| 4 |
4 |
EAPI=8
|
| 5 |
5 |
|
| 6 |
6 |
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
|
| 7 |
|
inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
|
|
7 |
inherit edo flag-o-matic linux-info toolchain-funcs
|
|
8 |
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
|
| 8 |
9 |
|
| 9 |
|
MY_P=${P/_/-}
|
| 10 |
|
DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
|
|
10 |
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
|
| 11 |
11 |
HOMEPAGE="https://www.openssl.org/"
|
| 12 |
|
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
|
| 13 |
|
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
|
| 14 |
|
S="${WORKDIR}/${MY_P}"
|
| 15 |
|
|
| 16 |
|
LICENSE="openssl"
|
| 17 |
|
SLOT="0/1.1" # .so version of libssl/libcrypto
|
| 18 |
|
if [[ ${PV} != *_pre* ]] ; then
|
| 19 |
|
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
|
|
12 |
|
|
13 |
MY_P=${P/_/-}
|
|
14 |
|
|
15 |
if [[ ${PV} == 9999 ]] ; then
|
|
16 |
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
|
|
17 |
|
|
18 |
inherit git-r3
|
|
19 |
else
|
|
20 |
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
|
|
21 |
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
|
|
22 |
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos"
|
| 20 |
23 |
fi
|
| 21 |
|
IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
|
|
24 |
|
|
25 |
S="${WORKDIR}"/${MY_P}
|
|
26 |
|
|
27 |
LICENSE="Apache-2.0"
|
|
28 |
SLOT="0/3" # .so version of libssl/libcrypto
|
|
29 |
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
|
| 22 |
30 |
RESTRICT="!test? ( test )"
|
| 23 |
31 |
|
| 24 |
|
RDEPEND="
|
| 25 |
|
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
|
| 26 |
|
DEPEND="${RDEPEND}"
|
|
32 |
COMMON_DEPEND="
|
|
33 |
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
|
|
34 |
"
|
| 27 |
35 |
BDEPEND="
|
| 28 |
36 |
>=dev-lang/perl-5
|
| 29 |
37 |
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
|
| 30 |
38 |
test? (
|
| 31 |
39 |
sys-apps/diffutils
|
| 32 |
40 |
sys-devel/bc
|
| 33 |
|
kernel_linux? ( sys-process/procps )
|
|
41 |
sys-process/procps
|
| 34 |
42 |
)
|
| 35 |
|
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
|
| 36 |
|
PDEPEND="app-misc/ca-certificates"
|
|
43 |
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
|
| 37 |
44 |
|
| 38 |
|
# force upgrade to prevent broken login, bug #696950
|
| 39 |
|
RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
|
|
45 |
DEPEND="${COMMON_DEPEND}"
|
|
46 |
RDEPEND="${COMMON_DEPEND}"
|
|
47 |
PDEPEND="app-misc/ca-certificates"
|
| 40 |
48 |
|
| 41 |
49 |
MULTILIB_WRAPPED_HEADERS=(
|
| 42 |
|
usr/include/openssl/opensslconf.h
|
| 43 |
|
)
|
| 44 |
|
|
| 45 |
|
PATCHES=(
|
| 46 |
|
# General patches which are suitable to always apply
|
| 47 |
|
# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
|
| 48 |
|
"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
|
| 49 |
|
"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
|
|
50 |
/usr/include/openssl/configuration.h
|
| 50 |
51 |
)
|
| 51 |
52 |
|
| 52 |
53 |
pkg_setup() {
|
|
54 |
if use ktls ; then
|
|
55 |
if kernel_is -lt 4 18 ; then
|
|
56 |
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
|
|
57 |
else
|
|
58 |
CONFIG_CHECK="~TLS ~TLS_DEVICE"
|
|
59 |
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
|
|
60 |
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
|
|
61 |
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
|
|
62 |
|
|
63 |
linux-info_pkg_setup
|
|
64 |
fi
|
|
65 |
fi
|
|
66 |
|
| 53 |
67 |
[[ ${MERGE_TYPE} == binary ]] && return
|
| 54 |
68 |
|
| 55 |
69 |
# must check in pkg_setup; sysctl doesn't work with userpriv!
|
| 56 |
|
if use test && use sctp; then
|
|
70 |
if use test && use sctp ; then
|
| 57 |
71 |
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
|
| 58 |
72 |
# if sctp.auth_enable is not enabled.
|
| 59 |
73 |
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
|
| 60 |
|
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
|
|
74 |
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
|
| 61 |
75 |
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
|
| 62 |
76 |
fi
|
| 63 |
77 |
fi
|
| ... | ... | |
| 86 |
100 |
|
| 87 |
101 |
default
|
| 88 |
102 |
|
| 89 |
|
if use test && use sctp && has network-sandbox ${FEATURES}; then
|
|
103 |
if use test && use sctp && has network-sandbox ${FEATURES} ; then
|
| 90 |
104 |
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
|
| 91 |
105 |
rm test/recipes/80-test_ssl_new.t || die
|
| 92 |
106 |
fi
|
| 93 |
107 |
|
| 94 |
108 |
# Test fails depending on kernel configuration, bug #699134
|
| 95 |
109 |
rm test/recipes/30-test_afalg.t || die
|
| 96 |
|
|
| 97 |
|
# Remove test target when FEATURES=test isn't set
|
| 98 |
|
if ! use test ; then
|
| 99 |
|
sed \
|
| 100 |
|
-e '/^$config{dirs}/s@ "test",@@' \
|
| 101 |
|
-i Configure || die
|
| 102 |
|
fi
|
| 103 |
|
|
| 104 |
|
if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
|
| 105 |
|
# use GNU ld full option, not to confuse it on Solaris
|
| 106 |
|
sed -i \
|
| 107 |
|
-e 's/-Wl,-M,/-Wl,--version-script=/' \
|
| 108 |
|
-e 's/-Wl,-h,/-Wl,--soname=/' \
|
| 109 |
|
Configurations/10-main.conf || die
|
| 110 |
|
fi
|
| 111 |
|
|
| 112 |
|
# The config script does stupid stuff to prompt the user. Kill it.
|
| 113 |
|
sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
|
| 114 |
110 |
}
|
| 115 |
111 |
|
| 116 |
112 |
src_configure() {
|
| ... | ... | |
| 137 |
133 |
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
|
| 138 |
134 |
filter-lto
|
| 139 |
135 |
|
| 140 |
|
append-cppflags -DOPENSSL_NO_BUF_FREELISTS
|
| 141 |
|
|
| 142 |
136 |
append-flags $(test-flags-CC -Wa,--noexecstack)
|
| 143 |
137 |
|
|
138 |
# bug #895308
|
|
139 |
append-atomic-flags
|
|
140 |
# Configure doesn't respect LIBS
|
|
141 |
export LDLIBS="${LIBS}"
|
|
142 |
|
| 144 |
143 |
# bug #197996
|
| 145 |
144 |
unset APPS
|
| 146 |
145 |
# bug #312551
|
| ... | ... | |
| 167 |
166 |
#
|
| 168 |
167 |
#echo "__uint128_t i;" > "${T}"/128.c
|
| 169 |
168 |
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
|
| 170 |
|
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
|
|
169 |
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
|
| 171 |
170 |
#fi
|
| 172 |
171 |
|
| 173 |
172 |
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
|
| 174 |
|
einfo "Use configuration ${sslout:-(openssl knows best)}"
|
| 175 |
|
local config=( perl "${S}/Configure" )
|
| 176 |
|
[[ -z ${sslout} ]] && config=( sh "${S}/config" -v )
|
| 177 |
|
|
| 178 |
|
# "disable-deprecated" option breaks too many consumers.
|
| 179 |
|
# Don't set it without thorough revdeps testing.
|
| 180 |
|
# Make sure user flags don't get added *yet* to avoid duplicated
|
| 181 |
|
# flags.
|
|
173 |
einfo "Using configuration: ${sslout:-(openssl knows best)}"
|
|
174 |
|
|
175 |
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
|
| 182 |
176 |
local myeconfargs=(
|
| 183 |
177 |
${sslout}
|
| 184 |
178 |
|
| ... | ... | |
| 189 |
183 |
enable-sm2
|
| 190 |
184 |
enable-srp
|
| 191 |
185 |
$(use elibc_musl && echo "no-async")
|
| 192 |
|
${ec_nistp_64_gcc_128}
|
| 193 |
186 |
enable-idea
|
| 194 |
187 |
enable-mdc2
|
| 195 |
188 |
enable-rc5
|
| 196 |
|
$(use_ssl sslv3 ssl3)
|
| 197 |
|
$(use_ssl sslv3 ssl3-method)
|
|
189 |
$(use fips && echo "enable-fips")
|
| 198 |
190 |
$(use_ssl asm)
|
|
191 |
$(use_ssl ktls)
|
| 199 |
192 |
$(use_ssl rfc3779)
|
| 200 |
193 |
$(use_ssl sctp)
|
| 201 |
194 |
$(use test || echo "no-tests")
|
| 202 |
195 |
$(use_ssl tls-compression zlib)
|
| 203 |
|
$(use_ssl tls-heartbeat heartbeats)
|
| 204 |
196 |
$(use_ssl weak-ssl-ciphers)
|
| 205 |
197 |
|
| 206 |
198 |
--prefix="${EPREFIX}"/usr
|
| ... | ... | |
| 211 |
203 |
threads
|
| 212 |
204 |
)
|
| 213 |
205 |
|
| 214 |
|
edo "${config[@]}" "${myeconfargs[@]}"
|
|
206 |
edo perl "${S}/Configure" "${myeconfargs[@]}"
|
| 215 |
207 |
}
|
| 216 |
208 |
|
| 217 |
209 |
multilib_src_compile() {
|
| 218 |
|
emake all
|
|
210 |
emake build_sw
|
|
211 |
|
|
212 |
if multilib_is_native_abi; then
|
|
213 |
emake build_docs
|
|
214 |
fi
|
| 219 |
215 |
}
|
| 220 |
216 |
|
| 221 |
217 |
multilib_src_test() {
|
| 222 |
|
emake -j1 test
|
|
218 |
# VFP = show subtests verbosely and show failed tests verbosely
|
|
219 |
# Normal V=1 would show everything verbosely but this slows things down.
|
|
220 |
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
|
| 223 |
221 |
}
|
| 224 |
222 |
|
| 225 |
223 |
multilib_src_install() {
|
| 226 |
224 |
emake DESTDIR="${D}" install_sw
|
|
225 |
if use fips; then
|
|
226 |
emake DESTDIR="${D}" install_fips
|
|
227 |
# Regen this in pkg_preinst, bug 900625
|
|
228 |
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
|
|
229 |
fi
|
| 227 |
230 |
|
| 228 |
231 |
if multilib_is_native_abi; then
|
| 229 |
232 |
emake DESTDIR="${D}" install_ssldirs
|
| 230 |
|
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} MANSUFFIX=ssl install_docs
|
|
233 |
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
|
| 231 |
234 |
fi
|
| 232 |
235 |
|
| 233 |
236 |
# This is crappy in that the static archives are still built even
|
| ... | ... | |
| 235 |
238 |
# build system: the static archives are built as PIC all the time.
|
| 236 |
239 |
# Only way around this would be to manually configure+compile openssl
|
| 237 |
240 |
# twice; once with shared lib support enabled and once without.
|
| 238 |
|
if ! use static-libs; then
|
|
241 |
if ! use static-libs ; then
|
| 239 |
242 |
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
|
| 240 |
243 |
fi
|
| 241 |
244 |
}
|
| ... | ... | |
| 245 |
248 |
# we provide a shell version via app-misc/c_rehash
|
| 246 |
249 |
rm "${ED}"/usr/bin/c_rehash || die
|
| 247 |
250 |
|
| 248 |
|
dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
|
|
251 |
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
|
| 249 |
252 |
|
| 250 |
253 |
# Create the certs directory
|
| 251 |
254 |
keepdir ${SSL_CNF_DIR}/certs
|
| ... | ... | |
| 258 |
261 |
keepdir ${SSL_CNF_DIR}/private
|
| 259 |
262 |
}
|
| 260 |
263 |
|
|
264 |
pkg_preinst() {
|
|
265 |
if use fips; then
|
|
266 |
# Regen fipsmodule.cnf, bug 900625
|
|
267 |
ebegin "Running openssl fipsinstall"
|
|
268 |
"${ED}/usr/bin/openssl" fipsinstall -quiet \
|
|
269 |
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
|
|
270 |
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
|
|
271 |
eend $?
|
|
272 |
fi
|
|
273 |
|
|
274 |
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
|
|
275 |
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
|
|
276 |
}
|
|
277 |
|
| 261 |
278 |
pkg_postinst() {
|
| 262 |
279 |
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
|
| 263 |
280 |
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
|
| 264 |
281 |
eend $?
|
|
282 |
|
|
283 |
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
|
|
284 |
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
|
| 265 |
285 |
}
|
