From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-dev:musl commit in: dev-libs/openssl/files/, dev-libs/openssl/
Date: Mon,  6 Jan 2014 17:36:21 +0000 (UTC)	[thread overview]
Message-ID: <1389029824.e4dff52caed8073d32e1db0fcccc31d6cc928350.blueness@gentoo> (raw)

commit:     e4dff52caed8073d32e1db0fcccc31d6cc928350
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 22 01:13:14 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Jan  6 17:37:04 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=e4dff52c

dev-libs/openssl: bump to 1.01e

Package-Manager: portage-2.2.7
RepoMan-Options: --force

---
 .../files/openssl-1.0.1e-bad-mac-aes-ni.patch      |  34 ++
 dev-libs/openssl/files/openssl-1.0.1e-ipv6.patch   | 656 +++++++++++++++++++++
 .../openssl/files/openssl-1.0.1e-perl-5.18.patch   | 375 ++++++++++++
 .../files/openssl-1.0.1e-rdrand-explicit.patch     |  27 +
 .../files/openssl-1.0.1e-s_client-verify.patch     |  17 +
 .../files/openssl-1.0.1e-tls-ver-crash.patch       |  33 ++
 dev-libs/openssl/metadata.xml                      |   1 +
 dev-libs/openssl/openssl-1.0.1e-r99.ebuild         | 238 ++++++++
 8 files changed, 1381 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.0.1e-bad-mac-aes-ni.patch b/dev-libs/openssl/files/openssl-1.0.1e-bad-mac-aes-ni.patch
new file mode 100644
index 0000000..ede40c2
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1e-bad-mac-aes-ni.patch
@@ -0,0 +1,34 @@
+https://bugs.gentoo.org/463444
+
+From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: [PATCH] e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI
+ plaforms.
+
+PR: 3002
+(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
+---
+ crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+
+				if (res!=SHA_CBLOCK) continue;
+
+-				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++				/* j is not incremented yet */
++				mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+				data->u[SHA_LBLOCK-1] |= bitlen&mask;
+				sha1_block_data_order(&key->md,data,1);
+-				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++				mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+				pmac->u[0] |= key->md.h0 & mask;
+				pmac->u[1] |= key->md.h1 & mask;
+				pmac->u[2] |= key->md.h2 & mask;
+--
+1.8.2.1

diff --git a/dev-libs/openssl/files/openssl-1.0.1e-ipv6.patch b/dev-libs/openssl/files/openssl-1.0.1e-ipv6.patch
new file mode 100644
index 0000000..ff73c53
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1e-ipv6.patch
@@ -0,0 +1,656 @@
+http://rt.openssl.org/Ticket/Display.html?id=2051
+user/pass: guest/guest
+
+Index: apps/s_apps.h
+===================================================================
+RCS file: /v/openssl/cvs/openssl/apps/s_apps.h,v
+retrieving revision 1.21.2.1
+diff -u -r1.21.2.1 s_apps.h
+--- apps/s_apps.h	4 Sep 2009 17:42:04 -0000	1.21.2.1
++++ apps/s_apps.h	28 Dec 2011 00:28:14 -0000
+@@ -148,7 +148,7 @@
+ #define PORT_STR        "4433"
+ #define PROTOCOL        "tcp"
+
+-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
++int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context, int use_ipv4, int use_ipv6);
+ #ifdef HEADER_X509_H
+ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+ #endif
+@@ -156,7 +156,7 @@
+ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
+ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
+ #endif
+-int init_client(int *sock, char *server, int port, int type);
++int init_client(int *sock, char *server, int port, int type, int use_ipv4, int use_ipv6);
+ int should_retry(int i);
+ int extract_port(char *str, short *port_ptr);
+ int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
+Index: apps/s_client.c
+===================================================================
+RCS file: /v/openssl/cvs/openssl/apps/s_client.c,v
+retrieving revision 1.123.2.6.2.10
+diff -u -r1.123.2.6.2.10 s_client.c
+--- apps/s_client.c	14 Dec 2011 22:18:02 -0000	1.123.2.6.2.10
++++ apps/s_client.c	28 Dec 2011 00:28:14 -0000
+@@ -285,6 +285,10 @@
+	{
+	BIO_printf(bio_err,"usage: s_client args\n");
+	BIO_printf(bio_err,"\n");
++	BIO_printf(bio_err," -4             - use IPv4 only\n");
++#if OPENSSL_USE_IPV6
++	BIO_printf(bio_err," -6             - use IPv6 only\n");
++#endif
+	BIO_printf(bio_err," -host host     - use -connect instead\n");
+	BIO_printf(bio_err," -port port     - use -connect instead\n");
+	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
+@@ -564,6 +567,7 @@
+	int sbuf_len,sbuf_off;
+	fd_set readfds,writefds;
+	short port=PORT;
++	int use_ipv4, use_ipv6;
+	int full_log=1;
+	char *host=SSL_HOST_NAME;
+	char *cert_file=NULL,*key_file=NULL;
+@@ -609,7 +613,11 @@
+ #endif
+	char *sess_in = NULL;
+	char *sess_out = NULL;
+-	struct sockaddr peer;
++#if OPENSSL_USE_IPV6
++	struct sockaddr_storage peer;
++#else
++	struct sockaddr_in peer;
++#endif
+	int peerlen = sizeof(peer);
+	int enable_timeouts = 0 ;
+	long socket_mtu = 0;
+@@ -630,6 +638,12 @@
+	meth=SSLv2_client_method();
+ #endif
+
++	use_ipv4 = 1;
++#if OPENSSL_USE_IPV6
++	use_ipv6 = 1;
++#else
++	use_ipv6 = 0;
++#endif
+	apps_startup();
+	c_Pause=0;
+	c_quiet=0;
+@@ -951,6 +961,18 @@
+			jpake_secret = *++argv;
+			}
+ #endif
++		else if (strcmp(*argv,"-4") == 0)
++			{
++			use_ipv4 = 1;
++			use_ipv6 = 0;
++			}
++#if OPENSSL_USE_IPV6
++		else if (strcmp(*argv,"-6") == 0)
++			{
++			use_ipv4 = 0;
++			use_ipv6 = 1;
++			}
++#endif
+ #ifndef OPENSSL_NO_SRTP
+		else if (strcmp(*argv,"-use_srtp") == 0)
+			{
+@@ -1259,7 +1276,7 @@
+
+ re_start:
+
+-	if (init_client(&s,host,port,socket_type) == 0)
++	if (init_client(&s,host,port,socket_type,use_ipv4,use_ipv6) == 0)
+		{
+		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
+		SHUTDOWN(s);
+@@ -1285,7 +1302,7 @@
+		{
+
+		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
+-		if (getsockname(s, &peer, (void *)&peerlen) < 0)
++		if (getsockname(s, (struct sockaddr *)&peer, (void *)&peerlen) < 0)
+			{
+			BIO_printf(bio_err, "getsockname:errno=%d\n",
+				get_last_socket_error());
+===================================================================
+RCS file: /v/openssl/cvs/openssl/apps/s_server.c,v
+retrieving revision 1.136.2.15.2.13
+diff -u -r1.136.2.15.2.13 s_server.c
+--- apps/s_server.c	27 Dec 2011 14:23:22 -0000	1.136.2.15.2.13
++++ apps/s_server.c	28 Dec 2011 00:28:14 -0000
+@@ -558,6 +558,10 @@
+ # endif
+         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list");
+ #endif
++	BIO_printf(bio_err," -4            - use IPv4 only\n");
++#if OPENSSL_USE_IPV6
++	BIO_printf(bio_err," -6            - use IPv6 only\n");
++#endif
+	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
+	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
+	}
+@@ -943,6 +947,7 @@
+	int state=0;
+	const SSL_METHOD *meth=NULL;
+	int socket_type=SOCK_STREAM;
++	int use_ipv4, use_ipv6;
+	ENGINE *e=NULL;
+	char *inrand=NULL;
+	int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
+@@ -981,6 +986,12 @@
+   /*  #error no SSL version enabled */
+ #endif
+
++	use_ipv4 = 1;
++#if OPENSSL_USE_IPV6
++	use_ipv6 = 1;
++#else
++	use_ipv6 = 0;
++#endif
+	local_argc=argc;
+	local_argv=argv;
+
+@@ -1329,6 +1340,18 @@
+			jpake_secret = *(++argv);
+			}
+ #endif
++		else if (strcmp(*argv,"-4") == 0)
++			{
++			use_ipv4 = 1;
++			use_ipv6 = 0;
++			}
++#if OPENSSL_USE_IPV6
++		else if (strcmp(*argv,"-6") == 0)
++			{
++			use_ipv4 = 0;
++			use_ipv6 = 1;
++			}
++#endif
+ #ifndef OPENSSL_NO_SRTP
+		else if (strcmp(*argv,"-use_srtp") == 0)
+			{
+@@ -1884,9 +1907,9 @@
+	BIO_printf(bio_s_out,"ACCEPT\n");
+	(void)BIO_flush(bio_s_out);
+	if (www)
+-		do_server(port,socket_type,&accept_socket,www_body, context);
++		do_server(port,socket_type,&accept_socket,www_body, context, use_ipv4, use_ipv6);
+	else
+-		do_server(port,socket_type,&accept_socket,sv_body, context);
++		do_server(port,socket_type,&accept_socket,sv_body, context, use_ipv4, use_ipv6);
+	print_stats(bio_s_out,ctx);
+	ret=0;
+ end:
+Index: apps/s_socket.c
+===================================================================
+RCS file: /v/openssl/cvs/openssl/apps/s_socket.c,v
+retrieving revision 1.43.2.3.2.2
+diff -u -r1.43.2.3.2.2 s_socket.c
+--- apps/s_socket.c	2 Dec 2011 14:39:40 -0000	1.43.2.3.2.2
++++ apps/s_socket.c	28 Dec 2011 00:28:14 -0000
+@@ -97,16 +97,16 @@
+ #include "netdb.h"
+ #endif
+
+-static struct hostent *GetHostByName(char *name);
++static struct hostent *GetHostByName(char *name, int domain);
+ #if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
+ static void ssl_sock_cleanup(void);
+ #endif
+ static int ssl_sock_init(void);
+-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
+-static int init_server(int *sock, int port, int type);
+-static int init_server_long(int *sock, int port,char *ip, int type);
++static int init_client_ip(int *sock,unsigned char *ip, int port, int type, int domain);
++static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6);
++static int init_server_long(int *sock, int port,char *ip, int type, int use_ipv4, int use_ipv6);
+ static int do_accept(int acc_sock, int *sock, char **host);
+-static int host_ip(char *str, unsigned char ip[4]);
++static int host_ip(char *str, unsigned char *ip, int domain);
+
+ #ifdef OPENSSL_SYS_WIN16
+ #define SOCKET_PROTOCOL	0 /* more microsoft stupidity */
+@@ -234,38 +234,68 @@
+	return(1);
+	}
+
+-int init_client(int *sock, char *host, int port, int type)
++int init_client(int *sock, char *host, int port, int type, int use_ipv4, int use_ipv6)
+	{
++#if OPENSSL_USE_IPV6
++	unsigned char ip[16];
++#else
+	unsigned char ip[4];
++#endif
+
+-	memset(ip, '\0', sizeof ip);
+-	if (!host_ip(host,&(ip[0])))
+-		return 0;
+-	return init_client_ip(sock,ip,port,type);
+-	}
+-
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
+-	{
+-	unsigned long addr;
++	if (use_ipv4)
++		if (host_ip(host,ip,AF_INET))
++			return(init_client_ip(sock,ip,port,type,AF_INET));
++#if OPENSSL_USE_IPV6
++	if (use_ipv6)
++		if (host_ip(host,ip,AF_INET6))
++			return(init_client_ip(sock,ip,port,type,AF_INET6));
++#endif
++	return 0;
++	}
++
++static int init_client_ip(int *sock, unsigned char ip[4], int port, int type, int domain)
++	{
++#if OPENSSL_USE_IPV6
++	struct sockaddr_storage them;
++	struct sockaddr_in *them_in = (struct sockaddr_in *)&them;
++	struct sockaddr_in6 *them_in6 = (struct sockaddr_in6 *)&them;
++#else
+	struct sockaddr_in them;
++	struct sockaddr_in *them_in = &them;
++#endif
++	socklen_t addr_len;
+	int s,i;
+
+	if (!ssl_sock_init()) return(0);
+
+	memset((char *)&them,0,sizeof(them));
+-	them.sin_family=AF_INET;
+-	them.sin_port=htons((unsigned short)port);
+-	addr=(unsigned long)
+-		((unsigned long)ip[0]<<24L)|
+-		((unsigned long)ip[1]<<16L)|
+-		((unsigned long)ip[2]<< 8L)|
+-		((unsigned long)ip[3]);
+-	them.sin_addr.s_addr=htonl(addr);
++	if (domain == AF_INET)
++		{
++		addr_len = (socklen_t)sizeof(struct sockaddr_in);
++		them_in->sin_family=AF_INET;
++		them_in->sin_port=htons((unsigned short)port);
++#ifndef BIT_FIELD_LIMITS
++		memcpy(&them_in->sin_addr.s_addr, ip, 4);
++#else
++		memcpy(&them_in->sin_addr, ip, 4);
++#endif
++		}
++	else
++#if OPENSSL_USE_IPV6
++		{
++		addr_len = (socklen_t)sizeof(struct sockaddr_in6);
++		them_in6->sin6_family=AF_INET6;
++		them_in6->sin6_port=htons((unsigned short)port);
++		memcpy(&(them_in6->sin6_addr), ip, sizeof(struct in6_addr));
++		}
++#else
++		return(0);
++#endif
+
+	if (type == SOCK_STREAM)
+-		s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
++		s=socket(domain,SOCK_STREAM,SOCKET_PROTOCOL);
+	else /* ( type == SOCK_DGRAM) */
+-		s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
++		s=socket(domain,SOCK_DGRAM,IPPROTO_UDP);
+
+	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+
+@@ -277,29 +315,27 @@
+		if (i < 0) { perror("keepalive"); return(0); }
+		}
+ #endif
+-
+-	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
++	if (connect(s,(struct sockaddr *)&them,addr_len) == -1)
+		{ closesocket(s); perror("connect"); return(0); }
+	*sock=s;
+	return(1);
+	}
+
+-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
++int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context, int use_ipv4, int use_ipv6)
+	{
+	int sock;
+	char *name = NULL;
+	int accept_socket = 0;
+	int i;
+
+-	if (!init_server(&accept_socket,port,type)) return(0);
+-
++	if (!init_server(&accept_socket,port,type, use_ipv4, use_ipv6)) return(0);
+	if (ret != NULL)
+		{
+		*ret=accept_socket;
+		/* return(1);*/
+		}
+-  	for (;;)
+-  		{
++	for (;;)
++		{
+		if (type==SOCK_STREAM)
+			{
+			if (do_accept(accept_socket,&sock,&name) == 0)
+@@ -322,41 +358,88 @@
+		}
+	}
+
+-static int init_server_long(int *sock, int port, char *ip, int type)
++static int init_server_long(int *sock, int port, char *ip, int type, int use_ipv4, int use_ipv6)
+	{
+	int ret=0;
++	int domain;
++#if OPENSSL_USE_IPV6
++	struct sockaddr_storage server;
++	struct sockaddr_in *server_in = (struct sockaddr_in *)&server;
++	struct sockaddr_in6 *server_in6 = (struct sockaddr_in6 *)&server;
++#else
+	struct sockaddr_in server;
++	struct sockaddr_in *server_in = &server;
++#endif
++	socklen_t addr_len;
+	int s= -1;
+
++	if (!use_ipv4 && !use_ipv6)
++		goto err;
++#if OPENSSL_USE_IPV6
++	/* we are fine here */
++#else
++	if (use_ipv6)
++		goto err;
++#endif
+	if (!ssl_sock_init()) return(0);
+
+-	memset((char *)&server,0,sizeof(server));
+-	server.sin_family=AF_INET;
+-	server.sin_port=htons((unsigned short)port);
+-	if (ip == NULL)
+-		server.sin_addr.s_addr=INADDR_ANY;
+-	else
+-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
+-#ifndef BIT_FIELD_LIMITS
+-		memcpy(&server.sin_addr.s_addr,ip,4);
++#if OPENSSL_USE_IPV6
++	domain = use_ipv6 ? AF_INET6 : AF_INET;
+ #else
+-		memcpy(&server.sin_addr,ip,4);
++	domain = AF_INET;
+ #endif
+-
+-		if (type == SOCK_STREAM)
+-			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+-		else /* type == SOCK_DGRAM */
+-			s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
++	if (type == SOCK_STREAM)
++		s=socket(domain,SOCK_STREAM,SOCKET_PROTOCOL);
++	else /* type == SOCK_DGRAM */
++		s=socket(domain, SOCK_DGRAM,IPPROTO_UDP);
+
+	if (s == INVALID_SOCKET) goto err;
+ #if defined SOL_SOCKET && defined SO_REUSEADDR
++	{
++	int j = 1;
++	setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
++		   (void *) &j, sizeof j);
++	}
++#endif
++#if OPENSSL_USE_IPV6
++	if ((use_ipv4 == 0) && (use_ipv6 == 1))
+		{
+-		int j = 1;
+-		setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+-			   (void *) &j, sizeof j);
++		const int on = 1;
++
++		setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
++		           (const void *) &on, sizeof(int));
+		}
+ #endif
+-	if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
++	if (domain == AF_INET)
++		{
++		addr_len = (socklen_t)sizeof(struct sockaddr_in);
++		memset(server_in, 0, sizeof(struct sockaddr_in));
++		server_in->sin_family=AF_INET;
++		server_in->sin_port = htons((unsigned short)port);
++		if (ip == NULL)
++			server_in->sin_addr.s_addr = htonl(INADDR_ANY);
++		else
++/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
++#ifndef BIT_FIELD_LIMITS
++			memcpy(&server_in->sin_addr.s_addr, ip, 4);
++#else
++			memcpy(&server_in->sin_addr, ip, 4);
++#endif
++		}
++#if OPENSSL_USE_IPV6
++	else
++		{
++		addr_len = (socklen_t)sizeof(struct sockaddr_in6);
++		memset(server_in6, 0, sizeof(struct sockaddr_in6));
++		server_in6->sin6_family = AF_INET6;
++		server_in6->sin6_port = htons((unsigned short)port);
++		if (ip == NULL)
++			server_in6->sin6_addr = in6addr_any;
++		else
++			memcpy(&server_in6->sin6_addr, ip, sizeof(struct in6_addr));
++		}
++#endif
++	if (bind(s, (struct sockaddr *)&server, addr_len) == -1)
+		{
+ #ifndef OPENSSL_SYS_WINDOWS
+		perror("bind");
+@@ -375,16 +458,23 @@
+	return(ret);
+	}
+
+-static int init_server(int *sock, int port, int type)
++static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6)
+	{
+-	return(init_server_long(sock, port, NULL, type));
++	return(init_server_long(sock, port, NULL, type, use_ipv4, use_ipv6));
+	}
+
+ static int do_accept(int acc_sock, int *sock, char **host)
+	{
+	int ret;
+	struct hostent *h1,*h2;
+-	static struct sockaddr_in from;
++#if OPENSSL_USE_IPV6
++	struct sockaddr_storage from;
++	struct sockaddr_in *from_in = (struct sockaddr_in *)&from;
++	struct sockaddr_in6 *from_in6 = (struct sockaddr_in6 *)&from;
++#else
++	struct sockaddr_in from;
++	struct sockaddr_in *from_in = &from;
++#endif
+	int len;
+ /*	struct linger ling; */
+
+@@ -431,13 +521,23 @@
+ */
+
+	if (host == NULL) goto end;
++#if OPENSSL_USE_IPV6
++	if (from.ss_family == AF_INET)
++#else
++	if (from.sin_family == AF_INET)
++#endif
+ #ifndef BIT_FIELD_LIMITS
+-	/* I should use WSAAsyncGetHostByName() under windows */
+-	h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
+-		sizeof(from.sin_addr.s_addr),AF_INET);
++		/* I should use WSAAsyncGetHostByName() under windows */
++		h1=gethostbyaddr((char *)&from_in->sin_addr.s_addr,
++		                 sizeof(from_in->sin_addr.s_addr), AF_INET);
+ #else
+-	h1=gethostbyaddr((char *)&from.sin_addr,
+-		sizeof(struct in_addr),AF_INET);
++		h1=gethostbyaddr((char *)&from_in->sin_addr,
++		                 sizeof(struct in_addr), AF_INET);
++#endif
++#if OPENSSL_USE_IPV6
++	else
++		h1=gethostbyaddr((char *)&from_in6->sin6_addr,
++		                 sizeof(struct in6_addr), AF_INET6);
+ #endif
+	if (h1 == NULL)
+		{
+@@ -454,15 +554,23 @@
+			}
+		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
+
+-		h2=GetHostByName(*host);
++#if OPENSSL_USE_IPV6
++		h2=GetHostByName(*host, from.ss_family);
++#else
++		h2=GetHostByName(*host, from.sin_family);
++#endif
+		if (h2 == NULL)
+			{
+			BIO_printf(bio_err,"gethostbyname failure\n");
+			return(0);
+			}
+-		if (h2->h_addrtype != AF_INET)
++#if OPENSSL_USE_IPV6
++		if (h2->h_addrtype != from.ss_family)
++#else
++		if (h2->h_addrtype != from.sin_family)
++#endif
+			{
+-			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
++			BIO_printf(bio_err,"gethostbyname addr address is not correct\n");
+			return(0);
+			}
+		}
+@@ -477,7 +585,7 @@
+	char *h,*p;
+
+	h=str;
+-	p=strchr(str,':');
++	p=strrchr(str,':');
+	if (p == NULL)
+		{
+		BIO_printf(bio_err,"no port defined\n");
+@@ -485,7 +593,7 @@
+		}
+	*(p++)='\0';
+
+-	if ((ip != NULL) && !host_ip(str,ip))
++	if ((ip != NULL) && !host_ip(str,ip,AF_INET))
+		goto err;
+	if (host_ptr != NULL) *host_ptr=h;
+
+@@ -496,48 +604,58 @@
+	return(0);
+	}
+
+-static int host_ip(char *str, unsigned char ip[4])
++static int host_ip(char *str, unsigned char *ip, int domain)
+	{
+-	unsigned int in[4];
++	unsigned int in[4];
++	unsigned long l;
+	int i;
+
+-	if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
++	if ((domain == AF_INET) &&
++	    (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4))
+		{
++
+		for (i=0; i<4; i++)
+			if (in[i] > 255)
+				{
+				BIO_printf(bio_err,"invalid IP address\n");
+				goto err;
+				}
+-		ip[0]=in[0];
+-		ip[1]=in[1];
+-		ip[2]=in[2];
+-		ip[3]=in[3];
+-		}
++		l=htonl((in[0]<<24L)|(in[1]<<16L)|(in[2]<<8L)|in[3]);
++		memcpy(ip, &l, 4);
++		return 1;
++		}
++#if OPENSSL_USE_IPV6
++	else if ((domain == AF_INET6) &&
++	         (inet_pton(AF_INET6, str, ip) == 1))
++	         return 1;
++#endif
+	else
+		{ /* do a gethostbyname */
+		struct hostent *he;
+
+		if (!ssl_sock_init()) return(0);
+
+-		he=GetHostByName(str);
++		he=GetHostByName(str,domain);
+		if (he == NULL)
+			{
+			BIO_printf(bio_err,"gethostbyname failure\n");
+			goto err;
+			}
+		/* cast to short because of win16 winsock definition */
+-		if ((short)he->h_addrtype != AF_INET)
++		if ((short)he->h_addrtype != domain)
+			{
+-			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
++			BIO_printf(bio_err,"gethostbyname addr family is not correct\n");
+			return(0);
+			}
+-		ip[0]=he->h_addr_list[0][0];
+-		ip[1]=he->h_addr_list[0][1];
+-		ip[2]=he->h_addr_list[0][2];
+-		ip[3]=he->h_addr_list[0][3];
++		if (domain == AF_INET)
++			memset(ip, 0, 4);
++#if OPENSSL_USE_IPV6
++		else
++			memset(ip, 0, 16);
++#endif
++		memcpy(ip, he->h_addr_list[0], he->h_length);
++		return 1;
+		}
+-	return(1);
+ err:
+	return(0);
+	}
+@@ -574,7 +692,7 @@
+ static unsigned long ghbn_hits=0L;
+ static unsigned long ghbn_miss=0L;
+
+-static struct hostent *GetHostByName(char *name)
++static struct hostent *GetHostByName(char *name, int domain)
+	{
+	struct hostent *ret;
+	int i,lowi=0;
+@@ -589,14 +707,20 @@
+			}
+		if (ghbn_cache[i].order > 0)
+			{
+-			if (strncmp(name,ghbn_cache[i].name,128) == 0)
++			if ((strncmp(name,ghbn_cache[i].name,128) == 0) &&
++			    (ghbn_cache[i].ent.h_addrtype == domain))
+				break;
+			}
+		}
+	if (i == GHBN_NUM) /* no hit*/
+		{
+		ghbn_miss++;
+-		ret=gethostbyname(name);
++		if (domain == AF_INET)
++			ret=gethostbyname(name);
++#if OPENSSL_USE_IPV6
++		else
++			ret=gethostbyname2(name, AF_INET6);
++#endif
+		if (ret == NULL) return(NULL);
+		/* else add to cache */
+		if(strlen(name) < sizeof ghbn_cache[0].name)
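Review bot: In host_ip, the new `l=htonl(...)` followed by `memcpy(ip, &l, 4)` copies the first four bytes of an `unsigned long`; on a big-endian target where that type is 64 bits those are the zero high-order bytes, so a dotted-quad such as 10.0.0.1 would be stored as 0.0.0.0 while the function still returns 1. The byte-wise stores the patch removes were portable, and `for (i=0; i<4; i++) ip[i]=(unsigned char)in[i];` restores them using the `i` already declared, letting `l` be dropped. Separately, the definition of init_client_ip still spells its parameter `unsigned char ip[4]` although the forward declaration earlier in the hunk says `unsigned char *ip` and the AF_INET6 branch copies `sizeof(struct in6_addr)` bytes from it; writing the definition as `unsigned char *ip` would stop the declaration misdescribing the buffer. Whether any caller besides init_client supplies a 16-byte buffer is not visible in the hunk.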

diff --git a/dev-libs/openssl/files/openssl-1.0.1e-perl-5.18.patch b/dev-libs/openssl/files/openssl-1.0.1e-perl-5.18.patch
new file mode 100644
index 0000000..bfc24fc
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1e-perl-5.18.patch
@@ -0,0 +1,375 @@
+https://bugs.gentoo.org/483820
+
+Submitted By: Martin Ward <macros_the_black at ntlworld dot com>
+Date: 2013-06-18
+Initial Package Version: 1.0.1e
+Upstream Status: Unknown
+Origin: self, based on fedora
+Description: Fixes install with perl-5.18.
+
+--- openssl-1.0.1e.orig/doc/apps/cms.pod
++++ openssl-1.0.1e/doc/apps/cms.pod
+@@ -450,28 +450,28 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ the operation was completely successfully.
+
+-=item 1
++=item C<1>
+
+ an error occurred parsing the command options.
+
+-=item 2
++=item C<2>
+
+ one of the input files could not be read.
+
+-=item 3
++=item C<3>
+
+ an error occurred creating the CMS file or when reading the MIME
+ message.
+
+-=item 4
++=item C<4>
+
+ an error occurred decrypting or verifying the message.
+
+-=item 5
++=item C<5>
+
+ the message was verified correctly but an error occurred writing out
+ the signers certificates.
+--- openssl-1.0.1e.orig/doc/apps/smime.pod
++++ openssl-1.0.1e/doc/apps/smime.pod
+@@ -308,28 +308,28 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ the operation was completely successfully.
+
+-=item 1
++=item C<1>
+
+ an error occurred parsing the command options.
+
+-=item 2
++=item C<2>
+
+ one of the input files could not be read.
+
+-=item 3
++=item C<3>
+
+ an error occurred creating the PKCS#7 file or when reading the MIME
+ message.
+
+-=item 4
++=item C<4>
+
+ an error occurred decrypting or verifying the message.
+
+-=item 5
++=item C<5>
+
+ the message was verified correctly but an error occurred writing out
+ the signers certificates.
+--- openssl-1.0.1e.orig/doc/crypto/X509_STORE_CTX_get_error.pod
++++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod
+@@ -278,6 +278,8 @@
+ an application specific error. This will never be returned unless explicitly
+ set by an application.
+
++=back
++
+ =head1 NOTES
+
+ The above functions should be used instead of directly referencing the fields
+--- openssl-1.0.1e.orig/doc/ssl/SSL_accept.pod
++++ openssl-1.0.1e/doc/ssl/SSL_accept.pod
+@@ -44,12 +44,12 @@
+
+ =over 4
+
+-=item 1
++=item C<1>
+
+ The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+ established.
+
+-=item 0
++=item C<0>
+
+ The TLS/SSL handshake was not successful but was shut down controlled and
+ by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+--- openssl-1.0.1e.orig/doc/ssl/SSL_clear.pod
++++ openssl-1.0.1e/doc/ssl/SSL_clear.pod
+@@ -56,12 +56,12 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ The SSL_clear() operation could not be performed. Check the error stack to
+ find out the reason.
+
+-=item 1
++=item C<1>
+
+ The SSL_clear() operation was successful.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod
++++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
+@@ -53,11 +53,11 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ The operation succeeded.
+
+-=item 1
++=item C<1>
+
+ The operation failed. Check the error queue to find out the reason.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_connect.pod
++++ openssl-1.0.1e/doc/ssl/SSL_connect.pod
+@@ -41,12 +41,12 @@
+
+ =over 4
+
+-=item 1
++=item C<1>
+
+ The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+ established.
+
+-=item 0
++=item C<0>
+
+ The TLS/SSL handshake was not successful but was shut down controlled and
+ by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+--- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_add_session.pod
++++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod
+@@ -52,13 +52,13 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+  The operation failed. In case of the add operation, it was tried to add
+  the same (identical) session twice. In case of the remove operation, the
+  session was not found in the cache.
+
+-=item 1
++=item C<1>
+
+  The operation succeeded.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_load_verify_locations.pod
++++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod
+@@ -100,13 +100,13 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ The operation failed because B<CAfile> and B<CApath> are NULL or the
+ processing at one of the locations specified failed. Check the error
+ stack to find out the reason.
+
+-=item 1
++=item C<1>
+
+ The operation succeeded.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod
++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
+@@ -66,11 +66,11 @@
+
+ =over 4
+
+-=item 1
++=item C<1>
+
+ The operation succeeded.
+
+-=item 0
++=item C<0>
+
+ A failure while manipulating the STACK_OF(X509_NAME) object occurred or
+ the X509_NAME could not be extracted from B<cacert>. Check the error stack
+--- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_session_id_context.pod
++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod
+@@ -64,13 +64,13 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
+ the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
+ is logged to the error stack.
+
+-=item 1
++=item C<1>
+
+ The operation succeeded.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_ssl_version.pod
++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod
+@@ -42,11 +42,11 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ The new choice failed, check the error stack to find out the reason.
+
+-=item 1
++=item C<1>
+
+ The operation succeeded.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
++++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+@@ -81,6 +81,8 @@
+
+ Return values from the server callback are interpreted as follows:
+
++=over
++
+ =item > 0
+
+ PSK identity was found and the server callback has provided the PSK
+@@ -94,9 +96,11 @@
+ connection will fail with decryption_error before it will be finished
+ completely.
+
+-=item 0
++=item C<0>
+
+ PSK identity was not found. An "unknown_psk_identity" alert message
+ will be sent and the connection setup fails.
+
++=back
++
+ =cut
+--- openssl-1.0.1e.orig/doc/ssl/SSL_do_handshake.pod
++++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
+@@ -45,12 +45,12 @@
+
+ =over 4
+
+-=item 1
++=item C<1>
+
+ The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+ established.
+
+-=item 0
++=item C<0>
+
+ The TLS/SSL handshake was not successful but was shut down controlled and
+ by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+--- openssl-1.0.1e.orig/doc/ssl/SSL_read.pod
++++ openssl-1.0.1e/doc/ssl/SSL_read.pod
+@@ -86,7 +86,7 @@
+ The read operation was successful; the return value is the number of
+ bytes actually read from the TLS/SSL connection.
+
+-=item 0
++=item C<0>
+
+ The read operation was not successful. The reason may either be a clean
+ shutdown due to a "close notify" alert sent by the peer (in which case
+--- openssl-1.0.1e.orig/doc/ssl/SSL_session_reused.pod
++++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod
+@@ -27,11 +27,11 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ A new session was negotiated.
+
+-=item 1
++=item C<1>
+
+ A session was reused.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_set_fd.pod
++++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod
+@@ -35,11 +35,11 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ The operation failed. Check the error stack to find out why.
+
+-=item 1
++=item C<1>
+
+ The operation succeeded.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_set_session.pod
++++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod
+@@ -37,11 +37,11 @@
+
+ =over 4
+
+-=item 0
++=item C<0>
+
+ The operation failed; check the error stack to find out the reason.
+
+-=item 1
++=item C<1>
+
+ The operation succeeded.
+
+--- openssl-1.0.1e.orig/doc/ssl/SSL_shutdown.pod
++++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
+@@ -92,12 +92,12 @@
+
+ =over 4
+
+-=item 1
++=item C<1>
+
+ The shutdown was successfully completed. The "close notify" alert was sent
+ and the peer's "close notify" alert was received.
+
+-=item 0
++=item C<0>
+
+ The shutdown is not yet finished. Call SSL_shutdown() for a second time,
+ if a bidirectional shutdown shall be performed.
+--- openssl-1.0.1e.orig/doc/ssl/SSL_write.pod
++++ openssl-1.0.1e/doc/ssl/SSL_write.pod
+@@ -79,7 +79,7 @@
+ The write operation was successful, the return value is the number of
+ bytes actually written to the TLS/SSL connection.
+
+-=item 0
++=item C<0>
+
+ The write operation was not successful. Probably the underlying connection
+ was closed. Call SSL_get_error() with the return value B<ret> to find out,

diff --git a/dev-libs/openssl/files/openssl-1.0.1e-rdrand-explicit.patch b/dev-libs/openssl/files/openssl-1.0.1e-rdrand-explicit.patch
new file mode 100644
index 0000000..fae056c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1e-rdrand-explicit.patch
@@ -0,0 +1,27 @@
+https://chromium-review.googlesource.com/181001
+
+From 8a1956f3eac8b164f8c741ff1a259008bab3bac1 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Wed, 11 Dec 2013 14:45:12 +0000
+Subject: [PATCH] Don't use rdrand engine as default unless explicitly
+ requested. (cherry picked from commit
+ 16898401bd47a153fbf799127ff57fdcfcbd324f)
+
+---
+ crypto/engine/eng_rdrand.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/engine/eng_rdrand.c b/crypto/engine/eng_rdrand.c
+index a9ba5ae..4e9e91d 100644
+--- a/crypto/engine/eng_rdrand.c
++++ b/crypto/engine/eng_rdrand.c
+@@ -104,6 +104,7 @@ static int bind_helper(ENGINE *e)
+	{
+	if (!ENGINE_set_id(e, engine_e_rdrand_id) ||
+	    !ENGINE_set_name(e, engine_e_rdrand_name) ||
++            !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) ||
+	    !ENGINE_set_init_function(e, rdrand_init) ||
+	    !ENGINE_set_RAND(e, &rdrand_meth) )
+		return 0;
+--
+1.8.4.3
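Review bot: The added `!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) ||` line appears to be indented with spaces while the neighbouring lines of the condition use a tab followed by spaces, so the patched bind_helper will carry mixed indentation into eng_rdrand.c. Re-indenting that one line to match `!ENGINE_set_name(e, engine_e_rdrand_name) ||` above it keeps the vendored file consistent with upstream style; the cherry-picked commit id in the header already documents where the change comes from. The rest of bind_helper lies outside the hunk.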

diff --git a/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch b/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch
new file mode 100644
index 0000000..8561d78
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch
@@ -0,0 +1,17 @@
+https://bugs.gentoo.org/472584
+http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest
+
+fix verification handling in s_client.  when loading paths, make sure
+we properly fallback to setting the default paths.
+
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -899,7 +899,7 @@
+	if (!set_cert_key_stuff(ctx,cert,key))
+		goto end;
+
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
++	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) &&
+		(!SSL_CTX_set_default_verify_paths(ctx)))
+		{
+		/* BIO_printf(bio_err,"error setting default verify locations\n"); */

diff --git a/dev-libs/openssl/files/openssl-1.0.1e-tls-ver-crash.patch b/dev-libs/openssl/files/openssl-1.0.1e-tls-ver-crash.patch
new file mode 100644
index 0000000..62454a6
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1e-tls-ver-crash.patch
@@ -0,0 +1,33 @@
+https://bugs.gentoo.org/494816
+https://bugzilla.redhat.com/show_bug.cgi?id=1045363
+http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
+
+From ca989269a2876bae79393bd54c3e72d49975fc75 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 19 Dec 2013 14:37:39 +0000
+Subject: [PATCH] Use version in SSL_METHOD not SSL structure.
+
+When deciding whether to use TLS 1.2 PRF and record hash algorithms
+use the version number in the corresponding SSL_METHOD structure
+instead of the SSL structure. The SSL structure version is sometimes
+inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
+(CVE-2013-6449)
+---
+ ssl/s3_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index bf832bb..c4ef273 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
+ long ssl_get_algorithm2(SSL *s)
+	{
+	long alg2 = s->s3->tmp.new_cipher->algorithm2;
+-	if (TLS1_get_version(s) >= TLS1_2_VERSION &&
++	if (s->method->version == TLS1_2_VERSION &&
+	    alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+	return alg2;
+--
+1.8.4.3

diff --git a/dev-libs/openssl/metadata.xml b/dev-libs/openssl/metadata.xml
index e6141a7..84ddb51 100644
--- a/dev-libs/openssl/metadata.xml
+++ b/dev-libs/openssl/metadata.xml
@@ -5,6 +5,7 @@
 <use>
  <flag name='bindist'>Disable EC/RC5 algorithms (as they seem to be patented)</flag>
  <flag name='rfc3779'>Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)</flag>
+ <flag name='tls-heartbeat'>Enable the Heartbeat Extension in TLS and DTLS</flag>
 </use>
 <upstream>
  <remote-id type="cpe">cpe:/a:openssl:openssl</remote-id>

diff --git a/dev-libs/openssl/openssl-1.0.1e-r99.ebuild b/dev-libs/openssl/openssl-1.0.1e-r99.ebuild
new file mode 100644
index 0000000..78ec202
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.1e-r99.ebuild
@@ -0,0 +1,238 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-1.0.1e-r1.ebuild,v 1.16 2013/10/15 01:53:27 vapier Exp $
+
+EAPI="4"
+
+inherit eutils flag-o-matic toolchain-funcs multilib
+
+REV="1.7"
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${P}.tar.gz
+	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib"
+
+# Have the sub-libs in RDEPEND with [static-libs] since, logically,
+# our libssl.a depends on libz.a/etc... at runtime.
+LIB_DEPEND="gmp? ( dev-libs/gmp[static-libs(+)] )
+	zlib? ( sys-libs/zlib[static-libs(+)] )
+	kerberos? ( app-crypt/mit-krb5 )"
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking.  We'll drop them in
+# the future.
+RDEPEND="static-libs? ( ${LIB_DEPEND} )
+	!static-libs? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	!<net-misc/openssh-5.9_p1-r4
+	!<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+	sys-apps/diffutils
+	>=dev-lang/perl-5
+	test? ( sys-devel/bc )"
+PDEPEND="app-misc/ca-certificates"
+
+src_unpack() {
+	unpack ${P}.tar.gz
+	SSL_CNF_DIR="/etc/ssl"
+	sed \
+		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
+		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
+		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
+		> "${WORKDIR}"/c_rehash || die #416717
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+		epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
+		epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch
+		epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch
+		epatch "${FILESDIR}"/${PN}-1.0.1e-ipv6.patch
+		epatch "${FILESDIR}"/${P}-bad-mac-aes-ni.patch #463444
+		epatch "${FILESDIR}"/${PN}-1.0.1e-perl-5.18.patch #483820
+		epatch "${FILESDIR}"/${PN}-1.0.1c-force-termios.patch
+		epatch_user #332661
+	fi
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		Makefile.org \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
+	chmod a+rx gentoo.config
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+}
+
+src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	if ! use bindist ; then
+		echo "__uint128_t i;" > "${T}"/128.c
+		if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+			ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+		fi
+	fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		$(use_ssl !bindist rc5) \
+		enable-tlsext \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl rfc3779) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+	# rehash is needed to prep the certs/ dir; do this
+	# separately to avoid parallel build issues.
+	emake rehash
+}
+
+src_test() {
+	emake -j1 test
+}
+
+src_install() {
+	emake INSTALL_PREFIX="${D}" install
+	dobin "${WORKDIR}"/c_rehash #333117
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+	dohtml -r doc/*
+	use rfc3779 && dodoc engines/ccgost/README.gost
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+
+	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
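Review bot: src_prepare applies only the ipv6, bad-mac-aes-ni and perl-5.18 patches from this commit; the rdrand-explicit, s_client-verify and tls-ver-crash patches added under files/ are never referenced, so the CVE-2013-6449 fix carried in openssl-1.0.1e-tls-ver-crash.patch is shipped but not built in. They belong next to the existing epatch calls inside the `! use vanilla` branch: `epatch "${FILESDIR}"/${P}-rdrand-explicit.patch`, `epatch "${FILESDIR}"/${P}-s_client-verify.patch #472584`, `epatch "${FILESDIR}"/${P}-tls-ver-crash.patch #494816`. In src_install, `cd "${ED}"/usr/share/man` has no `|| die`, so a failed cd would let the following `mv`/`rm -f`/`ln -s` loop run against the build directory instead; `cd "${ED}"/usr/share/man || die` closes that. SSL_CNF_DIR is assigned in src_unpack but read again in pkg_postinst, which presumably runs without src_unpack when installing from a binary package — worth confirming and, if so, moving the assignment to global scope.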

