
++my @subdirs = pairs (PREFIX => [ qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR) ],
++ LIBDIR => [ qw(ENGINESDIR MODULESDIR PKGCONFIGDIR
++ CMAKECONFIGDIR) ]);
++# For completeness, other expected variables
++my @others = qw(VERSION LDLIBS);
++
++my %all = ( );
++foreach (@absolutes) { $all{$_} = 1 }
++foreach (@subdirs) { foreach (@{$_->[1]}) { $all{$_} = 1 } }
++foreach (@others) { $all{$_} = 1 }
++print STDERR "DEBUG: all keys: ", join(", ", sort keys %all), "\n";
+
+ my %keys = ();
+ foreach (@ARGV) {
+@@ -26,29 +38,47 @@
+ $ENV{$k} = $v;
+ }
+
+-foreach my $k (sort keys %keys) {
+- my $v = $ENV{$k};
+- $v = File::Spec->rel2abs($v) if $v && grep { $k eq $_ } @absolutes;
+- $ENV{$k} = $v;
++# warn if there are missing values, and also if there are unexpected values
++foreach my $k (sort keys %all) {
++ warn "No value given for $k\n" unless $keys{$k};
+ }
+ foreach my $k (sort keys %keys) {
++ warn "Unknown variable $k\n" unless $all{$k};
++}
++
++# This shouldn't be needed, but just in case we get relative paths that
++# should be absolute, make sure they actually are.
++foreach my $k (@absolutes) {
+ my $v = $ENV{$k} || '.';
++ print STDERR "DEBUG: $k = $v => ";
++ $v = File::Spec->rel2abs($v) if $v;
++ $ENV{$k} = $v;
++ print STDERR "$k = $ENV{$k}\n";
++}
+
+- # Absolute paths for the subdir variables are computed. This provides
+- # the usual form of values for names that have become norm, known as GNU
+- # installation paths.
+- # For the benefit of those that need it, the subdirectories are preserved
+- # as they are, using the same variable names, suffixed with '_REL', if they
+- # are indeed subdirectories.
+- if (grep { $k eq $_ } @subdirs) {
++# Absolute paths for the subdir variables are computed. This provides
++# the usual form of values for names that have become norm, known as GNU
++# installation paths.
++# For the benefit of those that need it, the subdirectories are preserved
++# as they are, using the same variable names, suffixed with '_REL_{var}',
++# if they are indeed subdirectories. The '{var}' part of the name tells
++# which other variable value they are relative to.
++foreach my $pair (@subdirs) {
++ my ($var, $subdir_vars) = @$pair;
++ foreach my $k (@$subdir_vars) {
++ my $v = $ENV{$k} || '.';
++ print STDERR "DEBUG: $k = $v => ";
+ if (File::Spec->file_name_is_absolute($v)) {
+- $ENV{"${k}_REL"} = File::Spec->abs2rel($v, $ENV{PREFIX});
++ my $kr = "${k}_REL_${var}";
++ $ENV{$kr} = File::Spec->abs2rel($v, $ENV{$var});
++ print STDERR "$kr = $ENV{$kr}\n";
+ } else {
+- $ENV{"${k}_REL"} = $v;
+- $v = File::Spec->rel2abs($v, $ENV{PREFIX});
++ my $kr = "${k}_REL_${var}";
++ $ENV{$kr} = $v;
++ $ENV{$k} = File::Spec->rel2abs($v, $ENV{$var});
++ print STDERR "$k = $ENV{$k} , $kr = $v\n";
+ }
+ }
+- $ENV{$k} = $v;
+ }
+
+ print <<_____;
+@@ -58,36 +88,41 @@ package OpenSSL::safe::installdata;
+ use warnings;
+ use Exporter;
+ our \@ISA = qw(Exporter);
+-our \@EXPORT = qw(\$PREFIX
+- \$BINDIR \$BINDIR_REL
+- \$LIBDIR \$LIBDIR_REL
+- \$INCLUDEDIR \$INCLUDEDIR_REL
+- \$APPLINKDIR \$APPLINKDIR_REL
+- \$ENGINESDIR \$ENGINESDIR_REL
+- \$MODULESDIR \$MODULESDIR_REL
+- \$PKGCONFIGDIR \$PKGCONFIGDIR_REL
+- \$CMAKECONFIGDIR \$CMAKECONFIGDIR_REL
+- \$VERSION \@LDLIBS);
+-
+-our \$PREFIX = '$ENV{PREFIX}';
+-our \$BINDIR = '$ENV{BINDIR}';
+-our \$BINDIR_REL = '$ENV{BINDIR_REL}';
+-our \$LIBDIR = '$ENV{LIBDIR}';
+-our \$LIBDIR_REL = '$ENV{LIBDIR_REL}';
+-our \$INCLUDEDIR = '$ENV{INCLUDEDIR}';
+-our \$INCLUDEDIR_REL = '$ENV{INCLUDEDIR_REL}';
+-our \$APPLINKDIR = '$ENV{APPLINKDIR}';
+-our \$APPLINKDIR_REL = '$ENV{APPLINKDIR_REL}';
+-our \$ENGINESDIR = '$ENV{ENGINESDIR}';
+-our \$ENGINESDIR_REL = '$ENV{ENGINESDIR_REL}';
+-our \$MODULESDIR = '$ENV{MODULESDIR}';
+-our \$MODULESDIR_REL = '$ENV{MODULESDIR_REL}';
+-our \$PKGCONFIGDIR = '$ENV{PKGCONFIGDIR}';
+-our \$PKGCONFIGDIR_REL = '$ENV{PKGCONFIGDIR_REL}';
+-our \$CMAKECONFIGDIR = '$ENV{CMAKECONFIGDIR}';
+-our \$CMAKECONFIGDIR_REL = '$ENV{CMAKECONFIGDIR_REL}';
+-our \$VERSION = '$ENV{VERSION}';
+-our \@LDLIBS =
++our \@EXPORT = qw(
++_____
++
++foreach my $k (@absolutes) {
++ print " \$$k\n";
++}
++foreach my $pair (@subdirs) {
++ my ($var, $subdir_vars) = @$pair;
++ foreach my $k (@$subdir_vars) {
++ my $k2 = "${k}_REL_${var}";
++ print " \$$k \$$k2\n";
++ }
++}
++
++print <<_____;
++ \$VERSION \@LDLIBS
++);
++
++_____
++
++foreach my $k (@absolutes) {
++ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n";
++}
++foreach my $pair (@subdirs) {
++ my ($var, $subdir_vars) = @$pair;
++ foreach my $k (@$subdir_vars) {
++ my $k2 = "${k}_REL_${var}";
++ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n";
++ print "our \$$k2" . ' ' x (27 - length($k2)) . "= '$ENV{$k2}';\n";
++ }
++}
++
++print <<_____;
++our \$VERSION = '$ENV{VERSION}';
++our \@LDLIBS =
+ # Unix and Windows use space separation, VMS uses comma separation
+ split(/ +| *, */, '$ENV{LDLIBS}');
+
+
+From 1c437b5704c9ee5f667bc2b11e5fdf176dfb714f Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Thu, 20 Jun 2024 14:33:15 +0200
+Subject: [PATCH] Adapt all the exporter files to the new vars from
+ util/mkinstallvars.pl
+
+With this, the pkg-config files take better advantage of relative directory
+values.
+
+Fixes #24298
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24687)
+
+(cherry picked from commit 30dc37d798a0428fd477d3763086e7e97b3d596f)
+---
+ exporters/cmake/OpenSSLConfig.cmake.in | 7 ++++---
+ exporters/pkg-config/libcrypto.pc.in | 12 ++++++++----
+ exporters/pkg-config/libssl.pc.in | 8 ++++++--
+ exporters/pkg-config/openssl.pc.in | 8 ++++++--
+ 4 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/exporters/cmake/OpenSSLConfig.cmake.in b/exporters/cmake/OpenSSLConfig.cmake.in
+index 2d2321931de1d..06f796158b2fa 100644
+--- a/exporters/cmake/OpenSSLConfig.cmake.in
++++ b/exporters/cmake/OpenSSLConfig.cmake.in
+@@ -89,9 +89,10 @@ unset(_ossl_undefined_targets)
+ # Set up the import path, so all other import paths are made relative this file
+ get_filename_component(_ossl_prefix "${CMAKE_CURRENT_LIST_FILE}" PATH)
+ {-
+- # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR_REL, have CMake
+- # out the parent directory.
+- my $d = unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL);
++ # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR relative to
++ # $OpenSSL::safe::installdata::PREFIX, have CMake figure out the parent directory.
++ my $d = join('/', unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX),
++ unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL_LIBDIR));
+ $OUT = '';
+ $OUT .= 'get_filename_component(_ossl_prefix "${_ossl_prefix}" PATH)' . "\n"
+ foreach (split '/', $d);
+diff --git a/exporters/pkg-config/libcrypto.pc.in b/exporters/pkg-config/libcrypto.pc.in
+index 14ed339f3c3a0..fbc8ea4c79b06 100644
+--- a/exporters/pkg-config/libcrypto.pc.in
++++ b/exporters/pkg-config/libcrypto.pc.in
+@@ -1,7 +1,11 @@
+-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
+-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
+-enginesdir={- $OpenSSL::safe::installdata::ENGINESDIR -}
+-modulesdir={- $OpenSSL::safe::installdata::MODULESDIR -}
++prefix={- $OpenSSL::safe::installdata::PREFIX -}
++exec_prefix=${prefix}
++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ : $OpenSSL::safe::installdata::libdir -}
++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
++enginesdir=${libdir}/{- $OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR -}
++modulesdir=${libdir}/{- $OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR -}
+
+ Name: OpenSSL-libcrypto
+ Description: OpenSSL cryptography library
+diff --git a/exporters/pkg-config/libssl.pc.in b/exporters/pkg-config/libssl.pc.in
+index a7828b3cc6a49..963538807bb2b 100644
+--- a/exporters/pkg-config/libssl.pc.in
++++ b/exporters/pkg-config/libssl.pc.in
+@@ -1,5 +1,9 @@
+-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
+-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
++prefix={- $OpenSSL::safe::installdata::PREFIX -}
++exec_prefix=${prefix}
++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ : $OpenSSL::safe::installdata::libdir -}
++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
+
+ Name: OpenSSL-libssl
+ Description: Secure Sockets Layer and cryptography libraries
+diff --git a/exporters/pkg-config/openssl.pc.in b/exporters/pkg-config/openssl.pc.in
+index dbb77aa39add2..225bef9e2384d 100644
+--- a/exporters/pkg-config/openssl.pc.in
++++ b/exporters/pkg-config/openssl.pc.in
+@@ -1,5 +1,9 @@
+-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
+-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
++prefix={- $OpenSSL::safe::installdata::PREFIX -}
++exec_prefix=${prefix}
++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ : $OpenSSL::safe::installdata::libdir -}
++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
+
+ Name: OpenSSL
+ Description: Secure Sockets Layer and cryptography libraries and tools
diff --git a/dev-libs/openssl/openssl-3.3.1-r2.ebuild b/dev-libs/openssl/openssl-3.3.1-r2.ebuild
new file mode 100644
index 000000000000..a321e0cf5cc8
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.3.1-r2.ebuild
@@ -0,0 +1,309 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
+ "
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+ KEYWORDS="~amd64 ~arm ~m68k ~mips ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ app-alternatives/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240424 )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ # bug 936311, drop on next version bump
+ "${FILESDIR}"/${P}-riscv.patch
+ # https://bugs.gentoo.org/936793
+ "${FILESDIR}"/openssl-3.3.1-pkg-config.patch
+ # https://bugs.gentoo.org/936576
+ "${FILESDIR}"/openssl-3.3.1-pkg-config-deux.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_unpack() {
+ # Can delete this once test fix patch is dropped
+ if use verify-sig ; then
+ # Needed for downloaded patch (which is unsigned, which is fine)
+ verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
+ fi
+
+ default
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile || die
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308 -- check inserts GNU ld-compatible arguments
+ [[ ${CHOST} == *-darwin* ]] || append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(multilib_is_native_abi || echo "no-docs")
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use quic && echo "enable-quic")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+}
+
+multilib_src_test() {
+ # See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+ #
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ #
+ # -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+ # shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+ # controls running the tests.
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
+ if use fips; then
+ emake DESTDIR="${D}" -j1 install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-08-07 2:41 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-08-07 2:41 UTC (permalink / raw
To: gentoo-commits
commit: e72db01d85e337872d536973fbba845ffdd87313
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Aug 7 02:38:46 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Aug 7 02:38:58 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e72db01d
dev-libs/openssl: fix CMake generator
Closes: https://bugs.gentoo.org/937457
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-3.3.1-cmake-generator.patch | 55 ++++++++++++++++++++++
...ssl-3.3.1-r2.ebuild => openssl-3.3.1-r3.ebuild} | 2 +
2 files changed, 57 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch b/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch
new file mode 100644
index 000000000000..bb8fdbe3f241
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch
@@ -0,0 +1,55 @@
+https://bugs.gentoo.org/937457
+https://github.com/openssl/openssl/commit/419fb4ea4be4c0b28c63b494ff30fa3510aba06e
+
+From 419fb4ea4be4c0b28c63b494ff30fa3510aba06e Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Sun, 14 Jul 2024 08:57:25 -0400
+Subject: [PATCH] Fix cmake generator
+
+PR #24678 modified some environment variables and locations that the
+cmake exporter depended on, resulting in empty directory resolution.
+Adjust build build.info and input variable names to match up again
+
+Fixes #24874
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24877)
+
+(cherry picked from commit c1a27bdeb9a4f915aa92ed0e74ed48a1f9b94176)
+--- a/build.info
++++ b/build.info
+@@ -102,6 +102,11 @@ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
+ ENDIF
+
+ # This file sets the build directory up for CMake inclusion
++# Note: This generation of OpenSSLConfig[Version].cmake is used
++# for building openssl locally, and so the build variables are
++# taken from builddata.pm rather than installdata.pm. For exportable
++# versions of these generated files, you'll find them in the exporters
++# directory
+ GENERATE[OpenSSLConfig.cmake]=exporters/cmake/OpenSSLConfig.cmake.in
+ DEPEND[OpenSSLConfig.cmake]=builddata.pm
+ GENERATE[OpenSSLConfigVersion.cmake]=exporters/cmake/OpenSSLConfigVersion.cmake.in
+--- a/exporters/cmake/OpenSSLConfig.cmake.in
++++ b/exporters/cmake/OpenSSLConfig.cmake.in
+@@ -127,13 +127,13 @@ set(OPENSSL_VERSION_FIX "${OpenSSL_VERSION_PATCH}")
+ set(OPENSSL_FOUND YES)
+
+ # Directories and names
+-set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL, 1); -}")
+-set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL, 1); -}")
+-set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL, 1); -}")
+-set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL, 1); -}")
+-set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL, 1); -}")
++set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}")
++set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX, 1); -}")
++set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR, 1); -}")
++set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR, 1); -}")
++set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL_PREFIX, 1); -}")
+ {- output_off() if $disabled{uplink}; "" -}
+-set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::APPLINKDIR_REL, 1); -}/applink.c")
++set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::APPLINKDIR_REL_PREFIX, 1); -}/applink.c")
+ {- output_on() if $disabled{uplink}; "" -}
+ set(OPENSSL_PROGRAM "${OPENSSL_RUNTIME_DIR}/{- platform->bin('openssl') -}")
+
diff --git a/dev-libs/openssl/openssl-3.3.1-r2.ebuild b/dev-libs/openssl/openssl-3.3.1-r3.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-3.3.1-r2.ebuild
rename to dev-libs/openssl/openssl-3.3.1-r3.ebuild
index a321e0cf5cc8..ede3297ccbdf 100644
--- a/dev-libs/openssl/openssl-3.3.1-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.3.1-r3.ebuild
@@ -65,6 +65,8 @@ PATCHES=(
"${FILESDIR}"/openssl-3.3.1-pkg-config.patch
# https://bugs.gentoo.org/936576
"${FILESDIR}"/openssl-3.3.1-pkg-config-deux.patch
+ # https://bugs.gentoo.org/937457
+ "${FILESDIR}"/openssl-3.3.1-cmake-generator.patch
)
pkg_setup() {
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-10-29 2:10 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-10-29 2:10 UTC (permalink / raw
To: gentoo-commits
commit: 536e382d480933cfc6721f129368a8468ebd2321
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 29 01:53:30 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 29 02:09:22 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=536e382d
dev-libs/openssl: fix CVE-2024-9143 for 3.1.7-r1
Bug: https://bugs.gentoo.org/941643
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-3.1.7-CVE-2024-9143.patch | 192 ++++++++++++++
dev-libs/openssl/openssl-3.1.7-r1.ebuild | 288 +++++++++++++++++++++
2 files changed, 480 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.1.7-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.1.7-CVE-2024-9143.patch
new file mode 100644
index 000000000000..4f33ef000dca
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.7-CVE-2024-9143.patch
@@ -0,0 +1,192 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154
+
+From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction. A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+ https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large. Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates. These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters. The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+
+ /*
+ * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+ * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+ * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient. Array is terminated with -1. Up to max elements of the array
+- * will be filled. Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient. The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1. Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`. It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+ */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+ int i, j, k = 0;
+ BN_ULONG mask;
+
+- if (BN_is_zero(a))
++ if (!BN_is_odd(a))
+ return 0;
+
+ for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ }
+ }
+
+- if (k < max) {
++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++ return 0;
++
++ if (k < max)
+ p[k] = -1;
+- k++;
+- }
+
+- return k;
++ return k + 1;
+ }
+
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++ int ret = 0;
++ BN_CTX *ctx = BN_CTX_new();
++ BIGNUM *p, *a, *b;
++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++ TEST_info("Testing GF2m hardening\n");
++
++ BN_CTX_start(ctx);
++ p = BN_CTX_get(ctx);
++ a = BN_CTX_get(ctx);
++ if (!TEST_ptr(b = BN_CTX_get(ctx))
++ || !TEST_true(BN_one(a))
++ || !TEST_true(BN_one(b)))
++ goto out;
++
++ /* Even pentanomial value should be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf2)))
++ goto out;
++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Zero constant term accepted in GF2m polynomial");
++
++ /* Odd hexanomial should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf3)))
++ goto out;
++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Hexanomial accepted as GF2m polynomial");
++
++ /* Excessive polynomial degree should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0x71))
++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++ goto out;
++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("GF2m polynomial degree > %d accepted",
++ OPENSSL_ECC_MAX_FIELD_BITS);
++
++ ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++ EC_GROUP_free(group1);
++ EC_GROUP_free(group2);
++ EC_GROUP_free(group3);
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++
++ return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+ ADD_TEST(field_tests_ecp_simple);
+ ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++ ADD_TEST(ec2m_field_sanity);
+ ADD_TEST(field_tests_ec2_simple);
+ #endif
+ ADD_ALL_TESTS(field_tests_default, crv_len);
diff --git a/dev-libs/openssl/openssl-3.1.7-r1.ebuild b/dev-libs/openssl/openssl-3.1.7-r1.ebuild
new file mode 100644
index 000000000000..5ca73111c8f3
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.7-r1.ebuild
@@ -0,0 +1,288 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
+ "
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ app-alternatives/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308
+ append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+
+ if multilib_is_native_abi; then
+ emake build_docs
+ fi
+}
+
+multilib_src_test() {
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
+ if use fips; then
+ emake DESTDIR="${D}" -j1 install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
@ 2024-10-29 2:10 Sam James
0 siblings, 0 replies; 36+ messages in thread
From: Sam James @ 2024-10-29 2:10 UTC (permalink / raw
To: gentoo-commits
commit: 22235f92b4d8cd565c29264b7955ed1f5ea4ac48
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 29 02:08:41 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 29 02:09:24 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22235f92
dev-libs/openssl: fix CVE-2024-9143 for 3.3.2-r1
Bug: https://bugs.gentoo.org/941643
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-3.3.2-CVE-2024-9143.patch | 193 +++++++++++++
dev-libs/openssl/openssl-3.3.2-r1.ebuild | 304 +++++++++++++++++++++
2 files changed, 497 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch
new file mode 100644
index 000000000000..5776c78bfbbf
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch
@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4
+
+From c0d3e4d32d2805f49bec30547f225bc4d092e1f4 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction. A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+ https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large. Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates. These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters. The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+
+ /*
+ * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+ * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+ * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient. Array is terminated with -1. Up to max elements of the array
+- * will be filled. Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient. The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1. Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`. It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+ */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+ int i, j, k = 0;
+ BN_ULONG mask;
+
+- if (BN_is_zero(a))
++ if (!BN_is_odd(a))
+ return 0;
+
+ for (i = a->top - 1; i >= 0; i--) {
+@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ }
+ }
+
+- if (k < max) {
++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++ return 0;
++
++ if (k < max)
+ p[k] = -1;
+- k++;
+- }
+
+- return k;
++ return k + 1;
+ }
+
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++ int ret = 0;
++ BN_CTX *ctx = BN_CTX_new();
++ BIGNUM *p, *a, *b;
++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++ TEST_info("Testing GF2m hardening\n");
++
++ BN_CTX_start(ctx);
++ p = BN_CTX_get(ctx);
++ a = BN_CTX_get(ctx);
++ if (!TEST_ptr(b = BN_CTX_get(ctx))
++ || !TEST_true(BN_one(a))
++ || !TEST_true(BN_one(b)))
++ goto out;
++
++ /* Even pentanomial value should be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf2)))
++ goto out;
++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Zero constant term accepted in GF2m polynomial");
++
++ /* Odd hexanomial should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf3)))
++ goto out;
++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Hexanomial accepted as GF2m polynomial");
++
++ /* Excessive polynomial degree should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0x71))
++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++ goto out;
++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("GF2m polynomial degree > %d accepted",
++ OPENSSL_ECC_MAX_FIELD_BITS);
++
++ ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++ EC_GROUP_free(group1);
++ EC_GROUP_free(group2);
++ EC_GROUP_free(group3);
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++
++ return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+ ADD_TEST(field_tests_ecp_simple);
+ ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++ ADD_TEST(ec2m_field_sanity);
+ ADD_TEST(field_tests_ec2_simple);
+ #endif
+ ADD_ALL_TESTS(field_tests_default, crv_len);
+
diff --git a/dev-libs/openssl/openssl-3.3.2-r1.ebuild b/dev-libs/openssl/openssl-3.3.2-r1.ebuild
new file mode 100644
index 000000000000..8014cc0dea66
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.3.2-r1.ebuild
@@ -0,0 +1,304 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+ inherit git-r3
+else
+ SRC_URI="
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
+ "
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ !<net-misc/openssh-9.2_p1-r3
+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+ >=dev-lang/perl-5
+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+ test? (
+ sys-apps/diffutils
+ app-alternatives/bc
+ sys-process/procps
+ )
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+ if use ktls ; then
+ if kernel_is -lt 4 18 ; then
+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+ else
+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+ use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+ linux-info_pkg_setup
+ fi
+ fi
+
+ [[ ${MERGE_TYPE} == binary ]] && return
+
+ # must check in pkg_setup; sysctl doesn't work with userpriv!
+ if use test && use sctp ; then
+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+ # if sctp.auth_enable is not enabled.
+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+ if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+ fi
+ fi
+}
+
+src_unpack() {
+ # Can delete this once test fix patch is dropped
+ if use verify-sig ; then
+ # Needed for downloaded patch (which is unsigned, which is fine)
+ verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
+ fi
+
+ default
+}
+
+src_prepare() {
+ # Make sure we only ever touch Makefile.org and avoid patching a file
+ # that gets blown away anyways by the Configure script in src_configure
+ rm -f Makefile || die
+
+ if ! use vanilla ; then
+ PATCHES+=(
+ # Add patches which are Gentoo-specific customisations here
+ )
+ fi
+
+ default
+
+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+ rm test/recipes/80-test_ssl_new.t || die
+ fi
+
+ # Test fails depending on kernel configuration, bug #699134
+ rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+ # Keep this in sync with app-misc/c_rehash
+ SSL_CNF_DIR="/etc/ssl"
+
+ # Quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (bug #417795 again)
+ tc-is-clang && append-flags -Qunused-arguments
+
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
+ # - https://github.com/openssl/openssl/issues/18225
+ # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
+ append-flags -fno-strict-aliasing
+ # The OpenSSL developers don't test with LTO right now, it leads to various
+ # warnings/errors (which may or may not be false positives), it's considered
+ # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+ filter-lto
+
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
+ # bug #895308 -- check inserts GNU ld-compatible arguments
+ [[ ${CHOST} == *-darwin* ]] || append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
+ # bug #197996
+ unset APPS
+ # bug #312551
+ unset SCRIPTS
+ # bug #311473
+ unset CROSS_COMPILE
+
+ tc-export AR CC CXX RANLIB RC
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ # See if our toolchain supports __uint128_t. If so, it's 64bit
+ # friendly and can use the nicely optimized code paths, bug #460790.
+ #local ec_nistp_64_gcc_128
+ #
+ # Disable it for now though (bug #469976)
+ # Do NOT re-enable without substantial discussion first!
+ #
+ #echo "__uint128_t i;" > "${T}"/128.c
+ #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+ #fi
+
+ local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+ einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+ # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+ local myeconfargs=(
+ ${sslout}
+
+ $(multilib_is_native_abi || echo "no-docs")
+ $(use cpu_flags_x86_sse2 || echo "no-sse2")
+ enable-camellia
+ enable-ec
+ enable-ec2m
+ enable-sm2
+ enable-srp
+ $(use elibc_musl && echo "no-async")
+ enable-idea
+ enable-mdc2
+ enable-rc5
+ $(use fips && echo "enable-fips")
+ $(use quic && echo "enable-quic")
+ $(use_ssl asm)
+ $(use_ssl ktls)
+ $(use_ssl rfc3779)
+ $(use_ssl sctp)
+ $(use test || echo "no-tests")
+ $(use_ssl tls-compression zlib)
+ $(use_ssl weak-ssl-ciphers)
+
+ --prefix="${EPREFIX}"/usr
+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
+ --libdir=$(get_libdir)
+
+ shared
+ threads
+ )
+
+ edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+ emake build_sw
+}
+
+multilib_src_test() {
+ # See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+ #
+ # VFP = show subtests verbosely and show failed tests verbosely
+ # Normal V=1 would show everything verbosely but this slows things down.
+ #
+ # -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+ # shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+ # controls running the tests.
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
+ if use fips; then
+ emake DESTDIR="${D}" -j1 install_fips
+ # Regen this in pkg_preinst, bug 900625
+ rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+ fi
+
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+ fi
+
+ # This is crappy in that the static archives are still built even
+ # when USE=static-libs. But this is due to a failing in the openssl
+ # build system: the static archives are built as PIC all the time.
+ # Only way around this would be to manually configure+compile openssl
+ # twice; once with shared lib support enabled and once without.
+ if ! use static-libs ; then
+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ # openssl installs perl version of c_rehash by default, but
+ # we provide a shell version via app-misc/c_rehash
+ rm "${ED}"/usr/bin/c_rehash || die
+
+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+ # Create the certs directory
+ keepdir ${SSL_CNF_DIR}/certs
+
+ # bug #254521
+ dodir /etc/sandbox.d
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+ if use fips; then
+ # Regen fipsmodule.cnf, bug 900625
+ ebegin "Running openssl fipsinstall"
+ "${ED}/usr/bin/openssl" fipsinstall -quiet \
+ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+ -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+ eend $?
+ fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+ ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+ openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+ eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
^ permalink raw reply related [flat|nested] 36+ messages in thread
end of thread, other threads:[~2024-10-29 2:10 UTC | newest]
Thread overview: 36+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-12 10:40 [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/ Thomas Deutschmann
-- strict thread matches above, loose matches on Subject: below --
2024-10-29 2:10 Sam James
2024-10-29 2:10 Sam James
2024-08-07 2:41 Sam James
2024-08-03 5:08 Sam James
2024-07-19 17:03 Jakov Smolić
2024-04-29 17:07 Sam James
2024-04-15 7:16 Sam James
2024-04-15 7:16 Sam James
2024-02-01 16:46 Sam James
2023-07-19 15:06 Sam James
2023-04-20 16:58 Patrick McLean
2023-03-22 23:00 Patrick McLean
2022-12-18 5:00 Andreas K. Hüttel
2022-12-18 2:11 Andreas K. Hüttel
2020-12-22 22:44 Thomas Deutschmann
2020-12-17 16:23 Andreas K. Hüttel
2019-11-25 0:13 Thomas Deutschmann
2019-10-04 15:48 Thomas Deutschmann
2019-10-04 15:48 Thomas Deutschmann
2019-08-23 18:10 Thomas Deutschmann
2019-01-02 21:58 Thomas Deutschmann
2018-12-25 17:24 Lars Wendler
2018-11-20 14:46 Lars Wendler
2018-11-12 18:36 Thomas Deutschmann
2018-06-20 15:38 Lars Wendler
2017-12-30 19:55 Thomas Deutschmann
2017-12-07 18:53 Thomas Deutschmann
2016-09-22 13:15 Lars Wendler
2016-05-03 14:21 Lars Wendler
2016-02-26 22:46 Doug Goldstein
2016-02-09 13:32 Jason Donenfeld
2016-01-29 6:59 Lars Wendler
2015-12-03 19:58 Mike Frysinger
2015-12-03 18:40 Lars Wendler
2015-12-03 17:10 Mike Frysinger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox