commit:     76f8af3f0ac6bd939ca6c837d0bba99098ac6ce0
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sat Mar 11 05:50:36 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Mar 11 16:51:01 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76f8af3f

dev-libs/openssl: generate fipsmodule.cnf in pkg_preinst

This file contains a hash of the fips.so module, which may change after
src_install due to automatic stripping by the package manager.

README-FIPS.md says this file should be generated on each machine
separately anyway.

This will fail when cross-compiling since we call openssl from ${D}, but
I don't see a better way to handle it.

Only the primary ABI is handled currently: by the time we get to
pkg_preinst, the tools from the secondary ABIs have been clobbered.

Closes: https://bugs.gentoo.org/900625
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 .../{openssl-3.0.8.ebuild => openssl-3.0.8-r1.ebuild}       | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/dev-libs/openssl/openssl-3.0.8.ebuild 
b/dev-libs/openssl/openssl-3.0.8-r1.ebuild
similarity index 95%
rename from dev-libs/openssl/openssl-3.0.8.ebuild
rename to dev-libs/openssl/openssl-3.0.8-r1.ebuild
index a5c46e57fff2..d809d357d0fb 100644
--- a/dev-libs/openssl/openssl-3.0.8.ebuild
+++ b/dev-libs/openssl/openssl-3.0.8-r1.ebuild
@@ -222,6 +222,8 @@ multilib_src_install() {
        emake DESTDIR="${D}" install_sw
        if use fips; then
                emake DESTDIR="${D}" install_fips
+               # Regen this in pkg_preinst, bug 900625
+               rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
        fi
 
        if multilib_is_native_abi; then
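Review bot: The comment on the added `rm` in the `if use fips` branch says where the file is regenerated but not why the build-time copy is discarded, which is the part a later maintainer needs. Something like `# install_fips writes fipsmodule.cnf with a hash of fips.so; stripping after src_install invalidates it, so regen in pkg_preinst (bug 900625)` would keep the reason next to the code. multilib_src_install begins and ends outside this hunk.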
@@ -257,6 +259,17 @@ multilib_src_install_all() {
        keepdir ${SSL_CNF_DIR}/private
 }
 
+pkg_preinst() {
+       if use fips; then
+               # Regen fipsmodule.cnf, bug 900625
+               ebegin "Running openssl fipsinstall"
+               "${ED}/usr/bin/openssl" fipsinstall -quiet \
+                       -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+                       -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+               eend $?
+       fi
+}
+
 pkg_postinst() {
        ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to 
rebuild hashes (bug #333069)"
        openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
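Review bot: A failed `openssl fipsinstall` in `pkg_preinst` is only reported through `eend $?` and the merge carries on, so the package can be installed with no fipsmodule.cnf at all, since the first hunk already removed the copy from the image. With USE=fips that leaves the FIPS provider without its module integrity data, and stopping the merge is safer than finding out at runtime; `eend $? || die "openssl fipsinstall failed"` would do that. Separately, the binary is run from `${ED}` with no library path set, so it presumably resolves libcrypto from the live system rather than from the image; it is worth confirming this works on a first install or a major-version upgrade.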
