From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1074442-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 34ED5138334
	for <garchives@archives.gentoo.org>; Tue, 26 Feb 2019 15:31:52 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 16931E087B;
	Tue, 26 Feb 2019 15:31:51 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C8A20E087B
	for <gentoo-commits@lists.gentoo.org>; Tue, 26 Feb 2019 15:31:50 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 5FA80335C67
	for <gentoo-commits@lists.gentoo.org>; Tue, 26 Feb 2019 15:31:49 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id F345A550
	for <gentoo-commits@lists.gentoo.org>; Tue, 26 Feb 2019 15:31:46 +0000 (UTC)
From: "Lars Wendler" <polynomial-c@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Lars Wendler" <polynomial-c@gentoo.org>
Message-ID: <1551195101.a1ced0de770abbc643d994378b9cd11a41605902.polynomial-c@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
X-VCS-Repository: repo/gentoo
X-VCS-Files: dev-libs/openssl/Manifest dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch dev-libs/openssl/openssl-1.0.2q-r200.ebuild dev-libs/openssl/openssl-1.1.1a-r1.ebuild dev-libs/openssl/openssl-1.1.1a.ebuild
X-VCS-Directories: dev-libs/openssl/files/ dev-libs/openssl/
X-VCS-Committer: polynomial-c
X-VCS-Committer-Name: Lars Wendler
X-VCS-Revision: a1ced0de770abbc643d994378b9cd11a41605902
X-VCS-Branch: master
Date: Tue, 26 Feb 2019 15:31:46 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 5f35c0f4-8dd0-4a9d-900a-d146122ef12e
X-Archives-Hash: 5efe222088f919e180fb769bedf00e96

commit:     a1ced0de770abbc643d994378b9cd11a41605902
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 26 15:12:11 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Feb 26 15:31:41 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1ced0de

dev-libs/openssl: Removed old.

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   4 -
 ...-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch |  27 --
 ...ix-cert-with-rsa-instead-of-rsaEncryption.patch |  97 -----
 ...ix-some-SSL_export_keying_material-issues.patch | 420 ---------------------
 ...a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch |  26 --
 ...ure-build_SYS_str_reasons_preserves_errno.patch |  68 ----
 .../openssl-1.1.1a-preserve-errno-on-dlopen.patch  |  51 ---
 ...-system-error-number-in-a-few-more-places.patch |  57 ---
 ...t-reduce-stack-usage-in-tls13_hkdf_expand.patch |  56 ---
 dev-libs/openssl/openssl-1.0.2q-r200.ebuild        | 248 ------------
 dev-libs/openssl/openssl-1.1.1a-r1.ebuild          | 299 ---------------
 dev-libs/openssl/openssl-1.1.1a.ebuild             | 288 --------------
 12 files changed, 1641 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3f3dd41c6a0..dd125204215 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -15,10 +15,6 @@ DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BL
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1
-DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199 SHA512 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34
-DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
-DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
-DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8 SHA512 b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d
 DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
 DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
deleted file mode 100644
index 8014be130ab..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3be71a31a1dda204bb95462a92cf7f247e64b939 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Sun, 16 Dec 2018 12:43:59 +0100
-Subject: [PATCH] Fix a minor nit in the hkdflabel size
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7913)
-
-(cherry picked from commit 0b4233f5a4a181a6dcb7c511cd2663e500e659a4)
----
- ssl/tls13_enc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index c3021d18aa9..e36b7d3a066 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -41,7 +41,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-      * + bytes for the hash itself
-      */
-     unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
--                            + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
-+                            + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
-                             + 1 + EVP_MAX_MD_SIZE];
-     WPACKET pkt;
- 

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
deleted file mode 100644
index 8f249e22a1d..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From c25ae0fff78cb3cb784ef79167329d5cd55b62de Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Thu, 27 Dec 2018 22:18:21 +0100
-Subject: [PATCH] Fix cert with rsa instead of rsaEncryption as public key
- algorithm
-
-Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
-(Merged from https://github.com/openssl/openssl/pull/7962)
-
-(cherry picked from commit 1f483a69bce11c940309edc437eee6e32294d5f2)
----
- crypto/rsa/rsa_ameth.c        |  9 ++++++---
- test/certs/root-cert-rsa2.pem | 18 ++++++++++++++++++
- test/recipes/25-test_verify.t |  4 +++-
- 3 files changed, 27 insertions(+), 4 deletions(-)
- create mode 100644 test/certs/root-cert-rsa2.pem
-
-diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
-index a6595aec054..75debb3e0a9 100644
---- a/crypto/rsa/rsa_ameth.c
-+++ b/crypto/rsa/rsa_ameth.c
-@@ -34,7 +34,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey,
- 
-     *pstr = NULL;
-     /* If RSA it's just NULL type */
--    if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
-+    if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
-         *pstrtype = V_ASN1_NULL;
-         return 1;
-     }
-@@ -58,7 +58,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
-     int algptype;
- 
-     X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
--    if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
-+    if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
-         return 1;
-     if (algptype == V_ASN1_UNDEF)
-         return 1;
-@@ -109,7 +109,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
-         RSA_free(rsa);
-         return 0;
-     }
--    EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
-+    if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
-+        RSA_free(rsa);
-+        return 0;
-+    }
-     return 1;
- }
- 
-diff --git a/test/certs/root-cert-rsa2.pem b/test/certs/root-cert-rsa2.pem
-new file mode 100644
-index 00000000000..b817fdf3e5d
---- /dev/null
-+++ b/test/certs/root-cert-rsa2.pem
-@@ -0,0 +1,18 @@
-+-----BEGIN CERTIFICATE-----
-+MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
-+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
-+DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP
-+Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk
-+7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX
-+OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq
-+alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN
-+biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+
-+ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G
-+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
-+KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt
-+NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv
-+8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm
-+mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx
-+PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb
-+7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI=
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
-index 6c3deab7c67..b80a1cde3ed 100644
---- a/test/recipes/25-test_verify.t
-+++ b/test/recipes/25-test_verify.t
-@@ -27,7 +27,7 @@ sub verify {
-     run(app([@args]));
- }
- 
--plan tests => 134;
-+plan tests => 135;
- 
- # Canonical success
- ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
-@@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"]
-     "Not too many names and constraints to check (2)");
- ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),
-     "Not too many names and constraints to check (3)");
-+ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
-+    "Public Key Algorithm rsa instead of rsaEncryption");
- 
- SKIP: {
-     skip "Ed25519 is not supported by this OpenSSL build", 1

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
deleted file mode 100644
index 2db64d83e45..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
+++ /dev/null
@@ -1,420 +0,0 @@
-From 0fb2815b873304d145ed00283454fc9f3bd35e6b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 4 Dec 2018 08:37:04 +0000
-Subject: [PATCH] Fix some SSL_export_keying_material() issues
-
-Fix some issues in tls13_hkdf_expand() which impact the above function
-for TLSv1.3. In particular test that we can use the maximum label length
-in TLSv1.3.
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7755)
----
- doc/man3/SSL_export_keying_material.pod |  3 +-
- ssl/ssl_locl.h                          |  2 +-
- ssl/statem/extensions.c                 |  2 +-
- ssl/statem/statem_clnt.c                |  2 +-
- ssl/statem/statem_srvr.c                |  2 +-
- ssl/tls13_enc.c                         | 73 +++++++++++++++++--------
- test/sslapitest.c                       | 48 ++++++++++++----
- test/tls13secretstest.c                 |  2 +-
- 8 files changed, 92 insertions(+), 42 deletions(-)
-
-diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod
-index abebf911fc3..4c81a60ffbb 100644
---- a/doc/man3/SSL_export_keying_material.pod
-+++ b/doc/man3/SSL_export_keying_material.pod
-@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from
- the IANA Exporter Label Registry
- (L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
- Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
--to be used without registration.
-+to be used without registration. TLSv1.3 imposes a maximum label length of
-+249 bytes.
- 
- Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
- above. Attempting to use it in SSLv3 will result in an error.
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 70e5a1740f9..307131de93a 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
-                              const unsigned char *secret,
-                              const unsigned char *label, size_t labellen,
-                              const unsigned char *data, size_t datalen,
--                             unsigned char *out, size_t outlen);
-+                             unsigned char *out, size_t outlen, int fatal);
- __owur int tls13_derive_key(SSL *s, const EVP_MD *md,
-                             const unsigned char *secret, unsigned char *key,
-                             size_t keylen);
-diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
-index 63e61c6184a..716d6d23e08 100644
---- a/ssl/statem/extensions.c
-+++ b/ssl/statem/extensions.c
-@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
- 
-     /* Generate the binder key */
-     if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
--                           hashsize, binderkey, hashsize)) {
-+                           hashsize, binderkey, hashsize, 1)) {
-         /* SSLfatal() already called */
-         goto err;
-     }
-diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
-index 5a8f1163dfa..a0e495d8e83 100644
---- a/ssl/statem/statem_clnt.c
-+++ b/ssl/statem/statem_clnt.c
-@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
-                                PACKET_data(&nonce),
-                                PACKET_remaining(&nonce),
-                                s->session->master_key,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index e7c11c4bea4..a8e862ced55 100644
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
-                                tick_nonce,
-                                TICKET_NONCE_SIZE,
-                                s->session->master_key,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index f7ab0fa4704..c3021d18aa9 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -13,7 +13,7 @@
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
- 
--#define TLS13_MAX_LABEL_LEN     246
-+#define TLS13_MAX_LABEL_LEN     249
- 
- /* Always filled with zeros */
- static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-@@ -22,30 +22,47 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-  * Given a |secret|; a |label| of length |labellen|; and |data| of length
-  * |datalen| (e.g. typically a hash of the handshake messages), derive a new
-  * secret |outlen| bytes long and store it in the location pointed to be |out|.
-- * The |data| value may be zero length. Returns 1 on success  0 on failure.
-+ * The |data| value may be zero length. Any errors will be treated as fatal if
-+ * |fatal| is set. Returns 1 on success  0 on failure.
-  */
- int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-                              const unsigned char *label, size_t labellen,
-                              const unsigned char *data, size_t datalen,
--                             unsigned char *out, size_t outlen)
-+                             unsigned char *out, size_t outlen, int fatal)
- {
--    const unsigned char label_prefix[] = "tls13 ";
-+    static const unsigned char label_prefix[] = "tls13 ";
-     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
-     int ret;
-     size_t hkdflabellen;
-     size_t hashlen;
-     /*
--     * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
--     * prefix and label + bytes for the label itself + bytes for the hash
-+     * 2 bytes for length of derived secret + 1 byte for length of combined
-+     * prefix and label + bytes for the label itself + 1 byte length of hash
-+     * + bytes for the hash itself
-      */
-     unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
-                             + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
--                            + EVP_MAX_MD_SIZE];
-+                            + 1 + EVP_MAX_MD_SIZE];
-     WPACKET pkt;
- 
-     if (pctx == NULL)
-         return 0;
- 
-+    if (labellen > TLS13_MAX_LABEL_LEN) {
-+        if (fatal) {
-+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+                     ERR_R_INTERNAL_ERROR);
-+        } else {
-+            /*
-+             * Probably we have been called from SSL_export_keying_material(),
-+             * or SSL_export_keying_material_early().
-+             */
-+            SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
-+        }
-+        EVP_PKEY_CTX_free(pctx);
-+        return 0;
-+    }
-+
-     hashlen = EVP_MD_size(md);
- 
-     if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
-@@ -59,8 +76,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-             || !WPACKET_finish(&pkt)) {
-         EVP_PKEY_CTX_free(pctx);
-         WPACKET_cleanup(&pkt);
--        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
--                 ERR_R_INTERNAL_ERROR);
-+        if (fatal)
-+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+                     ERR_R_INTERNAL_ERROR);
-+        else
-+            SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
-         return 0;
-     }
- 
-@@ -74,9 +94,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
- 
-     EVP_PKEY_CTX_free(pctx);
- 
--    if (ret != 0)
--        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
--                 ERR_R_INTERNAL_ERROR);
-+    if (ret != 0) {
-+        if (fatal)
-+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+                     ERR_R_INTERNAL_ERROR);
-+        else
-+            SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
-+    }
- 
-     return ret == 0;
- }
-@@ -91,7 +115,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
-     static const unsigned char keylabel[] = "key";
- 
-     return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
--                             NULL, 0, key, keylen);
-+                             NULL, 0, key, keylen, 1);
- }
- 
- /*
-@@ -104,7 +128,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
-     static const unsigned char ivlabel[] = "iv";
- 
-     return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
--                             NULL, 0, iv, ivlen);
-+                             NULL, 0, iv, ivlen, 1);
- }
- 
- int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
-@@ -114,7 +138,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
-     static const unsigned char finishedlabel[] = "finished";
- 
-     return tls13_hkdf_expand(s, md, secret, finishedlabel,
--                             sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
-+                             sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
- }
- 
- /*
-@@ -177,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
-         if (!tls13_hkdf_expand(s, md, prevsecret,
-                                (unsigned char *)derived_secret_label,
-                                sizeof(derived_secret_label) - 1, hash, mdlen,
--                               preextractsec, mdlen)) {
-+                               preextractsec, mdlen, 1)) {
-             /* SSLfatal() already called */
-             EVP_PKEY_CTX_free(pctx);
-             return 0;
-@@ -337,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
-     hashlen = (size_t)hashleni;
- 
-     if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
--                           secret, hashlen)) {
-+                           secret, hashlen, 1)) {
-         /* SSLfatal() already called */
-         goto err;
-     }
-@@ -517,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which)
-                                    early_exporter_master_secret,
-                                    sizeof(early_exporter_master_secret) - 1,
-                                    hashval, hashlen,
--                                   s->early_exporter_master_secret, hashlen)) {
-+                                   s->early_exporter_master_secret, hashlen,
-+                                   1)) {
-                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
-                          SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
-                 goto err;
-@@ -604,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which)
-                                resumption_master_secret,
-                                sizeof(resumption_master_secret) - 1,
-                                hashval, hashlen, s->resumption_master_secret,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-@@ -624,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which)
-                                exporter_master_secret,
-                                sizeof(exporter_master_secret) - 1,
-                                hash, hashlen, s->exporter_master_secret,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-@@ -738,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-             || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
-             || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
-                                   (const unsigned char *)label, llen,
--                                  data, datalen, exportsecret, hashsize)
-+                                  data, datalen, exportsecret, hashsize, 0)
-             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
-                                   sizeof(exporterlabel) - 1, hash, hashsize,
--                                  out, olen))
-+                                  out, olen, 0))
-         goto err;
- 
-     ret = 1;
-@@ -797,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
-             || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
-             || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
-                                   (const unsigned char *)label, llen,
--                                  data, datalen, exportsecret, hashsize)
-+                                  data, datalen, exportsecret, hashsize, 0)
-             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
-                                   sizeof(exporterlabel) - 1, hash, hashsize,
--                                  out, olen))
-+                                  out, olen, 0))
-         goto err;
- 
-     ret = 1;
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 108d57e4781..a4bbb4fead4 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst)
-  * no test vectors so all we do is test that both sides of the communication
-  * produce the same results for different protocol versions.
-  */
-+#define SMALL_LABEL_LEN 10
-+#define LONG_LABEL_LEN  249
- static int test_export_key_mat(int tst)
- {
-     int testresult = 0;
-     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
-     SSL *clientssl = NULL, *serverssl = NULL;
--    const char label[] = "test label";
-+    const char label[LONG_LABEL_LEN + 1] = "test label";
-     const unsigned char context[] = "context";
-     const unsigned char *emptycontext = NULL;
-     unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
-     unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
-+    size_t labellen;
-     const int protocols[] = {
-         TLS1_VERSION,
-         TLS1_1_VERSION,
-         TLS1_2_VERSION,
-+        TLS1_3_VERSION,
-+        TLS1_3_VERSION,
-         TLS1_3_VERSION
-     };
- 
-@@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst)
-         return 1;
- #endif
- #ifdef OPENSSL_NO_TLS1_3
--    if (tst == 3)
-+    if (tst >= 3)
-         return 1;
- #endif
-     if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
-@@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst)
-                                                 SSL_ERROR_NONE)))
-         goto end;
- 
-+    if (tst == 5) {
-+        /*
-+         * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
-+         * go over that.
-+         */
-+        if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
-+                                                    sizeof(ckeymat1), label,
-+                                                    LONG_LABEL_LEN + 1, context,
-+                                                    sizeof(context) - 1, 1), 0))
-+            goto end;
-+
-+        testresult = 1;
-+        goto end;
-+    } else if (tst == 4) {
-+        labellen = LONG_LABEL_LEN;
-+    } else {
-+        labellen = SMALL_LABEL_LEN;
-+    }
-+
-     if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
-                                                 sizeof(ckeymat1), label,
--                                                sizeof(label) - 1, context,
-+                                                labellen, context,
-                                                 sizeof(context) - 1, 1), 1)
-             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
-                                                        sizeof(ckeymat2), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        emptycontext,
-                                                        0, 1), 1)
-             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
-                                                        sizeof(ckeymat3), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        NULL, 0, 0), 1)
-             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
-                                                        sizeof(skeymat1), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        context,
-                                                        sizeof(context) -1, 1),
-                             1)
-             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
-                                                        sizeof(skeymat2), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        emptycontext,
-                                                        0, 1), 1)
-             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
-                                                        sizeof(skeymat3), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        NULL, 0, 0), 1)
-                /*
-                 * Check that both sides created the same key material with the
-@@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst)
-      * Check that an empty context and no context produce different results in
-      * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
-      */
--    if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
-+    if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
-                                   sizeof(ckeymat3)))
--            || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
--                                        sizeof(ckeymat3))))
-+            || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
-+                                         sizeof(ckeymat3))))
-         goto end;
- 
-     testresult = 1;
-@@ -5909,7 +5933,7 @@ int setup_tests(void)
-     ADD_ALL_TESTS(test_custom_exts, 3);
- #endif
-     ADD_ALL_TESTS(test_serverinfo, 8);
--    ADD_ALL_TESTS(test_export_key_mat, 4);
-+    ADD_ALL_TESTS(test_export_key_mat, 6);
- #ifndef OPENSSL_NO_TLS1_3
-     ADD_ALL_TESTS(test_export_key_mat_early, 3);
- #endif
-diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
-index 319df17bab0..de318df02b4 100644
---- a/test/tls13secretstest.c
-+++ b/test/tls13secretstest.c
-@@ -226,7 +226,7 @@ static int test_secret(SSL *s, unsigned char *prk,
-     }
- 
-     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
--                           gensecret, hashsize)) {
-+                           gensecret, hashsize, 1)) {
-         TEST_error("Secret generation failed");
-         return 0;
-     }

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
deleted file mode 100644
index c2f8bb638b3..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 3ccccb91ae1c07a4310778b3d7ba74ff4ff787f0 Mon Sep 17 00:00:00 2001
-From: Paul Yang <yang.yang@baishancloud.com>
-Date: Wed, 21 Nov 2018 13:16:27 +0800
-Subject: [PATCH] Fix wrong return value in ssl3_ctx_ctrl
-
-This fixes issue #7677
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7678)
----
- ssl/s3_lib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 866ca4dfa9b..99ae48199c2 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
-                                   EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
-                 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
-                 EVP_PKEY_free(pkdh);
--                return 1;
-+                return 0;
-             }
-             EVP_PKEY_free(ctx->cert->dh_tmp);
-             ctx->cert->dh_tmp = pkdh;

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch b/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
deleted file mode 100644
index cfa84c73a5b..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 99992ad22019e752c7b103a45f860a48b6bc0972 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 21 Nov 2018 11:44:42 +0000
-Subject: [PATCH] Make sure build_SYS_str_reasons() preserves errno
-
-This function can end up being called during ERR_get_error() if we are
-initialising. ERR_get_error() must preserve errno since it gets called via
-SSL_get_error(). If that function returns SSL_ERROR_SYSCALL then you are
-supposed to inspect errno.
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7680)
-
-(cherry picked from commit 71b1ceffc4c795f5db21861dd1016fbe23a53a53)
----
-
-diff --git a/crypto/err/err.c b/crypto/err/err.c
-index 03cbd73..2eeeab2 100644
---- a/crypto/err/err.c
-+++ b/crypto/err/err.c
-@@ -19,6 +19,7 @@
- #include <openssl/bio.h>
- #include <openssl/opensslconf.h>
- #include "internal/thread_once.h"
-+#include "e_os.h"
- 
- static int err_load_strings(const ERR_STRING_DATA *str);
- 
-@@ -201,6 +202,7 @@ static void build_SYS_str_reasons(void)
-     static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
-     static int init = 1;
-     int i;
-+    int saveerrno = get_last_sys_error();
- 
-     CRYPTO_THREAD_write_lock(err_string_lock);
-     if (!init) {
-@@ -229,6 +231,8 @@ static void build_SYS_str_reasons(void)
-     init = 0;
- 
-     CRYPTO_THREAD_unlock(err_string_lock);
-+    /* openssl_strerror_r could change errno, but we want to preserve it */
-+    set_sys_error(saveerrno);
-     err_load_strings(SYS_str_reasons);
- }
- #endif
-diff --git a/e_os.h b/e_os.h
-index 5340593..8e6efa9 100644
---- a/e_os.h
-+++ b/e_os.h
-@@ -49,6 +49,7 @@
- 
- # define get_last_sys_error()    errno
- # define clear_sys_error()       errno=0
-+# define set_sys_error(e)        errno=(e)
- 
- /********************************************************************
-  The Microsoft section
-@@ -66,8 +67,10 @@
- # ifdef WIN32
- #  undef get_last_sys_error
- #  undef clear_sys_error
-+#  undef set_sys_error
- #  define get_last_sys_error()    GetLastError()
- #  define clear_sys_error()       SetLastError(0)
-+#  define set_sys_error(e)        SetLastError(e)
- #  if !defined(WINNT)
- #   define WIN_CONSOLE_BUG
- #  endif

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
deleted file mode 100644
index ed8f2dd96be..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ef97becf522fc4e2e9d98e6ae7bcb26651883d9a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 21 Nov 2018 11:57:04 +0000
-Subject: [PATCH] Preserve errno on dlopen
-
-For the same reasons as in the previous commit we must preserve errno
-across dlopen calls. Some implementations (e.g. solaris) do not preserve
-errno even on a successful dlopen call.
-
-Fixes #6953
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7680)
-
-(cherry picked from commit 3cb4e7dc1cf92022f62b9bbdd59695885a1265ff)
----
- crypto/dso/dso_dlfcn.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
-index ad8899c289a..4240f5f5e30 100644
---- a/crypto/dso/dso_dlfcn.c
-+++ b/crypto/dso/dso_dlfcn.c
-@@ -17,6 +17,7 @@
- #endif
- 
- #include "dso_locl.h"
-+#include "e_os.h"
- 
- #ifdef DSO_DLFCN
- 
-@@ -99,6 +100,7 @@ static int dlfcn_load(DSO *dso)
-     /* See applicable comments in dso_dl.c */
-     char *filename = DSO_convert_filename(dso, NULL);
-     int flags = DLOPEN_FLAG;
-+    int saveerrno = get_last_sys_error();
- 
-     if (filename == NULL) {
-         DSOerr(DSO_F_DLFCN_LOAD, DSO_R_NO_FILENAME);
-@@ -118,6 +120,11 @@ static int dlfcn_load(DSO *dso)
-         ERR_add_error_data(4, "filename(", filename, "): ", dlerror());
-         goto err;
-     }
-+    /*
-+     * Some dlopen() implementations (e.g. solaris) do no preserve errno, even
-+     * on a successful call.
-+     */
-+    set_sys_error(saveerrno);
-     if (!sk_void_push(dso->meth_data, (char *)ptr)) {
-         DSOerr(DSO_F_DLFCN_LOAD, DSO_R_STACK_ERROR);
-         goto err;

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
deleted file mode 100644
index 84c43a3c3e0..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 145419423e1a74ae54cdbd3aed8bb15cbd53c7cc Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Fri, 14 Dec 2018 19:33:55 +0100
-Subject: [PATCH] ERR: preserve system error number in a few more places
-
-It turns out that intialization may change the error number, so we
-need to preserve the system error number in functions where
-initialization is called for.
-These are ERR_get_state() and err_shelve_state()
-
-Fixes #7897
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7902)
-
-(cherry picked from commit 91c5473035aaf2c0d86e4039c2a29a5b70541905)
----
- crypto/err/err.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/crypto/err/err.c b/crypto/err/err.c
-index 5cfb02d821b..aef2543d60b 100644
---- a/crypto/err/err.c
-+++ b/crypto/err/err.c
-@@ -697,6 +697,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init)
- ERR_STATE *ERR_get_state(void)
- {
-     ERR_STATE *state;
-+    int saveerrno = get_last_sys_error();
- 
-     if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
-         return NULL;
-@@ -728,6 +729,7 @@ ERR_STATE *ERR_get_state(void)
-         OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-     }
- 
-+    set_sys_error(saveerrno);
-     return state;
- }
- 
-@@ -737,6 +739,8 @@ ERR_STATE *ERR_get_state(void)
-  */
- int err_shelve_state(void **state)
- {
-+    int saveerrno = get_last_sys_error();
-+
-     if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
-         return 0;
- 
-@@ -747,6 +751,7 @@ int err_shelve_state(void **state)
-     if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
-         return 0;
- 
-+    set_sys_error(saveerrno);
-     return 1;
- }
- 

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch b/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
deleted file mode 100644
index 5ea4fb97bfc..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From ed371b8cbac0d0349667558c061c1ae380cf75eb Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 3 Dec 2018 18:14:57 +0000
-Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand"
-
-This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d.
-
-SSL_export_keying_material() may use longer label lengths.
-
-Fixes #7712
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7755)
----
- ssl/tls13_enc.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index b6825d20c2d..f7ab0fa4704 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -13,14 +13,7 @@
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
- 
--/*
-- * RFC 8446, 7.1 Key Schedule, says:
-- * Note: With common hash functions, any label longer than 12 characters
-- * requires an additional iteration of the hash function to compute.
-- * The labels in this specification have all been chosen to fit within
-- * this limit.
-- */
--#define TLS13_MAX_LABEL_LEN     12
-+#define TLS13_MAX_LABEL_LEN     246
- 
- /* Always filled with zeros */
- static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-                              const unsigned char *data, size_t datalen,
-                              unsigned char *out, size_t outlen)
- {
--    static const unsigned char label_prefix[] = "tls13 ";
-+    const unsigned char label_prefix[] = "tls13 ";
-     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
-     int ret;
-     size_t hkdflabellen;
-     size_t hashlen;
-     /*
--     * 2 bytes for length of derived secret + 1 byte for length of combined
--     * prefix and label + bytes for the label itself + 1 byte length of hash
--     * + bytes for the hash itself
-+     * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
-+     * prefix and label + bytes for the label itself + bytes for the hash
-      */
-     unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
-                             + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN

diff --git a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild b/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
deleted file mode 100644
index 44b9547d141..00000000000
--- a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
+++ /dev/null
@@ -1,248 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-# openssl-1.0.2-patches-1.6 contain additional CVE patches
-# which got fixed with this release.
-# Please use 1.7 version number when rolling a new tarball!
-PATCH_SET="openssl-1.0.2-patches-1.5"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	!vanilla? (
-		mirror://gentoo/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
-	)"
-
-LICENSE="openssl"
-SLOT="1.0.0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	!=dev-libs/openssl-1.0.2*:0"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-
-RESTRICT="test"
-
-# Do not install any docs
-DOCS=()
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-# These are ported instead
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-#PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f25'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	if use bindist; then
-		# This just removes the prefix, and puts it into WORKDIR like the RPM.
-		for i in "${FEDORA_SOURCE[@]}" ; do
-			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
-		done
-		# .spec %prep
-		bash "${WORKDIR}"/"${SOURCE1}" || die
-		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
-		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
-		done
-		eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-		# $(use_ssl !bindist srp) \
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		eapply "${WORKDIR}"/patch/*.patch
-	fi
-
-	eapply_user
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	# this breaks build with 1.0.2p, not sure if it is needed anymore
-	#sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	# https://github.com/openssl/openssl/issues/2286
-	if use ia64 ; then
-		replace-flags -g3 -g2
-		replace-flags -ggdb3 -ggdb2
-	fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		$(use_ssl !bindist srp) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl sslv2 ssl2) \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX%/}"/usr \
-		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 V=1 depend
-	emake build_libs
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	dolib.so lib{crypto,ssl}.so.${SLOT}
-}

diff --git a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild b/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
deleted file mode 100644
index 0ad3e058c0c..00000000000
--- a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
+++ /dev/null
@@ -1,299 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
-	"${FILESDIR}"/${P}-make-sure-build_SYS_str_reasons_preserves_errno.patch
-	"${FILESDIR}"/${P}-preserve-errno-on-dlopen.patch
-	"${FILESDIR}"/${P}-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
-	"${FILESDIR}"/${P}-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
-	"${FILESDIR}"/${P}-fix-some-SSL_export_keying_material-issues.patch
-	"${FILESDIR}"/${P}-preserve-system-error-number-in-a-few-more-places.patch
-	"${FILESDIR}"/${P}-fix-a-minor-nit-in-hkdflabel-size.patch
-	"${FILESDIR}"/${P}-fix-cert-with-rsa-instead-of-rsaEncryption.patch
-)
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
-for i in "${FEDORA_SOURCE[@]}" ; do
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	if use bindist; then
-		# This just removes the prefix, and puts it into WORKDIR like the RPM.
-		for i in "${FEDORA_SOURCE[@]}" ; do
-			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
-		done
-		# .spec %prep
-		bash "${WORKDIR}"/"${SOURCE1}" || die
-		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
-		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
-		done
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX%/}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m'
-	# 'srp' was restricted until early 2017 as well.
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX%/}"/usr \
-		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	# Fix quoting for sed
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-		-e 's:\\:\\\\:g' \
-	)
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED%/}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED%/}"/usr || die
-	fi
-
-	emake DESTDIR="${D%/}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED%/}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED%/}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}

diff --git a/dev-libs/openssl/openssl-1.1.1a.ebuild b/dev-libs/openssl/openssl-1.1.1a.ebuild
deleted file mode 100644
index 5b5bb76c6b7..00000000000
--- a/dev-libs/openssl/openssl-1.1.1a.ebuild
+++ /dev/null
@@ -1,288 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
-for i in "${FEDORA_SOURCE[@]}" ; do
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	if use bindist; then
-		# This just removes the prefix, and puts it into WORKDIR like the RPM.
-		for i in "${FEDORA_SOURCE[@]}" ; do
-			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
-		done
-		# .spec %prep
-		bash "${WORKDIR}"/"${SOURCE1}" || die
-		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
-		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
-		done
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX%/}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m'
-	# 'srp' was restricted until early 2017 as well.
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX%/}"/usr \
-		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	# Fix quoting for sed
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-		-e 's:\\:\\\\:g' \
-	)
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED%/}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED%/}"/usr || die
-	fi
-
-	emake DESTDIR="${D%/}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED%/}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED%/}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}