public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2015-09-02  5:04 Mike Frysinger
From: Mike Frysinger @ 2015-09-02  5:04 UTC
  To: gentoo-commits

commit:     d93bba52f83fea4e6393988686e10fb2da64a64b
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Sep  2 05:04:23 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Sep  2 05:04:23 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d93bba52

dev-libs/openssl: delete old

 dev-libs/openssl/Manifest                          |   8 -
 dev-libs/openssl/files/gentoo.config-1.0.0         | 159 -----
 .../files/openssl-0.9.8ze-CVE-2015-0286.patch      | 326 -----------
 .../files/openssl-1.0.0e-parallel-build.patch      | 315 ----------
 dev-libs/openssl/files/openssl-1.0.0r-x32.patch    |  76 ---
 .../files/openssl-1.0.1-parallel-build.patch       | 354 ------------
 dev-libs/openssl/files/openssl-1.0.1-x32.patch     |  79 ---
 .../files/openssl-1.0.1e-s_client-verify.patch     |  18 -
 dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch   | 642 ---------------------
 .../files/openssl-1.0.1l-CVE-2015-0286.patch       | 356 ------------
 .../files/openssl-1.0.1m-parallel-build.patch      | 364 ------------
 .../files/openssl-1.0.1m-s_client-verify.patch     |  21 -
 .../files/openssl-1.0.2-CVE-2015-0209.patch        |  49 --
 .../files/openssl-1.0.2-CVE-2015-0288.patch        |  31 -
 .../files/openssl-1.0.2-CVE-2015-0291.patch        | 459 ---------------
 .../files/openssl-1.0.2-parallel-build.patch       | 354 ------------
 dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild       | 161 ------
 dev-libs/openssl/openssl-0.9.8z_p6.ebuild          | 160 -----
 dev-libs/openssl/openssl-1.0.0r.ebuild             | 214 -------
 dev-libs/openssl/openssl-1.0.1l-r1.ebuild          | 260 ---------
 dev-libs/openssl/openssl-1.0.1m.ebuild             | 259 ---------
 dev-libs/openssl/openssl-1.0.1n.ebuild             | 258 ---------
 dev-libs/openssl/openssl-1.0.1o.ebuild             | 258 ---------
 dev-libs/openssl/openssl-1.0.2-r3.ebuild           | 263 ---------
 24 files changed, 5444 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 458ddc5..d78f82a 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,13 +1,5 @@
-DIST openssl-0.9.8ze.tar.gz 3734873 SHA256 ee3da602826e975b47e4d7af8a27be8258c160876194898c58881eab814b55b8 SHA512 6ab08065ab2cdf6699e462e2a082e6d4c21f027383e12d4dd1d0dce2a4073ae52230494215b3fe24b8a8d73f5f5dd3a1fe53c66acd8db6e162e4bf3636e229c3 WHIRLPOOL 8a5de0aed7b48007b3b8092726c9c8eb6771c49d388baaff4d7ba3591be0b1856cb17842db5bc608994b38f5d87a8b07a441c874523e577b786a4612bba7789f
-DIST openssl-0.9.8zf.tar.gz 3822386 SHA256 d5245a29128984192acc5b1fc01e37429b7a01c53cadcb2645e546718b300edb SHA512 8a68f024c31b7de25e19732ad556a27d69cface8e7a546ca4221873053a270e5e36336626f7fe857bbbec5427204bddbb5fc9dea8d7a187a8db6719d970431ab WHIRLPOOL 842e5bc71a12bf363fe797e95faf988ae949aa15f8faee935ee8861e4093e9d4e0b766b24dda8d415f29d2ee2821050cfc3ce095d265d59574e7fe0af4024c66
 DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec934af92ee282d78b52460fbe8f580 SHA512 c757454de321d168ac6d89fe2859966a9f07a8b28305bf697af9018db13fc457e0883346b3d35977461ab058442375563554ecb2a8756a687ff9fc2fdd9103c9 WHIRLPOOL 55ecf50a264a2ddd9b5755b5d90b9b736d2f27e0ba2fd529ccff3b68bbd726d1f60460182a0d215ae6712dbc4d3ef2df11339fb2d8424e049f54c3e904fcfab0
-DIST openssl-1.0.0r.tar.gz 4095201 SHA256 6538b33a1b95681c86ac8c5cc54d22835f0f0a5bf42ee6df4138c672d7e75f17 SHA512 a65292a7b43f7d0637952476356a95908b5843ca17f717158dd4d2171113192f04c92f4f9133bb4750172f06367dae64733aa239b90c52d4d9323f467012428f WHIRLPOOL 71c7d726a3a5d70735d4b34c3e00c15fa2ef8640801f8a265e4e92cf01db4a517630084dd7632850f3df6f4dbd848a3a7ec908a71db996a45c29f1ac53ac7877
-DIST openssl-1.0.1l.tar.gz 4429979 SHA256 b2cf4d48fe5d49f240c61c9e624193a6f232b5ed0baf010681e725963c40d1d4 SHA512 27fe42f33815a3aafff75f2b9a5604c328fe5945c5cecaca74e5d2c2a1e066d64ddcc1fdb14b54fc7523cc730ab8a57d7d56b2879c289e86673f91fee0cca65e WHIRLPOOL 79f5698585c68ba647fcdfc4b342a43d06d69230658ca1bc265dd10d8da939c3e27b9a4125bd2adfbf50002b1dddef18be086dfc23a5050e69fb77350131909f
-DIST openssl-1.0.1m.tar.gz 4533406 SHA256 095f0b7b09116c0c5526422088058dc7e6e000aa14d22acca6a4e2babcdfef74 SHA512 f37b60cb4449674d5c06a4056acc3d11f1c9773da6111148fa3fbf8d14362ba1ff5eb5e0c0e06c2b5c84543b2b974584617e393ca83de2230cbbe69b52975afc WHIRLPOOL c33cc05debc31d5044be4de58267e1a07281f28f9d68f4288d3da1c3cdfcff6939a47abe1f50b377272d0dbd9475ae5fec84919b0c53d37e0bd3d94c44f68c91
-DIST openssl-1.0.1n.tar.gz 4545564 SHA256 3581a405ccbe0fd1f6f17ea41773f77cdd51db55c01e1b4d8549e519882c6caf SHA512 439e37879e379b77ae0e912222771ac54c0dcc4ad187b8e2eb6771df6cf71d56c4369931f4e16b8922b9d4a22e8f0aa9802c6828b8406fba7481426eade628aa WHIRLPOOL 8c08fc98863c444db3c1fee6970d1866123b7a525f4fe303016c0cf040351f7cb71f49a00ac1f1948ae9b7edaf9a4e5664814415447c8a88d4c49fe9014411d5
-DIST openssl-1.0.1o.tar.gz 4546659 SHA256 16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13 SHA512 dc05fc6f47239330ad0c36f27049f02752bb168b7b1234b12760e42a920d41dd47d1e652dfee897b4c99729308fbb59cab80b93c8614acf498215a8b80607fbf WHIRLPOOL af7505625730ea6e59517289fcc6044b24e0826b2538463f36e876ae96ca7d591627ca09386e6a69e8234df88fec11fb9e2a098c2f6996592a0f74cecbf4af30
 DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
-DIST openssl-1.0.2.tar.gz 5265809 SHA256 8c48baf3babe0d505d16cfc0cf272589c66d3624264098213db0fb00034728e9 SHA512 dea46225a5445edc4986b02b99fbc90153819374b9a9bfdd892b60cd18ac7fefaf21a7e9d2bb05d0e3bfa4d2704e0ee24b06cc8e7081a542d7598cc9e73c67c5 WHIRLPOOL fe628a38125390deb75728b31427c308efbf65637a569fd1f139f6313fea533514ef05bf3d01bbdc793f77eb259400c95c53074a294d32d73576939d16f22e25
 DIST openssl-1.0.2a.tar.gz 5262089 SHA256 15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a SHA512 02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 WHIRLPOOL a590c71794f5d29b80afa28b18621b7535e96b714b3690d793c1422a90b09a89cbcb912841d400c5982a8197bb02c13051190e96ba0e4d530509b48b43067cd7
 DIST openssl-1.0.2b.tar.gz 5281009 SHA256 d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f SHA512 563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f WHIRLPOOL d828dc76842d25f02f211031b3ab9a2a8fd44975e9aaf87d0fd5fca9935a27b61c3e4f896a2186194f1a7b4d668fc48cafc5be9f7c670017ba342ce40113935f
 DIST openssl-1.0.2c.tar.gz 5280670 SHA256 0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83 SHA512 2a68e8b017d0d3e34e4f9d33b77abd960b3d04e418f106e852684a2ff247dc8ea390b7d6a42d130fd84d821a15e84e77b68b3677433433ef5c10d156333b9dae WHIRLPOOL c59878c3bd5e8904913b97d71a15ef1eaafcfb4eb58c691ba4fb38bf81752308d0ef4a902e53aec4c6e7585677f2404d29cdea0832d14206fabf28d744af2622
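Review bot: the eight removed DIST lines (0.9.8ze, 0.9.8zf, 1.0.0r, 1.0.1l, 1.0.1m, 1.0.1n, 1.0.1o, 1.0.2) are only safe to drop if no ebuild left in the tree still fetches those tarballs, and the commit message "delete old" does not say that this was checked. The diffstat deletes eight ebuilds alongside them, so the pairing looks plausible, but please state in the message that these versions are superseded by the 0.9.8zg, 1.0.1p and 1.0.2a/b/c entries that stay. Several of the removed versions carried CVE patches (CVE-2015-0209, CVE-2015-0286, CVE-2015-0288, CVE-2015-0291 per the diffstat), so a reader auditing the history needs to see that the fixes moved into the remaining versions rather than disappeared.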

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.0 b/dev-libs/openssl/files/gentoo.config-1.0.0
deleted file mode 100644
index 475bda3..0000000
--- a/dev-libs/openssl/files/gentoo.config-1.0.0
+++ /dev/null
@@ -1,159 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-#
-# Openssl doesn't play along nicely with cross-compiling
-# like autotools based projects, so let's teach it new tricks.
-#
-# Review the bundled 'config' script to see why kind of targets
-# we can pass to the 'Configure' script.
-
-
-# Testing routines
-if [[ $1 == "test" ]] ; then
-	for c in \
-		"arm-gentoo-linux-uclibc      |linux-generic32 -DL_ENDIAN" \
-		"armv5b-linux-gnu             |linux-armv4 -DB_ENDIAN" \
-		"x86_64-pc-linux-gnu          |linux-x86_64" \
-		"alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
-		"i686-pc-linux-gnu            |linux-elf" \
-		"whatever-gentoo-freebsdX.Y   |BSD-generic32" \
-		"i686-gentoo-freebsdX.Y       |BSD-x86-elf" \
-		"sparc64-alpha-freebsdX.Y     |BSD-sparc64" \
-		"ia64-gentoo-freebsd5.99234   |BSD-ia64" \
-		"x86_64-gentoo-freebsdX.Y     |BSD-x86_64" \
-		"hppa64-aldsF-linux-gnu5.3    |linux-generic32 -DB_ENDIAN" \
-		"powerpc-gentOO-linux-uclibc  |linux-ppc" \
-		"powerpc64-unk-linux-gnu      |linux-ppc64" \
-		"x86_64-apple-darwinX         |darwin64-x86_64-cc" \
-		"powerpc64-apple-darwinX      |darwin64-ppc-cc" \
-		"i686-apple-darwinX           |darwin-i386-cc" \
-		"i386-apple-darwinX           |darwin-i386-cc" \
-		"powerpc-apple-darwinX        |darwin-ppc-cc" \
-		"i586-pc-winnt                |winnt-parity" \
-		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
-		"s390x-linux-gnu              |linux-s390x" \
-	;do
-		CHOST=${c/|*}
-		ret_want=${c/*|}
-		ret_got=$(CHOST=${CHOST} "$0")
-
-		if [[ ${ret_want} == "${ret_got}" ]] ; then
-			echo "PASS: ${CHOST}"
-		else
-			echo "FAIL: ${CHOST}"
-			echo -e "\twanted: ${ret_want}"
-			echo -e "\twe got: ${ret_got}"
-		fi
-	done
-	exit 0
-fi
-[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
-
-
-# Detect the operating system
-case ${CHOST} in
-	*-aix*)          system="aix";;
-	*-darwin*)       system="darwin";;
-	*-freebsd*)      system="BSD";;
-	*-hpux*)         system="hpux";;
-	*-linux*)        system="linux";;
-	*-solaris*)      system="solaris";;
-	*-winnt*)        system="winnt";;
-	x86_64-*-mingw*) system="mingw64";;
-	*mingw*)         system="mingw";;
-	*)               exit 0;;
-esac
-
-
-# Compiler munging
-compiler="gcc"
-if [[ ${CC} == "ccc" ]] ; then
-	compiler=${CC}
-fi
-
-
-# Detect target arch
-machine=""
-chost_machine=${CHOST%%-*}
-case ${system} in
-linux)
-	case ${chost_machine}:${ABI} in
-		alphaev56*)   machine=alpha+bwx-${compiler};;
-		alphaev[678]*)machine=alpha+bwx-${compiler};;
-		alpha*)       machine=alpha-${compiler};;
-		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
-		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
-		arm*b*)       machine="generic32 -DB_ENDIAN";;
-		arm*)         machine="generic32 -DL_ENDIAN";;
-		avr*)         machine="generic32 -DL_ENDIAN";;
-		bfin*)        machine="generic32 -DL_ENDIAN";;
-	#	hppa64*)      machine=parisc64;;
-		hppa*)        machine="generic32 -DB_ENDIAN";;
-		i[0-9]86*|\
-		x86_64*:x86)  machine=elf;;
-		ia64*)        machine=ia64;;
-		m68*)         machine="generic32 -DB_ENDIAN";;
-		mips*el*)     machine="generic32 -DL_ENDIAN";;
-		mips*)        machine="generic32 -DB_ENDIAN";;
-		powerpc64*)   machine=ppc64;;
-		powerpc*)     machine=ppc;;
-	#	sh64*)        machine=elf;;
-		sh*b*)        machine="generic32 -DB_ENDIAN";;
-		sh*)          machine="generic32 -DL_ENDIAN";;
-		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
-		sparc64*)     machine=sparcv9;;
-		sparc*)       machine=sparcv8;;
-		s390x*)       machine=s390x;;
-		s390*)        machine="generic32 -DB_ENDIAN";;
-		x86_64*:x32)  machine=x32;;
-		x86_64*)      machine=x86_64;;
-	esac
-	;;
-BSD)
-	case ${chost_machine} in
-		alpha*)       machine=generic64;;
-		i[6-9]86*)    machine=x86-elf;;
-		ia64*)        machine=ia64;;
-		sparc64*)     machine=sparc64;;
-		x86_64*)      machine=x86_64;;
-		*)            machine=generic32;;
-	esac
-	;;
-aix)
-	machine=${compiler}
-	;;
-darwin)
-	case ${chost_machine} in
-		powerpc64)    machine=ppc-cc; system=${system}64;;
-		powerpc)      machine=ppc-cc;;
-		i?86*)        machine=i386-cc;;
-		x86_64)       machine=x86_64-cc; system=${system}64;;
-	esac
-	;;
-hpux)
-	case ${chost_machine} in
-		ia64)	machine=ia64-${compiler} ;;
-	esac
-	;;
-solaris)
-	case ${chost_machine} in
-		i386)         machine=x86-${compiler} ;;
-		x86_64*)      machine=x86_64-${compiler}; system=${system}64;;
-		sparcv9*)     machine=sparcv9-${compiler}; system=${system}64;;
-		sparc*)       machine=sparcv8-${compiler};;
-	esac
-	;;
-winnt)
-	machine=parity
-	;;
-mingw*)
-	# special case ... no xxx-yyy style name
-	echo ${system}
-	;;
-esac
-
-
-# If we have something, show it
-[[ -n ${machine} ]] && echo ${system}-${machine}
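Review bot: nothing in this diff shows which ebuilds consumed gentoo.config-1.0.0, so before the whole file goes please confirm that none of the ebuilds that remain still reference it by name; a leftover reference would only surface as a failure when that ebuild is next built. If a newer gentoo.config file replaces this one, naming it in the commit message would make the removal easy to audit.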

diff --git a/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch b/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch
deleted file mode 100644
index facb77d..0000000
--- a/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch
+++ /dev/null
@@ -1,326 +0,0 @@
---- openssl-0.9.8ze/crypto/asn1/a_type.c
-+++ openssl-0.9.8ze/crypto/asn1/a_type.c
-@@ -121,6 +121,9 @@
- 	case V_ASN1_OBJECT:
- 		result = OBJ_cmp(a->value.object, b->value.object);
- 		break;
-+	case V_ASN1_BOOLEAN:
-+		result = a->value.boolean - b->value.boolean;
-+		break;
- 	case V_ASN1_NULL:
- 		result = 0;	/* They do not have content. */
- 		break;
---- openssl-0.9.8ze/crypto/asn1/tasn_dec.c
-+++ openssl-0.9.8ze/crypto/asn1/tasn_dec.c
-@@ -128,11 +128,17 @@
- 	{
- 	ASN1_TLC c;
- 	ASN1_VALUE *ptmpval = NULL;
--	if (!pval)
--		pval = &ptmpval;
- 	c.valid = 0;
--	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
--		return *pval;
-+	if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
-+	    ptmpval = *pval;
-+	if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
-+	    if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
-+		if (*pval)
-+		    ASN1_item_free(*pval, it);
-+		*pval = ptmpval;
-+	    }
-+	    return ptmpval;
-+	}
- 	return NULL;
- 	}
- 
-@@ -309,9 +315,16 @@
- 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
- 				goto auxerr;
- 
--		/* Allocate structure */
--		if (!*pval && !ASN1_item_ex_new(pval, it))
--			{
-+		if (*pval) {
-+		    /* Free up and zero CHOICE value if initialised */
-+		    i = asn1_get_choice_selector(pval, it);
-+		    if ((i >= 0) && (i < it->tcount)) {
-+			tt = it->templates + i;
-+			pchptr = asn1_get_field_ptr(pval, tt);
-+			ASN1_template_free(pchptr, tt);
-+			asn1_set_choice_selector(pval, -1, it);
-+		    }
-+		} else if (!ASN1_item_ex_new(pval, it)) {
- 			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
- 						ERR_R_NESTED_ASN1_ERROR);
- 			goto err;
-@@ -405,6 +418,17 @@
- 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
- 				goto auxerr;
- 
-+		/* Free up and zero any ADB found */
-+		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
-+		    if (tt->flags & ASN1_TFLG_ADB_MASK) {
-+			const ASN1_TEMPLATE *seqtt;
-+			ASN1_VALUE **pseqval;
-+			seqtt = asn1_do_adb(pval, tt, 1);
-+			pseqval = asn1_get_field_ptr(pval, seqtt);
-+			ASN1_template_free(pseqval, seqtt);
-+		    }
-+		}
-+
- 		/* Get each field entry */
- 		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
- 			{
---- openssl-0.9.8ze/crypto/pkcs7/pk7_doit.c
-+++ openssl-0.9.8ze/crypto/pkcs7/pk7_doit.c
-@@ -151,6 +151,25 @@
- 	EVP_PKEY *pkey;
- 	ASN1_OCTET_STRING *os=NULL;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
-+	return NULL;
-+    }
-+    /*
-+     * The content field in the PKCS7 ContentInfo is optional, but that really
-+     * only applies to inner content (precisely, detached signatures).
-+     *
-+     * When reading content, missing outer content is therefore treated as an
-+     * error.
-+     *
-+     * When creating content, PKCS7_content_new() must be called before
-+     * calling this method, so a NULL p7->d is always an error.
-+     */
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
-+	return NULL;
-+    }
-+
- 	i=OBJ_obj2nid(p7->type);
- 	p7->state=PKCS7_S_HEADER;
- 
-@@ -344,6 +363,16 @@
- 	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
- 	PKCS7_RECIP_INFO *ri=NULL;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
-+	return NULL;
-+    }
-+    
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
-+	return NULL;
-+    }
-+
- 	i=OBJ_obj2nid(p7->type);
- 	p7->state=PKCS7_S_HEADER;
- 
-@@ -637,6 +666,16 @@
- 	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
- 	ASN1_OCTET_STRING *os=NULL;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
-+	return 0;
-+    }
-+
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
-+	return 0;
-+    }
-+
- 	EVP_MD_CTX_init(&ctx_tmp);
- 	i=OBJ_obj2nid(p7->type);
- 	p7->state=PKCS7_S_HEADER;
-@@ -668,6 +707,7 @@
- 		/* If detached data then the content is excluded */
- 		if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
- 			M_ASN1_OCTET_STRING_free(os);
-+			os = NULL;
- 			p7->d.sign->contents->d.data = NULL;
- 		}
- 		break;
-@@ -678,6 +718,7 @@
- 		if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
- 			{
- 			M_ASN1_OCTET_STRING_free(os);
-+			os = NULL;
- 			p7->d.digest->contents->d.data = NULL;
- 			}
- 		break;
-@@ -815,6 +856,11 @@
- 
- 	if (!PKCS7_is_detached(p7))
- 		{
-+		/*
-+		 * NOTE(emilia): I think we only reach os == NULL here because detached
-+		 */
-+		if (os == NULL)
-+		    goto err;
- 		btmp=BIO_find_type(bio,BIO_TYPE_MEM);
- 		if (btmp == NULL)
- 			{
-@@ -849,6 +895,16 @@
- 	STACK_OF(X509) *cert;
- 	X509 *x509;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
-+	return 0;
-+    }
-+
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
-+	return 0;
-+    }
-+
- 	if (PKCS7_type_is_signed(p7))
- 		{
- 		cert=p7->d.sign->cert;
---- openssl-0.9.8ze/crypto/pkcs7/pk7_lib.c
-+++ openssl-0.9.8ze/crypto/pkcs7/pk7_lib.c
-@@ -70,6 +70,7 @@
- 
- 	switch (cmd)
- 		{
-+	/* NOTE(emilia): does not support detached digested data. */
- 	case PKCS7_OP_SET_DETACHED_SIGNATURE:
- 		if (nid == NID_pkcs7_signed)
- 			{
-@@ -473,6 +474,8 @@
- 
- STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
- 	{
-+	if (p7 == NULL || p7->d.ptr == NULL)
-+		return NULL;
- 	if (PKCS7_type_is_signed(p7))
- 		{
- 		return(p7->d.sign->signer_info);
---- openssl-0.9.8ze/doc/crypto/d2i_X509.pod
-+++ openssl-0.9.8ze/doc/crypto/d2i_X509.pod
-@@ -199,6 +199,12 @@
- persist if they are not present in the new one. As a result the use
- of this "reuse" behaviour is strongly discouraged.
- 
-+Current versions of OpenSSL will not modify B<*px> if an error occurs.
-+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
-+set to the value of the newly decoded structure. As a result B<*px>
-+B<must not> be allocated on the stack or an attempt will be made to
-+free an invalid pointer.
-+
- i2d_X509() will not return an error in many versions of OpenSSL,
- if mandatory fields are not initialized due to a programming error
- then the encoded structure may contain invalid data or omit the
-@@ -210,7 +216,9 @@
- 
- d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
- or B<NULL> if an error occurs. The error code that can be obtained by
--L<ERR_get_error(3)|ERR_get_error(3)>. 
-+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
-+with a valid X509 structure being passed in via B<px> then the object is not
-+modified in the event of error.
- 
- i2d_X509() returns the number of bytes successfully encoded or a negative
- value if an error occurs. The error code can be obtained by
---- openssl-0.9.8ze/ssl/s2_lib.c
-+++ openssl-0.9.8ze/ssl/s2_lib.c
-@@ -410,7 +410,7 @@
- 
- 		OPENSSL_assert(s->session->master_key_length >= 0
- 		    && s->session->master_key_length
--		    < (int)sizeof(s->session->master_key));
-+		    <= (int)sizeof(s->session->master_key));
- 		EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
- 		EVP_DigestUpdate(&ctx,&c,1);
- 		c++;
---- openssl-0.9.8ze/ssl/s2_srvr.c
-+++ openssl-0.9.8ze/ssl/s2_srvr.c
-@@ -446,10 +446,6 @@
- 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
- 		return(-1);
- 		}
--	i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
--		&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
--		(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
--
- 	is_export=SSL_C_IS_EXPORT(s->session->cipher);
- 	
- 	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
-@@ -467,21 +463,59 @@
- 	else
- 		ek=5;
- 
-+	/*
-+	 * The format of the CLIENT-MASTER-KEY message is
-+	 * 1 byte message type
-+	 * 3 bytes cipher
-+	 * 2-byte clear key length (stored in s->s2->tmp.clear)
-+	 * 2-byte encrypted key length (stored in s->s2->tmp.enc)
-+	 * 2-byte key args length (IV etc)
-+	 * clear key
-+	 * encrypted key
-+	 * key args
-+	 *
-+	 * If the cipher is an export cipher, then the encrypted key bytes
-+	 * are a fixed portion of the total key (5 or 8 bytes). The size of
-+	 * this portion is in |ek|. If the cipher is not an export cipher,
-+	 * then the entire key material is encrypted (i.e., clear key length
-+	 * must be zero).
-+	 */
-+	if ((!is_export && s->s2->tmp.clear != 0) ||
-+	    (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
-+	    ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-+	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
-+	    return -1;
-+	}
-+	/*
-+	 * The encrypted blob must decrypt to the encrypted portion of the key.
-+	 * Decryption can't be expanding, so if we don't have enough encrypted
-+	 * bytes to fit the key in the buffer, stop now.
-+	 */
-+	if ((is_export && s->s2->tmp.enc < ek) ||
-+	    (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
-+	    ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-+	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
-+	    return -1;
-+	}
-+
-+	i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
-+				    &(p[s->s2->tmp.clear]),
-+				    &(p[s->s2->tmp.clear]),
-+				    (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
-+				    RSA_PKCS1_PADDING);
-+
- 	/* bad decrypt */
- #if 1
- 	/* If a bad decrypt, continue with protocol but with a
- 	 * random master secret (Bleichenbacher attack) */
--	if ((i < 0) ||
--		((!is_export && (i != EVP_CIPHER_key_length(c)))
--		|| (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
--			(unsigned int)EVP_CIPHER_key_length(c))))))
--		{
-+	if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
-+			|| (is_export && i != ek))) {
- 		ERR_clear_error();
- 		if (is_export)
- 			i=ek;
- 		else
- 			i=EVP_CIPHER_key_length(c);
--		if (RAND_pseudo_bytes(p,i) <= 0)
-+		if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
- 			return 0;
- 		}
- #else
-@@ -505,7 +539,8 @@
- 		}
- #endif
- 
--	if (is_export) i+=s->s2->tmp.clear;
-+	if (is_export)
-+		i = EVP_CIPHER_key_length(c);
- 
- 	if (i > SSL_MAX_MASTER_KEY_LENGTH)
- 		{
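Review bot: this file is named for CVE-2015-0286, but the deleted content carries more than the V_ASN1_BOOLEAN comparison in a_type.c: it also holds the reuse handling in tasn_dec.c, the NULL p7 and p7->d.ptr checks in pk7_doit.c and pk7_lib.c, the master_key_length assert change in s2_lib.c, and the CLIENT-MASTER-KEY length checks in s2_srvr.c. Removing it is fine only if every 0.9.8 ebuild that remains builds from a tarball that already contains all of these changes (the Manifest keeps 0.9.8zg). Please say so in the commit message, since "delete old" gives a reader no way to tell that the fixes were not dropped along with the patch.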

diff --git a/dev-libs/openssl/files/openssl-1.0.0e-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.0e-parallel-build.patch
deleted file mode 100644
index e1a030f..0000000
--- a/dev-libs/openssl/files/openssl-1.0.0e-parallel-build.patch
+++ /dev/null
@@ -1,315 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2084
-
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -247,17 +247,17 @@
- build_libs: build_crypto build_ssl build_engines
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
--build_ssl:
-+build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
--build_engines:
-+build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
--build_apps:
-+build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
--build_tests:
-+build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
--build_tools:
-+build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -497,9 +497,9 @@
- dist_pem_h:
- 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
- 
--install: all install_docs install_sw
-+install: install_docs install_sw
- 
--install_sw:
-+install_dirs:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -508,6 +508,13 @@
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+	@$(PERL) $(TOP)/util/mkdir-p.pl \
-+		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- 	do \
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-@@ -511,7 +511,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; for i in $(LIBS) ;\
- 	do \
- 		if [ -f "$$i" ]; then \
-@@ -593,12 +600,7 @@
- 		done; \
- 	done
- 
--install_docs:
--	@$(PERL) $(TOP)/util/mkdir-p.pl \
--		$(INSTALL_PREFIX)$(MANDIR)/man1 \
--		$(INSTALL_PREFIX)$(MANDIR)/man3 \
--		$(INSTALL_PREFIX)$(MANDIR)/man5 \
--		$(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- 	here="`pwd`"; \
- 	filecase=; \
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -85,11 +85,11 @@
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	$(RANLIB) $(LIB) || echo Never mind.
- 
-@@ -110,7 +110,7 @@
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -119,7 +119,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -72,7 +72,7 @@
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -123,7 +123,7 @@
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -345,106 +345,106 @@
- 		link_app.$${shlib_target}
- 
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
--	@target=$(RSATEST); $(BUILD_CMD)
-+	+@target=$(RSATEST); $(BUILD_CMD)
- 
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
--	@target=$(BNTEST); $(BUILD_CMD)
-+	+@target=$(BNTEST); $(BUILD_CMD)
- 
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
--	@target=$(ECTEST); $(BUILD_CMD)
-+	+@target=$(ECTEST); $(BUILD_CMD)
- 
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
--	@target=$(EXPTEST); $(BUILD_CMD)
-+	+@target=$(EXPTEST); $(BUILD_CMD)
- 
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
--	@target=$(IDEATEST); $(BUILD_CMD)
-+	+@target=$(IDEATEST); $(BUILD_CMD)
- 
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
--	@target=$(MD2TEST); $(BUILD_CMD)
-+	+@target=$(MD2TEST); $(BUILD_CMD)
- 
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
--	@target=$(SHATEST); $(BUILD_CMD)
-+	+@target=$(SHATEST); $(BUILD_CMD)
- 
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
--	@target=$(SHA1TEST); $(BUILD_CMD)
-+	+@target=$(SHA1TEST); $(BUILD_CMD)
- 
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
--	@target=$(SHA256TEST); $(BUILD_CMD)
-+	+@target=$(SHA256TEST); $(BUILD_CMD)
- 
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
--	@target=$(SHA512TEST); $(BUILD_CMD)
-+	+@target=$(SHA512TEST); $(BUILD_CMD)
- 
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
--	@target=$(RMDTEST); $(BUILD_CMD)
-+	+@target=$(RMDTEST); $(BUILD_CMD)
- 
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
--	@target=$(MDC2TEST); $(BUILD_CMD)
-+	+@target=$(MDC2TEST); $(BUILD_CMD)
- 
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
--	@target=$(MD4TEST); $(BUILD_CMD)
-+	+@target=$(MD4TEST); $(BUILD_CMD)
- 
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
--	@target=$(MD5TEST); $(BUILD_CMD)
-+	+@target=$(MD5TEST); $(BUILD_CMD)
- 
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
--	@target=$(HMACTEST); $(BUILD_CMD)
-+	+@target=$(HMACTEST); $(BUILD_CMD)
- 
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
--	@target=$(WPTEST); $(BUILD_CMD)
-+	+@target=$(WPTEST); $(BUILD_CMD)
- 
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
--	@target=$(RC2TEST); $(BUILD_CMD)
-+	+@target=$(RC2TEST); $(BUILD_CMD)
- 
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
--	@target=$(BFTEST); $(BUILD_CMD)
-+	+@target=$(BFTEST); $(BUILD_CMD)
- 
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
--	@target=$(CASTTEST); $(BUILD_CMD)
-+	+@target=$(CASTTEST); $(BUILD_CMD)
- 
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
--	@target=$(RC4TEST); $(BUILD_CMD)
-+	+@target=$(RC4TEST); $(BUILD_CMD)
- 
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
--	@target=$(RC5TEST); $(BUILD_CMD)
-+	+@target=$(RC5TEST); $(BUILD_CMD)
- 
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
--	@target=$(DESTEST); $(BUILD_CMD)
-+	+@target=$(DESTEST); $(BUILD_CMD)
- 
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
--	@target=$(RANDTEST); $(BUILD_CMD)
-+	+@target=$(RANDTEST); $(BUILD_CMD)
- 
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
--	@target=$(DHTEST); $(BUILD_CMD)
-+	+@target=$(DHTEST); $(BUILD_CMD)
- 
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
--	@target=$(DSATEST); $(BUILD_CMD)
-+	+@target=$(DSATEST); $(BUILD_CMD)
- 
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
--	@target=$(METHTEST); $(BUILD_CMD)
-+	+@target=$(METHTEST); $(BUILD_CMD)
- 
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
--	@target=$(SSLTEST); $(BUILD_CMD)
-+	+@target=$(SSLTEST); $(BUILD_CMD)
- 
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
--	@target=$(ENGINETEST); $(BUILD_CMD)
-+	+@target=$(ENGINETEST); $(BUILD_CMD)
- 
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
--	@target=$(EVPTEST); $(BUILD_CMD)
-+	+@target=$(EVPTEST); $(BUILD_CMD)
- 
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
--	@target=$(ECDSATEST); $(BUILD_CMD)
-+	+@target=$(ECDSATEST); $(BUILD_CMD)
- 
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
--	@target=$(ECDHTEST); $(BUILD_CMD)
-+	+@target=$(ECDHTEST); $(BUILD_CMD)
- 
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
--	@target=$(IGETEST); $(BUILD_CMD)
-+	+@target=$(IGETEST); $(BUILD_CMD)
- 
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
--	@target=$(JPAKETEST); $(BUILD_CMD)
-+	+@target=$(JPAKETEST); $(BUILD_CMD)
- 
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
--	@target=$(ASN1TEST); $(BUILD_CMD)
-+	+@target=$(ASN1TEST); $(BUILD_CMD)
- 
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -457,7 +457,7 @@
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 

diff --git a/dev-libs/openssl/files/openssl-1.0.0r-x32.patch b/dev-libs/openssl/files/openssl-1.0.0r-x32.patch
deleted file mode 100644
index 2d715eb..0000000
--- a/dev-libs/openssl/files/openssl-1.0.0r-x32.patch
+++ /dev/null
@@ -1,76 +0,0 @@
---- openssl-1.0.0r/Configure
-+++ openssl-1.0.0r/Configure
-@@ -353,6 +353,7 @@ my %table=(
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x32",	"gcc:-DL_ENDIAN 	-DTERMIO -O2 -pipe -g -feliminate-unused-debug-types -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
---- openssl-1.0.0r/crypto/bn/asm/x86_64-gcc.c
-+++ openssl-1.0.0r/crypto/bn/asm/x86_64-gcc.c
-@@ -55,7 +55,7 @@
-  *    machine.
-  */
- 
--# ifdef _WIN64
-+# if defined _WIN64 || !defined __LP64__
- #  define BN_ULONG unsigned long long
- # else
- #  define BN_ULONG unsigned long
-@@ -211,9 +211,9 @@ BN_ULONG bn_add_words(BN_ULONG *rp, cons
- 
-     asm volatile ("       subq    %2,%2           \n"
-                   ".p2align 4                     \n"
--                  "1:     movq    (%4,%2,8),%0    \n"
--                  "       adcq    (%5,%2,8),%0    \n"
--                  "       movq    %0,(%3,%2,8)    \n"
-+                  "1:     movq    (%q4,%2,8),%0   \n"
-+                  "       adcq    (%q5,%2,8),%0   \n"
-+                  "       movq    %0,(%q3,%2,8)   \n"
-                   "       leaq    1(%2),%2        \n"
-                   "       loop    1b              \n"
-                   "       sbbq    %0,%0           \n":"=&a" (ret), "+c"(n),
-@@ -235,9 +235,9 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, cons
- 
-     asm volatile ("       subq    %2,%2           \n"
-                   ".p2align 4                     \n"
--                  "1:     movq    (%4,%2,8),%0    \n"
--                  "       sbbq    (%5,%2,8),%0    \n"
--                  "       movq    %0,(%3,%2,8)    \n"
-+                  "1:     movq    (%q4,%2,8),%0   \n"
-+                  "       sbbq    (%q5,%2,8),%0   \n"
-+                  "       movq    %0,(%q3,%2,8)   \n"
-                   "       leaq    1(%2),%2        \n"
-                   "       loop    1b              \n"
-                   "       sbbq    %0,%0           \n":"=&a" (ret), "+c"(n),
---- openssl-1.0.0r/crypto/bn/bn_exp.c
-+++ openssl-1.0.0r/crypto/bn/bn_exp.c
-@@ -564,7 +564,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBU
-  * multiple.
-  */
- #define MOD_EXP_CTIME_ALIGN(x_) \
--        ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
-+        ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ADDR)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
- 
- /*
-  * This variant of BN_mod_exp_mont() uses fixed windows and the special
---- openssl-1.0.0r/crypto/bn/bn.h
-+++ openssl-1.0.0r/crypto/bn/bn.h
-@@ -174,6 +174,15 @@ extern "C" {
- # endif
- 
- /*
-+ * Address type.
-+ */
-+#ifdef _WIN64
-+#define BN_ADDR unsigned long long
-+#else
-+#define BN_ADDR unsigned long
-+#endif
-+
-+/*
-  * assuming long is 64bit - this is the DEC Alpha unsigned long long is only
-  * 64 bits :-(, don't define BN_LLONG for the DEC Alpha
-  */
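Review bot: the removed openssl-1.0.0r-x32.patch starts directly at `--- openssl-1.0.0r/Configure` with no header, so the file records neither the origin of the x32 changes nor their upstream status. Before dropping it, confirm that no remaining ebuild still applies it: its bn_exp.c section is what moves the pointer cast in `MOD_EXP_CTIME_ALIGN` from `BN_ULONG` to `BN_ADDR`, and its x86_64-gcc.c section adds the `%q` operand modifiers to the `bn_add_words` and `bn_sub_words` assembly, so an x32 build of this series without the patch loses both.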

diff --git a/dev-libs/openssl/files/openssl-1.0.1-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.1-parallel-build.patch
deleted file mode 100644
index 19f859a..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1-parallel-build.patch
+++ /dev/null
@@ -1,354 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2084
-
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -247,17 +247,17 @@
- build_libs: build_crypto build_ssl build_engines
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
--build_ssl:
-+build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
--build_engines:
-+build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
--build_apps:
-+build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
--build_tests:
-+build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
--build_tools:
-+build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -497,9 +497,9 @@
- dist_pem_h:
- 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
- 
--install: all install_docs install_sw
-+install: install_docs install_sw
- 
--install_sw:
-+install_dirs:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -508,6 +508,13 @@
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+	@$(PERL) $(TOP)/util/mkdir-p.pl \
-+		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- 	do \
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-@@ -511,7 +511,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- 	do \
- 		if [ -f "$$i" ]; then \
-@@ -593,12 +600,7 @@
- 		done; \
- 	done
- 
--install_docs:
--	@$(PERL) $(TOP)/util/mkdir-p.pl \
--		$(INSTALL_PREFIX)$(MANDIR)/man1 \
--		$(INSTALL_PREFIX)$(MANDIR)/man3 \
--		$(INSTALL_PREFIX)$(MANDIR)/man5 \
--		$(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- 	here="`pwd`"; \
- 	filecase=; \
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -105,6 +105,7 @@ LINK_SO=	\
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
-     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
- 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +124,7 @@ SYMLINK_SO=	\
- 			done; \
- 		fi; \
- 		if [ -n "$$SHLIB_SOVER" ]; then \
-+			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- 		fi; \
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -85,11 +85,11 @@
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	$(RANLIB) $(LIB) || echo Never mind.
- 
-@@ -110,7 +110,7 @@
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -119,7 +119,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -72,7 +72,7 @@
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -123,7 +123,7 @@
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -365,109 +365,109 @@
- 		link_app.$${shlib_target}
- 
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
--	@target=$(RSATEST); $(BUILD_CMD)
-+	+@target=$(RSATEST); $(BUILD_CMD)
- 
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
--	@target=$(BNTEST); $(BUILD_CMD)
-+	+@target=$(BNTEST); $(BUILD_CMD)
- 
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
--	@target=$(ECTEST); $(BUILD_CMD)
-+	+@target=$(ECTEST); $(BUILD_CMD)
- 
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
--	@target=$(EXPTEST); $(BUILD_CMD)
-+	+@target=$(EXPTEST); $(BUILD_CMD)
- 
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
--	@target=$(IDEATEST); $(BUILD_CMD)
-+	+@target=$(IDEATEST); $(BUILD_CMD)
- 
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
--	@target=$(MD2TEST); $(BUILD_CMD)
-+	+@target=$(MD2TEST); $(BUILD_CMD)
- 
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
--	@target=$(SHATEST); $(BUILD_CMD)
-+	+@target=$(SHATEST); $(BUILD_CMD)
- 
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
--	@target=$(SHA1TEST); $(BUILD_CMD)
-+	+@target=$(SHA1TEST); $(BUILD_CMD)
- 
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
--	@target=$(SHA256TEST); $(BUILD_CMD)
-+	+@target=$(SHA256TEST); $(BUILD_CMD)
- 
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
--	@target=$(SHA512TEST); $(BUILD_CMD)
-+	+@target=$(SHA512TEST); $(BUILD_CMD)
- 
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
--	@target=$(RMDTEST); $(BUILD_CMD)
-+	+@target=$(RMDTEST); $(BUILD_CMD)
- 
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
--	@target=$(MDC2TEST); $(BUILD_CMD)
-+	+@target=$(MDC2TEST); $(BUILD_CMD)
- 
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
--	@target=$(MD4TEST); $(BUILD_CMD)
-+	+@target=$(MD4TEST); $(BUILD_CMD)
- 
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
--	@target=$(MD5TEST); $(BUILD_CMD)
-+	+@target=$(MD5TEST); $(BUILD_CMD)
- 
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
--	@target=$(HMACTEST); $(BUILD_CMD)
-+	+@target=$(HMACTEST); $(BUILD_CMD)
- 
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
--	@target=$(WPTEST); $(BUILD_CMD)
-+	+@target=$(WPTEST); $(BUILD_CMD)
- 
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
--	@target=$(RC2TEST); $(BUILD_CMD)
-+	+@target=$(RC2TEST); $(BUILD_CMD)
- 
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
--	@target=$(BFTEST); $(BUILD_CMD)
-+	+@target=$(BFTEST); $(BUILD_CMD)
- 
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
--	@target=$(CASTTEST); $(BUILD_CMD)
-+	+@target=$(CASTTEST); $(BUILD_CMD)
- 
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
--	@target=$(RC4TEST); $(BUILD_CMD)
-+	+@target=$(RC4TEST); $(BUILD_CMD)
- 
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
--	@target=$(RC5TEST); $(BUILD_CMD)
-+	+@target=$(RC5TEST); $(BUILD_CMD)
- 
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
--	@target=$(DESTEST); $(BUILD_CMD)
-+	+@target=$(DESTEST); $(BUILD_CMD)
- 
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
--	@target=$(RANDTEST); $(BUILD_CMD)
-+	+@target=$(RANDTEST); $(BUILD_CMD)
- 
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
--	@target=$(DHTEST); $(BUILD_CMD)
-+	+@target=$(DHTEST); $(BUILD_CMD)
- 
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
--	@target=$(DSATEST); $(BUILD_CMD)
-+	+@target=$(DSATEST); $(BUILD_CMD)
- 
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
--	@target=$(METHTEST); $(BUILD_CMD)
-+	+@target=$(METHTEST); $(BUILD_CMD)
- 
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
--	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
- 
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
--	@target=$(ENGINETEST); $(BUILD_CMD)
-+	+@target=$(ENGINETEST); $(BUILD_CMD)
- 
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
--	@target=$(EVPTEST); $(BUILD_CMD)
-+	+@target=$(EVPTEST); $(BUILD_CMD)
- 
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
--	@target=$(ECDSATEST); $(BUILD_CMD)
-+	+@target=$(ECDSATEST); $(BUILD_CMD)
- 
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
--	@target=$(ECDHTEST); $(BUILD_CMD)
-+	+@target=$(ECDHTEST); $(BUILD_CMD)
- 
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
--	@target=$(IGETEST); $(BUILD_CMD)
-+	+@target=$(IGETEST); $(BUILD_CMD)
- 
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
--	@target=$(JPAKETEST); $(BUILD_CMD)
-+	+@target=$(JPAKETEST); $(BUILD_CMD)
- 
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
--	@target=$(ASN1TEST); $(BUILD_CMD)
-+	+@target=$(ASN1TEST); $(BUILD_CMD)
- 
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
--	@target=$(SRPTEST); $(BUILD_CMD)
-+	+@target=$(SRPTEST); $(BUILD_CMD)
- 
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -480,7 +480,7 @@
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 
---- a/crypto/objects/Makefile
-+++ b/crypto/objects/Makefile
-@@ -44,11 +44,11 @@ obj_dat.h: obj_dat.pl obj_mac.h
- # objects.pl both reads and writes obj_mac.num
- obj_mac.h: objects.pl objects.txt obj_mac.num
- 	$(PERL) objects.pl objects.txt obj_mac.num obj_mac.h
--	@sleep 1; touch obj_mac.h; sleep 1
- 
--obj_xref.h: objxref.pl obj_xref.txt obj_mac.num
-+# This doesn't really need obj_mac.h, but since that rule reads & writes
-+# obj_mac.num, we can't run in parallel with it.
-+obj_xref.h: objxref.pl obj_xref.txt obj_mac.num obj_mac.h
- 	$(PERL) objxref.pl obj_mac.num obj_xref.txt > obj_xref.h
--	@sleep 1; touch obj_xref.h; sleep 1
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
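Review bot: in the Makefile.shared section of the removed patch, `[ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0;` makes LINK_SO return before linking whenever the output file already exists, without comparing it against the objects, so a rebuild in a reused tree keeps the old shared library. If a successor parallel-build patch stays in the tree for the remaining ebuilds, check whether it carries the same shortcut and, if it does, state in its header that it relies on a clean build directory. The same header would be the place to explain why the `sleep 1; touch` lines in crypto/objects/Makefile were replaced by the extra `obj_mac.h` prerequisite on `obj_xref.h`, which here is documented only by the added Makefile comment.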

diff --git a/dev-libs/openssl/files/openssl-1.0.1-x32.patch b/dev-libs/openssl/files/openssl-1.0.1-x32.patch
deleted file mode 100644
index 5106cb6..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1-x32.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=51bfed2e26fc13a66e8b5710aa2ce1d7a04af721
-
-UpstreamStatus: Pending
-
-Received from H J Liu @ Intel
-Make the assembly syntax compatible with x32 gcc. Othewise x32 gcc throws errors.
-Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/07/13
-
-ported the patch to the 1.0.0e version
-Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/12/01
-Index: openssl-1.0.0e/Configure
-===================================================================
---- openssl-1.0.0e.orig/Configure
-+++ openssl-1.0.0e/Configure
-@@ -393,6 +393,7 @@ my %table=(
- "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x32",	"gcc:-DL_ENDIAN 	-DTERMIO -O2 -pipe -g -feliminate-unused-debug-types -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "dist",		"cc:-O::(unknown)::::::",
- 
- # Basic configs that should work on any (32 and less bit) box
-Index: openssl-1.0.0e/crypto/bn/asm/x86_64-gcc.c
-===================================================================
---- openssl-1.0.0e.orig/crypto/bn/asm/x86_64-gcc.c
-+++ openssl-1.0.0e/crypto/bn/asm/x86_64-gcc.c
-@@ -55,7 +55,7 @@
-  *    machine.
-  */
- 
--#ifdef _WIN64
-+#if defined _WIN64 || !defined __LP64__
- #define BN_ULONG unsigned long long
- #else
- #define BN_ULONG unsigned long
-@@ -192,9 +192,9 @@ BN_ULONG bn_add_words (BN_ULONG *rp, con
- 	asm (
- 	"	subq	%2,%2		\n"
- 	".p2align 4			\n"
--	"1:	movq	(%4,%2,8),%0	\n"
--	"	adcq	(%5,%2,8),%0	\n"
--	"	movq	%0,(%3,%2,8)	\n"
-+	"1:	movq	(%q4,%2,8),%0	\n"
-+	"	adcq	(%q5,%2,8),%0	\n"
-+	"	movq	%0,(%q3,%2,8)	\n"
- 	"	leaq	1(%2),%2	\n"
- 	"	loop	1b		\n"
- 	"	sbbq	%0,%0		\n"
-@@ -215,9 +215,9 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, con
- 	asm (
- 	"	subq	%2,%2		\n"
- 	".p2align 4			\n"
--	"1:	movq	(%4,%2,8),%0	\n"
--	"	sbbq	(%5,%2,8),%0	\n"
--	"	movq	%0,(%3,%2,8)	\n"
-+	"1:	movq	(%q4,%2,8),%0	\n"
-+	"	sbbq	(%q5,%2,8),%0	\n"
-+	"	movq	%0,(%q3,%2,8)	\n"
- 	"	leaq	1(%2),%2	\n"
- 	"	loop	1b		\n"
- 	"	sbbq	%0,%0		\n"
-Index: openssl-1.0.0e/crypto/bn/bn.h
-===================================================================
---- openssl-1.0.0e.orig/crypto/bn/bn.h
-+++ openssl-1.0.0e/crypto/bn/bn.h
-@@ -172,6 +172,13 @@ extern "C" {
- # endif
- #endif
- 
-+/* Address type.  */
-+#ifdef _WIN64
-+#define BN_ADDR unsigned long long
-+#else
-+#define BN_ADDR unsigned long
-+#endif
-+
- /* assuming long is 64bit - this is the DEC Alpha
-  * unsigned long long is only 64 bits :-(, don't define
-  * BN_LLONG for the DEC Alpha */
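Review bot: in the bn.h section, `BN_ADDR` is defined but no other section of this file uses it; the 1.0.0r variant above applies it in bn_exp.c, and this one has no bn_exp.c section at all. The header is also out of step with the file name: it still reads `UpstreamStatus: Pending` and every `Index:` line names openssl-1.0.0e although the file is versioned 1.0.1. If any x32 patch derived from this one remains in the tree, drop the unused define or say what it is for, and refresh the header so the version and upstream status match what is actually applied.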

diff --git a/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch b/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch
deleted file mode 100644
index 03e4f59..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-https://bugs.gentoo.org/472584
-http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest
-
-fix verification handling in s_client.  when loading paths, make sure
-we properly fallback to setting the default paths.
-
---- a/apps/s_client.c
-+++ b/apps/s_client.c
-@@ -899,7 +899,7 @@
- 	if (!set_cert_key_stuff(ctx,cert,key))
- 		goto end;
- 
--	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-+	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) &&
- 		(!SSL_CTX_set_default_verify_paths(ctx)))
- 		{
- 		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
-
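Review bot: in the s_client.c hunk, changing `||` to `&&` means the error block is entered only when both `SSL_CTX_load_verify_locations(ctx,CAfile,CApath)` and `SSL_CTX_set_default_verify_paths(ctx)` fail, so a CAfile or CApath that the user passed explicitly but that cannot be loaded is silently replaced by the default verify paths, and the `BIO_printf` that would report it is commented out in the context line. The fallback described in the header is only needed when neither option was given; a narrower condition would fall back when `CAfile` and `CApath` are both NULL and treat a failed load of a user-supplied location as an error. Confirm that whichever s_client verification fix the remaining ebuilds carry makes that distinction.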

diff --git a/dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch b/dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch
deleted file mode 100644
index 10c1ba2..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch
+++ /dev/null
@@ -1,642 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2051&user=guest&pass=guest
-
-Forward ported from openssl-1.0.1e-ipv6.patch
-
-Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
-
---- openssl-1.0.1h/apps/s_apps.h
-+++ openssl-1.0.1h/apps/s_apps.h
-@@ -148,7 +148,7 @@
- #define PORT_STR        "4433"
- #define PROTOCOL        "tcp"
- 
--int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
-+int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context, int use_ipv4, int use_ipv6);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -156,7 +156,7 @@
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, int port, int type, int use_ipv4, int use_ipv6);
- int should_retry(int i);
- int extract_port(char *str, short *port_ptr);
- int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
---- openssl-1.0.1h/apps/s_client.c
-+++ openssl-1.0.1h/apps/s_client.c
-@@ -285,6 +285,10 @@
- 	{
- 	BIO_printf(bio_err,"usage: s_client args\n");
- 	BIO_printf(bio_err,"\n");
-+	BIO_printf(bio_err," -4             - use IPv4 only\n");
-+#if OPENSSL_USE_IPV6
-+	BIO_printf(bio_err," -6             - use IPv6 only\n");
-+#endif
- 	BIO_printf(bio_err," -host host     - use -connect instead\n");
- 	BIO_printf(bio_err," -port port     - use -connect instead\n");
- 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
-@@ -568,6 +572,7 @@
- 	int sbuf_len,sbuf_off;
- 	fd_set readfds,writefds;
- 	short port=PORT;
-+	int use_ipv4, use_ipv6;
- 	int full_log=1;
- 	char *host=SSL_HOST_NAME;
- 	char *cert_file=NULL,*key_file=NULL;
-@@ -613,7 +618,11 @@
- #endif
- 	char *sess_in = NULL;
- 	char *sess_out = NULL;
--	struct sockaddr peer;
-+#if OPENSSL_USE_IPV6
-+	struct sockaddr_storage peer;
-+#else
-+	struct sockaddr_in peer;
-+#endif
- 	int peerlen = sizeof(peer);
- 	int enable_timeouts = 0 ;
- 	long socket_mtu = 0;
-@@ -628,6 +637,12 @@
- 
- 	meth=SSLv23_client_method();
- 
-+	use_ipv4 = 1;
-+#if OPENSSL_USE_IPV6
-+	use_ipv6 = 1;
-+#else
-+	use_ipv6 = 0;
-+#endif
- 	apps_startup();
- 	c_Pause=0;
- 	c_quiet=0;
-@@ -949,6 +964,18 @@
- 			jpake_secret = *++argv;
- 			}
- #endif
-+		else if (strcmp(*argv,"-4") == 0)
-+			{
-+			use_ipv4 = 1;
-+			use_ipv6 = 0;
-+			}
-+#if OPENSSL_USE_IPV6
-+		else if (strcmp(*argv,"-6") == 0)
-+			{
-+			use_ipv4 = 0;
-+			use_ipv6 = 1;
-+			}
-+#endif
- #ifndef OPENSSL_NO_SRTP
- 		else if (strcmp(*argv,"-use_srtp") == 0)
- 			{
-@@ -1260,7 +1287,7 @@
- 
- re_start:
- 
--	if (init_client(&s,host,port,socket_type) == 0)
-+	if (init_client(&s,host,port,socket_type,use_ipv4,use_ipv6) == 0)
- 		{
- 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
- 		SHUTDOWN(s);
-@@ -1286,7 +1313,7 @@
- 		{
- 
- 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
--		if (getsockname(s, &peer, (void *)&peerlen) < 0)
-+		if (getsockname(s, (struct sockaddr *)&peer, (void *)&peerlen) < 0)
- 			{
- 			BIO_printf(bio_err, "getsockname:errno=%d\n",
- 				get_last_socket_error());
---- openssl-1.0.1h/apps/s_server.c
-+++ openssl-1.0.1h/apps/s_server.c
-@@ -560,6 +560,10 @@
-         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
- # endif
- #endif
-+	BIO_printf(bio_err," -4            - use IPv4 only\n");
-+#if OPENSSL_USE_IPV6
-+	BIO_printf(bio_err," -6            - use IPv6 only\n");
-+#endif
- 	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
- 	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
- 	}
-@@ -947,6 +951,7 @@
- 	int state=0;
- 	const SSL_METHOD *meth=NULL;
- 	int socket_type=SOCK_STREAM;
-+	int use_ipv4, use_ipv6;
- 	ENGINE *e=NULL;
- 	char *inrand=NULL;
- 	int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
-@@ -975,6 +980,12 @@
- #endif
- 	meth=SSLv23_server_method();
- 
-+	use_ipv4 = 1;
-+#if OPENSSL_USE_IPV6
-+	use_ipv6 = 1;
-+#else
-+	use_ipv6 = 0;
-+#endif
- 	local_argc=argc;
- 	local_argv=argv;
- 
-@@ -1323,6 +1334,18 @@
- 			jpake_secret = *(++argv);
- 			}
- #endif
-+		else if (strcmp(*argv,"-4") == 0)
-+			{
-+			use_ipv4 = 1;
-+			use_ipv6 = 0;
-+			}
-+#if OPENSSL_USE_IPV6
-+		else if (strcmp(*argv,"-6") == 0)
-+			{
-+			use_ipv4 = 0;
-+			use_ipv6 = 1;
-+			}
-+#endif
- #ifndef OPENSSL_NO_SRTP
- 		else if (strcmp(*argv,"-use_srtp") == 0)
- 			{
-@@ -1881,9 +1904,9 @@
- 	BIO_printf(bio_s_out,"ACCEPT\n");
- 	(void)BIO_flush(bio_s_out);
- 	if (www)
--		do_server(port,socket_type,&accept_socket,www_body, context);
-+		do_server(port,socket_type,&accept_socket,www_body, context, use_ipv4, use_ipv6);
- 	else
--		do_server(port,socket_type,&accept_socket,sv_body, context);
-+		do_server(port,socket_type,&accept_socket,sv_body, context, use_ipv4, use_ipv6);
- 	print_stats(bio_s_out,ctx);
- 	ret=0;
- end:
---- openssl-1.0.1h/apps/s_socket.c
-+++ openssl-1.0.1h/apps/s_socket.c
-@@ -97,16 +97,16 @@
- #include "netdb.h"
- #endif
- 
--static struct hostent *GetHostByName(char *name);
-+static struct hostent *GetHostByName(char *name, int domain);
- #if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
- static void ssl_sock_cleanup(void);
- #endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port,char *ip, int type);
-+static int init_client_ip(int *sock,unsigned char *ip, int port, int type, int domain);
-+static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6);
-+static int init_server_long(int *sock, int port,char *ip, int type, int use_ipv4, int use_ipv6);
- static int do_accept(int acc_sock, int *sock, char **host);
--static int host_ip(char *str, unsigned char ip[4]);
-+static int host_ip(char *str, unsigned char *ip, int domain);
- 
- #ifdef OPENSSL_SYS_WIN16
- #define SOCKET_PROTOCOL	0 /* more microsoft stupidity */
-@@ -234,38 +234,68 @@
- 	return(1);
- 	}
- 
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, int port, int type, int use_ipv4, int use_ipv6)
- 	{
-+#if OPENSSL_USE_IPV6
-+	unsigned char ip[16];
-+#else
- 	unsigned char ip[4];
-+#endif
- 
--	memset(ip, '\0', sizeof ip);
--	if (!host_ip(host,&(ip[0])))
--		return 0;
--	return init_client_ip(sock,ip,port,type);
--	}
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
--	{
--	unsigned long addr;
-+	if (use_ipv4)
-+		if (host_ip(host,ip,AF_INET))
-+			return(init_client_ip(sock,ip,port,type,AF_INET));
-+#if OPENSSL_USE_IPV6
-+	if (use_ipv6)
-+		if (host_ip(host,ip,AF_INET6))
-+			return(init_client_ip(sock,ip,port,type,AF_INET6));
-+#endif
-+	return 0;
-+	}
-+
-+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type, int domain)
-+	{
-+#if OPENSSL_USE_IPV6
-+	struct sockaddr_storage them;
-+	struct sockaddr_in *them_in = (struct sockaddr_in *)&them;
-+	struct sockaddr_in6 *them_in6 = (struct sockaddr_in6 *)&them;
-+#else
- 	struct sockaddr_in them;
-+	struct sockaddr_in *them_in = &them;
-+#endif
-+	socklen_t addr_len;
- 	int s,i;
- 
- 	if (!ssl_sock_init()) return(0);
- 
- 	memset((char *)&them,0,sizeof(them));
--	them.sin_family=AF_INET;
--	them.sin_port=htons((unsigned short)port);
--	addr=(unsigned long)
--		((unsigned long)ip[0]<<24L)|
--		((unsigned long)ip[1]<<16L)|
--		((unsigned long)ip[2]<< 8L)|
--		((unsigned long)ip[3]);
--	them.sin_addr.s_addr=htonl(addr);
-+	if (domain == AF_INET)
-+		{
-+		addr_len = (socklen_t)sizeof(struct sockaddr_in);
-+		them_in->sin_family=AF_INET;
-+		them_in->sin_port=htons((unsigned short)port);
-+#ifndef BIT_FIELD_LIMITS
-+		memcpy(&them_in->sin_addr.s_addr, ip, 4);
-+#else
-+		memcpy(&them_in->sin_addr, ip, 4);
-+#endif
-+		}
-+	else
-+#if OPENSSL_USE_IPV6
-+		{
-+		addr_len = (socklen_t)sizeof(struct sockaddr_in6);
-+		them_in6->sin6_family=AF_INET6;
-+		them_in6->sin6_port=htons((unsigned short)port);
-+		memcpy(&(them_in6->sin6_addr), ip, sizeof(struct in6_addr));
-+		}
-+#else
-+		return(0);
-+#endif
- 
- 	if (type == SOCK_STREAM)
--		s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-+		s=socket(domain,SOCK_STREAM,SOCKET_PROTOCOL);
- 	else /* ( type == SOCK_DGRAM) */
--		s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
-+		s=socket(domain,SOCK_DGRAM,IPPROTO_UDP);
- 			
- 	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
- 
-@@ -277,29 +307,27 @@
- 		if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
- 		}
- #endif
--
--	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
-+	if (connect(s,(struct sockaddr *)&them,addr_len) == -1)
- 		{ closesocket(s); perror("connect"); return(0); }
- 	*sock=s;
- 	return(1);
- 	}
- 
--int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
-+int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context, int use_ipv4, int use_ipv6)
- 	{
- 	int sock;
- 	char *name = NULL;
- 	int accept_socket = 0;
- 	int i;
- 
--	if (!init_server(&accept_socket,port,type)) return(0);
--
-+	if (!init_server(&accept_socket,port,type, use_ipv4, use_ipv6)) return(0);
- 	if (ret != NULL)
- 		{
- 		*ret=accept_socket;
- 		/* return(1);*/
- 		}
--  	for (;;)
--  		{
-+	for (;;)
-+		{
- 		if (type==SOCK_STREAM)
- 			{
- 			if (do_accept(accept_socket,&sock,&name) == 0)
-@@ -322,41 +350,88 @@
- 		}
- 	}
- 
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server_long(int *sock, int port, char *ip, int type, int use_ipv4, int use_ipv6)
- 	{
- 	int ret=0;
-+	int domain;
-+#if OPENSSL_USE_IPV6
-+	struct sockaddr_storage server;
-+	struct sockaddr_in *server_in = (struct sockaddr_in *)&server;
-+	struct sockaddr_in6 *server_in6 = (struct sockaddr_in6 *)&server;
-+#else
- 	struct sockaddr_in server;
-+	struct sockaddr_in *server_in = &server;
-+#endif
-+	socklen_t addr_len;
- 	int s= -1;
- 
-+	if (!use_ipv4 && !use_ipv6)
-+		goto err;
-+#if OPENSSL_USE_IPV6
-+	/* we are fine here */
-+#else
-+	if (use_ipv6)
-+		goto err;
-+#endif
- 	if (!ssl_sock_init()) return(0);
- 
--	memset((char *)&server,0,sizeof(server));
--	server.sin_family=AF_INET;
--	server.sin_port=htons((unsigned short)port);
--	if (ip == NULL)
--		server.sin_addr.s_addr=INADDR_ANY;
--	else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--#ifndef BIT_FIELD_LIMITS
--		memcpy(&server.sin_addr.s_addr,ip,4);
-+#if OPENSSL_USE_IPV6
-+	domain = use_ipv6 ? AF_INET6 : AF_INET;
- #else
--		memcpy(&server.sin_addr,ip,4);
-+	domain = AF_INET;
- #endif
--	
--		if (type == SOCK_STREAM)
--			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
--		else /* type == SOCK_DGRAM */
--			s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
-+	if (type == SOCK_STREAM)
-+		s=socket(domain,SOCK_STREAM,SOCKET_PROTOCOL);
-+	else /* type == SOCK_DGRAM */
-+		s=socket(domain, SOCK_DGRAM,IPPROTO_UDP);
- 
- 	if (s == INVALID_SOCKET) goto err;
- #if defined SOL_SOCKET && defined SO_REUSEADDR
-+	{
-+	int j = 1;
-+	setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
-+		   (void *) &j, sizeof j);
-+	}
-+#endif
-+#if OPENSSL_USE_IPV6
-+	if ((use_ipv4 == 0) && (use_ipv6 == 1))
-+		{
-+		const int on = 1;
-+
-+		setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-+		           (const void *) &on, sizeof(int));
-+		}
-+#endif
-+	if (domain == AF_INET)
-+		{
-+		addr_len = (socklen_t)sizeof(struct sockaddr_in);
-+		memset(server_in, 0, sizeof(struct sockaddr_in));
-+		server_in->sin_family=AF_INET;
-+		server_in->sin_port = htons((unsigned short)port);
-+		if (ip == NULL)
-+			server_in->sin_addr.s_addr = htonl(INADDR_ANY);
-+		else
-+/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
-+#ifndef BIT_FIELD_LIMITS
-+			memcpy(&server_in->sin_addr.s_addr, ip, 4);
-+#else
-+			memcpy(&server_in->sin_addr, ip, 4);
-+#endif
-+		}
-+#if OPENSSL_USE_IPV6
-+	else
- 		{
--		int j = 1;
--		setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
--			   (void *) &j, sizeof j);
-+		addr_len = (socklen_t)sizeof(struct sockaddr_in6);
-+		memset(server_in6, 0, sizeof(struct sockaddr_in6));
-+		server_in6->sin6_family = AF_INET6;
-+		server_in6->sin6_port = htons((unsigned short)port);
-+		if (ip == NULL)
-+			server_in6->sin6_addr = in6addr_any;
-+		else
-+			memcpy(&server_in6->sin6_addr, ip, sizeof(struct in6_addr));
- 		}
- #endif
--	if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
-+	if (bind(s, (struct sockaddr *)&server, addr_len) == -1)
- 		{
- #ifndef OPENSSL_SYS_WINDOWS
- 		perror("bind");
-@@ -375,16 +450,23 @@
- 	return(ret);
- 	}
- 
--static int init_server(int *sock, int port, int type)
-+static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6)
- 	{
--	return(init_server_long(sock, port, NULL, type));
-+	return(init_server_long(sock, port, NULL, type, use_ipv4, use_ipv6));
- 	}
- 
- static int do_accept(int acc_sock, int *sock, char **host)
- 	{
- 	int ret;
- 	struct hostent *h1,*h2;
--	static struct sockaddr_in from;
-+#if OPENSSL_USE_IPV6
-+	struct sockaddr_storage from;
-+	struct sockaddr_in *from_in = (struct sockaddr_in *)&from;
-+	struct sockaddr_in6 *from_in6 = (struct sockaddr_in6 *)&from;
-+#else
-+	struct sockaddr_in from;
-+	struct sockaddr_in *from_in = &from;
-+#endif
- 	int len;
- /*	struct linger ling; */
- 
-@@ -431,13 +513,23 @@
- */
- 
- 	if (host == NULL) goto end;
-+#if OPENSSL_USE_IPV6
-+	if (from.ss_family == AF_INET)
-+#else
-+	if (from.sin_family == AF_INET)
-+#endif
- #ifndef BIT_FIELD_LIMITS
--	/* I should use WSAAsyncGetHostByName() under windows */
--	h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
--		sizeof(from.sin_addr.s_addr),AF_INET);
-+		/* I should use WSAAsyncGetHostByName() under windows */
-+		h1=gethostbyaddr((char *)&from_in->sin_addr.s_addr,
-+		                 sizeof(from_in->sin_addr.s_addr), AF_INET);
- #else
--	h1=gethostbyaddr((char *)&from.sin_addr,
--		sizeof(struct in_addr),AF_INET);
-+		h1=gethostbyaddr((char *)&from_in->sin_addr,
-+		                 sizeof(struct in_addr), AF_INET);
-+#endif
-+#if OPENSSL_USE_IPV6
-+	else
-+		h1=gethostbyaddr((char *)&from_in6->sin6_addr,
-+		                 sizeof(struct in6_addr), AF_INET6);
- #endif
- 	if (h1 == NULL)
- 		{
-@@ -455,16 +547,25 @@
- 			}
- 		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
- 
--		h2=GetHostByName(*host);
-+#if OPENSSL_USE_IPV6		
-+		h2=GetHostByName(*host, from.ss_family);
-+#else
-+		h2=GetHostByName(*host, from.sin_family);
-+#endif
-+
- 		if (h2 == NULL)
- 			{
- 			BIO_printf(bio_err,"gethostbyname failure\n");
- 			closesocket(ret);
- 			return(0);
- 			}
--		if (h2->h_addrtype != AF_INET)
-+#if OPENSSL_USE_IPV6
-+		if (h2->h_addrtype != from.ss_family)
-+#else
-+		if (h2->h_addrtype != from.sin_family)
-+#endif
- 			{
--			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-+			BIO_printf(bio_err,"gethostbyname addr address is not correct\n");
- 			closesocket(ret);
- 			return(0);
- 			}
-@@ -480,7 +581,7 @@
- 	char *h,*p;
- 
- 	h=str;
--	p=strchr(str,':');
-+	p=strrchr(str,':');
- 	if (p == NULL)
- 		{
- 		BIO_printf(bio_err,"no port defined\n");
-@@ -488,7 +589,7 @@
- 		}
- 	*(p++)='\0';
- 
--	if ((ip != NULL) && !host_ip(str,ip))
-+	if ((ip != NULL) && !host_ip(str,ip,AF_INET))
- 		goto err;
- 	if (host_ptr != NULL) *host_ptr=h;
- 
-@@ -499,48 +600,58 @@
- 	return(0);
- 	}
- 
--static int host_ip(char *str, unsigned char ip[4])
-+static int host_ip(char *str, unsigned char *ip, int domain)
- 	{
--	unsigned int in[4]; 
-+	unsigned int in[4];
-+	unsigned long l;
- 	int i;
- 
--	if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
-+	if ((domain == AF_INET) &&
-+	    (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4))
- 		{
-+		
- 		for (i=0; i<4; i++)
- 			if (in[i] > 255)
- 				{
- 				BIO_printf(bio_err,"invalid IP address\n");
- 				goto err;
- 				}
--		ip[0]=in[0];
--		ip[1]=in[1];
--		ip[2]=in[2];
--		ip[3]=in[3];
--		}
-+		l=htonl((in[0]<<24L)|(in[1]<<16L)|(in[2]<<8L)|in[3]);
-+		memcpy(ip, &l, 4);
-+		return 1;
-+		}
-+#if OPENSSL_USE_IPV6
-+	else if ((domain == AF_INET6) &&
-+	         (inet_pton(AF_INET6, str, ip) == 1))
-+	         return 1;
-+#endif
- 	else
- 		{ /* do a gethostbyname */
- 		struct hostent *he;
- 
- 		if (!ssl_sock_init()) return(0);
- 
--		he=GetHostByName(str);
-+		he=GetHostByName(str,domain);
- 		if (he == NULL)
- 			{
- 			BIO_printf(bio_err,"gethostbyname failure\n");
- 			goto err;
- 			}
- 		/* cast to short because of win16 winsock definition */
--		if ((short)he->h_addrtype != AF_INET)
-+		if ((short)he->h_addrtype != domain)
- 			{
--			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-+			BIO_printf(bio_err,"gethostbyname addr family is not correct\n");
- 			return(0);
- 			}
--		ip[0]=he->h_addr_list[0][0];
--		ip[1]=he->h_addr_list[0][1];
--		ip[2]=he->h_addr_list[0][2];
--		ip[3]=he->h_addr_list[0][3];
-+		if (domain == AF_INET)
-+			memset(ip, 0, 4);
-+#if OPENSSL_USE_IPV6
-+		else
-+			memset(ip, 0, 16);
-+#endif
-+		memcpy(ip, he->h_addr_list[0], he->h_length);
-+		return 1;
- 		}
--	return(1);
- err:
- 	return(0);
- 	}
-@@ -577,7 +688,7 @@
- static unsigned long ghbn_hits=0L;
- static unsigned long ghbn_miss=0L;
- 
--static struct hostent *GetHostByName(char *name)
-+static struct hostent *GetHostByName(char *name, int domain)
- 	{
- 	struct hostent *ret;
- 	int i,lowi=0;
-@@ -592,14 +703,20 @@
- 			}
- 		if (ghbn_cache[i].order > 0)
- 			{
--			if (strncmp(name,ghbn_cache[i].name,128) == 0)
-+			if ((strncmp(name,ghbn_cache[i].name,128) == 0) &&
-+			    (ghbn_cache[i].ent.h_addrtype == domain))
- 				break;
- 			}
- 		}
- 	if (i == GHBN_NUM) /* no hit*/
- 		{
- 		ghbn_miss++;
--		ret=gethostbyname(name);
-+		if (domain == AF_INET)
-+			ret=gethostbyname(name);
-+#if OPENSSL_USE_IPV6
-+		else
-+			ret=gethostbyname2(name, AF_INET6);
-+#endif
- 		if (ret == NULL) return(NULL);
- 		/* else add to cache */
- 		if(strlen(name) < sizeof ghbn_cache[0].name)
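
Review bot: in the removed init_server_long(), the IPv6-only branch `if ((use_ipv4 == 0) && (use_ipv6 == 1))` ignores the return value of setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, ...). If the option cannot be set, the listener binds anyway and, on systems where the option defaults to off, still accepts IPv4 clients despite the IPv6-only request, with nothing reported. If a rebased copy of this IPv6 patch is still applied by the remaining ebuilds, check the setsockopt() result there and `goto err` on failure, and name that replacement patch in the commit message so the removal can be verified.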

diff --git a/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch b/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch
deleted file mode 100644
index 811f573..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch
+++ /dev/null
@@ -1,356 +0,0 @@
---- openssl-1.0.1l/crypto/asn1/a_type.c
-+++ openssl-1.0.1l/crypto/asn1/a_type.c
-@@ -124,6 +124,9 @@
- 	case V_ASN1_OBJECT:
- 		result = OBJ_cmp(a->value.object, b->value.object);
- 		break;
-+	case V_ASN1_BOOLEAN:
-+		result = a->value.boolean - b->value.boolean;
-+		break;
- 	case V_ASN1_NULL:
- 		result = 0;	/* They do not have content. */
- 		break;
---- openssl-1.0.1l/crypto/asn1/tasn_dec.c
-+++ openssl-1.0.1l/crypto/asn1/tasn_dec.c
-@@ -130,11 +130,17 @@
- 	{
- 	ASN1_TLC c;
- 	ASN1_VALUE *ptmpval = NULL;
--	if (!pval)
--		pval = &ptmpval;
- 	asn1_tlc_clear_nc(&c);
--	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
--		return *pval;
-+	if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
-+	    ptmpval = *pval;
-+	if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
-+	    if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
-+		if (*pval)
-+		    ASN1_item_free(*pval, it);
-+		*pval = ptmpval;
-+	    }
-+	    return ptmpval;
-+	}
- 	return NULL;
- 	}
- 
-@@ -311,9 +317,16 @@
- 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
- 				goto auxerr;
- 
--		/* Allocate structure */
--		if (!*pval && !ASN1_item_ex_new(pval, it))
--			{
-+		if (*pval) {
-+		    /* Free up and zero CHOICE value if initialised */
-+		    i = asn1_get_choice_selector(pval, it);
-+		    if ((i >= 0) && (i < it->tcount)) {
-+			tt = it->templates + i;
-+			pchptr = asn1_get_field_ptr(pval, tt);
-+			ASN1_template_free(pchptr, tt);
-+			asn1_set_choice_selector(pval, -1, it);
-+		    }
-+		} else if (!ASN1_item_ex_new(pval, it)) {
- 			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
- 						ERR_R_NESTED_ASN1_ERROR);
- 			goto err;
-@@ -407,6 +420,17 @@
- 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
- 				goto auxerr;
- 
-+		/* Free up and zero any ADB found */
-+		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
-+		    if (tt->flags & ASN1_TFLG_ADB_MASK) {
-+			const ASN1_TEMPLATE *seqtt;
-+			ASN1_VALUE **pseqval;
-+			seqtt = asn1_do_adb(pval, tt, 1);
-+			pseqval = asn1_get_field_ptr(pval, seqtt);
-+			ASN1_template_free(pseqval, seqtt);
-+		    }
-+		}
-+
- 		/* Get each field entry */
- 		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
- 			{
---- openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
-+++ openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
-@@ -272,6 +272,25 @@
- 	PKCS7_RECIP_INFO *ri=NULL;
- 	ASN1_OCTET_STRING *os=NULL;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
-+	return NULL;
-+    }
-+    /*
-+     * The content field in the PKCS7 ContentInfo is optional, but that really
-+     * only applies to inner content (precisely, detached signatures).
-+     *
-+     * When reading content, missing outer content is therefore treated as an
-+     * error.
-+     *
-+     * When creating content, PKCS7_content_new() must be called before
-+     * calling this method, so a NULL p7->d is always an error.
-+     */
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
-+	return NULL;
-+    }
-+
- 	i=OBJ_obj2nid(p7->type);
- 	p7->state=PKCS7_S_HEADER;
- 
-@@ -433,6 +452,16 @@
-        unsigned char *ek = NULL, *tkey = NULL;
-        int eklen = 0, tkeylen = 0;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
-+	return NULL;
-+    }
-+    
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
-+	return NULL;
-+    }
-+
- 	i=OBJ_obj2nid(p7->type);
- 	p7->state=PKCS7_S_HEADER;
- 
-@@ -752,6 +781,16 @@
- 	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
- 	ASN1_OCTET_STRING *os=NULL;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
-+	return 0;
-+    }
-+
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
-+	return 0;
-+    }
-+
- 	EVP_MD_CTX_init(&ctx_tmp);
- 	i=OBJ_obj2nid(p7->type);
- 	p7->state=PKCS7_S_HEADER;
-@@ -796,6 +835,7 @@
- 		/* If detached data then the content is excluded */
- 		if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
- 			M_ASN1_OCTET_STRING_free(os);
-+			os = NULL;
- 			p7->d.sign->contents->d.data = NULL;
- 		}
- 		break;
-@@ -806,6 +846,7 @@
- 		if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
- 			{
- 			M_ASN1_OCTET_STRING_free(os);
-+			os = NULL;
- 			p7->d.digest->contents->d.data = NULL;
- 			}
- 		break;
-@@ -878,24 +919,31 @@
- 		M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
- 		}
- 
--	if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
--		{
-+	if (!PKCS7_is_detached(p7)) {
-+	    /*
-+	     * NOTE(emilia): I think we only reach os == NULL here because detached
-+	     * digested data support is broken.
-+	     */
-+	    if (os == NULL)
-+		goto err;
-+	    if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
- 		char *cont;
- 		long contlen;
--		btmp=BIO_find_type(bio,BIO_TYPE_MEM);
--		if (btmp == NULL)
--			{
--			PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
--			goto err;
--			}
-+		btmp = BIO_find_type(bio, BIO_TYPE_MEM);
-+		if (btmp == NULL) {
-+		    PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-+		    goto err;
-+		}
- 		contlen = BIO_get_mem_data(btmp, &cont);
--		/* Mark the BIO read only then we can use its copy of the data
-+		/*
-+		 * Mark the BIO read only then we can use its copy of the data
- 		 * instead of making an extra copy.
- 		 */
- 		BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
- 		BIO_set_mem_eof_return(btmp, 0);
- 		ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
--		}
-+	    }
-+	}
- 	ret=1;
- err:
- 	EVP_MD_CTX_cleanup(&ctx_tmp);
-@@ -971,6 +1019,16 @@
- 	STACK_OF(X509) *cert;
- 	X509 *x509;
- 
-+    if (p7 == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
-+	return 0;
-+    }
-+
-+    if (p7->d.ptr == NULL) {
-+	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
-+	return 0;
-+    }
-+
- 	if (PKCS7_type_is_signed(p7))
- 		{
- 		cert=p7->d.sign->cert;
---- openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
-+++ openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
-@@ -71,6 +71,7 @@
- 
- 	switch (cmd)
- 		{
-+	/* NOTE(emilia): does not support detached digested data. */
- 	case PKCS7_OP_SET_DETACHED_SIGNATURE:
- 		if (nid == NID_pkcs7_signed)
- 			{
-@@ -459,6 +460,8 @@
- 
- STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
- 	{
-+	if (p7 == NULL || p7->d.ptr == NULL)
-+		return NULL;
- 	if (PKCS7_type_is_signed(p7))
- 		{
- 		return(p7->d.sign->signer_info);
---- openssl-1.0.1l/doc/crypto/d2i_X509.pod
-+++ openssl-1.0.1l/doc/crypto/d2i_X509.pod
-@@ -199,6 +199,12 @@
- persist if they are not present in the new one. As a result the use
- of this "reuse" behaviour is strongly discouraged.
- 
-+Current versions of OpenSSL will not modify B<*px> if an error occurs.
-+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
-+set to the value of the newly decoded structure. As a result B<*px>
-+B<must not> be allocated on the stack or an attempt will be made to
-+free an invalid pointer.
-+
- i2d_X509() will not return an error in many versions of OpenSSL,
- if mandatory fields are not initialized due to a programming error
- then the encoded structure may contain invalid data or omit the
-@@ -210,7 +216,9 @@
- 
- d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
- or B<NULL> if an error occurs. The error code that can be obtained by
--L<ERR_get_error(3)|ERR_get_error(3)>. 
-+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
-+with a valid X509 structure being passed in via B<px> then the object is not
-+modified in the event of error.
- 
- i2d_X509() returns the number of bytes successfully encoded or a negative
- value if an error occurs. The error code can be obtained by
---- openssl-1.0.1l/ssl/s2_lib.c
-+++ openssl-1.0.1l/ssl/s2_lib.c
-@@ -488,7 +488,7 @@
- 
- 		OPENSSL_assert(s->session->master_key_length >= 0
- 		    && s->session->master_key_length
--		    < (int)sizeof(s->session->master_key));
-+		    <= (int)sizeof(s->session->master_key));
- 		EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
- 		EVP_DigestUpdate(&ctx,&c,1);
- 		c++;
---- openssl-1.0.1l/ssl/s2_srvr.c
-+++ openssl-1.0.1l/ssl/s2_srvr.c
-@@ -454,10 +454,6 @@
- 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
- 		return(-1);
- 		}
--	i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
--		&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
--		(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
--
- 	is_export=SSL_C_IS_EXPORT(s->session->cipher);
- 	
- 	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
-@@ -475,21 +471,59 @@
- 	else
- 		ek=5;
- 
-+	/*
-+	 * The format of the CLIENT-MASTER-KEY message is
-+	 * 1 byte message type
-+	 * 3 bytes cipher
-+	 * 2-byte clear key length (stored in s->s2->tmp.clear)
-+	 * 2-byte encrypted key length (stored in s->s2->tmp.enc)
-+	 * 2-byte key args length (IV etc)
-+	 * clear key
-+	 * encrypted key
-+	 * key args
-+	 *
-+	 * If the cipher is an export cipher, then the encrypted key bytes
-+	 * are a fixed portion of the total key (5 or 8 bytes). The size of
-+	 * this portion is in |ek|. If the cipher is not an export cipher,
-+	 * then the entire key material is encrypted (i.e., clear key length
-+	 * must be zero).
-+	 */
-+	if ((!is_export && s->s2->tmp.clear != 0) ||
-+	    (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
-+	    ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-+	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
-+	    return -1;
-+	}
-+	/*
-+	 * The encrypted blob must decrypt to the encrypted portion of the key.
-+	 * Decryption can't be expanding, so if we don't have enough encrypted
-+	 * bytes to fit the key in the buffer, stop now.
-+	 */
-+	if ((is_export && s->s2->tmp.enc < ek) ||
-+	    (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
-+	    ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-+	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
-+	    return -1;
-+	}
-+
-+	i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
-+				    &(p[s->s2->tmp.clear]),
-+				    &(p[s->s2->tmp.clear]),
-+				    (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
-+				    RSA_PKCS1_PADDING);
-+
- 	/* bad decrypt */
- #if 1
- 	/* If a bad decrypt, continue with protocol but with a
- 	 * random master secret (Bleichenbacher attack) */
--	if ((i < 0) ||
--		((!is_export && (i != EVP_CIPHER_key_length(c)))
--		|| (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
--			(unsigned int)EVP_CIPHER_key_length(c))))))
--		{
-+	if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
-+			|| (is_export && i != ek))) {
- 		ERR_clear_error();
- 		if (is_export)
- 			i=ek;
- 		else
- 			i=EVP_CIPHER_key_length(c);
--		if (RAND_pseudo_bytes(p,i) <= 0)
-+		if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
- 			return 0;
- 		}
- #else
-@@ -513,7 +547,8 @@
- 		}
- #endif
- 
--	if (is_export) i+=s->s2->tmp.clear;
-+	if (is_export)
-+		i = EVP_CIPHER_key_length(c);
- 
- 	if (i > SSL_MAX_MASTER_KEY_LENGTH)
- 		{
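
Review bot: this file is named for CVE-2015-0286 only, but the removed content also changes crypto/asn1/tasn_dec.c, crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c, doc/crypto/d2i_X509.pod, ssl/s2_lib.c and ssl/s2_srvr.c, including the CLIENT-MASTER-KEY length checks placed before ssl_rsa_private_decrypt(). A search of the tree by CVE id will therefore not show that those fixes leave with it. Please confirm that no remaining 1.0.1 ebuild applies this file and that every remaining 1.0.1 version contains all of these changes upstream, and say so in the commit message, which currently reads only "delete old".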

diff --git a/dev-libs/openssl/files/openssl-1.0.1m-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.1m-parallel-build.patch
deleted file mode 100644
index db92b79..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1m-parallel-build.patch
+++ /dev/null
@@ -1,364 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2084
-
---- openssl-1.0.1m/crypto/Makefile
-+++ openssl-1.0.1m/crypto/Makefile
-@@ -85,11 +85,11 @@
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	[ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- 	$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.1m/crypto/objects/Makefile
-+++ openssl-1.0.1m/crypto/objects/Makefile
-@@ -44,11 +44,11 @@
- # objects.pl both reads and writes obj_mac.num
- obj_mac.h: objects.pl objects.txt obj_mac.num
- 	$(PERL) objects.pl objects.txt obj_mac.num obj_mac.h
--	@sleep 1; touch obj_mac.h; sleep 1
- 
--obj_xref.h: objxref.pl obj_xref.txt obj_mac.num
-+# This doesn't really need obj_mac.h, but since that rule reads & writes
-+# obj_mac.num, we can't run in parallel with it.
-+obj_xref.h: objxref.pl obj_xref.txt obj_mac.num obj_mac.h
- 	$(PERL) objxref.pl obj_mac.num obj_xref.txt > obj_xref.h
--	@sleep 1; touch obj_xref.h; sleep 1
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
---- openssl-1.0.1m/engines/Makefile
-+++ openssl-1.0.1m/engines/Makefile
-@@ -72,7 +72,7 @@
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- openssl-1.0.1m/Makefile.org
-+++ openssl-1.0.1m/Makefile.org
-@@ -273,17 +273,17 @@
- build_libs: build_crypto build_ssl build_engines
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
--build_ssl:
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
--build_engines:
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
--build_apps:
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
--build_tests:
--	@dir=test; target=all; $(BUILD_ONE_CMD)
--build_tools:
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+build_ssl: build_crypto
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+build_engines: build_crypto
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
-+build_apps: build_libs
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
-+build_tests: build_libs
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
-+build_tools: build_libs
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -538,9 +538,9 @@
- dist_pem_h:
- 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
- 
--install: all install_docs install_sw
-+install: install_docs install_sw
- 
--install_sw:
-+install_dirs:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -549,12 +549,19 @@
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+	@$(PERL) $(TOP)/util/mkdir-p.pl \
-+		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- 	do \
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- 	do \
- 		if [ -f "$$i" ]; then \
-@@ -634,12 +641,7 @@
- 		done; \
- 	done
- 
--install_docs:
--	@$(PERL) $(TOP)/util/mkdir-p.pl \
--		$(INSTALL_PREFIX)$(MANDIR)/man1 \
--		$(INSTALL_PREFIX)$(MANDIR)/man3 \
--		$(INSTALL_PREFIX)$(MANDIR)/man5 \
--		$(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- 	here="`pwd`"; \
- 	filecase=; \
---- openssl-1.0.1m/Makefile.shared
-+++ openssl-1.0.1m/Makefile.shared
-@@ -105,6 +105,7 @@
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
-     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
- 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +123,7 @@
- 			done; \
- 		fi; \
- 		if [ -n "$$SHLIB_SOVER" ]; then \
-+			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- 		fi; \
---- openssl-1.0.1m/test/Makefile
-+++ openssl-1.0.1m/test/Makefile
-@@ -130,7 +130,7 @@
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -388,118 +388,118 @@
- 		link_app.$${shlib_target}
- 
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
--	@target=$(RSATEST); $(BUILD_CMD)
-+	+@target=$(RSATEST); $(BUILD_CMD)
- 
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
--	@target=$(BNTEST); $(BUILD_CMD)
-+	+@target=$(BNTEST); $(BUILD_CMD)
- 
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
--	@target=$(ECTEST); $(BUILD_CMD)
-+	+@target=$(ECTEST); $(BUILD_CMD)
- 
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
--	@target=$(EXPTEST); $(BUILD_CMD)
-+	+@target=$(EXPTEST); $(BUILD_CMD)
- 
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
--	@target=$(IDEATEST); $(BUILD_CMD)
-+	+@target=$(IDEATEST); $(BUILD_CMD)
- 
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
--	@target=$(MD2TEST); $(BUILD_CMD)
-+	+@target=$(MD2TEST); $(BUILD_CMD)
- 
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
--	@target=$(SHATEST); $(BUILD_CMD)
-+	+@target=$(SHATEST); $(BUILD_CMD)
- 
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
--	@target=$(SHA1TEST); $(BUILD_CMD)
-+	+@target=$(SHA1TEST); $(BUILD_CMD)
- 
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
--	@target=$(SHA256TEST); $(BUILD_CMD)
-+	+@target=$(SHA256TEST); $(BUILD_CMD)
- 
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
--	@target=$(SHA512TEST); $(BUILD_CMD)
-+	+@target=$(SHA512TEST); $(BUILD_CMD)
- 
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
--	@target=$(RMDTEST); $(BUILD_CMD)
-+	+@target=$(RMDTEST); $(BUILD_CMD)
- 
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
--	@target=$(MDC2TEST); $(BUILD_CMD)
-+	+@target=$(MDC2TEST); $(BUILD_CMD)
- 
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
--	@target=$(MD4TEST); $(BUILD_CMD)
-+	+@target=$(MD4TEST); $(BUILD_CMD)
- 
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
--	@target=$(MD5TEST); $(BUILD_CMD)
-+	+@target=$(MD5TEST); $(BUILD_CMD)
- 
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
--	@target=$(HMACTEST); $(BUILD_CMD)
-+	+@target=$(HMACTEST); $(BUILD_CMD)
- 
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
--	@target=$(WPTEST); $(BUILD_CMD)
-+	+@target=$(WPTEST); $(BUILD_CMD)
- 
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
--	@target=$(RC2TEST); $(BUILD_CMD)
-+	+@target=$(RC2TEST); $(BUILD_CMD)
- 
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
--	@target=$(BFTEST); $(BUILD_CMD)
-+	+@target=$(BFTEST); $(BUILD_CMD)
- 
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
--	@target=$(CASTTEST); $(BUILD_CMD)
-+	+@target=$(CASTTEST); $(BUILD_CMD)
- 
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
--	@target=$(RC4TEST); $(BUILD_CMD)
-+	+@target=$(RC4TEST); $(BUILD_CMD)
- 
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
--	@target=$(RC5TEST); $(BUILD_CMD)
-+	+@target=$(RC5TEST); $(BUILD_CMD)
- 
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
--	@target=$(DESTEST); $(BUILD_CMD)
-+	+@target=$(DESTEST); $(BUILD_CMD)
- 
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
--	@target=$(RANDTEST); $(BUILD_CMD)
-+	+@target=$(RANDTEST); $(BUILD_CMD)
- 
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
--	@target=$(DHTEST); $(BUILD_CMD)
-+	+@target=$(DHTEST); $(BUILD_CMD)
- 
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
--	@target=$(DSATEST); $(BUILD_CMD)
-+	+@target=$(DSATEST); $(BUILD_CMD)
- 
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
--	@target=$(METHTEST); $(BUILD_CMD)
-+	+@target=$(METHTEST); $(BUILD_CMD)
- 
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
--	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
- 
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
--	@target=$(ENGINETEST); $(BUILD_CMD)
-+	+@target=$(ENGINETEST); $(BUILD_CMD)
- 
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
--	@target=$(EVPTEST); $(BUILD_CMD)
-+	+@target=$(EVPTEST); $(BUILD_CMD)
- 
- $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
--	@target=$(EVPEXTRATEST); $(BUILD_CMD)
-+	+@target=$(EVPEXTRATEST); $(BUILD_CMD)
- 
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
--	@target=$(ECDSATEST); $(BUILD_CMD)
-+	+@target=$(ECDSATEST); $(BUILD_CMD)
- 
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
--	@target=$(ECDHTEST); $(BUILD_CMD)
-+	+@target=$(ECDHTEST); $(BUILD_CMD)
- 
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
--	@target=$(IGETEST); $(BUILD_CMD)
-+	+@target=$(IGETEST); $(BUILD_CMD)
- 
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
--	@target=$(JPAKETEST); $(BUILD_CMD)
-+	+@target=$(JPAKETEST); $(BUILD_CMD)
- 
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
--	@target=$(ASN1TEST); $(BUILD_CMD)
-+	+@target=$(ASN1TEST); $(BUILD_CMD)
- 
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
--	@target=$(SRPTEST); $(BUILD_CMD)
-+	+@target=$(SRPTEST); $(BUILD_CMD)
- 
- $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
--	@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-+	+@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
- 
- $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
--	@target=$(CONSTTIMETEST) $(BUILD_CMD)
-+	+@target=$(CONSTTIMETEST) $(BUILD_CMD)
- 
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -512,7 +512,7 @@
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 
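
Review bot: the Makefile.shared part of the removed patch puts `[ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0;` ahead of the link command, which skips relinking whenever the shared library file already exists, even when its objects have just been rebuilt. The patch gives no reason beyond the ticket URL at its top. If the parallel-build patch still carried for the remaining versions keeps this guard, add a comment there explaining why an existence test is sufficient, or let make's prerequisites decide whether the library is out of date instead.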

diff --git a/dev-libs/openssl/files/openssl-1.0.1m-s_client-verify.patch b/dev-libs/openssl/files/openssl-1.0.1m-s_client-verify.patch
deleted file mode 100644
index 8aa29e4..0000000
--- a/dev-libs/openssl/files/openssl-1.0.1m-s_client-verify.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/472584
-http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest
-
-fix verification handling in s_client.  when loading paths, make sure
-we properly fallback to setting the default paths.
-
-Forward-ported from openssl-1.0.1e-s_client-verify.patch
-
-Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
-
---- openssl-1.0.1m/apps/s_client.c
-+++ openssl-1.0.1m/apps/s_client.c
-@@ -1177,7 +1177,7 @@ int MAIN(int argc, char **argv)
-     if (!set_cert_key_stuff(ctx, cert, key))
-         goto end;
- 
--    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-+    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) &&
-         (!SSL_CTX_set_default_verify_paths(ctx))) {
-         /*
-          * BIO_printf(bio_err,"error setting default verify locations\n");
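
Review bot: with `&&` in place of `||`, the s_client error branch is reached only when SSL_CTX_load_verify_locations(ctx, CAfile, CApath) and SSL_CTX_set_default_verify_paths(ctx) both fail, so a CAfile or CApath that the user supplied but that fails to load falls back to the default paths without any message. The description asks for a fallback to the default paths; restricting that fallback to the case where CAfile and CApath are both NULL, and treating a failed load of a user-supplied location as an error, would keep the fix without silently switching trust stores. Worth checking in whichever forward-port of this patch the remaining ebuilds apply.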

diff --git a/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0209.patch b/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0209.patch
deleted file mode 100644
index 6d396b4..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0209.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-https://bugs.gentoo.org/541502
-
-From 1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 9 Feb 2015 11:38:41 +0000
-Subject: [PATCH] Fix a failure to NULL a pointer freed on error.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>
-
-CVE-2015-0209
-
-Reviewed-by: Emilia Käsper <emilia@openssl.org>
----
- crypto/ec/ec_asn1.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
-index 30b7df4..d3e8316 100644
---- a/crypto/ec/ec_asn1.c
-+++ b/crypto/ec/ec_asn1.c
-@@ -1014,8 +1014,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
-             ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
-             goto err;
-         }
--        if (a)
--            *a = ret;
-     } else
-         ret = *a;
- 
-@@ -1067,10 +1065,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
-         }
-     }
- 
-+    if (a)
-+        *a = ret;
-     ok = 1;
-  err:
-     if (!ok) {
--        if (ret)
-+        if (ret && (a == NULL || *a != ret))
-             EC_KEY_free(ret);
-         ret = NULL;
-     }
--- 
-2.3.1
-
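
Review bot: this deletes a security backport without recording where the fix now comes from. The patch moves `*a = ret` in d2i_ECPrivateKey() to the success path and frees `ret` only when it is not the caller's object (`a == NULL || *a != ret`). Any ebuild left in the tree that predates upstream commit 1b4a8df38fc9 and no longer applies this file would again leave the caller holding a freed pointer on error. Suggest noting on bug 541502 that every remaining 1.0.2 version already contains that commit.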

diff --git a/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0288.patch b/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0288.patch
deleted file mode 100644
index a6a10b0..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0288.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-https://bugs.gentoo.org/542038
-
-From 28a00bcd8e318da18031b2ac8778c64147cd54f9 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Wed, 18 Feb 2015 00:34:59 +0000
-Subject: [PATCH] Check public key is not NULL.
-
-CVE-2015-0288
-PR#3708
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/x509/x509_req.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
-index bc6e566..01795f4 100644
---- a/crypto/x509/x509_req.c
-+++ b/crypto/x509/x509_req.c
-@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
-         goto err;
- 
-     pktmp = X509_get_pubkey(x);
-+    if (pktmp == NULL)
-+        goto err;
-     i = X509_REQ_set_pubkey(ret, pktmp);
-     EVP_PKEY_free(pktmp);
-     if (!i)
--- 
-2.3.1
-

diff --git a/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0291.patch b/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0291.patch
deleted file mode 100644
index 852d06e..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0291.patch
+++ /dev/null
@@ -1,459 +0,0 @@
---- openssl-1.0.2/crypto/asn1/a_type.c
-+++ openssl-1.0.2/crypto/asn1/a_type.c
-@@ -119,6 +119,9 @@
-     case V_ASN1_OBJECT:
-         result = OBJ_cmp(a->value.object, b->value.object);
-         break;
-+    case V_ASN1_BOOLEAN:
-+        result = a->value.boolean - b->value.boolean;
-+        break;
-     case V_ASN1_NULL:
-         result = 0;             /* They do not have content. */
-         break;
---- openssl-1.0.2/crypto/asn1/tasn_dec.c
-+++ openssl-1.0.2/crypto/asn1/tasn_dec.c
-@@ -140,11 +140,17 @@
- {
-     ASN1_TLC c;
-     ASN1_VALUE *ptmpval = NULL;
--    if (!pval)
--        pval = &ptmpval;
-     asn1_tlc_clear_nc(&c);
--    if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
--        return *pval;
-+    if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
-+        ptmpval = *pval;
-+    if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
-+        if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
-+            if (*pval)
-+                ASN1_item_free(*pval, it);
-+            *pval = ptmpval;
-+        }
-+        return ptmpval;
-+    }
-     return NULL;
- }
- 
-@@ -304,9 +310,16 @@
-     case ASN1_ITYPE_CHOICE:
-         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
-             goto auxerr;
--
--        /* Allocate structure */
--        if (!*pval && !ASN1_item_ex_new(pval, it)) {
-+        if (*pval) {
-+            /* Free up and zero CHOICE value if initialised */
-+            i = asn1_get_choice_selector(pval, it);
-+            if ((i >= 0) && (i < it->tcount)) {
-+                tt = it->templates + i;
-+                pchptr = asn1_get_field_ptr(pval, tt);
-+                ASN1_template_free(pchptr, tt);
-+                asn1_set_choice_selector(pval, -1, it);
-+            }
-+        } else if (!ASN1_item_ex_new(pval, it)) {
-             ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
-             goto err;
-         }
-@@ -386,6 +399,17 @@
-         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
-             goto auxerr;
- 
-+        /* Free up and zero any ADB found */
-+        for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
-+            if (tt->flags & ASN1_TFLG_ADB_MASK) {
-+                const ASN1_TEMPLATE *seqtt;
-+                ASN1_VALUE **pseqval;
-+                seqtt = asn1_do_adb(pval, tt, 1);
-+                pseqval = asn1_get_field_ptr(pval, seqtt);
-+                ASN1_template_free(pseqval, seqtt);
-+            }
-+        }
-+
-         /* Get each field entry */
-         for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
-             const ASN1_TEMPLATE *seqtt;
---- openssl-1.0.2/crypto/pkcs7/pk7_doit.c
-+++ openssl-1.0.2/crypto/pkcs7/pk7_doit.c
-@@ -261,6 +261,25 @@
-     PKCS7_RECIP_INFO *ri = NULL;
-     ASN1_OCTET_STRING *os = NULL;
- 
-+    if (p7 == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
-+        return NULL;
-+    }
-+    /*
-+     * The content field in the PKCS7 ContentInfo is optional, but that really
-+     * only applies to inner content (precisely, detached signatures).
-+     *
-+     * When reading content, missing outer content is therefore treated as an
-+     * error.
-+     *
-+     * When creating content, PKCS7_content_new() must be called before
-+     * calling this method, so a NULL p7->d is always an error.
-+     */
-+    if (p7->d.ptr == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
-+        return NULL;
-+    }
-+
-     i = OBJ_obj2nid(p7->type);
-     p7->state = PKCS7_S_HEADER;
- 
-@@ -411,6 +430,16 @@
-     unsigned char *ek = NULL, *tkey = NULL;
-     int eklen = 0, tkeylen = 0;
- 
-+    if (p7 == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
-+        return NULL;
-+    }
-+
-+    if (p7->d.ptr == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
-+        return NULL;
-+    }
-+
-     i = OBJ_obj2nid(p7->type);
-     p7->state = PKCS7_S_HEADER;
- 
-@@ -707,6 +736,16 @@
-     STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
-     ASN1_OCTET_STRING *os = NULL;
- 
-+    if (p7 == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
-+        return 0;
-+    }
-+
-+    if (p7->d.ptr == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
-+        return 0;
-+    }
-+
-     EVP_MD_CTX_init(&ctx_tmp);
-     i = OBJ_obj2nid(p7->type);
-     p7->state = PKCS7_S_HEADER;
-@@ -746,6 +785,7 @@
-         /* If detached data then the content is excluded */
-         if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
-             M_ASN1_OCTET_STRING_free(os);
-+            os = NULL;
-             p7->d.sign->contents->d.data = NULL;
-         }
-         break;
-@@ -755,6 +795,7 @@
-         /* If detached data then the content is excluded */
-         if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) {
-             M_ASN1_OCTET_STRING_free(os);
-+            os = NULL;
-             p7->d.digest->contents->d.data = NULL;
-         }
-         break;
-@@ -820,22 +861,30 @@
-         M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
-     }
- 
--    if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) {
--        char *cont;
--        long contlen;
--        btmp = BIO_find_type(bio, BIO_TYPE_MEM);
--        if (btmp == NULL) {
--            PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
--            goto err;
--        }
--        contlen = BIO_get_mem_data(btmp, &cont);
-+    if (!PKCS7_is_detached(p7)) {
-         /*
--         * Mark the BIO read only then we can use its copy of the data
--         * instead of making an extra copy.
-+         * NOTE(emilia): I think we only reach os == NULL here because detached
-+         * digested data support is broken.
-          */
--        BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
--        BIO_set_mem_eof_return(btmp, 0);
--        ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
-+        if (os == NULL)
-+            goto err;
-+        if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
-+            char *cont;
-+            long contlen;
-+            btmp = BIO_find_type(bio, BIO_TYPE_MEM);
-+            if (btmp == NULL) {
-+                PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-+                goto err;
-+            }
-+            contlen = BIO_get_mem_data(btmp, &cont);
-+            /*
-+             * Mark the BIO read only then we can use its copy of the data
-+             * instead of making an extra copy.
-+             */
-+            BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
-+            BIO_set_mem_eof_return(btmp, 0);
-+            ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
-+        }
-     }
-     ret = 1;
-  err:
-@@ -910,6 +959,16 @@
-     STACK_OF(X509) *cert;
-     X509 *x509;
- 
-+    if (p7 == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
-+        return 0;
-+    }
-+
-+    if (p7->d.ptr == NULL) {
-+        PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
-+        return 0;
-+    }
-+
-     if (PKCS7_type_is_signed(p7)) {
-         cert = p7->d.sign->cert;
-     } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
---- openssl-1.0.2/crypto/pkcs7/pk7_lib.c
-+++ openssl-1.0.2/crypto/pkcs7/pk7_lib.c
-@@ -70,6 +70,7 @@
-     nid = OBJ_obj2nid(p7->type);
- 
-     switch (cmd) {
-+    /* NOTE(emilia): does not support detached digested data. */
-     case PKCS7_OP_SET_DETACHED_SIGNATURE:
-         if (nid == NID_pkcs7_signed) {
-             ret = p7->detached = (int)larg;
-@@ -444,6 +445,8 @@
- 
- STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
- {
-+    if (p7 == NULL || p7->d.ptr == NULL)
-+        return NULL;
-     if (PKCS7_type_is_signed(p7)) {
-         return (p7->d.sign->signer_info);
-     } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
---- openssl-1.0.2/crypto/rsa/rsa_ameth.c
-+++ openssl-1.0.2/crypto/rsa/rsa_ameth.c
-@@ -698,9 +698,10 @@
-         RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
-         return -1;
-     }
--    if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey))
-+    if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
-         /* Carry on */
-         return 2;
-+    }
-     return -1;
- }
- 
---- openssl-1.0.2/doc/crypto/d2i_X509.pod
-+++ openssl-1.0.2/doc/crypto/d2i_X509.pod
-@@ -207,6 +207,12 @@
- persist if they are not present in the new one. As a result the use
- of this "reuse" behaviour is strongly discouraged.
- 
-+Current versions of OpenSSL will not modify B<*px> if an error occurs.
-+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
-+set to the value of the newly decoded structure. As a result B<*px>
-+B<must not> be allocated on the stack or an attempt will be made to
-+free an invalid pointer.
-+
- i2d_X509() will not return an error in many versions of OpenSSL,
- if mandatory fields are not initialized due to a programming error
- then the encoded structure may contain invalid data or omit the
-@@ -233,7 +239,9 @@
- 
- d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
- or B<NULL> if an error occurs. The error code that can be obtained by
--L<ERR_get_error(3)|ERR_get_error(3)>. 
-+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
-+with a valid X509 structure being passed in via B<px> then the object is not
-+modified in the event of error.
- 
- i2d_X509() returns the number of bytes successfully encoded or a negative
- value if an error occurs. The error code can be obtained by
---- openssl-1.0.2/ssl/d1_lib.c
-+++ openssl-1.0.2/ssl/d1_lib.c
-@@ -543,6 +543,9 @@
- {
-     int ret;
- 
-+    /* Ensure there is no state left over from a previous invocation */
-+    SSL_clear(s);
-+
-     SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
-     s->d1->listen = 1;
- 
---- openssl-1.0.2/ssl/s2_lib.c
-+++ openssl-1.0.2/ssl/s2_lib.c
-@@ -493,7 +493,7 @@
- 
-         OPENSSL_assert(s->session->master_key_length >= 0
-                        && s->session->master_key_length
--                       < (int)sizeof(s->session->master_key));
-+                       <= (int)sizeof(s->session->master_key));
-         EVP_DigestUpdate(&ctx, s->session->master_key,
-                          s->session->master_key_length);
-         EVP_DigestUpdate(&ctx, &c, 1);
---- openssl-1.0.2/ssl/s2_srvr.c
-+++ openssl-1.0.2/ssl/s2_srvr.c
-@@ -454,11 +454,6 @@
-         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY);
-         return (-1);
-     }
--    i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
--                                &(p[s->s2->tmp.clear]),
--                                &(p[s->s2->tmp.clear]),
--                                (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
--                                RSA_PKCS1_PADDING);
- 
-     is_export = SSL_C_IS_EXPORT(s->session->cipher);
- 
-@@ -475,23 +470,61 @@
-     } else
-         ek = 5;
- 
-+    /*
-+     * The format of the CLIENT-MASTER-KEY message is
-+     * 1 byte message type
-+     * 3 bytes cipher
-+     * 2-byte clear key length (stored in s->s2->tmp.clear)
-+     * 2-byte encrypted key length (stored in s->s2->tmp.enc)
-+     * 2-byte key args length (IV etc)
-+     * clear key
-+     * encrypted key
-+     * key args
-+     *
-+     * If the cipher is an export cipher, then the encrypted key bytes
-+     * are a fixed portion of the total key (5 or 8 bytes). The size of
-+     * this portion is in |ek|. If the cipher is not an export cipher,
-+     * then the entire key material is encrypted (i.e., clear key length
-+     * must be zero).
-+     */
-+    if ((!is_export && s->s2->tmp.clear != 0) ||
-+        (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
-+        ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-+        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
-+        return -1;
-+    }
-+    /*
-+     * The encrypted blob must decrypt to the encrypted portion of the key.
-+     * Decryption can't be expanding, so if we don't have enough encrypted
-+     * bytes to fit the key in the buffer, stop now.
-+     */
-+    if ((is_export && s->s2->tmp.enc < ek) ||
-+        (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
-+        ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-+        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
-+        return -1;
-+    }
-+
-+    i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
-+                                &(p[s->s2->tmp.clear]),
-+                                &(p[s->s2->tmp.clear]),
-+                                (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
-+                                RSA_PKCS1_PADDING);
-+
-     /* bad decrypt */
- # if 1
-     /*
-      * If a bad decrypt, continue with protocol but with a random master
-      * secret (Bleichenbacher attack)
-      */
--    if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c)))
--                    || (is_export && ((i != ek)
--                                      || (s->s2->tmp.clear +
--                                          (unsigned int)i != (unsigned int)
--                                          EVP_CIPHER_key_length(c)))))) {
-+    if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
-+                    || (is_export && i != ek))) {
-         ERR_clear_error();
-         if (is_export)
-             i = ek;
-         else
-             i = EVP_CIPHER_key_length(c);
--        if (RAND_pseudo_bytes(p, i) <= 0)
-+        if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
-             return 0;
-     }
- # else
-@@ -513,7 +546,7 @@
- # endif
- 
-     if (is_export)
--        i += s->s2->tmp.clear;
-+        i = EVP_CIPHER_key_length(c);
- 
-     if (i > SSL_MAX_MASTER_KEY_LENGTH) {
-         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
---- openssl-1.0.2/ssl/s3_pkt.c
-+++ openssl-1.0.2/ssl/s3_pkt.c
-@@ -780,7 +780,7 @@
- 
-             i = ssl3_write_pending(s, type, &buf[tot], nw);
-             if (i <= 0) {
--                if (i < 0) {
-+                if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) {
-                     OPENSSL_free(wb->buf);
-                     wb->buf = NULL;
-                 }
---- openssl-1.0.2/ssl/s3_srvr.c
-+++ openssl-1.0.2/ssl/s3_srvr.c
-@@ -2251,10 +2251,17 @@
-     if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) {
-         int idx = -1;
-         EVP_PKEY *skey = NULL;
--        if (n)
-+        if (n) {
-             n2s(p, i);
--        else
-+        } else {
-+            if (alg_k & SSL_kDHE) {
-+                al = SSL_AD_HANDSHAKE_FAILURE;
-+                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-+                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
-+                goto f_err;
-+            }
-             i = 0;
-+        }
-         if (n && n != i + 2) {
-             if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
-                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
---- openssl-1.0.2/ssl/t1_lib.c
-+++ openssl-1.0.2/ssl/t1_lib.c
-@@ -2965,6 +2965,7 @@
-     if (s->cert->shared_sigalgs) {
-         OPENSSL_free(s->cert->shared_sigalgs);
-         s->cert->shared_sigalgs = NULL;
-+        s->cert->shared_sigalgslen = 0;
-     }
-     /* Clear certificate digests and validity flags */
-     for (i = 0; i < SSL_PKEY_NUM; i++) {
-@@ -3618,6 +3619,7 @@
-     if (c->shared_sigalgs) {
-         OPENSSL_free(c->shared_sigalgs);
-         c->shared_sigalgs = NULL;
-+        c->shared_sigalgslen = 0;
-     }
-     /* If client use client signature algorithms if not NULL */
-     if (!s->server && c->client_sigalgs && !is_suiteb) {
-@@ -3640,12 +3642,14 @@
-         preflen = c->peer_sigalgslen;
-     }
-     nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
--    if (!nmatch)
--        return 1;
--    salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
--    if (!salgs)
--        return 0;
--    nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
-+    if (nmatch) {
-+        salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
-+        if (!salgs)
-+            return 0;
-+        nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
-+    } else {
-+        salgs = NULL;
-+    }
-     c->shared_sigalgs = salgs;
-     c->shared_sigalgslen = nmatch;
-     return 1;
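
Review bot: unlike the CVE-2015-0209 and CVE-2015-0288 patches removed above, this file carries no bug URL, upstream commit id or author header, and despite its single-CVE name it changes eleven C files plus doc/crypto/d2i_X509.pod (the `*pval` reuse handling in tasn_dec.c, the PKCS7 NULL checks, the CLIENT-MASTER-KEY length checks in s2_srvr.c, the zero-length DHE check in s3_srvr.c, the `shared_sigalgslen` resets in t1_lib.c). That makes it hard to confirm from the deletion alone that each of these fixes is present in the versions being kept. Suggest recording the upstream release that supersedes the whole bundle.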

diff --git a/dev-libs/openssl/files/openssl-1.0.2-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2-parallel-build.patch
deleted file mode 100644
index 31d3f1d..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2-parallel-build.patch
+++ /dev/null
@@ -1,354 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=2084&user=guest&pass=guest
-
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -247,17 +247,17 @@
- build_libs: build_crypto build_ssl build_engines
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
--build_ssl:
-+build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
--build_engines:
-+build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
--build_apps:
-+build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
--build_tests:
-+build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
--build_tools:
-+build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -497,9 +497,9 @@
- dist_pem_h:
- 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
- 
--install: all install_docs install_sw
-+install: install_docs install_sw
- 
--install_sw:
-+install_dirs:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -508,6 +508,13 @@
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+	@$(PERL) $(TOP)/util/mkdir-p.pl \
-+		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-+		$(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
- 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- 	do \
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-@@ -511,7 +511,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- 	do \
- 		if [ -f "$$i" ]; then \
-@@ -593,12 +600,7 @@
- 		done; \
- 	done
- 
--install_docs:
--	@$(PERL) $(TOP)/util/mkdir-p.pl \
--		$(INSTALL_PREFIX)$(MANDIR)/man1 \
--		$(INSTALL_PREFIX)$(MANDIR)/man3 \
--		$(INSTALL_PREFIX)$(MANDIR)/man5 \
--		$(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
- 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
- 	here="`pwd`"; \
- 	filecase=; \
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -105,6 +105,7 @@ LINK_SO=	\
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
-     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
- 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +124,7 @@ SYMLINK_SO=	\
- 			done; \
- 		fi; \
- 		if [ -n "$$SHLIB_SOVER" ]; then \
-+			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- 		fi; \
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -85,11 +85,11 @@
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	$(RANLIB) $(LIB) || echo Never mind.
- 
-@@ -110,7 +110,7 @@
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -119,7 +119,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -72,7 +72,7 @@
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -123,7 +123,7 @@
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -365,109 +365,109 @@
- 		link_app.$${shlib_target}
- 
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
--	@target=$(RSATEST); $(BUILD_CMD)
-+	+@target=$(RSATEST); $(BUILD_CMD)
- 
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
--	@target=$(BNTEST); $(BUILD_CMD)
-+	+@target=$(BNTEST); $(BUILD_CMD)
- 
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
--	@target=$(ECTEST); $(BUILD_CMD)
-+	+@target=$(ECTEST); $(BUILD_CMD)
- 
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
--	@target=$(EXPTEST); $(BUILD_CMD)
-+	+@target=$(EXPTEST); $(BUILD_CMD)
- 
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
--	@target=$(IDEATEST); $(BUILD_CMD)
-+	+@target=$(IDEATEST); $(BUILD_CMD)
- 
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
--	@target=$(MD2TEST); $(BUILD_CMD)
-+	+@target=$(MD2TEST); $(BUILD_CMD)
- 
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
--	@target=$(SHATEST); $(BUILD_CMD)
-+	+@target=$(SHATEST); $(BUILD_CMD)
- 
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
--	@target=$(SHA1TEST); $(BUILD_CMD)
-+	+@target=$(SHA1TEST); $(BUILD_CMD)
- 
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
--	@target=$(SHA256TEST); $(BUILD_CMD)
-+	+@target=$(SHA256TEST); $(BUILD_CMD)
- 
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
--	@target=$(SHA512TEST); $(BUILD_CMD)
-+	+@target=$(SHA512TEST); $(BUILD_CMD)
- 
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
--	@target=$(RMDTEST); $(BUILD_CMD)
-+	+@target=$(RMDTEST); $(BUILD_CMD)
- 
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
--	@target=$(MDC2TEST); $(BUILD_CMD)
-+	+@target=$(MDC2TEST); $(BUILD_CMD)
- 
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
--	@target=$(MD4TEST); $(BUILD_CMD)
-+	+@target=$(MD4TEST); $(BUILD_CMD)
- 
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
--	@target=$(MD5TEST); $(BUILD_CMD)
-+	+@target=$(MD5TEST); $(BUILD_CMD)
- 
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
--	@target=$(HMACTEST); $(BUILD_CMD)
-+	+@target=$(HMACTEST); $(BUILD_CMD)
- 
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
--	@target=$(WPTEST); $(BUILD_CMD)
-+	+@target=$(WPTEST); $(BUILD_CMD)
- 
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
--	@target=$(RC2TEST); $(BUILD_CMD)
-+	+@target=$(RC2TEST); $(BUILD_CMD)
- 
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
--	@target=$(BFTEST); $(BUILD_CMD)
-+	+@target=$(BFTEST); $(BUILD_CMD)
- 
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
--	@target=$(CASTTEST); $(BUILD_CMD)
-+	+@target=$(CASTTEST); $(BUILD_CMD)
- 
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
--	@target=$(RC4TEST); $(BUILD_CMD)
-+	+@target=$(RC4TEST); $(BUILD_CMD)
- 
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
--	@target=$(RC5TEST); $(BUILD_CMD)
-+	+@target=$(RC5TEST); $(BUILD_CMD)
- 
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
--	@target=$(DESTEST); $(BUILD_CMD)
-+	+@target=$(DESTEST); $(BUILD_CMD)
- 
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
--	@target=$(RANDTEST); $(BUILD_CMD)
-+	+@target=$(RANDTEST); $(BUILD_CMD)
- 
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
--	@target=$(DHTEST); $(BUILD_CMD)
-+	+@target=$(DHTEST); $(BUILD_CMD)
- 
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
--	@target=$(DSATEST); $(BUILD_CMD)
-+	+@target=$(DSATEST); $(BUILD_CMD)
- 
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
--	@target=$(METHTEST); $(BUILD_CMD)
-+	+@target=$(METHTEST); $(BUILD_CMD)
- 
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
--	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
- 
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
--	@target=$(ENGINETEST); $(BUILD_CMD)
-+	+@target=$(ENGINETEST); $(BUILD_CMD)
- 
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
--	@target=$(EVPTEST); $(BUILD_CMD)
-+	+@target=$(EVPTEST); $(BUILD_CMD)
- 
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
--	@target=$(ECDSATEST); $(BUILD_CMD)
-+	+@target=$(ECDSATEST); $(BUILD_CMD)
- 
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
--	@target=$(ECDHTEST); $(BUILD_CMD)
-+	+@target=$(ECDHTEST); $(BUILD_CMD)
- 
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
--	@target=$(IGETEST); $(BUILD_CMD)
-+	+@target=$(IGETEST); $(BUILD_CMD)
- 
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
--	@target=$(JPAKETEST); $(BUILD_CMD)
-+	+@target=$(JPAKETEST); $(BUILD_CMD)
- 
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
--	@target=$(ASN1TEST); $(BUILD_CMD)
-+	+@target=$(ASN1TEST); $(BUILD_CMD)
- 
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
--	@target=$(SRPTEST); $(BUILD_CMD)
-+	+@target=$(SRPTEST); $(BUILD_CMD)
- 
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -480,7 +480,7 @@
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 
---- a/crypto/objects/Makefile
-+++ b/crypto/objects/Makefile
-@@ -44,11 +44,11 @@ obj_dat.h: obj_dat.pl obj_mac.h
- # objects.pl both reads and writes obj_mac.num
- obj_mac.h: objects.pl objects.txt obj_mac.num
- 	$(PERL) objects.pl objects.txt obj_mac.num obj_mac.h
--	@sleep 1; touch obj_mac.h; sleep 1
- 
--obj_xref.h: objxref.pl obj_xref.txt obj_mac.num
-+# This doesn't really need obj_mac.h, but since that rule reads & writes
-+# obj_mac.num, we can't run in parallel with it.
-+obj_xref.h: objxref.pl obj_xref.txt obj_mac.num obj_mac.h
- 	$(PERL) objxref.pl obj_mac.num obj_xref.txt > obj_xref.h
--	@sleep 1; touch obj_xref.h; sleep 1
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
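
Review bot: the only provenance in this file is the RT ticket 2084 link, so the deletion does not show whether the parallel-make fixes were accepted upstream or are still Gentoo-only. If a retained 1.0.2 ebuild no longer applies an equivalent patch, the ordering added here (`build_ssl: build_crypto`, `$(LIB): $(LIBOBJ) | subdirs`, `obj_xref.h` depending on `obj_mac.h`) is lost and the `make -j` races it addressed can return. Suggest confirming that the kept ebuilds still reference a newer parallel-build patch before dropping this one.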

diff --git a/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild b/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild
deleted file mode 100644
index 12eb16d..0000000
--- a/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild
+++ /dev/null
@@ -1,161 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-PLEVEL=$(echo "${PV##*_p}" | tr '[1-9]' '[a-i]')
-MY_PV=${PV/_p*/${PLEVEL}}
-MY_P=${PN}-${MY_PV}
-S="${WORKDIR}/${MY_P}"
-DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0.9.8"
-KEYWORDS="alpha amd64 arm ~hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r4
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!=dev-libs/openssl-0.9.8*:0"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	test? ( sys-devel/bc )"
-
-# Do not install any docs
-DOCS=()
-
-src_prepare() {
-	epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
-	epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
-	epatch "${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
-	epatch "${FILESDIR}"/${PN}-0.9.8ze-CVE-2015-0286.patch #543552
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
-		Makefile{,.org} \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-	# update the enginedir path.
-	# punt broken config we don't care about as it fails sanity check.
-	sed -i \
-		-e '/^"debug-ben-debug-64"/d' \
-		-e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
-		Configure || die
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags -Wa,--noexecstack
-
-	sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
-	sed -i '/^"debug-bodo/d' Configure # 0.9.8za shipped broken
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-
-	tc-export CC AR RANLIB
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl zlib) \
-		--prefix=/usr \
-		--openssldir=/etc/ssl \
-		shared threads \
-		|| die "Configure failed"
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^LIBDIR=/s|=.*|=$(get_libdir)|" \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts
-	emake -j1 depend
-	emake -j1 build_libs
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	dolib.so lib{crypto,ssl}.so.0.9.8
-}
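
Review bot: The `epatch "${FILESDIR}"/${PN}-0.9.8ze-CVE-2015-0286.patch #543552` line in src_prepare makes this the SLOT 0.9.8 revision that carries the CVE-2015-0286 backport, yet the commit message says only "delete old". Please name in the message the :0.9.8 version that stays in the tree and state that it contains the fix for bug 543552, so the removal of this ebuild together with the patch file listed in the diffstat can be audited later from the log alone.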

diff --git a/dev-libs/openssl/openssl-0.9.8z_p6.ebuild b/dev-libs/openssl/openssl-0.9.8z_p6.ebuild
deleted file mode 100644
index b2d9ea9..0000000
--- a/dev-libs/openssl/openssl-0.9.8z_p6.ebuild
+++ /dev/null
@@ -1,160 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-PLEVEL=$(echo "${PV##*_p}" | tr '[1-9]' '[a-i]')
-MY_PV=${PV/_p*/${PLEVEL}}
-MY_P=${PN}-${MY_PV}
-S="${WORKDIR}/${MY_P}"
-DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0.9.8"
-KEYWORDS="alpha amd64 arm ~hppa ~ia64 ~m68k ~mips ppc ~ppc64 ~s390 ~sh ~sparc x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r4
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!=dev-libs/openssl-0.9.8*:0"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	test? ( sys-devel/bc )"
-
-# Do not install any docs
-DOCS=()
-
-src_prepare() {
-	epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
-	epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
-	epatch "${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
-		Makefile{,.org} \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-	# update the enginedir path.
-	# punt broken config we don't care about as it fails sanity check.
-	sed -i \
-		-e '/^"debug-ben-debug-64"/d' \
-		-e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
-		Configure || die
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags -Wa,--noexecstack
-
-	sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
-	sed -i '/^"debug-bodo/d' Configure # 0.9.8za shipped broken
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-
-	tc-export CC AR RANLIB
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl zlib) \
-		--prefix=/usr \
-		--openssldir=/etc/ssl \
-		shared threads \
-		|| die "Configure failed"
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^LIBDIR=/s|=.*|=$(get_libdir)|" \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts
-	emake -j1 depend
-	emake -j1 build_libs
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	dolib.so lib{crypto,ssl}.so.0.9.8
-}
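
Review bot: KEYWORDS in this ebuild marks ia64, ppc64, s390, sh and sparc as ~arch, while the 0.9.8z_p5-r1 ebuild deleted just above has all five stable, so once both are gone stable users on those arches depend entirely on whichever :0.9.8 version remains. Check that the surviving ebuild is stable on each of them before this lands; if it is not, keep the newest stable revision for those arches until stabilisation is done.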

diff --git a/dev-libs/openssl/openssl-1.0.0r.ebuild b/dev-libs/openssl/openssl-1.0.0r.ebuild
deleted file mode 100644
index e719253..0000000
--- a/dev-libs/openssl/openssl-1.0.0r.ebuild
+++ /dev/null
@@ -1,214 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib
-
-REV="1.7"
-DESCRIPTION="full-strength general purpose cryptography library (including SSL v2/v3 and TLS v1)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# Have the sub-libs in RDEPEND with [static-libs] since, logically,
-# our libssl.a depends on libz.a/etc... at runtime.
-LIB_DEPEND="gmp? ( dev-libs/gmp[static-libs(+)] )
-	zlib? ( sys-libs/zlib[static-libs(+)] )
-	kerberos? ( app-crypt/mit-krb5 )"
-RDEPEND="static-libs? ( ${LIB_DEPEND} )
-	!static-libs? ( ${LIB_DEPEND//\[static-libs(+)]} )"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-src_unpack() {
-	unpack ${P}.tar.gz
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${SSL_CNF_DIR}:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-}
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-	#epatch "${FILESDIR}"/${PN}-1.0.0d-fbsd-amd64.patch #363089
-	epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-	epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
-	epatch "${FILESDIR}"/${PN}-1.0.0e-parallel-build.patch
-	epatch "${FILESDIR}"/${PN}-1.0.0r-x32.patch
-	epatch_user #332661
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.0 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
-	./config --test-sanity || die "I AM NOT SANE"
-}
-
-src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl zlib) \
-		--prefix=/usr \
-		--openssldir=${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend || die
-	emake all || die
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash || die
-}
-
-src_test() {
-	emake -j1 test || die
-}
-
-src_install() {
-	emake INSTALL_PREFIX="${D}" install || die
-	dobin "${WORKDIR}"/c_rehash || die #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${D}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${D}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${D}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${D}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${D}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${ROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${ROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
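
Review bot: src_prepare pulls three FILESDIR files that only this ebuild uses among the ones shown (`gentoo.config-1.0.0`, `1.0.0e-parallel-build.patch`, `1.0.0r-x32.patch`) and three patches that the 1.0.1 ebuilds below apply as well (`1.0.0a-ldflags`, `1.0.0d-windres`, `1.0.0h-pkg-config`). The diffstat removes only the first group, which matches what is visible here, but a reference missed in an ebuild that stays in the tree only shows up when `epatch` or `cp ... || die` fails at build time, so grep the remaining ebuilds for every deleted file name before pushing.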

diff --git a/dev-libs/openssl/openssl-1.0.1l-r1.ebuild b/dev-libs/openssl/openssl-1.0.1l-r1.ebuild
deleted file mode 100644
index 8f063dc..0000000
--- a/dev-libs/openssl/openssl-1.0.1l-r1.ebuild
+++ /dev/null
@@ -1,260 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140406-r3
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-src_unpack() {
-	unpack ${P}.tar.gz
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-}
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1h-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1e-s_client-verify.patch #472584
-		epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
-		epatch "${FILESDIR}"/${PN}-1.0.1l-CVE-2015-0286.patch #543552
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
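
Review bot: This is the only 1.0.1 ebuild shown with `sparc` stable in KEYWORDS (1.0.1m below has `~sparc`), and its `epatch "${FILESDIR}"/${PN}-1.0.1l-CVE-2015-0286.patch #543552` line is what gives that arch the CVE-2015-0286 fix. Confirm that a newer SLOT 0 version is stable on sparc before removing it; otherwise the cleanup leaves stable sparc users with no stable openssl in SLOT 0.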

diff --git a/dev-libs/openssl/openssl-1.0.1m.ebuild b/dev-libs/openssl/openssl-1.0.1m.ebuild
deleted file mode 100644
index 7f30b56..0000000
--- a/dev-libs/openssl/openssl-1.0.1m.ebuild
+++ /dev/null
@@ -1,259 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140406-r3
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-src_unpack() {
-	unpack ${P}.tar.gz
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-}
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-x32.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-s_client-verify.patch #472584
-		epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
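
Review bot: pkg_preinst and pkg_postinst at the end of this removed ebuild call preserve_old_lib and preserve_old_lib_notify for lib{crypto,ssl}.so.0.9.8 whenever the :0.9.8 slot is not installed. Before dropping the file, confirm that every ebuild left in the tree still carries the same pair; otherwise a direct upgrade from a 0.9.8 system loses the old sonames before its reverse dependencies are rebuilt.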

diff --git a/dev-libs/openssl/openssl-1.0.1n.ebuild b/dev-libs/openssl/openssl-1.0.1n.ebuild
deleted file mode 100644
index 0b33ee9..0000000
--- a/dev-libs/openssl/openssl-1.0.1n.ebuild
+++ /dev/null
@@ -1,258 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140406-r3
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-src_unpack() {
-	unpack ${P}.tar.gz
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-}
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-x32.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
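
Review bot: The SRC_URI in this removed ebuild fetches ${PN}-c_rehash.sh.${REV} with REV="1.7", a distfile name that does not depend on the package version, so the Manifest cleanup that goes with this removal should drop only the ${P}.tar.gz entry and keep the c_rehash DIST line for as long as any remaining ebuild uses the same REV. That script is fetched over plain http:// from cvs.pld-linux.org, which leaves the Manifest hash as the only integrity check on it, so the entry must not be lost and regenerated from a fresh download.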

diff --git a/dev-libs/openssl/openssl-1.0.1o.ebuild b/dev-libs/openssl/openssl-1.0.1o.ebuild
deleted file mode 100644
index f6c6c16..0000000
--- a/dev-libs/openssl/openssl-1.0.1o.ebuild
+++ /dev/null
@@ -1,258 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140406-r3
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-src_unpack() {
-	unpack ${P}.tar.gz
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-}
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-x32.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1m-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
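
Review bot: KEYWORDS in this removed ebuild is stable on most arches (alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86), unlike openssl-1.0.1n.ebuild above, which is ~arch only. Confirm that a newer ebuild in SLOT="0" is already stable on each of those arches before deleting this one, and name the superseding version in the commit message so that stable users are not left without an installable candidate.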

diff --git a/dev-libs/openssl/openssl-1.0.2-r3.ebuild b/dev-libs/openssl/openssl-1.0.2-r3.ebuild
deleted file mode 100644
index 231155d..0000000
--- a/dev-libs/openssl/openssl-1.0.2-r3.ebuild
+++ /dev/null
@@ -1,263 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	epatch "${FILESDIR}"/${P}-CVE-2015-0209.patch #541502
-	epatch "${FILESDIR}"/${P}-CVE-2015-0288.patch #542038
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2-s_client-verify.patch #472584
-		epatch "${FILESDIR}"/${PN}-1.0.2-CVE-2015-0291.patch
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use sctp && echo "sctp") \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
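
Review bot: In src_prepare the ${PN}-1.0.2-CVE-2015-0291.patch line sits inside the "if ! use vanilla" block, while ${P}-CVE-2015-0209.patch and ${P}-CVE-2015-0288.patch are applied before it unconditionally, so a USE=vanilla build of this revision did not receive the 0291 fix. Since the file is being deleted, the thing to check is that the ebuild replacing it does not inherit the same placement: security patches belong outside the vanilla conditional, next to the other two epatch calls.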



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2015-09-20 18:13 Mike Frysinger
  0 siblings, 0 replies; 52+ messages in thread
From: Mike Frysinger @ 2015-09-20 18:13 UTC (permalink / raw
  To: gentoo-commits

commit:     7b2ffc3b84bc53e596a2517aae8c061f2e99fd22
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 18:11:11 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 18:12:21 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b2ffc3b

dev-libs/openssl: fix config script for a few targets #560812

We were missing trailing globs for aarch64/be and ppc/le to match the
ABI value.  This also updates the ppc64le target to use the new config
value that is available with the 1.0.2 series.

 dev-libs/openssl/files/gentoo.config-1.0.2 | 165 +++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-1.0.2d.ebuild     |   2 +-
 2 files changed, 166 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
new file mode 100755
index 0000000..b3f6ced
--- /dev/null
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -0,0 +1,165 @@
+#!/usr/bin/env bash
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+#
+# Openssl doesn't play along nicely with cross-compiling
+# like autotools based projects, so let's teach it new tricks.
+#
+# Review the bundled 'config' script to see why kind of targets
+# we can pass to the 'Configure' script.
+
+
+# Testing routines
+if [[ $1 == "test" ]] ; then
+	for c in \
+		"arm-gentoo-linux-uclibc      |linux-generic32 -DL_ENDIAN" \
+		"armv5b-linux-gnu             |linux-armv4 -DB_ENDIAN" \
+		"x86_64-pc-linux-gnu          |linux-x86_64" \
+		"alpha-linux-gnu              |linux-alpha-gcc" \
+		"alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
+		"i686-pc-linux-gnu            |linux-elf" \
+		"whatever-gentoo-freebsdX.Y   |BSD-generic32" \
+		"i686-gentoo-freebsdX.Y       |BSD-x86-elf" \
+		"sparc64-alpha-freebsdX.Y     |BSD-sparc64" \
+		"ia64-gentoo-freebsd5.99234   |BSD-ia64" \
+		"x86_64-gentoo-freebsdX.Y     |BSD-x86_64" \
+		"hppa64-aldsF-linux-gnu5.3    |linux-generic32 -DB_ENDIAN" \
+		"powerpc-gentOO-linux-uclibc  |linux-ppc" \
+		"powerpc64-unk-linux-gnu      |linux-ppc64" \
+		"powerpc64le-linux-gnu        |linux-ppc64le" \
+		"x86_64-apple-darwinX         |darwin64-x86_64-cc" \
+		"powerpc64-apple-darwinX      |darwin64-ppc-cc" \
+		"i686-apple-darwinX           |darwin-i386-cc" \
+		"i386-apple-darwinX           |darwin-i386-cc" \
+		"powerpc-apple-darwinX        |darwin-ppc-cc" \
+		"i586-pc-winnt                |winnt-parity" \
+		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
+		"s390x-linux-gnu              |linux64-s390x" \
+	;do
+		CHOST=${c/|*}
+		ret_want=${c/*|}
+		ret_got=$(CHOST=${CHOST} "$0")
+
+		if [[ ${ret_want} == "${ret_got}" ]] ; then
+			echo "PASS: ${CHOST}"
+		else
+			echo "FAIL: ${CHOST}"
+			echo -e "\twanted: ${ret_want}"
+			echo -e "\twe got: ${ret_got}"
+		fi
+	done
+	exit 0
+fi
+[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
+
+
+# Detect the operating system
+case ${CHOST} in
+	*-aix*)          system="aix";;
+	*-darwin*)       system="darwin";;
+	*-freebsd*)      system="BSD";;
+	*-hpux*)         system="hpux";;
+	*-linux*)        system="linux";;
+	*-solaris*)      system="solaris";;
+	*-winnt*)        system="winnt";;
+	x86_64-*-mingw*) system="mingw64";;
+	*mingw*)         system="mingw";;
+	*)               exit 0;;
+esac
+
+
+# Compiler munging
+compiler="gcc"
+if [[ ${CC} == "ccc" ]] ; then
+	compiler=${CC}
+fi
+
+
+# Detect target arch
+machine=""
+chost_machine=${CHOST%%-*}
+case ${system} in
+linux)
+	case ${chost_machine}:${ABI} in
+		aarch64*be*)  machine="generic64 -DB_ENDIAN";;
+		aarch64*)     machine="generic64 -DL_ENDIAN";;
+		alphaev56*|\
+		alphaev[678]*)machine=alpha+bwx-${compiler};;
+		alpha*)       machine=alpha-${compiler};;
+		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
+		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
+		arm*b*)       machine="generic32 -DB_ENDIAN";;
+		arm*)         machine="generic32 -DL_ENDIAN";;
+		avr*)         machine="generic32 -DL_ENDIAN";;
+		bfin*)        machine="generic32 -DL_ENDIAN";;
+	#	hppa64*)      machine=parisc64;;
+		hppa*)        machine="generic32 -DB_ENDIAN";;
+		i[0-9]86*|\
+		x86_64*:x86)  machine=elf;;
+		ia64*)        machine=ia64;;
+		m68*)         machine="generic32 -DB_ENDIAN";;
+		mips*el*)     machine="generic32 -DL_ENDIAN";;
+		mips*)        machine="generic32 -DB_ENDIAN";;
+		powerpc64*le*)machine=ppc64le;;
+		powerpc64*)   machine=ppc64;;
+		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
+		powerpc*)     machine=ppc;;
+	#	sh64*)        machine=elf;;
+		sh*b*)        machine="generic32 -DB_ENDIAN";;
+		sh*)          machine="generic32 -DL_ENDIAN";;
+		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
+		sparc64*)     machine=sparcv9;;
+		sparc*)       machine=sparcv8;;
+		s390x*)       machine=s390x system=linux64;;
+		s390*)        machine="generic32 -DB_ENDIAN";;
+		x86_64*:x32)  machine=x32;;
+		x86_64*)      machine=x86_64;;
+	esac
+	;;
+BSD)
+	case ${chost_machine} in
+		alpha*)       machine=generic64;;
+		i[6-9]86*)    machine=x86-elf;;
+		ia64*)        machine=ia64;;
+		sparc64*)     machine=sparc64;;
+		x86_64*)      machine=x86_64;;
+		*)            machine=generic32;;
+	esac
+	;;
+aix)
+	machine=${compiler}
+	;;
+darwin)
+	case ${chost_machine} in
+		powerpc64)    machine=ppc-cc; system=${system}64;;
+		powerpc)      machine=ppc-cc;;
+		i?86*)        machine=i386-cc;;
+		x86_64)       machine=x86_64-cc; system=${system}64;;
+	esac
+	;;
+hpux)
+	case ${chost_machine} in
+		ia64)	machine=ia64-${compiler} ;;
+	esac
+	;;
+solaris)
+	case ${chost_machine} in
+		i386)         machine=x86-${compiler} ;;
+		x86_64*)      machine=x86_64-${compiler}; system=${system}64;;
+		sparcv9*)     machine=sparcv9-${compiler}; system=${system}64;;
+		sparc*)       machine=sparcv8-${compiler};;
+	esac
+	;;
+winnt)
+	machine=parity
+	;;
+mingw*)
+	# special case ... no xxx-yyy style name
+	echo ${system}
+	;;
+esac
+
+
+# If we have something, show it
+[[ -n ${machine} ]] && echo ${system}-${machine}
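
Review bot: The self-test loop at the top of this file does not control ABI and always ends in `exit 0`, so it cannot catch the kind of mismatch this commit fixes. The linux branch matches on `${chost_machine}:${ABI}`, but the loop runs `CHOST=${CHOST} "$0"` with whatever ABI the caller's environment holds, and the table has no aarch64 entry and no 32-bit little-endian powerpc entry. Suggest adding an ABI value per table row and exporting it for each run, adding rows for the targets named in the commit message, and exiting non-zero when any row prints FAIL. Separately, patterns such as `arm*b*` and `sh*b*` are not anchored before the colon, so a `b` anywhere in the ABI half of the string also selects -DB_ENDIAN; matching the machine part only up to `:` would make the endianness choice depend on the CHOST alone.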

diff --git a/dev-libs/openssl/openssl-1.0.2d.ebuild b/dev-libs/openssl/openssl-1.0.2d.ebuild
index 8947be6..461e714 100644
--- a/dev-libs/openssl/openssl-1.0.2d.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2d.ebuild
@@ -96,7 +96,7 @@ src_prepare() {
 	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
 
 	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
 	chmod a+rx gentoo.config
 
 	append-flags -fno-strict-aliasing
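
Review bot: Only openssl-1.0.2d.ebuild is switched to gentoo.config-1.0.2 in this hunk, and the diffstat shows no other ebuild changing, so any ebuild that still copies gentoo.config-1.0.1 keeps the patterns the message describes as missing their trailing globs. If the aarch64 and ppc fixes are meant for those ebuilds too, update them in the same commit, or state in the message why gentoo.config-1.0.1 is left as is. The `chmod a+rx gentoo.config` on the next context line also has no `|| die`, unlike the `cp` above it.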



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-01-29  6:59 Lars Wendler
From: Lars Wendler @ 2016-01-29  6:59 UTC
  To: gentoo-commits

commit:     a4af1cd3c4fb7b99b468903efbdc652e2a5bf9c2
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Jan 29 06:58:41 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Jan 29 06:59:01 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4af1cd3

dev-libs/openssl: Removed old.

Package-Manager: portage-2.2.27
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   4 -
 .../files/openssl-1.0.2-s_client-verify.patch      |  17 --
 .../openssl/files/openssl-1.0.2a-malloc-typo.patch |  38 ---
 .../files/openssl-1.0.2a-parallel-build.patch      | 314 ---------------------
 .../files/openssl-1.0.2d-parallel-build.patch      | 309 --------------------
 dev-libs/openssl/openssl-1.0.2a.ebuild             | 266 -----------------
 dev-libs/openssl/openssl-1.0.2b.ebuild             | 264 -----------------
 dev-libs/openssl/openssl-1.0.2c.ebuild             | 264 -----------------
 dev-libs/openssl/openssl-1.0.2d-r2.ebuild          | 265 -----------------
 dev-libs/openssl/openssl-1.0.2d.ebuild             | 267 ------------------
 10 files changed, 2008 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 17b0441..ddc4c31 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -2,10 +2,6 @@ DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec93
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
 DIST openssl-1.0.1r.tar.gz 4547786 SHA256 784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 SHA512 7a5a2efe5d9421ea6f4f86f75ed40b4459b3825355ad18da3bdba28393bc50a6f457b2e1f11a31828f1af0d62a716d258ac7868fb719c9997f3bc750a1723e86 WHIRLPOOL de9c92f5ddb9bcaac967ac735696e739f5762b7d3a0b2430dbfa0c6cd7ac021fdf3c3257255a2fe995f24aa3550d59ce3067f030f09acc5d43b61dfda627686a
-DIST openssl-1.0.2a.tar.gz 5262089 SHA256 15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a SHA512 02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 WHIRLPOOL a590c71794f5d29b80afa28b18621b7535e96b714b3690d793c1422a90b09a89cbcb912841d400c5982a8197bb02c13051190e96ba0e4d530509b48b43067cd7
-DIST openssl-1.0.2b.tar.gz 5281009 SHA256 d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f SHA512 563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f WHIRLPOOL d828dc76842d25f02f211031b3ab9a2a8fd44975e9aaf87d0fd5fca9935a27b61c3e4f896a2186194f1a7b4d668fc48cafc5be9f7c670017ba342ce40113935f
-DIST openssl-1.0.2c.tar.gz 5280670 SHA256 0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83 SHA512 2a68e8b017d0d3e34e4f9d33b77abd960b3d04e418f106e852684a2ff247dc8ea390b7d6a42d130fd84d821a15e84e77b68b3677433433ef5c10d156333b9dae WHIRLPOOL c59878c3bd5e8904913b97d71a15ef1eaafcfb4eb58c691ba4fb38bf81752308d0ef4a902e53aec4c6e7585677f2404d29cdea0832d14206fabf28d744af2622
-DIST openssl-1.0.2d.tar.gz 5295447 SHA256 671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 SHA512 68a051e92aaed0e7a8b218c185427c534c32f30f50c45f5d2c1f5b7a26d1416e83863d2953c77486acde3b636a148f39faf48246d28a207607ec069f62b13d75 WHIRLPOOL e3d8f0784903c8d6aa05ada7b8b410517c99157a3c2f4ac34c8a9d80c77408bd6ff9e820ded47f6223ccac4a77413174aa625303166ec28fdbf8374a7d4659ec
 DIST openssl-1.0.2e.tar.gz 5256555 SHA256 e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff SHA512 b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f WHIRLPOOL 8e1c1800a66f57fa78dc391e717e4b2bdf0e6e37a837c5ac033d7a4b1a6437451c7e7540c4ec2f75f936a2d2ef4f9293b42c76f51b0c9c93706639589612f196
 DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835baaaa04e506fb3fbaed37d31c9
 DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1

diff --git a/dev-libs/openssl/files/openssl-1.0.2-s_client-verify.patch b/dev-libs/openssl/files/openssl-1.0.2-s_client-verify.patch
deleted file mode 100644
index 803a91d..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2-s_client-verify.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-https://bugs.gentoo.org/472584
-http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest
-
-fix verification handling in s_client.  when loading paths, make sure
-we properly fallback to setting the default paths.
-
---- openssl-1.0.2/apps/s_client.c
-+++ openssl-1.0.2/apps/s_client.c
-@@ -1337,7 +1337,7 @@
- 
-     SSL_CTX_set_verify(ctx, verify, verify_callback);
- 
--    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-+    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) &&
-         (!SSL_CTX_set_default_verify_paths(ctx))) {
-         /*
-          * BIO_printf(bio_err,"error setting default verify locations\n");
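
Review bot: The commit message ("Removed old.") does not say whether the s_client fix carried by this deleted file is still needed by the ebuilds that remain. The patch changes `||` to `&&` so that `SSL_CTX_set_default_verify_paths()` is tried as a fallback when `SSL_CTX_load_verify_locations()` fails, which determines the trust locations s_client verifies against. Before dropping it, confirm that no remaining ebuild applies openssl-1.0.2-s_client-verify.patch, and record in the message whether the remaining versions carry the fix upstream or through another patch.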

diff --git a/dev-libs/openssl/files/openssl-1.0.2a-malloc-typo.patch b/dev-libs/openssl/files/openssl-1.0.2a-malloc-typo.patch
deleted file mode 100644
index 831e575..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2a-malloc-typo.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3758
-
-From 7b4152089fe39c3495508076ab81ed4aca3d65ba Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 21 Mar 2015 05:08:41 -0400
-Subject: [PATCH] fix malloc define typo
-
-Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
-URL: https://bugs.gentoo.org/543828
----
- crypto/bio/bss_dgram.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
-index aef8149..ed275d1 100644
---- a/crypto/bio/bss_dgram.c
-+++ b/crypto/bio/bss_dgram.c
-@@ -1338,7 +1338,7 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
-                 (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
-             authchunks = OPENSSL_malloc(optlen);
-             if (!authchunks) {
--                BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_ERROR);
-+                BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_FAILURE);
-                 return -1;
-             }
-             memset(authchunks, 0, optlen);
-@@ -1410,7 +1410,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
-         char *tmp;
-         data->saved_message.bio = b;
-         if(!(tmp = OPENSSL_malloc(inl))) {
--            BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_ERROR);
-+            BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_FAILURE);
-             return -1;
-         }
-         if (data->saved_message.data)
--- 
-2.3.3
-

diff --git a/dev-libs/openssl/files/openssl-1.0.2a-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2a-parallel-build.patch
deleted file mode 100644
index f4226c3..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2a-parallel-build.patch
+++ /dev/null
@@ -1,314 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=2084&user=guest&pass=guest
-https://rt.openssl.org/Ticket/Display.html?id=3738&user=guest&pass=guest
-
---- openssl-1.0.2a/crypto/Makefile
-+++ openssl-1.0.2a/crypto/Makefile
-@@ -85,11 +85,11 @@
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- 	$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.2a/engines/Makefile
-+++ openssl-1.0.2a/engines/Makefile
-@@ -72,7 +72,7 @@
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- openssl-1.0.2a/Makefile.org
-+++ openssl-1.0.2a/Makefile.org
-@@ -274,17 +274,17 @@
- build_libs: build_crypto build_ssl build_engines
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
--build_ssl:
-+build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
--build_engines:
-+build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
--build_apps:
-+build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
--build_tests:
-+build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
--build_tools:
-+build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -555,7 +555,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- 	do \
- 		if [ -f "$$i" ]; then \
---- openssl-1.0.2a/Makefile.shared
-+++ openssl-1.0.2a/Makefile.shared
-@@ -105,6 +105,7 @@
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
-     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
- 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +123,7 @@
- 			done; \
- 		fi; \
- 		if [ -n "$$SHLIB_SOVER" ]; then \
-+			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- 		fi; \
---- openssl-1.0.2a/test/Makefile
-+++ openssl-1.0.2a/test/Makefile
-@@ -133,7 +133,7 @@
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -402,121 +402,121 @@
- 		link_app.$${shlib_target}
- 
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
--	@target=$(RSATEST); $(BUILD_CMD)
-+	+@target=$(RSATEST); $(BUILD_CMD)
- 
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
--	@target=$(BNTEST); $(BUILD_CMD)
-+	+@target=$(BNTEST); $(BUILD_CMD)
- 
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
--	@target=$(ECTEST); $(BUILD_CMD)
-+	+@target=$(ECTEST); $(BUILD_CMD)
- 
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
--	@target=$(EXPTEST); $(BUILD_CMD)
-+	+@target=$(EXPTEST); $(BUILD_CMD)
- 
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
--	@target=$(IDEATEST); $(BUILD_CMD)
-+	+@target=$(IDEATEST); $(BUILD_CMD)
- 
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
--	@target=$(MD2TEST); $(BUILD_CMD)
-+	+@target=$(MD2TEST); $(BUILD_CMD)
- 
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
--	@target=$(SHATEST); $(BUILD_CMD)
-+	+@target=$(SHATEST); $(BUILD_CMD)
- 
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
--	@target=$(SHA1TEST); $(BUILD_CMD)
-+	+@target=$(SHA1TEST); $(BUILD_CMD)
- 
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
--	@target=$(SHA256TEST); $(BUILD_CMD)
-+	+@target=$(SHA256TEST); $(BUILD_CMD)
- 
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
--	@target=$(SHA512TEST); $(BUILD_CMD)
-+	+@target=$(SHA512TEST); $(BUILD_CMD)
- 
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
--	@target=$(RMDTEST); $(BUILD_CMD)
-+	+@target=$(RMDTEST); $(BUILD_CMD)
- 
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
--	@target=$(MDC2TEST); $(BUILD_CMD)
-+	+@target=$(MDC2TEST); $(BUILD_CMD)
- 
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
--	@target=$(MD4TEST); $(BUILD_CMD)
-+	+@target=$(MD4TEST); $(BUILD_CMD)
- 
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
--	@target=$(MD5TEST); $(BUILD_CMD)
-+	+@target=$(MD5TEST); $(BUILD_CMD)
- 
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
--	@target=$(HMACTEST); $(BUILD_CMD)
-+	+@target=$(HMACTEST); $(BUILD_CMD)
- 
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
--	@target=$(WPTEST); $(BUILD_CMD)
-+	+@target=$(WPTEST); $(BUILD_CMD)
- 
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
--	@target=$(RC2TEST); $(BUILD_CMD)
-+	+@target=$(RC2TEST); $(BUILD_CMD)
- 
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
--	@target=$(BFTEST); $(BUILD_CMD)
-+	+@target=$(BFTEST); $(BUILD_CMD)
- 
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
--	@target=$(CASTTEST); $(BUILD_CMD)
-+	+@target=$(CASTTEST); $(BUILD_CMD)
- 
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
--	@target=$(RC4TEST); $(BUILD_CMD)
-+	+@target=$(RC4TEST); $(BUILD_CMD)
- 
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
--	@target=$(RC5TEST); $(BUILD_CMD)
-+	+@target=$(RC5TEST); $(BUILD_CMD)
- 
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
--	@target=$(DESTEST); $(BUILD_CMD)
-+	+@target=$(DESTEST); $(BUILD_CMD)
- 
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
--	@target=$(RANDTEST); $(BUILD_CMD)
-+	+@target=$(RANDTEST); $(BUILD_CMD)
- 
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
--	@target=$(DHTEST); $(BUILD_CMD)
-+	+@target=$(DHTEST); $(BUILD_CMD)
- 
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
--	@target=$(DSATEST); $(BUILD_CMD)
-+	+@target=$(DSATEST); $(BUILD_CMD)
- 
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
--	@target=$(METHTEST); $(BUILD_CMD)
-+	+@target=$(METHTEST); $(BUILD_CMD)
- 
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
--	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
- 
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
--	@target=$(ENGINETEST); $(BUILD_CMD)
-+	+@target=$(ENGINETEST); $(BUILD_CMD)
- 
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
--	@target=$(EVPTEST); $(BUILD_CMD)
-+	+@target=$(EVPTEST); $(BUILD_CMD)
- 
- $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
--	@target=$(EVPEXTRATEST); $(BUILD_CMD)
-+	+@target=$(EVPEXTRATEST); $(BUILD_CMD)
- 
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
--	@target=$(ECDSATEST); $(BUILD_CMD)
-+	+@target=$(ECDSATEST); $(BUILD_CMD)
- 
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
--	@target=$(ECDHTEST); $(BUILD_CMD)
-+	+@target=$(ECDHTEST); $(BUILD_CMD)
- 
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
--	@target=$(IGETEST); $(BUILD_CMD)
-+	+@target=$(IGETEST); $(BUILD_CMD)
- 
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
--	@target=$(JPAKETEST); $(BUILD_CMD)
-+	+@target=$(JPAKETEST); $(BUILD_CMD)
- 
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
--	@target=$(ASN1TEST); $(BUILD_CMD)
-+	+@target=$(ASN1TEST); $(BUILD_CMD)
- 
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
--	@target=$(SRPTEST); $(BUILD_CMD)
-+	+@target=$(SRPTEST); $(BUILD_CMD)
- 
- $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
--	@target=$(V3NAMETEST); $(BUILD_CMD)
-+	+@target=$(V3NAMETEST); $(BUILD_CMD)
- 
- $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
--	@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-+	+@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
- 
- $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
--	@target=$(CONSTTIMETEST) $(BUILD_CMD)
-+	+@target=$(CONSTTIMETEST) $(BUILD_CMD)
- 
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -529,7 +529,7 @@
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 
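
Review bot: Nothing in the message records what provides the parallel-build ordering for the 1.0.2e and 1.0.2f versions, whose DIST lines stay in the Manifest, once this file and openssl-1.0.2d-parallel-build.patch are both gone. Worth checking that whatever those ebuilds apply keeps the prerequisites this patch added, such as `build_ssl: build_crypto` and `$(LIB): $(LIBOBJ) | subdirs`, since those are what order the sub-builds under a parallel make. One line to reconsider in any successor is the Makefile.shared guard `[ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0;`, which skips the link whenever the file already exists, including a stale one left by an earlier build.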

diff --git a/dev-libs/openssl/files/openssl-1.0.2d-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2d-parallel-build.patch
deleted file mode 100644
index b7aa0ea..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2d-parallel-build.patch
+++ /dev/null
@@ -1,309 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=2084&user=guest&pass=guest
-https://rt.openssl.org/Ticket/Display.html?id=3738&user=guest&pass=guest
-
---- openssl-1.0.2d/crypto/Makefile
-+++ openssl-1.0.2d/crypto/Makefile
-@@ -85,11 +85,11 @@
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- 	$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.2d/engines/Makefile
-+++ openssl-1.0.2d/engines/Makefile
-@@ -72,7 +72,7 @@
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- openssl-1.0.2d/Makefile.org
-+++ openssl-1.0.2d/Makefile.org
-@@ -274,17 +274,17 @@
- build_libs: build_crypto build_ssl build_engines
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -555,7 +555,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- 	do \
- 		if [ -f "$$i" ]; then \
---- openssl-1.0.2d/Makefile.shared
-+++ openssl-1.0.2d/Makefile.shared
-@@ -105,6 +105,7 @@
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
-     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
- 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +123,7 @@
- 			done; \
- 		fi; \
- 		if [ -n "$$SHLIB_SOVER" ]; then \
-+			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- 		fi; \
---- openssl-1.0.2d/test/Makefile
-+++ openssl-1.0.2d/test/Makefile
-@@ -133,7 +133,7 @@
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -402,121 +402,121 @@
- 		link_app.$${shlib_target}
- 
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
--	@target=$(RSATEST); $(BUILD_CMD)
-+	+@target=$(RSATEST); $(BUILD_CMD)
- 
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
--	@target=$(BNTEST); $(BUILD_CMD)
-+	+@target=$(BNTEST); $(BUILD_CMD)
- 
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
--	@target=$(ECTEST); $(BUILD_CMD)
-+	+@target=$(ECTEST); $(BUILD_CMD)
- 
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
--	@target=$(EXPTEST); $(BUILD_CMD)
-+	+@target=$(EXPTEST); $(BUILD_CMD)
- 
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
--	@target=$(IDEATEST); $(BUILD_CMD)
-+	+@target=$(IDEATEST); $(BUILD_CMD)
- 
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
--	@target=$(MD2TEST); $(BUILD_CMD)
-+	+@target=$(MD2TEST); $(BUILD_CMD)
- 
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
--	@target=$(SHATEST); $(BUILD_CMD)
-+	+@target=$(SHATEST); $(BUILD_CMD)
- 
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
--	@target=$(SHA1TEST); $(BUILD_CMD)
-+	+@target=$(SHA1TEST); $(BUILD_CMD)
- 
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
--	@target=$(SHA256TEST); $(BUILD_CMD)
-+	+@target=$(SHA256TEST); $(BUILD_CMD)
- 
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
--	@target=$(SHA512TEST); $(BUILD_CMD)
-+	+@target=$(SHA512TEST); $(BUILD_CMD)
- 
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
--	@target=$(RMDTEST); $(BUILD_CMD)
-+	+@target=$(RMDTEST); $(BUILD_CMD)
- 
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
--	@target=$(MDC2TEST); $(BUILD_CMD)
-+	+@target=$(MDC2TEST); $(BUILD_CMD)
- 
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
--	@target=$(MD4TEST); $(BUILD_CMD)
-+	+@target=$(MD4TEST); $(BUILD_CMD)
- 
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
--	@target=$(MD5TEST); $(BUILD_CMD)
-+	+@target=$(MD5TEST); $(BUILD_CMD)
- 
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
--	@target=$(HMACTEST); $(BUILD_CMD)
-+	+@target=$(HMACTEST); $(BUILD_CMD)
- 
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
--	@target=$(WPTEST); $(BUILD_CMD)
-+	+@target=$(WPTEST); $(BUILD_CMD)
- 
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
--	@target=$(RC2TEST); $(BUILD_CMD)
-+	+@target=$(RC2TEST); $(BUILD_CMD)
- 
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
--	@target=$(BFTEST); $(BUILD_CMD)
-+	+@target=$(BFTEST); $(BUILD_CMD)
- 
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
--	@target=$(CASTTEST); $(BUILD_CMD)
-+	+@target=$(CASTTEST); $(BUILD_CMD)
- 
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
--	@target=$(RC4TEST); $(BUILD_CMD)
-+	+@target=$(RC4TEST); $(BUILD_CMD)
- 
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
--	@target=$(RC5TEST); $(BUILD_CMD)
-+	+@target=$(RC5TEST); $(BUILD_CMD)
- 
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
--	@target=$(DESTEST); $(BUILD_CMD)
-+	+@target=$(DESTEST); $(BUILD_CMD)
- 
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
--	@target=$(RANDTEST); $(BUILD_CMD)
-+	+@target=$(RANDTEST); $(BUILD_CMD)
- 
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
--	@target=$(DHTEST); $(BUILD_CMD)
-+	+@target=$(DHTEST); $(BUILD_CMD)
- 
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
--	@target=$(DSATEST); $(BUILD_CMD)
-+	+@target=$(DSATEST); $(BUILD_CMD)
- 
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
--	@target=$(METHTEST); $(BUILD_CMD)
-+	+@target=$(METHTEST); $(BUILD_CMD)
- 
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
--	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
- 
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
--	@target=$(ENGINETEST); $(BUILD_CMD)
-+	+@target=$(ENGINETEST); $(BUILD_CMD)
- 
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
--	@target=$(EVPTEST); $(BUILD_CMD)
-+	+@target=$(EVPTEST); $(BUILD_CMD)
- 
- $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
--	@target=$(EVPEXTRATEST); $(BUILD_CMD)
-+	+@target=$(EVPEXTRATEST); $(BUILD_CMD)
- 
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
--	@target=$(ECDSATEST); $(BUILD_CMD)
-+	+@target=$(ECDSATEST); $(BUILD_CMD)
- 
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
--	@target=$(ECDHTEST); $(BUILD_CMD)
-+	+@target=$(ECDHTEST); $(BUILD_CMD)
- 
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
--	@target=$(IGETEST); $(BUILD_CMD)
-+	+@target=$(IGETEST); $(BUILD_CMD)
- 
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
--	@target=$(JPAKETEST); $(BUILD_CMD)
-+	+@target=$(JPAKETEST); $(BUILD_CMD)
- 
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
--	@target=$(ASN1TEST); $(BUILD_CMD)
-+	+@target=$(ASN1TEST); $(BUILD_CMD)
- 
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
--	@target=$(SRPTEST); $(BUILD_CMD)
-+	+@target=$(SRPTEST); $(BUILD_CMD)
- 
- $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
--	@target=$(V3NAMETEST); $(BUILD_CMD)
-+	+@target=$(V3NAMETEST); $(BUILD_CMD)
- 
- $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
--	@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-+	+@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
- 
- $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
--	@target=$(CONSTTIMETEST) $(BUILD_CMD)
-+	+@target=$(CONSTTIMETEST) $(BUILD_CMD)
- 
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -529,7 +529,7 @@
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 
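Review bot: the `$(CONSTTIMETEST)` rule in this removed patch reads `@target=$(CONSTTIMETEST) $(BUILD_CMD)` with no `;` after the assignment, while every other test rule in the hunk has the form `@target=$(X); $(BUILD_CMD)`. The patch only prepends `+` to the recipe and carries that line over unchanged, so any parallel-build patch that stays in the tree should be checked for the same context line. Before deleting this file, also confirm that no remaining ebuild still passes it to `epatch`.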

diff --git a/dev-libs/openssl/openssl-1.0.2a.ebuild b/dev-libs/openssl/openssl-1.0.2a.ebuild
deleted file mode 100644
index 6c22a2e..0000000
--- a/dev-libs/openssl/openssl-1.0.2a.ebuild
+++ /dev/null
@@ -1,266 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2-s_client-verify.patch #472584
-		epatch "${FILESDIR}"/${P}-malloc-typo.patch #543828
-		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
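Review bot: in `src_prepare`, this is the only one of the removed 1.0.2 ebuilds shown here that applies `${P}-malloc-typo.patch` (#543828) and `${PN}-1.0.2-s_client-verify.patch` (#472584); the 1.0.2b, 1.0.2c and 1.0.2d-r2 patch lists contain neither. If no ebuild left in the tree uses them, both files under `files/` should be removed in this same commit so they are not left behind as orphans. The same check applies to `gentoo.config-1.0.1`, which is copied here while 1.0.2d-r2 copies `gentoo.config-1.0.2`.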

diff --git a/dev-libs/openssl/openssl-1.0.2b.ebuild b/dev-libs/openssl/openssl-1.0.2b.ebuild
deleted file mode 100644
index 3ede9dd..0000000
--- a/dev-libs/openssl/openssl-1.0.2b.ebuild
+++ /dev/null
@@ -1,264 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
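Review bot: `SRC_URI` in this ebuild fetches `${PN}-c_rehash.sh?rev=${REV}` from `http://cvs.pld-linux.org/` over plain HTTP and `multilib_src_install_all` installs the result with `dobin`, so the Manifest DIST entry is the only integrity check on that script. With 1.0.2a, 1.0.2b and 1.0.2c removed and 1.0.2d-r2 depending on `>=app-misc/c_rehash-1.7-r1` instead, confirm whether any remaining ebuild still fetches `${PN}-c_rehash.sh.${REV}`; if none does, the matching DIST line should be dropped from `Manifest` in this commit, and if one does, it must stay.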

diff --git a/dev-libs/openssl/openssl-1.0.2c.ebuild b/dev-libs/openssl/openssl-1.0.2c.ebuild
deleted file mode 100644
index 3ede9dd..0000000
--- a/dev-libs/openssl/openssl-1.0.2c.ebuild
+++ /dev/null
@@ -1,264 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	sys-apps/diffutils
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? ( sys-devel/bc )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
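Review bot: in `multilib_src_install_all`, `cd "${ED}"/usr/share/man` has no `|| die`, and the loop that follows runs `mv`, `rm -f` and `ln -s` on unquoted relative paths, so a failed `cd` would make those commands operate on whatever directory the phase happened to be in. `rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}` and `sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared` are likewise unchecked. This file is being deleted, but the block is identical across the 1.0.2a, 1.0.2b and 1.0.2c ebuilds shown here, so the ebuilds that stay in the tree are worth checking for the same lines and adding `|| die` there.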

diff --git a/dev-libs/openssl/openssl-1.0.2d-r2.ebuild b/dev-libs/openssl/openssl-1.0.2d-r2.ebuild
deleted file mode 100644
index e45dd24..0000000
--- a/dev-libs/openssl/openssl-1.0.2d-r2.ebuild
+++ /dev/null
@@ -1,265 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2d-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
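
Review bot: the epatch and cp lines in src_prepare pull in FILESDIR files (${PN}-1.0.2d-parallel-build.patch, ${PN}-1.0.2a-x32-asm.patch, ${PN}-1.0.1p-default-source.patch, gentoo.config-1.0.2 and others), and nothing in this removal says whether any remaining ebuild still uses them. Before pushing, grep the ebuilds that stay in dev-libs/openssl for each of these names, and either drop the ones that become orphans in the same commit or say in the commit message that they are still referenced, so files/ does not keep unreviewed patches to a crypto library that nothing applies.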

diff --git a/dev-libs/openssl/openssl-1.0.2d.ebuild b/dev-libs/openssl/openssl-1.0.2d.ebuild
deleted file mode 100644
index 98f1978..0000000
--- a/dev-libs/openssl/openssl-1.0.2d.ebuild
+++ /dev/null
@@ -1,267 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-REV="1.7"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-# The blocks are temporary just to make sure people upgrade to a
-# version that lack runtime version checking.  We'll drop them in
-# the future.
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
-	!<net-misc/openssh-5.9_p1-r4
-	!<net-libs/neon-0.29.6-r1"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	SSL_CNF_DIR="/etc/ssl"
-	sed \
-		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
-		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
-		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
-		> "${WORKDIR}"/c_rehash || die #416717
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2d-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	dobin "${WORKDIR}"/c_rehash #333117
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-
-	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
-}
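
Review bot: KEYWORDS in this ebuild is stable on most arches (alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86), so deleting it is only safe if a newer version is already stable on every one of them, and the commit message "delete old" does not name that version. State the replacement stable version in the message, or keep this ebuild until the last of these arches has stabilized its successor; otherwise a lagging arch is left without a stable OpenSSL to resolve to.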



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-02-09 18:30 Robin H. Johnson
  0 siblings, 0 replies; 52+ messages in thread
From: Robin H. Johnson @ 2016-02-09 18:30 UTC (permalink / raw
  To: gentoo-commits

commit:     6e016d7d3fa7acca6396ddf694865ada101e04a3
Author:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
AuthorDate: Tue Feb  9 18:29:56 2016 +0000
Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Tue Feb  9 18:30:08 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e016d7d

dev-libs/openssl: move large patch to mirrors.

Package-Manager: portage-2.2.27

 dev-libs/openssl/Manifest                          |    1 +
 .../files/openssl-1.0.2e-chacha20poly1305.patch    | 4404 --------------------
 dev-libs/openssl/openssl-1.0.2e-r1.ebuild          |    5 +-
 dev-libs/openssl/openssl-1.0.2f-r1.ebuild          |    5 +-
 4 files changed, 7 insertions(+), 4408 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index ddc4c31..1545e93 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -2,6 +2,7 @@ DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec93
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
 DIST openssl-1.0.1r.tar.gz 4547786 SHA256 784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 SHA512 7a5a2efe5d9421ea6f4f86f75ed40b4459b3825355ad18da3bdba28393bc50a6f457b2e1f11a31828f1af0d62a716d258ac7868fb719c9997f3bc750a1723e86 WHIRLPOOL de9c92f5ddb9bcaac967ac735696e739f5762b7d3a0b2430dbfa0c6cd7ac021fdf3c3257255a2fe995f24aa3550d59ce3067f030f09acc5d43b61dfda627686a
+DIST openssl-1.0.2e-chacha20poly1305.patch 140487 SHA256 6a486814bfed8807089152116c2595d97ddc9f5afa9dd54276003ac4d7335adc SHA512 cbf550bd60dc8174910620d4acc6c7ce9f09584004a5833e75f02e095107b8d6b2abfc395a64b5039693e7a37e62da59cc9870bf0bcc14de3660c2e188e6ca1c WHIRLPOOL 7cbe55f498005af163158a323554b10081f1ae13107e32254a0348bed108856e120ef8340f0cd4af5ca310405c9683d1a7c70a34369c8a3359c8ea11b08b6774
 DIST openssl-1.0.2e.tar.gz 5256555 SHA256 e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff SHA512 b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f WHIRLPOOL 8e1c1800a66f57fa78dc391e717e4b2bdf0e6e37a837c5ac033d7a4b1a6437451c7e7540c4ec2f75f936a2d2ef4f9293b42c76f51b0c9c93706639589612f196
 DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835baaaa04e506fb3fbaed37d31c9
 DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1
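
Review bot: the added DIST line for openssl-1.0.2e-chacha20poly1305.patch becomes the only in-tree record of a 4404-line patch to a crypto library, and neither this hunk nor the commit message says where the distfile is hosted or that it is byte-identical to the files/ copy being deleted. Note in the commit message that the 140487-byte distfile was produced from the removed files/openssl-1.0.2e-chacha20poly1305.patch and give the location the ebuilds fetch it from, so the SHA256, SHA512 and WHIRLPOOL values recorded here can be checked against something a reviewer can read.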

diff --git a/dev-libs/openssl/files/openssl-1.0.2e-chacha20poly1305.patch b/dev-libs/openssl/files/openssl-1.0.2e-chacha20poly1305.patch
deleted file mode 100644
index e66096e..0000000
--- a/dev-libs/openssl/files/openssl-1.0.2e-chacha20poly1305.patch
+++ /dev/null
@@ -1,4404 +0,0 @@
-diff -rNu openssl-1.0.2e/Configure openssl-1.0.2e-modified/Configure
---- openssl-1.0.2e/Configure	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/Configure	2016-02-08 16:12:00.592614754 +0100
-@@ -143,25 +143,25 @@
- my $bits1="THIRTY_TWO_BIT ";
- my $bits2="SIXTY_FOUR_BIT ";
- 
--my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
-+my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o::";
- 
- my $x86_elf_asm="$x86_asm:elf";
- 
--my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o:";
--my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
--my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o::void";
--my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o:::::::::::::void";
--my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o::void";
--my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
-+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o::chacha20_avx.o poly1305_avx.o chacha20_avx2.o poly1305_avx2.o";
-+my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o:::void";
-+my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o:::void";
-+my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o::::::::::::::void";
-+my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o:::void";
-+my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o:::::::::";
- my $mips32_asm=$mips64_asm; $mips32_asm =~ s/\s*sha512\-mips\.o//;
--my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
--my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o::void";
--my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o:";
--my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
--my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
--my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
-+my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o::";
-+my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o:::void";
-+my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o::";
-+my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o:::32";
-+my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o:::64";
-+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o::";
- my $ppc32_asm=$ppc64_asm;
--my $no_asm="::::::::::::::::void";
-+my $no_asm=":::::::::::::::::void";
- 
- # As for $BSDthreads. Idea is to maintain "collective" set of flags,
- # which would cover all BSD flavors. -pthread applies to them all, 
-@@ -213,7 +213,7 @@
- "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
- "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o::des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o::des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o:::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-@@ -320,7 +320,7 @@
- "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
- "hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
--"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o:::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
-+"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
- 
- # More attempts at unified 10.X and 11.X targets for HP C compiler.
- #
-@@ -577,9 +577,9 @@
- # Visual C targets
- #
- # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
--"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
-+"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::::::::ghash-ia64.o::ias:win32",
- "VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
--"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
-+"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::::::::ghash-ia64.o::ias:win32",
- "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
- # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
- # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
-@@ -707,6 +707,7 @@
- my $idx_cmll_obj = $idx++;
- my $idx_modes_obj = $idx++;
- my $idx_engines_obj = $idx++;
-+my $idx_chapoly_obj = $idx++;
- my $idx_perlasm_scheme = $idx++;
- my $idx_dso_scheme = $idx++;
- my $idx_shared_target = $idx++;
-@@ -749,6 +750,7 @@
- my $bn_asm	="bn_asm.o";
- my $des_enc="des_enc.o fcrypt_b.o";
- my $aes_enc="aes_core.o aes_cbc.o";
-+my $chapoly_enc="";
- my $bf_enc	="bf_enc.o";
- my $cast_enc="c_enc.o";
- my $rc4_enc="rc4_enc.o rc4_skey.o";
-@@ -1207,7 +1209,7 @@
- 
- print "IsMK1MF=$IsMK1MF\n";
- 
--my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
-+my @fields = split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
- my $cc = $fields[$idx_cc];
- # Allow environment CC to override compiler...
- if($ENV{CC}) {
-@@ -1236,6 +1238,7 @@
- my $cmll_obj = $fields[$idx_cmll_obj];
- my $modes_obj = $fields[$idx_modes_obj];
- my $engines_obj = $fields[$idx_engines_obj];
-+my $chapoly_obj = $fields[$idx_chapoly_obj];
- my $perlasm_scheme = $fields[$idx_perlasm_scheme];
- my $dso_scheme = $fields[$idx_dso_scheme];
- my $shared_target = $fields[$idx_shared_target];
-@@ -1402,7 +1405,7 @@
- 	{
- 	$cpuid_obj=$bn_obj=$ec_obj=
- 	$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=$cmll_obj=
--	$modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj="";
-+	$modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj=$chapoly_obj="";
- 	}
- 
- if (!$no_shared)
-@@ -1555,6 +1558,14 @@
- $cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
- $rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
- $rc5_obj=$rc5_enc	unless ($rc5_obj =~ /\.o$/);
-+if ($chapoly_obj =~ /\.o$/)
-+	{
-+	$cflags.=" -DCHAPOLY_x86_64_ASM";
-+	}
-+else
-+	{
-+	$chapoly_obj=$chapoly_enc;
-+	}
- if ($sha1_obj =~ /\.o$/)
- 	{
- #	$sha1_obj=$sha1_enc;
-@@ -1737,6 +1748,7 @@
- 	s/^WP_ASM_OBJ=.*$/WP_ASM_OBJ= $wp_obj/;
- 	s/^CMLL_ENC=.*$/CMLL_ENC= $cmll_obj/;
- 	s/^MODES_ASM_OBJ.=*$/MODES_ASM_OBJ= $modes_obj/;
-+	s/^CHAPOLY_ENC=.*$/CHAPOLY_ENC= $chapoly_obj/;
- 	s/^ENGINES_ASM_OBJ.=*$/ENGINES_ASM_OBJ= $engines_obj/;
- 	s/^PERLASM_SCHEME=.*$/PERLASM_SCHEME= $perlasm_scheme/;
- 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
-@@ -1799,6 +1811,7 @@
- print "CMLL_ENC      =$cmll_obj\n";
- print "MODES_OBJ     =$modes_obj\n";
- print "ENGINES_OBJ   =$engines_obj\n";
-+print "CHAPOLY_ENC   =$chapoly_obj\n";
- print "PROCESSOR     =$processor\n";
- print "RANLIB        =$ranlib\n";
- print "ARFLAGS       =$arflags\n";
-@@ -2197,7 +2210,7 @@
- 	my ($cc, $cflags, $unistd, $thread_cflag, $sys_id, $lflags,
- 	    $bn_ops, $cpuid_obj, $bn_obj, $ec_obj, $des_obj, $aes_obj, $bf_obj,
- 	    $md5_obj, $sha1_obj, $cast_obj, $rc4_obj, $rmd160_obj,
--	    $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj,
-+	    $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj, $chapoly_obj,
- 	    $perlasm_scheme, $dso_scheme, $shared_target, $shared_cflag,
- 	    $shared_ldflag, $shared_extension, $ranlib, $arflags, $multilib)=
- 	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
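Review bot: the field list in this hunk gains `$chapoly_obj`, but the `split(/\s*:\s*/,$table{$target} . ":" x 30 , -1)` on the last line keeps its padding at 30, while the same expression in the `@@ -1207,7 +1209,7 @@` hunk was bumped to `":" x 31`. Table entries carry their own separators, so this is probably harmless in practice, but the two padding counts should stay in step; bump this one to 31 as well.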
-@@ -2228,6 +2241,7 @@
- \$cmll_obj     = $cmll_obj
- \$modes_obj    = $modes_obj
- \$engines_obj  = $engines_obj
-+\$chapoly_obj  = $chapoly_obj
- \$perlasm_scheme = $perlasm_scheme
- \$dso_scheme   = $dso_scheme
- \$shared_target= $shared_target
-diff -rNu openssl-1.0.2e/Makefile.org openssl-1.0.2e-modified/Makefile.org
---- openssl-1.0.2e/Makefile.org	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/Makefile.org	2016-02-08 16:12:00.593614754 +0100
-@@ -91,6 +91,7 @@
- EC_ASM=
- DES_ENC= des_enc.o fcrypt_b.o
- AES_ENC= aes_core.o aes_cbc.o
-+CHAPOLY_ENC=
- BF_ENC= bf_enc.o
- CAST_ENC= c_enc.o
- RC4_ENC= rc4_enc.o
-@@ -148,7 +149,7 @@
- 	bn ec rsa dsa ecdsa dh ecdh dso engine \
- 	buffer bio stack lhash rand err \
- 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
--	cms pqueue ts jpake srp store cmac
-+	cms pqueue ts jpake srp store cmac chacha20poly1305
- # keep in mind that the above list is adjusted by ./Configure
- # according to no-xxx arguments...
- 
-@@ -235,6 +236,7 @@
- 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
- 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
- 		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
-+		CHAPOLY_ENC='$(CHAPOLY_ENC)'			\
- 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
- 		FIPSLIBDIR='${FIPSLIBDIR}'			\
- 		FIPSDIR='${FIPSDIR}'				\
-diff -rNu openssl-1.0.2e/apps/speed.c openssl-1.0.2e-modified/apps/speed.c
---- openssl-1.0.2e/apps/speed.c	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/apps/speed.c	2016-02-08 16:12:00.594614754 +0100
-@@ -226,7 +226,7 @@
- # endif
- 
- # undef BUFSIZE
--# define BUFSIZE ((long)1024*8+1)
-+# define BUFSIZE ((long)1024*8+16)
- static volatile int run = 0;
- 
- static int mr = 0;
-@@ -241,7 +241,7 @@
- static int do_multi(int multi);
- # endif
- 
--# define ALGOR_NUM       30
-+# define ALGOR_NUM       31
- # define SIZE_NUM        5
- # define RSA_NUM         4
- # define DSA_NUM         3
-@@ -256,7 +256,7 @@
-     "aes-128 cbc", "aes-192 cbc", "aes-256 cbc",
-     "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc",
-     "evp", "sha256", "sha512", "whirlpool",
--    "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash"
-+    "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash", "chacha20-poly1305"
- };
- 
- static double results[ALGOR_NUM][SIZE_NUM];
-@@ -516,6 +516,7 @@
- # define D_IGE_192_AES   27
- # define D_IGE_256_AES   28
- # define D_GHASH         29
-+# define D_CHAPOLY       30
-     double d = 0.0;
-     long c[ALGOR_NUM][SIZE_NUM];
- # define R_DSA_512       0
-@@ -972,6 +973,11 @@
-             doit[D_CBC_256_CML] = 1;
-         } else
- # endif
-+# ifndef OPENSSL_NO_CHACHA_POLY
-+       if (strcmp(*argv,"chacha20-poly1305") == 0) {
-+            doit[D_CHAPOLY] = 1;
-+        } else
-+# endif
- # ifndef OPENSSL_NO_RSA
-         if (strcmp(*argv, "rsa") == 0) {
-             rsa_doit[R_RSA_512] = 1;
-@@ -1139,7 +1145,9 @@
-             BIO_printf(bio_err, "rc4");
- # endif
-             BIO_printf(bio_err, "\n");
--
-+# ifndef OPENSSL_NO_CHACHA_POLY
-+            BIO_printf(bio_err,"chacha20-poly1305\n");
-+# endif
- # ifndef OPENSSL_NO_RSA
-             BIO_printf(bio_err, "rsa512   rsa1024  rsa2048  rsa4096\n");
- # endif
-@@ -1370,6 +1378,7 @@
-     c[D_IGE_192_AES][0] = count;
-     c[D_IGE_256_AES][0] = count;
-     c[D_GHASH][0] = count;
-+    c[D_CHAPOLY][0] = count;
- 
-     for (i = 1; i < SIZE_NUM; i++) {
-         c[D_MD2][i] = c[D_MD2][0] * 4 * lengths[0] / lengths[i];
-@@ -1862,6 +1871,23 @@
-         }
-     }
- # endif
-+# ifndef OPENSSL_NO_CHACHA_POLY
-+    if (doit[D_CHAPOLY]) {
-+        EVP_CIPHER_CTX ctx;
-+        EVP_CIPHER_CTX_init(&ctx);
-+        EVP_CipherInit_ex(&ctx,EVP_chacha20_poly1305(),NULL,key32,NULL,1);
-+        for (j=0; j<SIZE_NUM; j++) {
-+            print_message(names[D_CHAPOLY],c[D_CHAPOLY][j],lengths[j]);
-+            Time_F(START);
-+            for (count=0,run=1; COND(c[D_CHAPOLY][j]); count++) {
-+                EVP_CIPHER_CTX_ctrl(&ctx,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
-+                EVP_Cipher(&ctx,buf,buf,(unsigned long)lengths[j]+16);
-+            }
-+            d=Time_F(STOP);
-+            print_result(D_CHAPOLY,j,count,d);
-+        }
-+    }
-+# endif
- # ifndef OPENSSL_NO_IDEA
-     if (doit[D_CBC_IDEA]) {
-         for (j = 0; j < SIZE_NUM; j++) {
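Review bot: in the `if (doit[D_CHAPOLY])` block, `ctx` is set up with `EVP_CIPHER_CTX_init(&ctx)` but never released, and the return values of `EVP_CipherInit_ex`, `EVP_CIPHER_CTX_ctrl` and `EVP_Cipher` are all ignored. If the cipher fails to initialise, the loop still runs and reports a throughput figure for work that was never done. Check the `EVP_CipherInit_ex` result before entering the timing loop and call `EVP_CIPHER_CTX_cleanup(&ctx)` after it. Two smaller points: the init passes NULL for the IV, and `EVP_Cipher(&ctx,buf,buf,(unsigned long)lengths[j]+16)` depends on the `BUFSIZE` change to `1024*8+16` at the top of this file, so the literal 16 deserves a named constant shared by both places.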
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/Makefile openssl-1.0.2e-modified/crypto/chacha20poly1305/Makefile
---- openssl-1.0.2e/crypto/chacha20poly1305/Makefile	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/Makefile	2016-02-08 16:12:00.594614754 +0100
-@@ -0,0 +1,92 @@
-+#
-+#  crypto/chacha20poly1305/Makefile
-+#
-+DIR=	chacha20poly1305
-+TOP=	../..
-+CC=	cc
-+CPP=	$(CC) -E
-+INCLUDES=
-+CFLAG=-g
-+MAKEFILE=	Makefile
-+AR=		ar r
-+
-+
-+CHAPOLY_ENC=
-+
-+CFLAGS= $(INCLUDES) $(CFLAG)
-+ASFLAGS= $(INCLUDES) $(ASFLAG)
-+AFLAGS= $(ASFLAGS)
-+
-+GENERAL=Makefile
-+TEST=chapolytest.c
-+APPS=
-+
-+LIB=$(TOP)/libcrypto.a
-+LIBSRC=chacha20.c poly1305.c
-+LIBOBJ=chacha20.o poly1305.o $(CHAPOLY_ENC)
-+
-+SRC= $(LIBSRC)
-+
-+EXHEADER=chacha20poly1305.h
-+HEADER= $(EXHEADER)
-+
-+ALL=    $(GENERAL) $(SRC) $(HEADER)
-+
-+top:
-+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-+
-+all:	lib
-+
-+lib:	$(LIBOBJ)
-+	$(AR) $(LIB) $(LIBOBJ)
-+	$(RANLIB) $(LIB) || echo Never mind.
-+	@touch lib
-+
-+chacha20_avx.s:asm/chacha20_avx.pl
-+	$(PERL) asm/chacha20_avx.pl $(PERLASM_SCHEME) > $@
-+poly1305_avx.s:asm/poly1305_avx.pl
-+	$(PERL) asm/poly1305_avx.pl $(PERLASM_SCHEME) > $@
-+chacha20_avx2.s:asm/chacha20_avx2.pl
-+	$(PERL) asm/chacha20_avx2.pl $(PERLASM_SCHEME) > $@
-+poly1305_avx2.s:asm/poly1305_avx2.pl
-+	$(PERL) asm/poly1305_avx2.pl $(PERLASM_SCHEME) > $@
-+
-+files:
-+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-+
-+links:
-+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-+
-+install:
-+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
-+	do  \
-+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-+	done;
-+
-+tags:
-+	ctags $(SRC)
-+
-+tests:
-+
-+lint:
-+	lint -DLINT $(INCLUDES) $(SRC)>fluff
-+
-+depend:
-+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
-+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-+
-+dclean:
-+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-+	mv -f Makefile.new $(MAKEFILE)
-+
-+clean:
-+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-+
-+# DO NOT DELETE THIS LINE -- make depend depends on it.
-+
-+chacha20.o: ../../include/openssl/chacha20poly1305.h chacha20.c
-+poly1305.o: ../../include/openssl/chacha20poly1305.h poly1305.c
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx.pl
---- openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx.pl	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx.pl	2016-02-08 16:12:00.595614754 +0100
-@@ -0,0 +1,388 @@
-+#!/usr/bin/env perl
-+
-+##############################################################################
-+#                                                                            #
-+# Copyright 2014 Intel Corporation                                           #
-+#                                                                            #
-+# Licensed under the Apache License, Version 2.0 (the "License");            #
-+# you may not use this file except in compliance with the License.           #
-+# You may obtain a copy of the License at                                    #
-+#                                                                            #
-+#    http://www.apache.org/licenses/LICENSE-2.0                              #
-+#                                                                            #
-+# Unless required by applicable law or agreed to in writing, software        #
-+# distributed under the License is distributed on an "AS IS" BASIS,          #
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-+# See the License for the specific language governing permissions and        #
-+# limitations under the License.                                             #
-+#                                                                            #
-+##############################################################################
-+#                                                                            #
-+#  Developers and authors:                                                   #
-+#  Shay Gueron (1, 2), and Vlad Krasnov (1)                                  #
-+#  (1) Intel Corporation, Israel Development Center                          #
-+#  (2) University of Haifa                                                   #
-+#                                                                            #
-+# Related work:                                                              #
-+# M. Goll, S. Gueron, "Vectorization on ChaCha Stream Cipher", IEEE          #
-+#          Proceedings of 11th International Conference on Information       #
-+#          Technology: New Generations (ITNG 2014), 612-615 (2014).          #
-+# M. Goll, S. Gueron, "Vectorization on Poly1305 Message Authentication Code"#
-+#           to be published.                                                 #
-+# A. Langley, chacha20poly1305 for the AEAD head                             #
-+# https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9a8646510b3d0a48e950748f7a2aaa12ed40d5e0  #
-+##############################################################################
-+
-+
-+
-+$flavour = shift;
-+$output  = shift;
-+if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-+
-+$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-+die "can't locate x86_64-xlate.pl";
-+
-+open OUT,"| \"$^X\" $xlate $flavour $output";
-+*STDOUT=*OUT;
-+
-+if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-+		=~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-+	$avx = ($1>=2.19) + ($1>=2.22);
-+}
-+
-+if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
-+	    `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
-+	$avx = ($1>=2.09) + ($1>=2.10);
-+}
-+
-+if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
-+	    `ml64 2>&1` =~ /Version ([0-9]+)\./) {
-+	$avx = ($1>=10) + ($1>=11);
-+}
-+
-+if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
-+	my $ver = $2 + $3/100.0;	# 3.1->3.01, 3.10->3.10
-+	$avx = ($ver>=3.0) + ($ver>=3.01);
-+}
-+
-+if ($avx>=1) {{
-+
-+sub chacha_qr {
-+my ($a,$b,$c,$d,$tmp)=@_;
-+$code.=<<___;
-+
-+	vpaddd	$b, $a, $a	# a += b
-+	vpxor	$a, $d, $d	# d ^= a
-+	vpshufb	.rol16(%rip), $d, $d	# d <<<= 16
-+
-+	vpaddd	$d, $c, $c	# c += d
-+	vpxor	$c, $b, $b	# b ^= c
-+	vpslld	\$12, $b, $tmp
-+	vpsrld	\$20, $b, $b
-+	vpxor	$tmp, $b, $b	# b <<<= 12
-+
-+	vpaddd	$b, $a, $a	# a += b
-+	vpxor	$a, $d, $d	# d ^= a
-+	vpshufb	.rol8(%rip), $d, $d	# d <<<= 8
-+
-+	vpaddd	$d, $c, $c	# c += d
-+	vpxor	$c, $b, $b	# b ^= c
-+
-+	vpslld	\$7, $b, $tmp
-+	vpsrld	\$25, $b, $b
-+	vpxor	$tmp, $b, $b	# b <<<= 7
-+___
-+}
-+
-+
-+$code.=<<___;
-+.text
-+.align 16
-+chacha20_consts:
-+.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
-+.rol8:
-+.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
-+.rol16:
-+.byte 2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13
-+.avxInc:
-+.quad 1,0
-+___
-+
-+{
-+my ($state_4567, $state_89ab, $state_cdef, $tmp,
-+    $v0, $v1, $v2, $v3, $v4, $v5, $v6, $v7,
-+    $v8, $v9, $v10, $v11)=map("%xmm$_",(0..15));
-+
-+my ($out, $in, $in_len, $key_ptr, $nonce_ptr, $counter, $nr)
-+   =("%rdi", "%rsi", "%rdx", "%rcx", "%r8", "%r9", "%rax");
-+
-+$code.=<<___;
-+.globl chacha_20_core_avx
-+.type  chacha_20_core_avx ,\@function,2
-+.align 64
-+chacha_20_core_avx:
-+	vzeroupper
-+
-+	# Init state
-+	vmovdqu	16*0($key_ptr), $state_4567
-+	vmovdqu	16*1($key_ptr), $state_89ab
-+	vmovq	$counter, $state_cdef
-+	vpinsrq	\$1, ($nonce_ptr), $state_cdef, $state_cdef
-+2:
-+	cmp	\$3*64, $in_len
-+	jb	2f
-+
-+	vmovdqa	chacha20_consts(%rip), $v0
-+	vmovdqa	chacha20_consts(%rip), $v4
-+	vmovdqa	chacha20_consts(%rip), $v8
-+
-+	vmovdqa	$state_4567, $v1
-+	vmovdqa	$state_4567, $v5
-+	vmovdqa	$state_4567, $v9
-+
-+	vmovdqa	$state_89ab, $v2
-+	vmovdqa	$state_89ab, $v6
-+	vmovdqa	$state_89ab, $v10
-+
-+	vmovdqa	$state_cdef, $v3
-+	vpaddq	.avxInc(%rip), $v3, $v7
-+	vpaddq	.avxInc(%rip), $v7, $v11
-+
-+	mov	\$10, $nr
-+
-+	1:
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+		&chacha_qr($v8,$v9,$v10,$v11,$tmp);
-+$code.=<<___;
-+		vpalignr \$4, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$12, $v3, $v3, $v3
-+		vpalignr \$4, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$12, $v7, $v7, $v7
-+		vpalignr \$4, $v9, $v9, $v9
-+		vpalignr \$8, $v10, $v10, $v10
-+		vpalignr \$12, $v11, $v11, $v11
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+		&chacha_qr($v8,$v9,$v10,$v11,$tmp);
-+$code.=<<___;
-+		vpalignr \$12, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$4, $v3, $v3, $v3
-+		vpalignr \$12, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$4, $v7, $v7, $v7
-+		vpalignr \$12, $v9, $v9, $v9
-+		vpalignr \$8, $v10, $v10, $v10
-+		vpalignr \$4, $v11, $v11, $v11
-+
-+		dec	$nr
-+
-+	jnz	1b
-+
-+	vpaddd	chacha20_consts(%rip), $v0, $v0
-+	vpaddd	chacha20_consts(%rip), $v4, $v4
-+	vpaddd	chacha20_consts(%rip), $v8, $v8
-+
-+	vpaddd	$state_4567, $v1, $v1
-+	vpaddd	$state_4567, $v5, $v5
-+	vpaddd	$state_4567, $v9, $v9
-+
-+	vpaddd	$state_89ab, $v2, $v2
-+	vpaddd	$state_89ab, $v6, $v6
-+	vpaddd	$state_89ab, $v10, $v10
-+
-+	vpaddd	$state_cdef, $v3, $v3
-+	vpaddq	.avxInc(%rip), $state_cdef, $state_cdef
-+	vpaddd	$state_cdef, $v7, $v7
-+	vpaddq	.avxInc(%rip), $state_cdef, $state_cdef
-+	vpaddd	$state_cdef, $v11, $v11
-+	vpaddq	.avxInc(%rip), $state_cdef, $state_cdef
-+
-+	vpxor	16*0($in), $v0, $v0
-+	vpxor	16*1($in), $v1, $v1
-+	vpxor	16*2($in), $v2, $v2
-+	vpxor	16*3($in), $v3, $v3
-+
-+	vmovdqu	$v0, 16*0($out)
-+	vmovdqu	$v1, 16*1($out)
-+	vmovdqu	$v2, 16*2($out)
-+	vmovdqu	$v3, 16*3($out)
-+
-+	vpxor	16*4($in), $v4, $v4
-+	vpxor	16*5($in), $v5, $v5
-+	vpxor	16*6($in), $v6, $v6
-+	vpxor	16*7($in), $v7, $v7
-+
-+	vmovdqu	$v4, 16*4($out)
-+	vmovdqu	$v5, 16*5($out)
-+	vmovdqu	$v6, 16*6($out)
-+	vmovdqu	$v7, 16*7($out)
-+
-+	vpxor	16*8($in), $v8, $v8
-+	vpxor	16*9($in), $v9, $v9
-+	vpxor	16*10($in), $v10, $v10
-+	vpxor	16*11($in), $v11, $v11
-+
-+	vmovdqu	$v8, 16*8($out)
-+	vmovdqu	$v9, 16*9($out)
-+	vmovdqu	$v10, 16*10($out)
-+	vmovdqu	$v11, 16*11($out)
-+
-+	lea	16*12($in), $in
-+	lea	16*12($out), $out
-+	sub	\$16*12, $in_len
-+
-+	jmp	2b
-+
-+2:
-+	cmp	\$2*64, $in_len
-+	jb	2f
-+
-+	vmovdqa	chacha20_consts(%rip), $v0
-+	vmovdqa	chacha20_consts(%rip), $v4
-+	vmovdqa	$state_4567, $v1
-+	vmovdqa	$state_4567, $v5
-+	vmovdqa	$state_89ab, $v2
-+	vmovdqa	$state_89ab, $v6
-+	vmovdqa	$state_89ab, $v10
-+	vmovdqa	$state_cdef, $v3
-+	vpaddq	.avxInc(%rip), $v3, $v7
-+
-+	mov	\$10, $nr
-+
-+	1:
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+$code.=<<___;
-+		vpalignr \$4, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$12, $v3, $v3, $v3
-+		vpalignr \$4, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$12, $v7, $v7, $v7
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+$code.=<<___;
-+		vpalignr \$12, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$4, $v3, $v3, $v3
-+		vpalignr \$12, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$4, $v7, $v7, $v7
-+
-+		dec	$nr
-+
-+	jnz	1b
-+
-+	vpaddd	chacha20_consts(%rip), $v0, $v0
-+	vpaddd	chacha20_consts(%rip), $v4, $v4
-+
-+	vpaddd	$state_4567, $v1, $v1
-+	vpaddd	$state_4567, $v5, $v5
-+
-+	vpaddd	$state_89ab, $v2, $v2
-+	vpaddd	$state_89ab, $v6, $v6
-+
-+	vpaddd	$state_cdef, $v3, $v3
-+	vpaddq	.avxInc(%rip), $state_cdef, $state_cdef
-+	vpaddd	$state_cdef, $v7, $v7
-+	vpaddq	.avxInc(%rip), $state_cdef, $state_cdef
-+
-+	vpxor	16*0($in), $v0, $v0
-+	vpxor	16*1($in), $v1, $v1
-+	vpxor	16*2($in), $v2, $v2
-+	vpxor	16*3($in), $v3, $v3
-+
-+	vmovdqu	$v0, 16*0($out)
-+	vmovdqu	$v1, 16*1($out)
-+	vmovdqu	$v2, 16*2($out)
-+	vmovdqu	$v3, 16*3($out)
-+
-+	vpxor	16*4($in), $v4, $v4
-+	vpxor	16*5($in), $v5, $v5
-+	vpxor	16*6($in), $v6, $v6
-+	vpxor	16*7($in), $v7, $v7
-+
-+	vmovdqu	$v4, 16*4($out)
-+	vmovdqu	$v5, 16*5($out)
-+	vmovdqu	$v6, 16*6($out)
-+	vmovdqu	$v7, 16*7($out)
-+
-+	lea	16*8($in), $in
-+	lea	16*8($out), $out
-+	sub	\$16*8, $in_len
-+
-+	jmp	2b
-+2:
-+	cmp	\$64, $in_len
-+	jb	2f
-+
-+	vmovdqa	chacha20_consts(%rip), $v0
-+	vmovdqa	$state_4567, $v1
-+	vmovdqa	$state_89ab, $v2
-+	vmovdqa	$state_cdef, $v3
-+
-+	mov	\$10, $nr
-+
-+	1:
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+$code.=<<___;
-+		vpalignr	\$4, $v1, $v1, $v1
-+		vpalignr	\$8, $v2, $v2, $v2
-+		vpalignr	\$12, $v3, $v3, $v3
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+$code.=<<___;
-+		vpalignr	\$12, $v1, $v1, $v1
-+		vpalignr	\$8, $v2, $v2, $v2
-+		vpalignr	\$4, $v3, $v3, $v3
-+
-+		dec	$nr
-+	jnz	1b
-+
-+	vpaddd	chacha20_consts(%rip), $v0, $v0
-+	vpaddd	$state_4567, $v1, $v1
-+	vpaddd	$state_89ab, $v2, $v2
-+	vpaddd	$state_cdef, $v3, $v3
-+	vpaddq	.avxInc(%rip), $state_cdef, $state_cdef
-+
-+	vpxor	16*0($in), $v0, $v0
-+	vpxor	16*1($in), $v1, $v1
-+	vpxor	16*2($in), $v2, $v2
-+	vpxor	16*3($in), $v3, $v3
-+
-+	vmovdqu	$v0, 16*0($out)
-+	vmovdqu	$v1, 16*1($out)
-+	vmovdqu	$v2, 16*2($out)
-+	vmovdqu	$v3, 16*3($out)
-+
-+	lea	16*4($in), $in
-+	lea	16*4($out), $out
-+	sub	\$16*4, $in_len
-+	jmp	2b
-+2:
-+	vzeroupper
-+	ret
-+.size	chacha_20_core_avx,.-chacha_20_core_avx
-+___
-+}
-+}}
-+
-+
-+$code =~ s/\`([^\`]*)\`/eval($1)/gem;
-+
-+print $code;
-+
-+close STDOUT;
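Review bot: `.type  chacha_20_core_avx ,\@function,2` declares two arguments, but the body reads six (`%rdi`, `%rsi`, `%rdx`, `%rcx`, `%r8`, `%r9`) and maps its working set onto all of `%xmm0` to `%xmm15`. The script detects `$win64` and pipes through x86_64-xlate.pl, which uses that count to remap Win64 argument registers, so on Win64 only the first two arguments would be moved into place, and xmm6 to xmm15, which are callee-saved there, are clobbered without being saved. Set the count to 6 and save/restore those registers, or drop the Win64 handling. The routine also consumes only whole 64-byte blocks: at the final `2:` it returns with any tail shorter than 64 bytes untouched, which should be stated in a comment so callers know to handle the remainder. Minor: in the two-block path `vmovdqa $state_89ab, $v10` is a dead store, since `$v10` is not used there.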
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx2.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx2.pl
---- openssl-1.0.2e/crypto/chacha20poly1305/asm/chacha20_avx2.pl	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/chacha20_avx2.pl	2016-02-08 16:12:00.595614754 +0100
-@@ -0,0 +1,424 @@
-+#!/usr/bin/env perl
-+
-+##############################################################################
-+#                                                                            #
-+# Copyright 2014 Intel Corporation                                           #
-+#                                                                            #
-+# Licensed under the Apache License, Version 2.0 (the "License");            #
-+# you may not use this file except in compliance with the License.           #
-+# You may obtain a copy of the License at                                    #
-+#                                                                            #
-+#    http://www.apache.org/licenses/LICENSE-2.0                              #
-+#                                                                            #
-+# Unless required by applicable law or agreed to in writing, software        #
-+# distributed under the License is distributed on an "AS IS" BASIS,          #
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-+# See the License for the specific language governing permissions and        #
-+# limitations under the License.                                             #
-+#                                                                            #
-+##############################################################################
-+#                                                                            #
-+#  Developers and authors:                                                   #
-+#  Shay Gueron (1, 2), and Vlad Krasnov (1)                                  #
-+#  (1) Intel Corporation, Israel Development Center                          #
-+#  (2) University of Haifa                                                   #
-+#                                                                            #
-+# Related work:                                                              #
-+# M. Goll, S. Gueron, "Vectorization on ChaCha Stream Cipher", IEEE          #
-+#          Proceedings of 11th International Conference on Information       #
-+#          Technology: New Generations (ITNG 2014), 612-615 (2014).          #
-+# M. Goll, S. Gueron, "Vectorization on Poly1305 Message Authentication Code"#
-+#           to be published.                                                 #
-+# A. Langley, chacha20poly1305 for the AEAD head                             #
-+# https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9a8646510b3d0a48e950748f7a2aaa12ed40d5e0  #
-+##############################################################################
-+
-+$flavour = shift;
-+$output  = shift;
-+if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-+
-+$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-+die "can't locate x86_64-xlate.pl";
-+
-+open OUT,"| \"$^X\" $xlate $flavour $output";
-+*STDOUT=*OUT;
-+
-+if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-+		=~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-+	$avx = ($1>=2.19) + ($1>=2.22);
-+}
-+
-+if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
-+	    `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
-+	$avx = ($1>=2.09) + ($1>=2.10);
-+}
-+
-+if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
-+	    `ml64 2>&1` =~ /Version ([0-9]+)\./) {
-+	$avx = ($1>=10) + ($1>=11);
-+}
-+
-+if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
-+	my $ver = $2 + $3/100.0;	# 3.1->3.01, 3.10->3.10
-+	$avx = ($ver>=3.0) + ($ver>=3.01);
-+}
-+
-+if ($avx>=2) {{
-+
-+sub chacha_qr {
-+my ($a,$b,$c,$d,$tmp)=@_;
-+$code.=<<___;
-+
-+	vpaddd	$b, $a, $a	# a += b
-+	vpxor	$a, $d, $d	# d ^= a
-+	vpshufb	.rol16(%rip), $d, $d	# d <<<= 16
-+
-+	vpaddd	$d, $c, $c	# c += d
-+	vpxor	$c, $b, $b	# b ^= c
-+	vpslld	\$12, $b, $tmp
-+	vpsrld	\$20, $b, $b
-+	vpxor	$tmp, $b, $b	# b <<<= 12
-+
-+	vpaddd	$b, $a, $a	# a += b
-+	vpxor	$a, $d, $d	# d ^= a
-+	vpshufb	.rol8(%rip), $d, $d	# d <<<= 8
-+
-+	vpaddd	$d, $c, $c	# c += d
-+	vpxor	$c, $b, $b	# b ^= c
-+
-+	vpslld	\$7, $b, $tmp
-+	vpsrld	\$25, $b, $b
-+	vpxor	$tmp, $b, $b	# b <<<= 7
-+___
-+}
-+
-+
-+$code.=<<___;
-+.text
-+.align 32
-+chacha20_consts:
-+.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
-+.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'
-+.rol8:
-+.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
-+.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14
-+.rol16:
-+.byte 2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13
-+.byte 2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13
-+.avx2Init:
-+.quad 0,0,1,0
-+.avx2Inc:
-+.quad 2,0,2,0
-+___
-+
-+{
-+my ($state_4567, $state_89ab, $state_cdef, $tmp,
-+    $v0, $v1, $v2, $v3, $v4, $v5, $v6, $v7,
-+    $v8, $v9, $v10, $v11)=map("%ymm$_",(0..15));
-+
-+my $state_cdef_xmm="%xmm2";
-+
-+my ($out, $in, $in_len, $key_ptr, $nonce_ptr, $counter, $nr)
-+   =("%rdi", "%rsi", "%rdx", "%rcx", "%r8", "%r9", "%rax");
-+
-+$code.=<<___;
-+.globl chacha_20_core_avx2
-+.type  chacha_20_core_avx2 ,\@function,2
-+.align 64
-+chacha_20_core_avx2:
-+	vzeroupper
-+
-+	# Init state
-+	vbroadcasti128	16*0($key_ptr), $state_4567
-+	vbroadcasti128	16*1($key_ptr), $state_89ab
-+	vmovq		$counter, $state_cdef_xmm
-+	vpinsrq		\$1, ($nonce_ptr), $state_cdef_xmm, $state_cdef_xmm
-+	vperm2i128	\$0x00, $state_cdef, $state_cdef, $state_cdef
-+	vpaddq		.avx2Init(%rip), $state_cdef, $state_cdef
-+
-+2:
-+	cmp	\$6*64, $in_len
-+	jb	2f
-+
-+	vmovdqa	chacha20_consts(%rip), $v0
-+	vmovdqa	chacha20_consts(%rip), $v4
-+	vmovdqa	chacha20_consts(%rip), $v8
-+
-+	vmovdqa	$state_4567, $v1
-+	vmovdqa	$state_4567, $v5
-+	vmovdqa	$state_4567, $v9
-+
-+	vmovdqa	$state_89ab, $v2
-+	vmovdqa	$state_89ab, $v6
-+	vmovdqa	$state_89ab, $v10
-+
-+	vmovdqa	$state_cdef, $v3
-+	vpaddq	.avx2Inc(%rip), $v3, $v7
-+	vpaddq	.avx2Inc(%rip), $v7, $v11
-+
-+	mov	\$10, $nr
-+
-+	1:
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+		&chacha_qr($v8,$v9,$v10,$v11,$tmp);
-+$code.=<<___;
-+		vpalignr \$4, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$12, $v3, $v3, $v3
-+		vpalignr \$4, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$12, $v7, $v7, $v7
-+		vpalignr \$4, $v9, $v9, $v9
-+		vpalignr \$8, $v10, $v10, $v10
-+		vpalignr \$12, $v11, $v11, $v11
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+		&chacha_qr($v8,$v9,$v10,$v11,$tmp);
-+$code.=<<___;
-+		vpalignr \$12, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$4, $v3, $v3, $v3
-+		vpalignr \$12, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$4, $v7, $v7, $v7
-+		vpalignr \$12, $v9, $v9, $v9
-+		vpalignr \$8, $v10, $v10, $v10
-+		vpalignr \$4, $v11, $v11, $v11
-+
-+		dec	$nr
-+
-+	jnz	1b
-+
-+	vpaddd	chacha20_consts(%rip), $v0, $v0
-+	vpaddd	chacha20_consts(%rip), $v4, $v4
-+	vpaddd	chacha20_consts(%rip), $v8, $v8
-+
-+	vpaddd	$state_4567, $v1, $v1
-+	vpaddd	$state_4567, $v5, $v5
-+	vpaddd	$state_4567, $v9, $v9
-+
-+	vpaddd	$state_89ab, $v2, $v2
-+	vpaddd	$state_89ab, $v6, $v6
-+	vpaddd	$state_89ab, $v10, $v10
-+
-+	vpaddd	$state_cdef, $v3, $v3
-+	vpaddq	.avx2Inc(%rip), $state_cdef, $state_cdef
-+	vpaddd	$state_cdef, $v7, $v7
-+	vpaddq	.avx2Inc(%rip), $state_cdef, $state_cdef
-+	vpaddd	$state_cdef, $v11, $v11
-+	vpaddq	.avx2Inc(%rip), $state_cdef, $state_cdef
-+
-+	vperm2i128	\$0x02, $v0, $v1, $tmp
-+	vpxor	32*0($in), $tmp, $tmp
-+	vmovdqu	$tmp, 32*0($out)
-+	vperm2i128	\$0x02, $v2, $v3, $tmp
-+	vpxor	32*1($in), $tmp, $tmp
-+	vmovdqu	$tmp, 32*1($out)
-+	vperm2i128	\$0x13, $v0, $v1, $tmp
-+	vpxor	32*2($in), $tmp, $tmp
-+	vmovdqu	$tmp, 32*2($out)
-+	vperm2i128	\$0x13, $v2, $v3, $tmp
-+	vpxor	32*3($in), $tmp, $tmp
-+	vmovdqu	$tmp, 32*3($out)
-+
-+	vperm2i128	\$0x02, $v4, $v5, $v0
-+	vperm2i128	\$0x02, $v6, $v7, $v1
-+	vperm2i128	\$0x13, $v4, $v5, $v2
-+	vperm2i128	\$0x13, $v6, $v7, $v3
-+
-+	vpxor	32*4($in), $v0, $v0
-+	vpxor	32*5($in), $v1, $v1
-+	vpxor	32*6($in), $v2, $v2
-+	vpxor	32*7($in), $v3, $v3
-+
-+	vmovdqu	$v0, 32*4($out)
-+	vmovdqu	$v1, 32*5($out)
-+	vmovdqu	$v2, 32*6($out)
-+	vmovdqu	$v3, 32*7($out)
-+
-+	vperm2i128	\$0x02, $v8, $v9, $v0
-+	vperm2i128	\$0x02, $v10, $v11, $v1
-+	vperm2i128	\$0x13, $v8, $v9, $v2
-+	vperm2i128	\$0x13, $v10, $v11, $v3
-+
-+	vpxor	32*8($in), $v0, $v0
-+	vpxor	32*9($in), $v1, $v1
-+	vpxor	32*10($in), $v2, $v2
-+	vpxor	32*11($in), $v3, $v3
-+
-+	vmovdqu	$v0, 32*8($out)
-+	vmovdqu	$v1, 32*9($out)
-+	vmovdqu	$v2, 32*10($out)
-+	vmovdqu	$v3, 32*11($out)
-+
-+	lea	64*6($in), $in
-+	lea	64*6($out), $out
-+	sub	\$64*6, $in_len
-+
-+	jmp	2b
-+
-+2:
-+	cmp	\$4*64, $in_len
-+	jb	2f
-+
-+	vmovdqa	chacha20_consts(%rip), $v0
-+	vmovdqa	chacha20_consts(%rip), $v4
-+	vmovdqa	$state_4567, $v1
-+	vmovdqa	$state_4567, $v5
-+	vmovdqa	$state_89ab, $v2
-+	vmovdqa	$state_89ab, $v6
-+	vmovdqa	$state_89ab, $v10
-+	vmovdqa	$state_cdef, $v3
-+	vpaddq	.avx2Inc(%rip), $v3, $v7
-+
-+	mov	\$10, $nr
-+
-+	1:
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+$code.=<<___;
-+		vpalignr \$4, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$12, $v3, $v3, $v3
-+		vpalignr \$4, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$12, $v7, $v7, $v7
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+		&chacha_qr($v4,$v5,$v6,$v7,$tmp);
-+$code.=<<___;
-+		vpalignr \$12, $v1, $v1, $v1
-+		vpalignr \$8, $v2, $v2, $v2
-+		vpalignr \$4, $v3, $v3, $v3
-+		vpalignr \$12, $v5, $v5, $v5
-+		vpalignr \$8, $v6, $v6, $v6
-+		vpalignr \$4, $v7, $v7, $v7
-+
-+		dec	$nr
-+
-+	jnz	1b
-+
-+	vpaddd	chacha20_consts(%rip), $v0, $v0
-+	vpaddd	chacha20_consts(%rip), $v4, $v4
-+
-+	vpaddd	$state_4567, $v1, $v1
-+	vpaddd	$state_4567, $v5, $v5
-+
-+	vpaddd	$state_89ab, $v2, $v2
-+	vpaddd	$state_89ab, $v6, $v6
-+
-+	vpaddd	$state_cdef, $v3, $v3
-+	vpaddq	.avx2Inc(%rip), $state_cdef, $state_cdef
-+	vpaddd	$state_cdef, $v7, $v7
-+	vpaddq	.avx2Inc(%rip), $state_cdef, $state_cdef
-+
-+	vperm2i128	\$0x02, $v0, $v1, $v8
-+	vperm2i128	\$0x02, $v2, $v3, $v9
-+	vperm2i128	\$0x13, $v0, $v1, $v10
-+	vperm2i128	\$0x13, $v2, $v3, $v11
-+
-+	vpxor	32*0($in), $v8, $v8
-+	vpxor	32*1($in), $v9, $v9
-+	vpxor	32*2($in), $v10, $v10
-+	vpxor	32*3($in), $v11, $v11
-+
-+	vmovdqu	$v8, 32*0($out)
-+	vmovdqu	$v9, 32*1($out)
-+	vmovdqu	$v10, 32*2($out)
-+	vmovdqu	$v11, 32*3($out)
-+
-+	vperm2i128	\$0x02, $v4, $v5, $v0
-+	vperm2i128	\$0x02, $v6, $v7, $v1
-+	vperm2i128	\$0x13, $v4, $v5, $v2
-+	vperm2i128	\$0x13, $v6, $v7, $v3
-+
-+	vpxor	32*4($in), $v0, $v0
-+	vpxor	32*5($in), $v1, $v1
-+	vpxor	32*6($in), $v2, $v2
-+	vpxor	32*7($in), $v3, $v3
-+
-+	vmovdqu	$v0, 32*4($out)
-+	vmovdqu	$v1, 32*5($out)
-+	vmovdqu	$v2, 32*6($out)
-+	vmovdqu	$v3, 32*7($out)
-+
-+	lea	64*4($in), $in
-+	lea	64*4($out), $out
-+	sub	\$64*4, $in_len
-+
-+	jmp	2b
-+2:
-+	cmp	\$128, $in_len
-+	jb	2f
-+
-+	vmovdqa	chacha20_consts(%rip), $v0
-+	vmovdqa	$state_4567, $v1
-+	vmovdqa	$state_89ab, $v2
-+	vmovdqa	$state_cdef, $v3
-+
-+	mov	\$10, $nr
-+
-+	1:
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+$code.=<<___;
-+		vpalignr	\$4, $v1, $v1, $v1
-+		vpalignr	\$8, $v2, $v2, $v2
-+		vpalignr	\$12, $v3, $v3, $v3
-+___
-+		&chacha_qr($v0,$v1,$v2,$v3,$tmp);
-+$code.=<<___;
-+		vpalignr	\$12, $v1, $v1, $v1
-+		vpalignr	\$8, $v2, $v2, $v2
-+		vpalignr	\$4, $v3, $v3, $v3
-+
-+		dec	$nr
-+	jnz	1b
-+
-+	vpaddd	chacha20_consts(%rip), $v0, $v0
-+	vpaddd	$state_4567, $v1, $v1
-+	vpaddd	$state_89ab, $v2, $v2
-+	vpaddd	$state_cdef, $v3, $v3
-+	vpaddq	.avx2Inc(%rip), $state_cdef, $state_cdef
-+
-+	vperm2i128	\$0x02, $v0, $v1, $v8
-+	vperm2i128	\$0x02, $v2, $v3, $v9
-+	vperm2i128	\$0x13, $v0, $v1, $v10
-+	vperm2i128	\$0x13, $v2, $v3, $v11
-+
-+	vpxor	32*0($in), $v8, $v8
-+	vpxor	32*1($in), $v9, $v9
-+	vpxor	32*2($in), $v10, $v10
-+	vpxor	32*3($in), $v11, $v11
-+
-+	vmovdqu	$v8, 32*0($out)
-+	vmovdqu	$v9, 32*1($out)
-+	vmovdqu	$v10, 32*2($out)
-+	vmovdqu	$v11, 32*3($out)
-+
-+	lea	64*2($in), $in
-+	lea	64*2($out), $out
-+	sub	\$64*2, $in_len
-+	jmp	2b
-+2:
-+	vzeroupper
-+	ret
-+.size	chacha_20_core_avx2,.-chacha_20_core_avx2
-+___
-+}
-+}}
-+
-+
-+$code =~ s/\`([^\`]*)\`/eval($1)/gem;
-+
-+print $code;
-+
-+close STDOUT;
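Review bot: In the 4x64-byte path the load "vmovdqa $state_89ab, $v10" looks like a leftover from the six-block path: nothing reads $v10 before "vperm2i128 \$0x13, $v0, $v1, $v10" overwrites it, and both chacha_qr calls in that loop only take $v0..$v7 and $tmp, so the load can be dropped. The epilogue at the final "2:" returns with up to 127 bytes still counted in $in_len and with the advanced counter held only in $state_cdef; nothing in these lines writes either back, so a comment stating what the caller must do with the tail and the counter would help. The closing "close STDOUT;" is also unchecked, so an error while flushing the generated assembly goes unnoticed by the build; "close STDOUT or die ..." would catch it.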
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx.pl
---- openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx.pl	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx.pl	2016-02-08 16:12:00.596614754 +0100
-@@ -0,0 +1,717 @@
-+##############################################################################
-+#                                                                            #
-+# Copyright 2014 Intel Corporation                                           #
-+#                                                                            #
-+# Licensed under the Apache License, Version 2.0 (the "License");            #
-+# you may not use this file except in compliance with the License.           #
-+# You may obtain a copy of the License at                                    #
-+#                                                                            #
-+#    http://www.apache.org/licenses/LICENSE-2.0                              #
-+#                                                                            #
-+# Unless required by applicable law or agreed to in writing, software        #
-+# distributed under the License is distributed on an "AS IS" BASIS,          #
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-+# See the License for the specific language governing permissions and        #
-+# limitations under the License.                                             #
-+#                                                                            #
-+##############################################################################
-+#                                                                            #
-+#  Developers and authors:                                                   #
-+#  Shay Gueron (1, 2), and Vlad Krasnov (1)                                  #
-+#  (1) Intel Corporation, Israel Development Center                          #
-+#  (2) University of Haifa                                                   #
-+#                                                                            #
-+##############################################################################
-+# state:
-+#  0: r[0] || r^2[0]
-+# 16: r[1] || r^2[1]
-+# 32: r[2] || r^2[2]
-+# 48: r[3] || r^2[3]
-+# 64: r[4] || r^2[4]
-+# 80: r[1]*5 || r^2[1]*5
-+# 96: r[2]*5 || r^2[2]*5
-+#112: r[3]*5 || r^2[3]*5
-+#128: r[4]*5 || r^2[4]*5
-+#144: k
-+#160: A0
-+#164: A1
-+#168: A2
-+#172: A3
-+#176: A4
-+#180: END
-+
-+$flavour = shift;
-+$output  = shift;
-+if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-+
-+$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-+die "can't locate x86_64-xlate.pl";
-+
-+open OUT,"| \"$^X\" $xlate $flavour $output";
-+*STDOUT=*OUT;
-+
-+if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-+                =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-+        $avx = ($1>=2.19) + ($1>=2.22);
-+}
-+
-+if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
-+            `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
-+        $avx = ($1>=2.09) + ($1>=2.10);
-+}
-+
-+if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
-+            `ml64 2>&1` =~ /Version ([0-9]+)\./) {
-+        $avx = ($1>=10) + ($1>=11);
-+}
-+
-+if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
-+        my $ver = $2 + $3/100.0;        # 3.1->3.01, 3.10->3.10
-+        $avx = ($ver>=3.0) + ($ver>=3.01);
-+}
-+
-+if ($avx>=1) {{
-+
-+my ($_r0_, $_r1_, $_r2_, $_r3_, $_r4_, $_r1_x5, $_r2_x5, $_r3_x5, $_r4_x5, $_k_, $_A0_, $_A1_, $_A2_, $_A3_, $_A4_)
-+= (0,16,32,48,64,80,96,112,128,144,160,164,168,172,176);
-+
-+$code.=<<___;
-+.text
-+.align 32
-+.LandMask:
-+.quad 0x3FFFFFF, 0x3FFFFFF
-+.LsetBit:
-+.quad 0x1000000, 0x1000000
-+.LrSet:
-+.quad 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF
-+.quad 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC
-+.Lone:
-+.quad 1,0
-+___
-+
-+
-+{
-+my ($A0, $A1, $A2, $A3, $A4,
-+    $r0, $r1, $r2, $r3, $r4,
-+    $T0, $T1, $A5, $A6, $A7, $A8)=map("%xmm$_",(0..15));
-+my ($state, $key)
-+   =("%rdi", "%rsi");
-+
-+$code.=<<___;
-+################################################################################
-+# void poly1305_init_avx(void *state, uint8_t key[32])
-+
-+.globl poly1305_init_avx
-+.type poly1305_init_avx, \@function, 2
-+.align 64
-+poly1305_init_avx:
-+	vzeroupper
-+	# load and convert r
-+	vmovq	8*0($key), $r0
-+	vmovq	8*1($key), $T0
-+	vpand	.LrSet(%rip), $r0, $r0
-+	vpand	.LrSet+16(%rip), $T0, $T0
-+
-+	vpsrlq	\$26, $r0, $r1
-+	vpand	.LandMask(%rip), $r0, $r0
-+	vpsrlq	\$26, $r1, $r2
-+	vpand	.LandMask(%rip), $r1, $r1
-+	vpsllq	\$12, $T0, $T1
-+	vpxor	$T1, $r2, $r2
-+	vpsrlq	\$26, $r2, $r3
-+	vpsrlq	\$40, $T0, $r4
-+	vpand	.LandMask(%rip), $r2, $r2
-+	vpand	.LandMask(%rip), $r3, $r3
-+
-+	# SQR R
-+	vpmuludq	$r0, $r0, $A0
-+	vpmuludq	$r1, $r0, $A1
-+	vpmuludq	$r2, $r0, $A2
-+	vpmuludq	$r3, $r0, $A3
-+	vpmuludq	$r4, $r0, $A4
-+
-+	vpsllq		\$1, $A1, $A1
-+	vpsllq		\$1, $A2, $A2
-+	vpmuludq	$r1, $r1, $T0
-+	vpaddq		$T0, $A2, $A2
-+	vpmuludq	$r2, $r1, $T0
-+	vpaddq		$T0, $A3, $A3
-+	vpmuludq	$r3, $r1, $T0
-+	vpaddq		$T0, $A4, $A4
-+	vpmuludq	$r4, $r1, $A5
-+
-+	vpsllq		\$1, $A3, $A3
-+	vpsllq		\$1, $A4, $A4
-+	vpmuludq	$r2, $r2, $T0
-+	vpaddq		$T0, $A4, $A4
-+	vpmuludq	$r3, $r2, $T0
-+	vpaddq		$T0, $A5, $A5
-+	vpmuludq	$r4, $r2, $A6
-+
-+	vpsllq		\$1, $A5, $A5
-+	vpsllq		\$1, $A6, $A6
-+	vpmuludq	$r3, $r3, $T0
-+	vpaddq		$T0, $A6, $A6
-+	vpmuludq	$r4, $r3, $A7
-+
-+	vpsllq		\$1, $A7, $A7
-+	vpmuludq	$r4, $r4, $A8
-+
-+	# Reduce
-+	vpsrlq	\$26, $A4, $T0
-+	vpand	.LandMask(%rip), $A4, $A4
-+	vpaddq	$T0, $A5, $A5
-+
-+	vpsllq	\$2, $A5, $T0
-+	vpaddq	$T0, $A5, $A5
-+	vpsllq	\$2, $A6, $T0
-+	vpaddq	$T0, $A6, $A6
-+	vpsllq	\$2, $A7, $T0
-+	vpaddq	$T0, $A7, $A7
-+	vpsllq	\$2, $A8, $T0
-+	vpaddq	$T0, $A8, $A8
-+
-+	vpaddq	$A5, $A0, $A0
-+	vpaddq	$A6, $A1, $A1
-+	vpaddq	$A7, $A2, $A2
-+	vpaddq	$A8, $A3, $A3
-+
-+	vpsrlq	\$26, $A0, $T0
-+	vpand	.LandMask(%rip), $A0, $A0
-+	vpaddq	$T0, $A1, $A1
-+	vpsrlq	\$26, $A1, $T0
-+	vpand	.LandMask(%rip), $A1, $A1
-+	vpaddq	$T0, $A2, $A2
-+	vpsrlq	\$26, $A2, $T0
-+	vpand	.LandMask(%rip), $A2, $A2
-+	vpaddq	$T0, $A3, $A3
-+	vpsrlq	\$26, $A3, $T0
-+	vpand	.LandMask(%rip), $A3, $A3
-+	vpaddq	$T0, $A4, $A4
-+
-+	vpunpcklqdq	$r0, $A0, $r0
-+	vpunpcklqdq	$r1, $A1, $r1
-+	vpunpcklqdq	$r2, $A2, $r2
-+	vpunpcklqdq	$r3, $A3, $r3
-+	vpunpcklqdq	$r4, $A4, $r4
-+
-+	vmovdqu	$r0, $_r0_($state)
-+	vmovdqu	$r1, $_r1_($state)
-+	vmovdqu	$r2, $_r2_($state)
-+	vmovdqu	$r3, $_r3_($state)
-+	vmovdqu	$r4, $_r4_($state)
-+
-+	vpsllq	\$2, $r1, $A1
-+	vpsllq	\$2, $r2, $A2
-+	vpsllq	\$2, $r3, $A3
-+	vpsllq	\$2, $r4, $A4
-+
-+	vpaddq	$A1, $r1, $A1
-+	vpaddq	$A2, $r2, $A2
-+	vpaddq	$A3, $r3, $A3
-+	vpaddq	$A4, $r4, $A4
-+
-+	vmovdqu	$A1, $_r1_x5($state)
-+	vmovdqu	$A2, $_r2_x5($state)
-+	vmovdqu	$A3, $_r3_x5($state)
-+	vmovdqu	$A4, $_r4_x5($state)
-+	# Store k
-+	vmovdqu	16*1($key), $T0
-+	vmovdqu	$T0, $_k_($state)
-+	# Init the MAC value
-+	vpxor	$T0, $T0, $T0
-+	vmovdqu	$T0, $_A0_($state)
-+	vmovd	$T0, $_A4_($state)
-+	vzeroupper
-+	ret
-+.size poly1305_init_avx,.-poly1305_init_avx
-+___
-+}
-+
-+{
-+
-+my ($A0, $A1, $A2, $A3, $A4,
-+    $T0, $T1, $R0, $R1, $R2,
-+    $R3, $R4, $AND_MASK)=map("%xmm$_",(0..12));
-+
-+my ($state, $in, $in_len)=("%rdi", "%rsi", "%rdx");
-+
-+$code.=<<___;
-+
-+###############################################################################
-+# void* poly1305_update_avx(void* $state, void* in, uint64_t in_len)
-+.globl poly1305_update_avx
-+.type poly1305_update_avx, \@function, 2
-+.align 64
-+poly1305_update_avx:
-+
-+	vzeroupper
-+	vmovd	$_A0_($state), $A0
-+	vmovd	$_A1_($state), $A1
-+	vmovd	$_A2_($state), $A2
-+	vmovd	$_A3_($state), $A3
-+	vmovd	$_A4_($state), $A4
-+	vmovdqa	.LandMask(%rip), $AND_MASK
-+	# Skip to single block case
-+	cmp	\$32, $in_len
-+	jb	3f
-+1:
-+		cmp	\$16*4, $in_len
-+		jb	1f
-+		sub	\$16*2, $in_len
-+		# load the next two blocks
-+		vmovdqu	16*0($in), $R2
-+		vmovdqu	16*1($in), $R3
-+		add	\$16*2, $in
-+
-+		vpunpcklqdq	$R3, $R2, $R0
-+		vpunpckhqdq	$R3, $R2, $R1
-+
-+		vpsrlq	\$26, $R0, $R2
-+		vpand	$AND_MASK, $R0, $R0
-+		vpaddq	$R0, $A0, $A0
-+
-+		vpsrlq	\$26, $R2, $R0
-+		vpand	$AND_MASK, $R2, $R2
-+		vpaddq	$R2, $A1, $A1
-+
-+		vpsllq	\$12, $R1, $R2
-+		vpxor	$R2, $R0, $R0
-+		vpand	$AND_MASK, $R0, $R0
-+		vpaddq	$R0, $A2, $A2
-+
-+		vpsrlq	\$26, $R2, $R0
-+		vpsrlq	\$40, $R1, $R2
-+		vpand	$AND_MASK, $R0, $R0
-+		vpxor	.LsetBit(%rip), $R2, $R2
-+		vpaddq	$R0, $A3, $A3
-+		vpaddq	$R2, $A4, $A4
-+
-+		# Multiply input by R[0]
-+		vbroadcastss	$_r0_($state), $T0
-+		vpmuludq	$T0, $A0, $R0
-+		vpmuludq	$T0, $A1, $R1
-+		vpmuludq	$T0, $A2, $R2
-+		vpmuludq	$T0, $A3, $R3
-+		vpmuludq	$T0, $A4, $R4
-+		# Multiply input by R[1] (and R[1]*5)
-+		vbroadcastss	$_r1_x5($state), $T0
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vbroadcastss	$_r1_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R4, $R4
-+		# Etc
-+		vbroadcastss	$_r2_x5($state), $T0
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vbroadcastss	$_r2_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R4, $R4
-+
-+		vbroadcastss	$_r3_x5($state), $T0
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vbroadcastss	$_r3_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R4, $R4
-+
-+		vbroadcastss	$_r4_x5($state), $T0
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vbroadcastss	$_r4_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R4, $R4
-+		# Reduce
-+		vpsrlq	\$26, $R3, $T0
-+		vpaddq	$T0, $R4, $R4
-+		vpand	$AND_MASK, $R3, $R3
-+
-+		vpsrlq	\$26, $R4, $T0
-+		vpsllq	\$2, $T0, $T1
-+		vpaddq	$T1, $T0, $T0
-+		vpaddq	$T0, $R0, $R0
-+		vpand	$AND_MASK, $R4, $R4
-+
-+		vpsrlq	\$26, $R0, $T0
-+		vpand	$AND_MASK, $R0, $A0
-+		vpaddq	$T0, $R1, $R1
-+		vpsrlq	\$26, $R1, $T0
-+		vpand	$AND_MASK, $R1, $A1
-+		vpaddq	$T0, $R2, $R2
-+		vpsrlq	\$26, $R2, $T0
-+		vpand	$AND_MASK, $R2, $A2
-+		vpaddq	$T0, $R3, $R3
-+		vpsrlq	\$26, $R3, $T0
-+		vpand	$AND_MASK, $R3, $A3
-+		vpaddq	$T0, $R4, $A4
-+	jmp 1b
-+1:
-+	cmp	\$16*2, $in_len
-+	jb	1f
-+	sub	\$16*2, $in_len
-+	# load the next two blocks
-+	vmovdqu	16*0($in), $R2
-+	vmovdqu	16*1($in), $R3
-+	add	\$16*2, $in
-+
-+	vpunpcklqdq	$R3, $R2, $R0
-+	vpunpckhqdq	$R3, $R2, $R1
-+
-+	vpsrlq	\$26, $R0, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A0, $A0
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpand	$AND_MASK, $R2, $R2
-+	vpaddq	$R2, $A1, $A1
-+
-+	vpsllq	\$12, $R1, $R2
-+	vpxor	$R2, $R0, $R0
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A2, $A2
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpsrlq	\$40, $R1, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpxor	.LsetBit(%rip), $R2, $R2
-+	vpaddq	$R0, $A3, $A3
-+	vpaddq	$R2, $A4, $A4
-+
-+	# Multiply input by R[0]
-+	vmovdqu		$_r0_($state), $T0
-+	vpmuludq	$T0, $A0, $R0
-+	vpmuludq	$T0, $A1, $R1
-+	vpmuludq	$T0, $A2, $R2
-+	vpmuludq	$T0, $A3, $R3
-+	vpmuludq	$T0, $A4, $R4
-+	# Multiply input by R[1] (and R[1]*5)
-+	vmovdqu		$_r1_x5($state), $T0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vmovdqu		$_r1_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R4, $R4
-+	# Etc
-+	vmovdqu		$_r2_x5($state), $T0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vmovdqu		$_r2_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovdqu		$_r3_x5($state), $T0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vmovdqu		$_r3_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovdqu		$_r4_x5($state), $T0
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vmovdqu		$_r4_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R4, $R4
-+1:
-+	vpsrldq	\$8, $R0, $A0
-+	vpsrldq	\$8, $R1, $A1
-+	vpsrldq	\$8, $R2, $A2
-+	vpsrldq	\$8, $R3, $A3
-+	vpsrldq	\$8, $R4, $A4
-+
-+	vpaddq	$R0, $A0, $A0
-+	vpaddq	$R1, $A1, $A1
-+	vpaddq	$R2, $A2, $A2
-+	vpaddq	$R3, $A3, $A3
-+	vpaddq	$R4, $A4, $A4
-+	# Reduce
-+	vpsrlq	\$26, $A3, $T0
-+	vpaddq	$T0, $A4, $A4
-+	vpand	$AND_MASK, $A3, $A3
-+	vpsrlq	\$26, $A4, $T0
-+	vpsllq	\$2, $T0, $T1
-+	vpaddq	$T1, $T0, $T0
-+	vpaddq	$T0, $A0, $A0
-+	vpand	$AND_MASK, $A4, $A4
-+	vpsrlq	\$26, $A0, $T0
-+	vpand	$AND_MASK, $A0, $A0
-+	vpaddq	$T0, $A1, $A1
-+	vpsrlq	\$26, $A1, $T0
-+	vpand	$AND_MASK, $A1, $A1
-+	vpaddq	$T0, $A2, $A2
-+	vpsrlq	\$26, $A2, $T0
-+	vpand	$AND_MASK, $A2, $A2
-+	vpaddq	$T0, $A3, $A3
-+	vpsrlq	\$26, $A3, $T0
-+	vpand	$AND_MASK, $A3, $A3
-+	vpaddq	$T0, $A4, $A4
-+3:
-+	cmp	\$16, $in_len
-+	jb	1f
-+
-+	# load the next block
-+	vmovq	8*0($in), $R0
-+	vmovq	8*1($in), $R1
-+	add	\$16, $in
-+        sub	\$16, $in_len
-+
-+	vpsrlq	\$26, $R0, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A0, $A0
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpand	$AND_MASK, $R2, $R2
-+	vpaddq	$R2, $A1, $A1
-+
-+	vpsllq	\$12, $R1, $R2
-+	vpxor	$R2, $R0, $R0
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A2, $A2
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpsrlq	\$40, $R1, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpxor	.LsetBit(%rip), $R2, $R2
-+	vpaddq	$R0, $A3, $A3
-+	vpaddq	$R2, $A4, $A4
-+2:
-+	# Multiply input by R[0]
-+	vmovq		$_r0_+8($state), $T0
-+	vpmuludq	$T0, $A0, $R0
-+	vpmuludq	$T0, $A1, $R1
-+	vpmuludq	$T0, $A2, $R2
-+	vpmuludq	$T0, $A3, $R3
-+	vpmuludq	$T0, $A4, $R4
-+	# Multiply input by R[1] (and R[1]*5)
-+	vmovq		$_r1_x5+8($state), $T0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vmovq		$_r1_+8($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R4, $R4
-+	# Etc
-+	vmovq		$_r2_x5+8($state), $T0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vmovq		$_r2_+8($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovq		$_r3_x5+8($state), $T0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vmovq		$_r3_+8($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovq		$_r4_x5+8($state), $T0
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vmovq		$_r4_+8($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	# Reduce
-+	vpsrlq	\$26, $R3, $T0
-+	vpaddq	$T0, $R4, $R4
-+	vpand	$AND_MASK, $R3, $R3
-+	vpsrlq	\$26, $R4, $T0
-+	vpsllq	\$2, $T0, $T1
-+	vpaddq	$T1, $T0, $T0
-+	vpaddq	$T0, $R0, $R0
-+	vpand	$AND_MASK, $R4, $R4
-+	vpsrlq	\$26, $R0, $T0
-+	vpand	$AND_MASK, $R0, $A0
-+	vpaddq	$T0, $R1, $R1
-+	vpsrlq	\$26, $R1, $T0
-+	vpand	$AND_MASK, $R1, $A1
-+	vpaddq	$T0, $R2, $R2
-+	vpsrlq	\$26, $R2, $T0
-+	vpand	$AND_MASK, $R2, $A2
-+	vpaddq	$T0, $R3, $R3
-+	vpsrlq	\$26, $R3, $T0
-+	vpand	$AND_MASK, $R3, $A3
-+	vpaddq	$T0, $R4, $A4
-+
-+1:
-+        test	$in_len, $in_len
-+	jz	1f
-+
-+	vmovdqa	.Lone(%rip), $R0
-+3:
-+	dec	$in_len
-+	vpslldq	\$1, $R0, $R0
-+	vpinsrb	\$0, ($in, $in_len), $R0, $R0
-+	test	$in_len, $in_len
-+	jnz	3b
-+
-+	vpsrldq	\$8, $R0, $R1
-+	vpsrlq	\$26, $R0, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A0, $A0
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpand	$AND_MASK, $R2, $R2
-+	vpaddq	$R2, $A1, $A1
-+
-+	vpsllq	\$12, $R1, $R2
-+	vpxor	$R2, $R0, $R0
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A2, $A2
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpsrlq	\$40, $R1, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A3, $A3
-+	vpaddq	$R2, $A4, $A4
-+        xor	$in_len, $in_len
-+	jmp	2b
-+1:
-+	vmovd	$A0, $_A0_($state)
-+	vmovd	$A1, $_A1_($state)
-+	vmovd	$A2, $_A2_($state)
-+	vmovd	$A3, $_A3_($state)
-+	vmovd	$A4, $_A4_($state)
-+
-+
-+	mov	$in, %rax
-+	vzeroupper
-+	ret
-+.size poly1305_update_avx,.-poly1305_update_avx
-+###############################################################################
-+# void poly1305_finish_avx(void* $state, uint64_t mac[2]);
-+.type poly1305_finish_avx,\@function, 2
-+.globl poly1305_finish_avx
-+poly1305_finish_avx:
-+___
-+my $mac="%rsi";
-+$code.=<<___;
-+	vzeroupper
-+	vmovd	$_A0_($state), $A0
-+	vmovd	$_A1_($state), $A1
-+	vmovd	$_A2_($state), $A2
-+	vmovd	$_A3_($state), $A3
-+	vmovd	$_A4_($state), $A4
-+	# Reduce one last time in case there was a carry from 130 bit
-+	vpsrlq	\$26, $A4, $T0
-+	vpsllq	\$2, $T0, $T1
-+	vpaddq	$T1, $T0, $T0
-+	vpaddq	$T0, $A0, $A0
-+	vpand	.LandMask(%rip), $A4, $A4
-+
-+	vpsrlq	\$26, $A0, $T0
-+	vpand	.LandMask(%rip), $A0, $A0
-+	vpaddq	$T0, $A1, $A1
-+	vpsrlq	\$26, $A1, $T0
-+	vpand	.LandMask(%rip), $A1, $A1
-+	vpaddq	$T0, $A2, $A2
-+	vpsrlq	\$26, $A2, $T0
-+	vpand	.LandMask(%rip), $A2, $A2
-+	vpaddq	$T0, $A3, $A3
-+	vpsrlq	\$26, $A3, $T0
-+	vpand	.LandMask(%rip), $A3, $A3
-+	vpaddq	$T0, $A4, $A4
-+	# Convert to normal
-+	vpsllq	\$26, $A1, $T0
-+	vpxor	$T0, $A0, $A0
-+	vpsllq	\$52, $A2, $T0
-+	vpxor	$T0, $A0, $A0
-+	vpsrlq	\$12, $A2, $A1
-+	vpsllq	\$14, $A3, $T0
-+	vpxor	$T0, $A1, $A1
-+	vpsllq	\$40, $A4, $T0
-+	vpxor	$T0, $A1, $A1
-+	vmovq	$A0, %rax
-+	vmovq	$A1, %rdx
-+
-+	add	$_k_($state), %rax
-+	adc	$_k_+8($state), %rdx
-+	mov	%rax, ($mac)
-+	mov	%rdx, 8($mac)
-+	vzeroupper
-+	ret
-+.size poly1305_finish_avx,.-poly1305_finish_avx
-+___
-+}
-+}}
-+
-+$code =~ s/\`([^\`]*)\`/eval($1)/gem;
-+print $code;
-+close STDOUT;
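Review bot: poly1305_finish_avx goes from the carry chain straight to "# Convert to normal" and "add $_k_($state), %rax" with no final conditional subtraction of 2^130-5, so an accumulator that ends at or above 2^130-5 yields a tag that differs from the reference computation. I would add the usual constant-time step before packing: compute h+5, then select between h and h+5-2^130 on the carry out of bit 130. Separately, ".type poly1305_update_avx, \@function, 2" declares two arguments while the prototype comment and the body use three ($in_len in %rdx), so the count should be 3. $win64 is computed at the top but never used to save and restore %xmm6-%xmm15, although init maps registers up to %xmm15 and update up to %xmm12; either add the Win64 save/restore or refuse those flavours. The open of the xlate pipe and "close STDOUT;" are both unchecked, so a failed translator run does not stop the build.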
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx2.pl openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx2.pl
---- openssl-1.0.2e/crypto/chacha20poly1305/asm/poly1305_avx2.pl	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/asm/poly1305_avx2.pl	2016-02-08 16:12:00.597614755 +0100
-@@ -0,0 +1,918 @@
-+##############################################################################
-+#                                                                            #
-+# Copyright 2014 Intel Corporation                                           #
-+#                                                                            #
-+# Licensed under the Apache License, Version 2.0 (the "License");            #
-+# you may not use this file except in compliance with the License.           #
-+# You may obtain a copy of the License at                                    #
-+#                                                                            #
-+#    http://www.apache.org/licenses/LICENSE-2.0                              #
-+#                                                                            #
-+# Unless required by applicable law or agreed to in writing, software        #
-+# distributed under the License is distributed on an "AS IS" BASIS,          #
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-+# See the License for the specific language governing permissions and        #
-+# limitations under the License.                                             #
-+#                                                                            #
-+##############################################################################
-+#                                                                            #
-+#  Developers and authors:                                                   #
-+#  Shay Gueron (1, 2), and Vlad Krasnov (1)                                  #
-+#  (1) Intel Corporation, Israel Development Center                          #
-+#  (2) University of Haifa                                                   #
-+#                                                                            #
-+##############################################################################
-+# state:
-+#  0: r[0] || r^2[0]
-+# 16: r[1] || r^2[1]
-+# 32: r[2] || r^2[2]
-+# 48: r[3] || r^2[3]
-+# 64: r[4] || r^2[4]
-+# 80: r[1]*5 || r^2[1]*5
-+# 96: r[2]*5 || r^2[2]*5
-+#112: r[3]*5 || r^2[3]*5
-+#128: r[4]*5 || r^2[4]*5
-+#144: k
-+#160: A0
-+#164: A1
-+#168: A2
-+#172: A3
-+#176: A4
-+#180: END
-+
-+$flavour = shift;
-+$output  = shift;
-+if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-+
-+$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-+die "can't locate x86_64-xlate.pl";
-+
-+open OUT,"| \"$^X\" $xlate $flavour $output";
-+*STDOUT=*OUT;
-+
-+if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-+                =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-+        $avx = ($1>=2.19) + ($1>=2.22);
-+}
-+
-+if ($win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
-+            `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
-+        $avx = ($1>=2.09) + ($1>=2.10);
-+}
-+
-+if ($win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
-+            `ml64 2>&1` =~ /Version ([0-9]+)\./) {
-+        $avx = ($1>=10) + ($1>=11);
-+}
-+
-+if (`$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
-+        my $ver = $2 + $3/100.0;        # 3.1->3.01, 3.10->3.10
-+        $avx = ($ver>=3.0) + ($ver>=3.01);
-+}
-+
-+if ($avx>=1) {{
-+
-+my ($_r0_, $_r1_, $_r2_, $_r3_, $_r4_, $_r1_x5, $_r2_x5, $_r3_x5, $_r4_x5, $_k_, $_A0_, $_A1_, $_A2_, $_A3_, $_A4_)
-+= (0,32,64,96,128,160,192,224,256,288,304,308,312,316,320);
-+
-+$code.=<<___;
-+.text
-+.align 32
-+.LandMask:
-+.quad 0x3FFFFFF, 0x3FFFFFF, 0x3FFFFFF, 0x3FFFFFF
-+.LsetBit:
-+.quad 0x1000000, 0x1000000, 0x1000000, 0x1000000
-+.LrSet:
-+.quad 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF, 0xFFFFFFC0FFFFFFF
-+.quad 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC, 0xFFFFFFC0FFFFFFC
-+
-+.LpermFix:
-+.long 6,7,6,7,6,7,6,7
-+.long 4,5,6,7,6,7,6,7
-+.long 2,3,6,7,4,5,6,7
-+.long 0,1,4,5,2,3,6,7
-+___
-+
-+
-+{
-+my ($A0, $A1, $A2, $A3, $A4,
-+    $r0, $r1, $r2, $r3, $r4,
-+    $T0, $T1, $A5, $A6, $A7, $A8)=map("%xmm$_",(0..15));
-+my ($A0_y, $A1_y, $A2_y, $A3_y, $A4_y,
-+    $r0_y, $r1_y, $r2_y, $r3_y, $r4_y)=map("%ymm$_",(0..9));
-+my ($state, $key)
-+   =("%rdi", "%rsi");
-+
-+$code.=<<___;
-+################################################################################
-+# void poly1305_init_avx2(void *state, uint8_t key[32])
-+
-+.globl poly1305_init_avx2
-+.type poly1305_init_avx2, \@function, 2
-+.align 64
-+poly1305_init_avx2:
-+	vzeroupper
-+
-+	# Store k
-+	vmovdqu	16*1($key), $T0
-+	vmovdqu	$T0, $_k_($state)
-+	# Init the MAC value
-+	vpxor	$T0, $T0, $T0
-+	vmovdqu	$T0, $_A0_($state)
-+	vmovd	$T0, $_A4_($state)
-+	# load and convert r
-+	vmovq	8*0($key), $r0
-+	vmovq	8*1($key), $T0
-+	vpand	.LrSet(%rip), $r0, $r0
-+	vpand	.LrSet+32(%rip), $T0, $T0
-+
-+	vpsrlq	\$26, $r0, $r1
-+	vpand	.LandMask(%rip), $r0, $r0
-+	vpsrlq	\$26, $r1, $r2
-+	vpand	.LandMask(%rip), $r1, $r1
-+	vpsllq	\$12, $T0, $T1
-+	vpxor	$T1, $r2, $r2
-+	vpsrlq	\$26, $r2, $r3
-+	vpsrlq	\$40, $T0, $r4
-+	vpand	.LandMask(%rip), $r2, $r2
-+	vpand	.LandMask(%rip), $r3, $r3
-+	# SQR R
-+	vpmuludq	$r0, $r0, $A0
-+	vpmuludq	$r1, $r0, $A1
-+	vpmuludq	$r2, $r0, $A2
-+	vpmuludq	$r3, $r0, $A3
-+	vpmuludq	$r4, $r0, $A4
-+
-+	vpsllq		\$1, $A1, $A1
-+	vpsllq		\$1, $A2, $A2
-+	vpmuludq	$r1, $r1, $T0
-+	vpaddq		$T0, $A2, $A2
-+	vpmuludq	$r2, $r1, $T0
-+	vpaddq		$T0, $A3, $A3
-+	vpmuludq	$r3, $r1, $T0
-+	vpaddq		$T0, $A4, $A4
-+	vpmuludq	$r4, $r1, $A5
-+
-+	vpsllq		\$1, $A3, $A3
-+	vpsllq		\$1, $A4, $A4
-+	vpmuludq	$r2, $r2, $T0
-+	vpaddq		$T0, $A4, $A4
-+	vpmuludq	$r3, $r2, $T0
-+	vpaddq		$T0, $A5, $A5
-+	vpmuludq	$r4, $r2, $A6
-+
-+	vpsllq		\$1, $A5, $A5
-+	vpsllq		\$1, $A6, $A6
-+	vpmuludq	$r3, $r3, $T0
-+	vpaddq		$T0, $A6, $A6
-+	vpmuludq	$r4, $r3, $A7
-+
-+	vpsllq		\$1, $A7, $A7
-+	vpmuludq	$r4, $r4, $A8
-+
-+	# Reduce
-+	vpsrlq	\$26, $A4, $T0
-+	vpand	.LandMask(%rip), $A4, $A4
-+	vpaddq	$T0, $A5, $A5
-+
-+	vpsllq	\$2, $A5, $T0
-+	vpaddq	$T0, $A5, $A5
-+	vpsllq	\$2, $A6, $T0
-+	vpaddq	$T0, $A6, $A6
-+	vpsllq	\$2, $A7, $T0
-+	vpaddq	$T0, $A7, $A7
-+	vpsllq	\$2, $A8, $T0
-+	vpaddq	$T0, $A8, $A8
-+
-+	vpaddq	$A5, $A0, $A0
-+	vpaddq	$A6, $A1, $A1
-+	vpaddq	$A7, $A2, $A2
-+	vpaddq	$A8, $A3, $A3
-+
-+	vpsrlq	\$26, $A0, $T0
-+	vpand	.LandMask(%rip), $A0, $A0
-+	vpaddq	$T0, $A1, $A1
-+	vpsrlq	\$26, $A1, $T0
-+	vpand	.LandMask(%rip), $A1, $A1
-+	vpaddq	$T0, $A2, $A2
-+	vpsrlq	\$26, $A2, $T0
-+	vpand	.LandMask(%rip), $A2, $A2
-+	vpaddq	$T0, $A3, $A3
-+	vpsrlq	\$26, $A3, $T0
-+	vpand	.LandMask(%rip), $A3, $A3
-+	vpaddq	$T0, $A4, $A4
-+
-+	vpunpcklqdq	$r0, $A0, $r0
-+	vpunpcklqdq	$r1, $A1, $r1
-+	vpunpcklqdq	$r2, $A2, $r2
-+	vpunpcklqdq	$r3, $A3, $r3
-+	vpunpcklqdq	$r4, $A4, $r4
-+
-+	vmovdqu	$r0, $_r0_+16($state)
-+	vmovdqu	$r1, $_r1_+16($state)
-+	vmovdqu	$r2, $_r2_+16($state)
-+	vmovdqu	$r3, $_r3_+16($state)
-+	vmovdqu	$r4, $_r4_+16($state)
-+
-+	vpsllq	\$2, $r1, $A1
-+	vpsllq	\$2, $r2, $A2
-+	vpsllq	\$2, $r3, $A3
-+	vpsllq	\$2, $r4, $A4
-+
-+	vpaddq	$A1, $r1, $A1
-+	vpaddq	$A2, $r2, $A2
-+	vpaddq	$A3, $r3, $A3
-+	vpaddq	$A4, $r4, $A4
-+
-+	vmovdqu	$A1, $_r1_x5+16($state)
-+	vmovdqu	$A2, $_r2_x5+16($state)
-+	vmovdqu	$A3, $_r3_x5+16($state)
-+	vmovdqu	$A4, $_r4_x5+16($state)
-+
-+	# Compute r^3 and r^4
-+	vpshufd	\$0x44, $r0, $A0
-+	vpshufd	\$0x44, $r1, $A1
-+	vpshufd	\$0x44, $r2, $A2
-+	vpshufd	\$0x44, $r3, $A3
-+	vpshufd	\$0x44, $r4, $A4
-+
-+	# Multiply input by R[0]
-+	vmovdqu		$_r0_+16($state), $T0
-+	vpmuludq	$T0, $A0, $r0
-+	vpmuludq	$T0, $A1, $r1
-+	vpmuludq	$T0, $A2, $r2
-+	vpmuludq	$T0, $A3, $r3
-+	vpmuludq	$T0, $A4, $r4
-+	# Multiply input by R[1] (and R[1]*5)
-+	vmovdqu		$_r1_x5+16($state), $T0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $r0, $r0
-+	vmovdqu		$_r1_+16($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $r1, $r1
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $r2, $r2
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $r3, $r3
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $r4, $r4
-+	# Etc
-+	vmovdqu		$_r2_x5+16($state), $T0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $r0, $r0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $r1, $r1
-+	vmovdqu		$_r2_+16($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $r2, $r2
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $r3, $r3
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $r4, $r4
-+
-+	vmovdqu		$_r3_x5+16($state), $T0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $r0, $r0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $r1, $r1
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $r2, $r2
-+	vmovdqu		$_r3_+16($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $r3, $r3
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $r4, $r4
-+
-+	vmovdqu		$_r4_x5+16($state), $T0
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $r0, $r0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $r1, $r1
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $r2, $r2
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $r3, $r3
-+	vmovdqu		$_r4_+16($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $r4, $r4
-+	# Reduce
-+	vpsrlq	\$26, $r3, $T0
-+	vpaddq	$T0, $r4, $r4
-+	vpand	.LandMask(%rip), $r3, $r3
-+	vpsrlq	\$26, $r4, $T0
-+	vpsllq	\$2, $T0, $T1
-+	vpaddq	$T1, $T0, $T0
-+	vpaddq	$T0, $r0, $r0
-+	vpand	.LandMask(%rip), $r4, $r4
-+	vpsrlq	\$26, $r0, $T0
-+	vpand	.LandMask(%rip), $r0, $r0
-+	vpaddq	$T0, $r1, $r1
-+	vpsrlq	\$26, $r1, $T0
-+	vpand	.LandMask(%rip), $r1, $r1
-+	vpaddq	$T0, $r2, $r2
-+	vpsrlq	\$26, $r2, $T0
-+	vpand	.LandMask(%rip), $r2, $r2
-+	vpaddq	$T0, $r3, $r3
-+	vpsrlq	\$26, $r3, $T0
-+	vpand	.LandMask(%rip), $r3, $r3
-+	vpaddq	$T0, $r4, $r4
-+
-+	vmovdqu	$r0, $_r0_($state)
-+	vmovdqu	$r1, $_r1_($state)
-+	vmovdqu	$r2, $_r2_($state)
-+	vmovdqu	$r3, $_r3_($state)
-+	vmovdqu	$r4, $_r4_($state)
-+
-+	vpsllq	\$2, $r1, $A1
-+	vpsllq	\$2, $r2, $A2
-+	vpsllq	\$2, $r3, $A3
-+	vpsllq	\$2, $r4, $A4
-+
-+	vpaddq	$A1, $r1, $A1
-+	vpaddq	$A2, $r2, $A2
-+	vpaddq	$A3, $r3, $A3
-+	vpaddq	$A4, $r4, $A4
-+
-+	vmovdqu	$A1, $_r1_x5($state)
-+	vmovdqu	$A2, $_r2_x5($state)
-+	vmovdqu	$A3, $_r3_x5($state)
-+	vmovdqu	$A4, $_r4_x5($state)
-+
-+	ret
-+.size poly1305_init_avx2,.-poly1305_init_avx2
-+___
-+}
-+
-+{
-+
-+my ($A0, $A1, $A2, $A3, $A4,
-+    $T0, $T1, $R0, $R1, $R2,
-+    $R3, $R4, $AND_MASK, $PERM_MASK, $SET_MASK)=map("%ymm$_",(0..14));
-+
-+my ($A0_x, $A1_x, $A2_x, $A3_x, $A4_x,
-+    $T0_x, $T1_x, $R0_x, $R1_x, $R2_x,
-+    $R3_x, $R4_x, $AND_MASK_x, $PERM_MASK_x, $SET_MASK_x)=map("%xmm$_",(0..14));
-+
-+my ($state, $in, $in_len, $hlp, $rsp_save)=("%rdi", "%rsi", "%rdx", "%rcx", "%rax");
-+
-+$code.=<<___;
-+
-+###############################################################################
-+# void poly1305_update_avx2(void* $state, void* in, uint64_t in_len2)
-+.globl poly1305_update_avx2
-+.type poly1305_update_avx2, \@function, 2
-+.align 64
-+poly1305_update_avx2:
-+
-+	vmovd	$_A0_($state), $A0_x
-+	vmovd	$_A1_($state), $A1_x
-+	vmovd	$_A2_($state), $A2_x
-+	vmovd	$_A3_($state), $A3_x
-+	vmovd	$_A4_($state), $A4_x
-+
-+	vmovdqa	.LandMask(%rip), $AND_MASK
-+1:
-+		cmp	\$32*4, $in_len
-+		jb	1f
-+		sub	\$32*2, $in_len
-+
-+		# load the next four blocks
-+		vmovdqu	32*0($in), $R2
-+		vmovdqu	32*1($in), $R3
-+		add	\$32*2, $in
-+
-+		vpunpcklqdq	$R3, $R2, $R0
-+		vpunpckhqdq	$R3, $R2, $R1
-+
-+		vpermq	\$0xD8, $R0, $R0	# it is possible to rearrange the precomputations, and save this shuffle
-+		vpermq	\$0xD8, $R1, $R1
-+
-+		vpsrlq	\$26, $R0, $R2
-+		vpand	$AND_MASK, $R0, $R0
-+		vpaddq	$R0, $A0, $A0
-+
-+		vpsrlq	\$26, $R2, $R0
-+		vpand	$AND_MASK, $R2, $R2
-+		vpaddq	$R2, $A1, $A1
-+
-+		vpsllq	\$12, $R1, $R2
-+		vpxor	$R2, $R0, $R0
-+		vpand	$AND_MASK, $R0, $R0
-+		vpaddq	$R0, $A2, $A2
-+
-+		vpsrlq	\$26, $R2, $R0
-+		vpsrlq	\$40, $R1, $R2
-+		vpand	$AND_MASK, $R0, $R0
-+		vpxor	.LsetBit(%rip), $R2, $R2
-+		vpaddq	$R0, $A3, $A3
-+		vpaddq	$R2, $A4, $A4
-+
-+		# Multiply input by R[0]
-+		vpbroadcastq	$_r0_($state), $T0
-+		vpmuludq	$T0, $A0, $R0
-+		vpmuludq	$T0, $A1, $R1
-+		vpmuludq	$T0, $A2, $R2
-+		vpmuludq	$T0, $A3, $R3
-+		vpmuludq	$T0, $A4, $R4
-+		# Multiply input by R[1] (and R[1]*5)
-+		vpbroadcastq	$_r1_x5($state), $T0
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vpbroadcastq	$_r1_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R4, $R4
-+		# Etc
-+		vpbroadcastq	$_r2_x5($state), $T0
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vpbroadcastq	$_r2_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R4, $R4
-+
-+		vpbroadcastq	$_r3_x5($state), $T0
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vpbroadcastq	$_r3_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R4, $R4
-+
-+		vpbroadcastq	$_r4_x5($state), $T0
-+		vpmuludq	$T0, $A1, $T1
-+		vpaddq		$T1, $R0, $R0
-+		vpmuludq	$T0, $A2, $T1
-+		vpaddq		$T1, $R1, $R1
-+		vpmuludq	$T0, $A3, $T1
-+		vpaddq		$T1, $R2, $R2
-+		vpmuludq	$T0, $A4, $T1
-+		vpaddq		$T1, $R3, $R3
-+		vpbroadcastq	$_r4_($state), $T0
-+		vpmuludq	$T0, $A0, $T1
-+		vpaddq		$T1, $R4, $R4
-+		# Reduce
-+		vpsrlq	\$26, $R3, $T0
-+		vpaddq	$T0, $R4, $R4
-+		vpand	$AND_MASK, $R3, $R3
-+
-+		vpsrlq	\$26, $R4, $T0
-+		vpsllq	\$2, $T0, $T1
-+		vpaddq	$T1, $T0, $T0
-+		vpaddq	$T0, $R0, $R0
-+		vpand	$AND_MASK, $R4, $R4
-+
-+		vpsrlq	\$26, $R0, $T0
-+		vpand	$AND_MASK, $R0, $A0
-+		vpaddq	$T0, $R1, $R1
-+		vpsrlq	\$26, $R1, $T0
-+		vpand	$AND_MASK, $R1, $A1
-+		vpaddq	$T0, $R2, $R2
-+		vpsrlq	\$26, $R2, $T0
-+		vpand	$AND_MASK, $R2, $A2
-+		vpaddq	$T0, $R3, $R3
-+		vpsrlq	\$26, $R3, $T0
-+		vpand	$AND_MASK, $R3, $A3
-+		vpaddq	$T0, $R4, $A4
-+	jmp 1b
-+1:
-+
-+	cmp	\$32*2, $in_len
-+	jb	1f
-+	sub	\$32*2, $in_len
-+	# load the next four blocks
-+	vmovdqu	32*0($in), $R2
-+	vmovdqu	32*1($in), $R3
-+	add	\$32*2, $in
-+
-+	vpunpcklqdq	$R3, $R2, $R0
-+	vpunpckhqdq	$R3, $R2, $R1
-+
-+	vpermq	\$0xD8, $R0, $R0
-+	vpermq	\$0xD8, $R1, $R1
-+
-+	vpsrlq	\$26, $R0, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A0, $A0
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpand	$AND_MASK, $R2, $R2
-+	vpaddq	$R2, $A1, $A1
-+
-+	vpsllq	\$12, $R1, $R2
-+	vpxor	$R2, $R0, $R0
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A2, $A2
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpsrlq	\$40, $R1, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpxor	.LsetBit(%rip), $R2, $R2
-+	vpaddq	$R0, $A3, $A3
-+	vpaddq	$R2, $A4, $A4
-+
-+	# Multiply input by R[0]
-+	vmovdqu		$_r0_($state), $T0
-+	vpmuludq	$T0, $A0, $R0
-+	vpmuludq	$T0, $A1, $R1
-+	vpmuludq	$T0, $A2, $R2
-+	vpmuludq	$T0, $A3, $R3
-+	vpmuludq	$T0, $A4, $R4
-+	# Multiply input by R[1] (and R[1]*5)
-+	vmovdqu		$_r1_x5($state), $T0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vmovdqu		$_r1_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R4, $R4
-+	# Etc
-+	vmovdqu		$_r2_x5($state), $T0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vmovdqu		$_r2_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovdqu		$_r3_x5($state), $T0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vmovdqu		$_r3_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovdqu		$_r4_x5($state), $T0
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vmovdqu		$_r4_($state), $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R4, $R4
-+	# Reduce
-+	vpsrlq	\$26, $R3, $T0
-+	vpaddq	$T0, $R4, $R4
-+	vpand	$AND_MASK, $R3, $R3
-+	vpsrlq	\$26, $R4, $T0
-+	vpsllq	\$2, $T0, $T1
-+	vpaddq	$T1, $T0, $T0
-+	vpaddq	$T0, $R0, $R0
-+	vpand	$AND_MASK, $R4, $R4
-+	vpsrlq	\$26, $R0, $T0
-+	vpand	$AND_MASK, $R0, $A0
-+	vpaddq	$T0, $R1, $R1
-+	vpsrlq	\$26, $R1, $T0
-+	vpand	$AND_MASK, $R1, $A1
-+	vpaddq	$T0, $R2, $R2
-+	vpsrlq	\$26, $R2, $T0
-+	vpand	$AND_MASK, $R2, $A2
-+	vpaddq	$T0, $R3, $R3
-+	vpsrlq	\$26, $R3, $T0
-+	vpand	$AND_MASK, $R3, $A3
-+	vpaddq	$T0, $R4, $A4
-+
-+	vpsrldq	\$8, $A0, $R0
-+	vpsrldq	\$8, $A1, $R1
-+	vpsrldq	\$8, $A2, $R2
-+	vpsrldq	\$8, $A3, $R3
-+	vpsrldq	\$8, $A4, $R4
-+
-+	vpaddq	$R0, $A0, $A0
-+	vpaddq	$R1, $A1, $A1
-+	vpaddq	$R2, $A2, $A2
-+	vpaddq	$R3, $A3, $A3
-+	vpaddq	$R4, $A4, $A4
-+
-+	vpermq	\$0xAA, $A0, $R0
-+	vpermq	\$0xAA, $A1, $R1
-+	vpermq	\$0xAA, $A2, $R2
-+	vpermq	\$0xAA, $A3, $R3
-+	vpermq	\$0xAA, $A4, $R4
-+
-+	vpaddq	$R0, $A0, $A0
-+	vpaddq	$R1, $A1, $A1
-+	vpaddq	$R2, $A2, $A2
-+	vpaddq	$R3, $A3, $A3
-+	vpaddq	$R4, $A4, $A4
-+1:
-+	test	$in_len, $in_len
-+	jz	5f
-+	# In case 1,2 or 3 blocks remain, we want to multiply them correctly
-+	vmovq	$A0_x, $A0_x
-+	vmovq	$A1_x, $A1_x
-+	vmovq	$A2_x, $A2_x
-+	vmovq	$A3_x, $A3_x
-+	vmovq	$A4_x, $A4_x
-+
-+        mov	.LsetBit(%rip), $hlp
-+	mov	%rsp, $rsp_save
-+        test	\$15, $in_len
-+        jz	1f
-+	xor	$hlp, $hlp
-+	sub	\$64, %rsp
-+	vpxor	$R0, $R0, $R0
-+	vmovdqu	$R0, (%rsp)
-+	vmovdqu	$R0, 32(%rsp)
-+3:
-+	movb	($in, $hlp), %r8b
-+	movb	%r8b, (%rsp, $hlp)
-+	inc	$hlp
-+	cmp	$hlp, $in_len
-+	jne	3b
-+
-+	movb	\$1, (%rsp, $hlp)
-+	xor	$hlp, $hlp
-+	mov	%rsp, $in
-+
-+1:
-+
-+	cmp	\$16, $in_len
-+	ja	2f
-+	vmovq	8*0($in), $R0_x
-+	vmovq	8*1($in), $R1_x
-+	vmovq	$hlp, $SET_MASK_x
-+	vmovdqa	.LpermFix(%rip), $PERM_MASK
-+	jmp	1f
-+2:
-+	cmp	\$32, $in_len
-+	ja	2f
-+	vmovdqu	16*0($in), $R2_x
-+	vmovdqu	16*1($in), $R3_x
-+	vmovq	.LsetBit(%rip), $SET_MASK_x
-+	vpinsrq	\$1, $hlp, $SET_MASK_x, $SET_MASK_x
-+	vmovdqa .LpermFix+32(%rip), $PERM_MASK
-+
-+	vpunpcklqdq	$R3, $R2, $R0
-+	vpunpckhqdq	$R3, $R2, $R1
-+	jmp	1f
-+2:
-+	cmp	\$48, $in_len
-+	ja	2f
-+	vmovdqu	32*0($in), $R2
-+	vmovdqu	32*1($in), $R3_x
-+	vmovq	.LsetBit(%rip), $SET_MASK_x
-+	vpinsrq \$1, $hlp, $SET_MASK_x, $SET_MASK_x
-+	vpermq	\$0xc4, $SET_MASK, $SET_MASK
-+	vmovdqa	.LpermFix+64(%rip), $PERM_MASK
-+
-+	vpunpcklqdq	$R3, $R2, $R0
-+	vpunpckhqdq	$R3, $R2, $R1
-+	jmp	1f
-+2:
-+	vmovdqu 32*0($in), $R2
-+        vmovdqu 32*1($in), $R3
-+        vmovq   .LsetBit(%rip), $SET_MASK_x
-+        vpinsrq \$1, $hlp, $SET_MASK_x, $SET_MASK_x
-+        vpermq  \$0x40, $SET_MASK, $SET_MASK
-+        vmovdqa .LpermFix+96(%rip), $PERM_MASK
-+
-+        vpunpcklqdq     $R3, $R2, $R0
-+        vpunpckhqdq     $R3, $R2, $R1
-+
-+1:
-+	mov	$rsp_save, %rsp
-+
-+	vpsrlq	\$26, $R0, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A0, $A0
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpand	$AND_MASK, $R2, $R2
-+	vpaddq	$R2, $A1, $A1
-+
-+	vpsllq	\$12, $R1, $R2
-+	vpxor	$R2, $R0, $R0
-+	vpand	$AND_MASK, $R0, $R0
-+	vpaddq	$R0, $A2, $A2
-+
-+	vpsrlq	\$26, $R2, $R0
-+	vpsrlq	\$40, $R1, $R2
-+	vpand	$AND_MASK, $R0, $R0
-+	vpxor	$SET_MASK, $R2, $R2
-+	vpaddq	$R0, $A3, $A3
-+	vpaddq	$R2, $A4, $A4
-+
-+	# Multiply input by R[0]
-+	vmovdqu		$_r0_($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A0, $R0
-+	vpmuludq	$T0, $A1, $R1
-+	vpmuludq	$T0, $A2, $R2
-+	vpmuludq	$T0, $A3, $R3
-+	vpmuludq	$T0, $A4, $R4
-+	# Multiply input by R[1] (and R[1]*5)
-+	vmovdqu		$_r1_x5($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vmovdqu		$_r1_($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R4, $R4
-+	# Etc
-+	vmovdqu		$_r2_x5($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vmovdqu		$_r2_($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovdqu		$_r3_x5($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vmovdqu		$_r3_($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R4, $R4
-+
-+	vmovdqu		$_r4_x5($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A1, $T1
-+	vpaddq		$T1, $R0, $R0
-+	vpmuludq	$T0, $A2, $T1
-+	vpaddq		$T1, $R1, $R1
-+	vpmuludq	$T0, $A3, $T1
-+	vpaddq		$T1, $R2, $R2
-+	vpmuludq	$T0, $A4, $T1
-+	vpaddq		$T1, $R3, $R3
-+	vmovdqu		$_r4_($state), $T0
-+	vpermd		$T0, $PERM_MASK, $T0
-+	vpmuludq	$T0, $A0, $T1
-+	vpaddq		$T1, $R4, $R4
-+	# Reduce
-+	vpsrlq	\$26, $R3, $T0
-+	vpaddq	$T0, $R4, $R4
-+	vpand	$AND_MASK, $R3, $R3
-+	vpsrlq	\$26, $R4, $T0
-+	vpsllq	\$2, $T0, $T1
-+	vpaddq	$T1, $T0, $T0
-+	vpaddq	$T0, $R0, $R0
-+	vpand	$AND_MASK, $R4, $R4
-+	vpsrlq	\$26, $R0, $T0
-+	vpand	$AND_MASK, $R0, $A0
-+	vpaddq	$T0, $R1, $R1
-+	vpsrlq	\$26, $R1, $T0
-+	vpand	$AND_MASK, $R1, $A1
-+	vpaddq	$T0, $R2, $R2
-+	vpsrlq	\$26, $R2, $T0
-+	vpand	$AND_MASK, $R2, $A2
-+	vpaddq	$T0, $R3, $R3
-+	vpsrlq	\$26, $R3, $T0
-+	vpand	$AND_MASK, $R3, $A3
-+	vpaddq	$T0, $R4, $A4
-+
-+	vpsrldq	\$8, $A0, $R0
-+	vpsrldq	\$8, $A1, $R1
-+	vpsrldq	\$8, $A2, $R2
-+	vpsrldq	\$8, $A3, $R3
-+	vpsrldq	\$8, $A4, $R4
-+
-+	vpaddq	$R0, $A0, $A0
-+	vpaddq	$R1, $A1, $A1
-+	vpaddq	$R2, $A2, $A2
-+	vpaddq	$R3, $A3, $A3
-+	vpaddq	$R4, $A4, $A4
-+
-+	vpermq	\$0xAA, $A0, $R0
-+	vpermq	\$0xAA, $A1, $R1
-+	vpermq	\$0xAA, $A2, $R2
-+	vpermq	\$0xAA, $A3, $R3
-+	vpermq	\$0xAA, $A4, $R4
-+
-+	vpaddq	$R0, $A0, $A0
-+	vpaddq	$R1, $A1, $A1
-+	vpaddq	$R2, $A2, $A2
-+	vpaddq	$R3, $A3, $A3
-+	vpaddq	$R4, $A4, $A4
-+
-+5:
-+	vmovd	$A0_x, $_A0_($state)
-+	vmovd	$A1_x, $_A1_($state)
-+	vmovd	$A2_x, $_A2_($state)
-+	vmovd	$A3_x, $_A3_($state)
-+	vmovd	$A4_x, $_A4_($state)
-+
-+	ret
-+.size poly1305_update_avx2,.-poly1305_update_avx2
-+###############################################################################
-+# void poly1305_finish_avx2(void* $state, uint8_t mac[16]);
-+.type poly1305_finish_avx2,\@function,2
-+.globl poly1305_finish_avx2
-+poly1305_finish_avx2:
-+___
-+my $mac="%rsi";
-+my ($A0, $A1, $A2, $A3, $A4, $T0, $T1)=map("%xmm$_",(0..6));
-+
-+$code.=<<___;
-+	vmovd	$_A0_($state), $A0
-+	vmovd	$_A1_($state), $A1
-+	vmovd	$_A2_($state), $A2
-+	vmovd	$_A3_($state), $A3
-+	vmovd	$_A4_($state), $A4
-+	# Reduce one last time in case there was a carry from 130 bit
-+	vpsrlq	\$26, $A4, $T0
-+	vpsllq	\$2, $T0, $T1
-+	vpaddq	$T1, $T0, $T0
-+	vpaddq	$T0, $A0, $A0
-+	vpand	.LandMask(%rip), $A4, $A4
-+
-+	vpsrlq	\$26, $A0, $T0
-+	vpand	.LandMask(%rip), $A0, $A0
-+	vpaddq	$T0, $A1, $A1
-+	vpsrlq	\$26, $A1, $T0
-+	vpand	.LandMask(%rip), $A1, $A1
-+	vpaddq	$T0, $A2, $A2
-+	vpsrlq	\$26, $A2, $T0
-+	vpand	.LandMask(%rip), $A2, $A2
-+	vpaddq	$T0, $A3, $A3
-+	vpsrlq	\$26, $A3, $T0
-+	vpand	.LandMask(%rip), $A3, $A3
-+	vpaddq	$T0, $A4, $A4
-+	# Convert to normal
-+	vpsllq	\$26, $A1, $T0
-+	vpxor	$T0, $A0, $A0
-+	vpsllq	\$52, $A2, $T0
-+	vpxor	$T0, $A0, $A0
-+	vpsrlq	\$12, $A2, $A1
-+	vpsllq	\$14, $A3, $T0
-+	vpxor	$T0, $A1, $A1
-+	vpsllq	\$40, $A4, $T0
-+	vpxor	$T0, $A1, $A1
-+	vmovq	$A0, %rax
-+	vmovq	$A1, %rdx
-+
-+	add	$_k_($state), %rax
-+	adc	$_k_+8($state), %rdx
-+	mov	%rax, ($mac)
-+	mov	%rdx, 8($mac)
-+
-+	ret
-+.size poly1305_finish_avx2,.-poly1305_finish_avx2
-+___
-+}
-+}}
-+
-+$code =~ s/\`([^\`]*)\`/eval(\$1)/gem;
-+print $code;
-+close STDOUT;
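Review bot: poly1305_update_avx2 copies a trailing partial block into a 64-byte scratch area on the stack (`sub \$64, %rsp` through the `3:` byte loop) and then restores the pointer with `mov $rsp_save, %rsp` without clearing that area, so message bytes stay below the stack pointer after the function returns; zero both 32-byte slots before restoring %rsp. The function also ends in a bare `ret` after working in the %ymm registers mapped at the top of its block, with no `vzeroupper` in the visible code, which leaves key-derived multiples of r in the upper lanes and exposes the caller to an AVX/SSE transition penalty. Minor: the prototype comment names the third argument `in_len2`, and the `.type` line gives an argument count of 2 for a function that reads %rdi, %rsi and %rdx.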
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/chacha20.c openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20.c
---- openssl-1.0.2e/crypto/chacha20poly1305/chacha20.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20.c	2016-02-08 16:12:00.597614755 +0100
-@@ -0,0 +1,157 @@
-+/* Copyright (c) 2014, Google Inc.
-+ *
-+ * Permission to use, copy, modify, and/or distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-+
-+/* Adapted from the public domain, estream code by D. Bernstein. */
-+
-+#include <openssl/chacha20poly1305.h>
-+
-+/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
-+static const char sigma[16] = "expand 32-byte k";
-+
-+#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
-+#define XOR(v, w) ((v) ^ (w))
-+#define PLUS(x, y) ((x) + (y))
-+#define PLUSONE(v) (PLUS((v), 1))
-+
-+#define U32TO8_LITTLE(p, v)    \
-+  {                            \
-+    (p)[0] = (v >> 0) & 0xff;  \
-+    (p)[1] = (v >> 8) & 0xff;  \
-+    (p)[2] = (v >> 16) & 0xff; \
-+    (p)[3] = (v >> 24) & 0xff; \
-+  }
-+
-+#define U8TO32_LITTLE(p)                              \
-+  (((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
-+   ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24))
-+
-+/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
-+#define QUARTERROUND(a,b,c,d) \
-+  x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]),16); \
-+  x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]),12); \
-+  x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]), 8); \
-+  x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]), 7);
-+
-+/* chacha_core performs |num_rounds| rounds of ChaCha20 on the input words in
-+ * |input| and writes the 64 output bytes to |output|. */
-+static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
-+  uint32_t x[16];
-+  int i;
-+
-+  memcpy(x, input, sizeof(uint32_t) * 16);
-+  for (i = 20; i > 0; i -= 2) {
-+    QUARTERROUND(0, 4, 8, 12)
-+    QUARTERROUND(1, 5, 9, 13)
-+    QUARTERROUND(2, 6, 10, 14)
-+    QUARTERROUND(3, 7, 11, 15)
-+    QUARTERROUND(0, 5, 10, 15)
-+    QUARTERROUND(1, 6, 11, 12)
-+    QUARTERROUND(2, 7, 8, 13)
-+    QUARTERROUND(3, 4, 9, 14)
-+  }
-+
-+  for (i = 0; i < 16; ++i) {
-+    x[i] = PLUS(x[i], input[i]);
-+  }
-+  for (i = 0; i < 16; ++i) {
-+    U32TO8_LITTLE(output + 4 * i, x[i]);
-+  }
-+}
-+
-+void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
-+                      const uint8_t key[32], const uint8_t nonce[8],
-+                      size_t counter) {
-+#ifdef CHAPOLY_x86_64_ASM
-+  uint8_t buf[256];
-+  size_t buf_size, ctr_msk;
-+  void (*core_func)(uint8_t *out, const uint8_t *in, size_t in_len,
-+                      const uint8_t key[32], const uint8_t nonce[8],
-+                      size_t counter) = NULL;
-+#else
-+  uint8_t buf[64];
-+#endif
-+  uint32_t input[16];
-+  size_t todo, i;
-+
-+#ifdef CHAPOLY_x86_64_ASM
-+
-+  if ((OPENSSL_ia32cap_loc()[2] >> 5) & 1)
-+    {
-+    buf_size = 128;
-+    core_func = chacha_20_core_avx2;
-+    ctr_msk = -2;
-+    }
-+  else if ((OPENSSL_ia32cap_loc()[1] >> 28) & 1)
-+    {
-+    buf_size = 64;
-+    core_func = chacha_20_core_avx;
-+    ctr_msk = -1;
-+    }
-+  else goto do_legacy;
-+
-+  core_func(out, in, in_len, key, nonce, counter);
-+  todo = in_len & (~(-buf_size));
-+  if(todo)
-+    {
-+    out += in_len&(-buf_size);
-+    in += in_len&(-buf_size);
-+    counter += (in_len/64) & ctr_msk;
-+    memcpy(buf, in, todo);
-+    core_func(buf, buf, buf_size, key, nonce, counter);
-+    memcpy(out, buf, todo);
-+    memset(buf, 0, buf_size);
-+    }
-+  return;
-+
-+do_legacy:
-+#endif
-+
-+  input[0] = U8TO32_LITTLE(sigma + 0);
-+  input[1] = U8TO32_LITTLE(sigma + 4);
-+  input[2] = U8TO32_LITTLE(sigma + 8);
-+  input[3] = U8TO32_LITTLE(sigma + 12);
-+
-+  input[4] = U8TO32_LITTLE(key + 0);
-+  input[5] = U8TO32_LITTLE(key + 4);
-+  input[6] = U8TO32_LITTLE(key + 8);
-+  input[7] = U8TO32_LITTLE(key + 12);
-+
-+  input[8] = U8TO32_LITTLE(key + 16);
-+  input[9] = U8TO32_LITTLE(key + 20);
-+  input[10] = U8TO32_LITTLE(key + 24);
-+  input[11] = U8TO32_LITTLE(key + 28);
-+
-+  input[12] = counter;
-+  input[13] = (uint64_t)counter >> 32;
-+  input[14] = U8TO32_LITTLE(nonce + 0);
-+  input[15] = U8TO32_LITTLE(nonce + 4);
-+
-+  while (in_len > 0) {
-+    todo = 64;
-+    if (in_len < todo) {
-+      todo = in_len;
-+    }
-+
-+    chacha_core(buf, input);
-+    for (i = 0; i < todo; i++) {
-+      out[i] = in[i] ^ buf[i];
-+    }
-+
-+    out += todo;
-+    in += todo;
-+    in_len -= todo;
-+
-+    ((uint64_t*)input)[6]++;
-+  }
-+}
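Review bot: the legacy loop in CRYPTO_chacha_20 advances the block counter with `((uint64_t*)input)[6]++;`, which reads a uint32_t array through a uint64_t pointer (a strict-aliasing violation) and carries from word 12 into word 13 correctly only on a little-endian host; increment input[12] and propagate the carry into input[13] explicitly. On the same path neither `buf` (keystream) nor `input` (which holds the key words) nor the `x` copy inside chacha_core is cleared before return, and the asm path clears `buf` with a plain `memset` that a compiler may drop as a dead store; OPENSSL_cleanse is the usual choice for both. The comment on chacha_core refers to |num_rounds|, but the function has no such parameter and hard-codes 20 rounds.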
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/chacha20poly1305.h openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20poly1305.h
---- openssl-1.0.2e/crypto/chacha20poly1305/chacha20poly1305.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/chacha20poly1305.h	2016-02-08 16:12:00.597614755 +0100
-@@ -0,0 +1,63 @@
-+#ifndef OPENSSL_HEADER_POLY1305_H
-+#define OPENSSL_HEADER_POLY1305_H
-+
-+#include <stdint.h>
-+#include <stddef.h>
-+#include <string.h>
-+#include "crypto.h"
-+
-+#ifdef  __cplusplus
-+extern "C" {
-+#endif
-+
-+#define POLY1305_MAC_LEN (16)
-+
-+typedef unsigned char poly1305_state[512];
-+
-+
-+/* CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an
-+ * authentication tag with the one-time key |key|. Note that |key| is a
-+ * one-time key and therefore there is no `reset' method because that would
-+ * enable several messages to be authenticated with the same key. */
-+void CRYPTO_poly1305_init(poly1305_state* state, const uint8_t key[32]);
-+
-+/* CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called
-+ * zero or more times after poly1305_init. */
-+void CRYPTO_poly1305_update(poly1305_state* state, const uint8_t* in,
-+                            size_t in_len);
-+
-+/* CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16
-+ * byte authentication tag to |mac|. */
-+void CRYPTO_poly1305_finish(poly1305_state* state, uint8_t mac[16]);
-+
-+/* CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
-+ * nonce and writes the result to |out|, which may be equal to |in|. The
-+ * initial block counter is specified by |counter|. */
-+void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
-+                      const uint8_t key[32], const uint8_t nonce[8],
-+                      size_t counter);
-+
-+#ifdef CHAPOLY_x86_64_ASM
-+void poly1305_init_avx(poly1305_state* state, const uint8_t key[32]);
-+void poly1305_update_avx(poly1305_state* state, const uint8_t *in, size_t in_len);
-+void poly1305_finish_avx(poly1305_state* state, uint8_t mac[16]);
-+
-+void poly1305_init_avx2(poly1305_state* state, const uint8_t key[32]);
-+void poly1305_update_avx2(poly1305_state* state, const uint8_t *in, size_t in_len);
-+void poly1305_finish_avx2(poly1305_state* state, uint8_t mac[16]);
-+
-+void chacha_20_core_avx(uint8_t *out, const uint8_t *in, size_t in_len,
-+                      const uint8_t key[32], const uint8_t nonce[8],
-+                      size_t counter);
-+
-+void chacha_20_core_avx2(uint8_t *out, const uint8_t *in, size_t in_len,
-+                      const uint8_t key[32], const uint8_t nonce[8],
-+                      size_t counter);
-+#endif
-+
-+
-+#if defined(__cplusplus)
-+}  /* extern C */
-+#endif
-+
-+#endif  /* OPENSSL_HEADER_POLY1305_H */
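Review bot: CRYPTO_chacha_20 is declared with `size_t counter`, yet chacha20.c in this patch fills state word 13 from `(uint64_t)counter >> 32`, so on a target where size_t is 32 bits the caller can never set the upper half of the block counter; declare the parameter as uint64_t so the prototype matches the 64-bit counter the implementation assumes. The include guard OPENSSL_HEADER_POLY1305_H does not match the file name chacha20poly1305.h and would silently hide this header's declarations if a separate poly1305.h used the same guard. `#include "crypto.h"` should be `<openssl/crypto.h>`, matching how the .c files in this patch include this header.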
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/chapolytest.c openssl-1.0.2e-modified/crypto/chacha20poly1305/chapolytest.c
---- openssl-1.0.2e/crypto/chacha20poly1305/chapolytest.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/chapolytest.c	2016-02-08 16:12:00.598614755 +0100
-@@ -0,0 +1,287 @@
-+/* ====================================================================
-+ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <stdint.h>
-+
-+#include <openssl/chacha20poly1305.h>
-+
-+struct chacha_test {
-+	const char *keyhex;
-+	const char *noncehex;
-+	const char *outhex;
-+};
-+
-+struct poly1305_test
-+	{
-+	const char *inputhex;
-+	const char *keyhex;
-+	const char *outhex;
-+	};
-+
-+static const struct chacha_test chacha_tests[] = {
-+	{
-+		"0000000000000000000000000000000000000000000000000000000000000000",
-+		"0000000000000000",
-+		"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586",
-+	},
-+	{
-+		"0000000000000000000000000000000000000000000000000000000000000001",
-+		"0000000000000000",
-+		"4540f05a9f1fb296d7736e7b208e3c96eb4fe1834688d2604f450952ed432d41bbe2a0b6ea7566d2a5d1e7e20d42af2c53d792b1c43fea817e9ad275ae546963",
-+	},
-+	{
-+		"0000000000000000000000000000000000000000000000000000000000000000",
-+		"0000000000000001",
-+		"de9cba7bf3d69ef5e786dc63973f653a0b49e015adbff7134fcb7df137821031e85a050278a7084527214f73efc7fa5b5277062eb7a0433e445f41e31afab757",
-+	},
-+	{
-+		"0000000000000000000000000000000000000000000000000000000000000000",
-+		"0100000000000000",
-+		"ef3fdfd6c61578fbf5cf35bd3dd33b8009631634d21e42ac33960bd138e50d32111e4caf237ee53ca8ad6426194a88545ddc497a0b466e7d6bbdb0041b2f586b",
-+	},
-+	{
-+		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
-+		"0001020304050607",
-+		"f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb",
-+	},
-+};
-+
-+static const struct poly1305_test poly1305_tests[] = {
-+	{
-+		"",
-+		"c8afaac331ee372cd6082de134943b174710130e9f6fea8d72293850a667d86c",
-+		"4710130e9f6fea8d72293850a667d86c",
-+	},
-+	{
-+		"48656c6c6f20776f726c6421",
-+		"746869732069732033322d62797465206b657920666f7220506f6c7931333035",
-+		"a6f745008f81c916a20dcc74eef2b2f0",
-+	},
-+	{
-+		"0000000000000000000000000000000000000000000000000000000000000000",
-+		"746869732069732033322d62797465206b657920666f7220506f6c7931333035",
-+		"49ec78090e481ec6c26b33b91ccc0307",
-+	},
-+};
-+
-+static unsigned char hex_digit(char h)
-+	{
-+	if (h >= '0' && h <= '9')
-+		return h - '0';
-+	else if (h >= 'a' && h <= 'f')
-+		return h - 'a' + 10;
-+	else if (h >= 'A' && h <= 'F')
-+		return h - 'A' + 10;
-+	else
-+		abort();
-+	}
-+
-+static void hex_decode(unsigned char *out, const char* hex)
-+	{
-+	size_t j = 0;
-+
-+	while (*hex != 0)
-+		{
-+		unsigned char v = hex_digit(*hex++);
-+		v <<= 4;
-+		v |= hex_digit(*hex++);
-+		out[j++] = v;
-+		}
-+	}
-+
-+static void hexdump(unsigned char *a, size_t len)
-+	{
-+	size_t i;
-+
-+	for (i = 0; i < len; i++)
-+		printf("%02x", a[i]);
-+	}
-+
-+/* misalign returns a pointer that points 0 to 15 bytes into |in| such that the
-+ * returned pointer has alignment 1 mod 16. */
-+static void* misalign(void* in)
-+	{
-+	intptr_t x = (intptr_t) in;
-+	x += (17 - (x % 16)) % 16;
-+	return (void*) x;
-+	}
-+
-+int main()
-+	{
-+	unsigned num_tests =
-+		sizeof(chacha_tests) / sizeof(struct chacha_test);
-+	unsigned i;
-+	unsigned char key_bytes[32 + 16];
-+	unsigned char nonce_bytes[8 + 16] = {0};
-+
-+
-+	for (i = 0; i < num_tests; i++)
-+		{
-+		unsigned char *key = misalign(key_bytes);
-+		unsigned char *nonce = misalign(nonce_bytes);
-+
-+		printf("ChaCha20 test #%d\n", i);
-+		const struct chacha_test *test = &chacha_tests[i];
-+		unsigned char *expected, *out_bytes, *zero_bytes, *out, *zeros;
-+		size_t len = strlen(test->outhex);
-+
-+		if (strlen(test->keyhex) != 32*2 ||
-+		    strlen(test->noncehex) != 8*2 ||
-+		    (len & 1) == 1)
-+			return 1;
-+
-+		len /= 2;
-+
-+		hex_decode(key, test->keyhex);
-+		hex_decode(nonce, test->noncehex);
-+
-+		expected = malloc(len);
-+		out_bytes = malloc(len+16);
-+		zero_bytes = malloc(len+16);
-+		/* Attempt to test unaligned inputs. */
-+		out = misalign(out_bytes);
-+		zeros = misalign(zero_bytes);
-+		memset(zeros, 0, len);
-+
-+		hex_decode(expected, test->outhex);
-+		CRYPTO_chacha_20(out, zeros, len, key, nonce, 0);
-+
-+		if (memcmp(out, expected, len) != 0)
-+			{
-+			printf("ChaCha20 test #%d failed.\n", i);
-+			printf("got:      ");
-+			hexdump(out, len);
-+			printf("\nexpected: ");
-+			hexdump(expected, len);
-+			printf("\n");
-+			return 1;
-+			}
-+
-+		/* The last test has a large output. We test whether the
-+		 * counter works as expected by skipping the first 64 bytes of
-+		 * it. */
-+		if (i == num_tests - 1)
-+			{
-+			CRYPTO_chacha_20(out, zeros, len - 64, key, nonce, 1);
-+			if (memcmp(out, expected + 64, len - 64) != 0)
-+				{
-+				printf("ChaCha20 skip test failed.\n");
-+				return 1;
-+				}
-+			}
-+
-+		free(expected);
-+		free(zero_bytes);
-+		free(out_bytes);
-+		}
-+	num_tests =
-+		sizeof(poly1305_tests) / sizeof(struct poly1305_test);
-+	unsigned char key[32], out[16], expected[16];
-+	poly1305_state poly1305;
-+
-+	for (i = 0; i < num_tests; i++)
-+		{
-+		printf("Poly1305 test #%d\n", i);
-+		const struct poly1305_test *test = &poly1305_tests[i];
-+		unsigned char *in;
-+		size_t inlen = strlen(test->inputhex);
-+
-+		if (strlen(test->keyhex) != sizeof(key)*2 ||
-+		    strlen(test->outhex) != sizeof(out)*2 ||
-+		    (inlen & 1) == 1)
-+			return 1;
-+
-+		inlen /= 2;
-+
-+		hex_decode(key, test->keyhex);
-+		hex_decode(expected, test->outhex);
-+
-+		in = malloc(inlen);
-+
-+		hex_decode(in, test->inputhex);
-+
-+#ifdef CHAPOLY_x86_64_ASM
-+		if((OPENSSL_ia32cap_loc()[1] >> 5) & 1) {
-+		    poly1305_init_avx2(&poly1305, key);
-+		    poly1305_update_avx2(&poly1305, in, inlen);
-+		    poly1305_finish_avx2(&poly1305, out);
-+		}
-+		else if ((OPENSSL_ia32cap_loc()[0] >> 60) & 1) {
-+		    poly1305_init_avx(&poly1305, key);
-+		    poly1305_update_avx(&poly1305, in, inlen);
-+		    poly1305_finish_avx(&poly1305, out);
-+		}
-+		else
-+#endif
-+		{
-+		CRYPTO_poly1305_init(&poly1305, key);
-+		CRYPTO_poly1305_update(&poly1305, in, inlen);
-+		CRYPTO_poly1305_finish(&poly1305, out);
-+		}
-+		if (memcmp(out, expected, sizeof(expected)) != 0)
-+			{
-+			printf("Poly1305 test #%d failed.\n", i);
-+			printf("got:      ");
-+			hexdump(out, sizeof(out));
-+			printf("\nexpected: ");
-+			hexdump(expected, sizeof(expected));
-+			printf("\n");
-+			return 1;
-+			}
-+
-+		free(in);
-+		}
-+
-+	printf("PASS\n");
-+	return 0;
-+	}
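Review bot: the CPU-feature checks in the Poly1305 loop, (OPENSSL_ia32cap_loc()[1] >> 5) & 1 and (OPENSSL_ia32cap_loc()[0] >> 60) & 1, index the capability vector as 64-bit words, but the cryptlib.c hunk of this same patch changes the return type to unsigned int *. Shifting a 32-bit element by 60 is undefined, and the checks no longer match the ones e_chacha20poly1305.c uses to pick an implementation ([2] >> 5 for AVX2, [1] >> 28 for AVX), so the test can exercise a different Poly1305 path than TLS does. Use the same indices in both places. Separately, in = malloc(inlen) is handed to hex_decode() unchecked, and the "failed" branch returns without freeing it.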
-diff -rNu openssl-1.0.2e/crypto/chacha20poly1305/poly1305.c openssl-1.0.2e-modified/crypto/chacha20poly1305/poly1305.c
---- openssl-1.0.2e/crypto/chacha20poly1305/poly1305.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/chacha20poly1305/poly1305.c	2016-02-08 16:12:00.598614755 +0100
-@@ -0,0 +1,285 @@
-+/* Copyright (c) 2014, Google Inc.
-+ *
-+ * Permission to use, copy, modify, and/or distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-+
-+/* This implementation of poly1305 is by Andrew Moon
-+ * (https://github.com/floodyberry/poly1305-donna) and released as public
-+ * domain. */
-+
-+#include <openssl/chacha20poly1305.h>
-+#include <string.h>
-+
-+#if !defined(B_ENDIAN)
-+/* We can assume little-endian. */
-+static uint32_t U8TO32_LE(const uint8_t *m) {
-+  uint32_t r;
-+  memcpy(&r, m, sizeof(r));
-+  return r;
-+}
-+
-+static void U32TO8_LE(uint8_t *m, uint32_t v) { memcpy(m, &v, sizeof(v)); }
-+#else
-+static uint32_t U8TO32_LE(const uint8_t *m) {
-+  return (uint32_t)m[0] | (uint32_t)m[1] << 8 | (uint32_t)m[2] << 16 |
-+         (uint32_t)m[3] << 24;
-+}
-+
-+static void U32TO8_LE(uint8_t *m, uint32_t v) {
-+  m[0] = v;
-+  m[1] = v >> 8;
-+  m[2] = v >> 16;
-+  m[3] = v >> 24;
-+}
-+#endif
-+
-+static uint64_t mul32x32_64(uint32_t a, uint32_t b) { return (uint64_t)a * b; }
-+
-+struct poly1305_state_st {
-+  uint32_t r0, r1, r2, r3, r4;
-+  uint32_t s1, s2, s3, s4;
-+  uint32_t h0, h1, h2, h3, h4;
-+  uint8_t buf[16];
-+  unsigned int buf_used;
-+  uint8_t key[16];
-+};
-+
-+/* poly1305_blocks updates |state| given some amount of input data. This
-+ * function may only be called with a |len| that is not a multiple of 16 at the
-+ * end of the data. Otherwise the input must be buffered into 16 byte blocks. */
-+static void poly1305_update(struct poly1305_state_st *state, const uint8_t *in,
-+                            size_t len) {
-+  uint32_t t0, t1, t2, t3;
-+  uint64_t t[5];
-+  uint32_t b;
-+  uint64_t c;
-+  size_t j;
-+  uint8_t mp[16];
-+
-+  if (len < 16) {
-+    goto poly1305_donna_atmost15bytes;
-+  }
-+
-+poly1305_donna_16bytes:
-+  t0 = U8TO32_LE(in);
-+  t1 = U8TO32_LE(in + 4);
-+  t2 = U8TO32_LE(in + 8);
-+  t3 = U8TO32_LE(in + 12);
-+
-+  in += 16;
-+  len -= 16;
-+
-+  state->h0 += t0 & 0x3ffffff;
-+  state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
-+  state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
-+  state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
-+  state->h4 += (t3 >> 8) | (1 << 24);
-+
-+poly1305_donna_mul:
-+  t[0] = mul32x32_64(state->h0, state->r0) + mul32x32_64(state->h1, state->s4) +
-+         mul32x32_64(state->h2, state->s3) + mul32x32_64(state->h3, state->s2) +
-+         mul32x32_64(state->h4, state->s1);
-+  t[1] = mul32x32_64(state->h0, state->r1) + mul32x32_64(state->h1, state->r0) +
-+         mul32x32_64(state->h2, state->s4) + mul32x32_64(state->h3, state->s3) +
-+         mul32x32_64(state->h4, state->s2);
-+  t[2] = mul32x32_64(state->h0, state->r2) + mul32x32_64(state->h1, state->r1) +
-+         mul32x32_64(state->h2, state->r0) + mul32x32_64(state->h3, state->s4) +
-+         mul32x32_64(state->h4, state->s3);
-+  t[3] = mul32x32_64(state->h0, state->r3) + mul32x32_64(state->h1, state->r2) +
-+         mul32x32_64(state->h2, state->r1) + mul32x32_64(state->h3, state->r0) +
-+         mul32x32_64(state->h4, state->s4);
-+  t[4] = mul32x32_64(state->h0, state->r4) + mul32x32_64(state->h1, state->r3) +
-+         mul32x32_64(state->h2, state->r2) + mul32x32_64(state->h3, state->r1) +
-+         mul32x32_64(state->h4, state->r0);
-+
-+  state->h0 = (uint32_t)t[0] & 0x3ffffff;
-+  c = (t[0] >> 26);
-+  t[1] += c;
-+  state->h1 = (uint32_t)t[1] & 0x3ffffff;
-+  b = (uint32_t)(t[1] >> 26);
-+  t[2] += b;
-+  state->h2 = (uint32_t)t[2] & 0x3ffffff;
-+  b = (uint32_t)(t[2] >> 26);
-+  t[3] += b;
-+  state->h3 = (uint32_t)t[3] & 0x3ffffff;
-+  b = (uint32_t)(t[3] >> 26);
-+  t[4] += b;
-+  state->h4 = (uint32_t)t[4] & 0x3ffffff;
-+  b = (uint32_t)(t[4] >> 26);
-+  state->h0 += b * 5;
-+
-+  if (len >= 16)
-+    goto poly1305_donna_16bytes;
-+
-+/* final bytes */
-+poly1305_donna_atmost15bytes:
-+  if (!len)
-+    return;
-+
-+  for (j = 0; j < len; j++)
-+    mp[j] = in[j];
-+  mp[j++] = 1;
-+  for (; j < 16; j++)
-+    mp[j] = 0;
-+  len = 0;
-+
-+  t0 = U8TO32_LE(mp + 0);
-+  t1 = U8TO32_LE(mp + 4);
-+  t2 = U8TO32_LE(mp + 8);
-+  t3 = U8TO32_LE(mp + 12);
-+
-+  state->h0 += t0 & 0x3ffffff;
-+  state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
-+  state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
-+  state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
-+  state->h4 += (t3 >> 8);
-+
-+  goto poly1305_donna_mul;
-+}
-+
-+void CRYPTO_poly1305_init(poly1305_state *statep, const uint8_t key[32]) {
-+  struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
-+  uint32_t t0, t1, t2, t3;
-+
-+  t0 = U8TO32_LE(key + 0);
-+  t1 = U8TO32_LE(key + 4);
-+  t2 = U8TO32_LE(key + 8);
-+  t3 = U8TO32_LE(key + 12);
-+
-+  /* precompute multipliers */
-+  state->r0 = t0 & 0x3ffffff;
-+  t0 >>= 26;
-+  t0 |= t1 << 6;
-+  state->r1 = t0 & 0x3ffff03;
-+  t1 >>= 20;
-+  t1 |= t2 << 12;
-+  state->r2 = t1 & 0x3ffc0ff;
-+  t2 >>= 14;
-+  t2 |= t3 << 18;
-+  state->r3 = t2 & 0x3f03fff;
-+  t3 >>= 8;
-+  state->r4 = t3 & 0x00fffff;
-+
-+  state->s1 = state->r1 * 5;
-+  state->s2 = state->r2 * 5;
-+  state->s3 = state->r3 * 5;
-+  state->s4 = state->r4 * 5;
-+
-+  /* init state */
-+  state->h0 = 0;
-+  state->h1 = 0;
-+  state->h2 = 0;
-+  state->h3 = 0;
-+  state->h4 = 0;
-+
-+  state->buf_used = 0;
-+  memcpy(state->key, key + 16, sizeof(state->key));
-+}
-+
-+void CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in,
-+                            size_t in_len) {
-+  unsigned int i;
-+  struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
-+
-+  if (state->buf_used) {
-+    unsigned int todo = 16 - state->buf_used;
-+    if (todo > in_len)
-+      todo = in_len;
-+    for (i = 0; i < todo; i++)
-+      state->buf[state->buf_used + i] = in[i];
-+    state->buf_used += todo;
-+    in_len -= todo;
-+    in += todo;
-+
-+    if (state->buf_used == 16) {
-+      poly1305_update(state, state->buf, 16);
-+      state->buf_used = 0;
-+    }
-+  }
-+
-+  if (in_len >= 16) {
-+    size_t todo = in_len & ~0xf;
-+    poly1305_update(state, in, todo);
-+    in += todo;
-+    in_len &= 0xf;
-+  }
-+
-+  if (in_len) {
-+    for (i = 0; i < in_len; i++)
-+      state->buf[i] = in[i];
-+    state->buf_used = in_len;
-+  }
-+}
-+
-+void CRYPTO_poly1305_finish(poly1305_state *statep, uint8_t mac[16]) {
-+  struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
-+  uint64_t f0, f1, f2, f3;
-+  uint32_t g0, g1, g2, g3, g4;
-+  uint32_t b, nb;
-+
-+  if (state->buf_used)
-+    poly1305_update(state, state->buf, state->buf_used);
-+
-+  b = state->h0 >> 26;
-+  state->h0 = state->h0 & 0x3ffffff;
-+  state->h1 += b;
-+  b = state->h1 >> 26;
-+  state->h1 = state->h1 & 0x3ffffff;
-+  state->h2 += b;
-+  b = state->h2 >> 26;
-+  state->h2 = state->h2 & 0x3ffffff;
-+  state->h3 += b;
-+  b = state->h3 >> 26;
-+  state->h3 = state->h3 & 0x3ffffff;
-+  state->h4 += b;
-+  b = state->h4 >> 26;
-+  state->h4 = state->h4 & 0x3ffffff;
-+  state->h0 += b * 5;
-+
-+  g0 = state->h0 + 5;
-+  b = g0 >> 26;
-+  g0 &= 0x3ffffff;
-+  g1 = state->h1 + b;
-+  b = g1 >> 26;
-+  g1 &= 0x3ffffff;
-+  g2 = state->h2 + b;
-+  b = g2 >> 26;
-+  g2 &= 0x3ffffff;
-+  g3 = state->h3 + b;
-+  b = g3 >> 26;
-+  g3 &= 0x3ffffff;
-+  g4 = state->h4 + b - (1 << 26);
-+
-+  b = (g4 >> 31) - 1;
-+  nb = ~b;
-+  state->h0 = (state->h0 & nb) | (g0 & b);
-+  state->h1 = (state->h1 & nb) | (g1 & b);
-+  state->h2 = (state->h2 & nb) | (g2 & b);
-+  state->h3 = (state->h3 & nb) | (g3 & b);
-+  state->h4 = (state->h4 & nb) | (g4 & b);
-+
-+  f0 = ((state->h0) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
-+  f1 = ((state->h1 >> 6) | (state->h2 << 20)) +
-+       (uint64_t)U8TO32_LE(&state->key[4]);
-+  f2 = ((state->h2 >> 12) | (state->h3 << 14)) +
-+       (uint64_t)U8TO32_LE(&state->key[8]);
-+  f3 = ((state->h3 >> 18) | (state->h4 << 8)) +
-+       (uint64_t)U8TO32_LE(&state->key[12]);
-+
-+  U32TO8_LE(&mac[0], f0);
-+  f1 += (f0 >> 32);
-+  U32TO8_LE(&mac[4], f1);
-+  f2 += (f1 >> 32);
-+  U32TO8_LE(&mac[8], f2);
-+  f3 += (f2 >> 32);
-+  U32TO8_LE(&mac[12], f3);
-+}
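Review bot: CRYPTO_poly1305_finish() writes the tag and returns with r0..r4, s1..s4, the accumulator and the second key half (state->key) still in the state. Callers that keep a poly1305_state on the stack, as the test program does, leave one-time key material behind. An OPENSSL_cleanse(state, sizeof(*state)) as the last statement would close that. Minor: the comment above the static poly1305_update() still calls the function poly1305_blocks.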
-diff -rNu openssl-1.0.2e/crypto/cryptlib.c openssl-1.0.2e-modified/crypto/cryptlib.c
---- openssl-1.0.2e/crypto/cryptlib.c	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/cryptlib.c	2016-02-08 16:12:00.599614755 +0100
-@@ -654,19 +654,9 @@
-         defined(_M_AMD64) || defined(_M_X64)
- 
- extern unsigned int OPENSSL_ia32cap_P[4];
--unsigned long *OPENSSL_ia32cap_loc(void)
-+unsigned int *OPENSSL_ia32cap_loc(void)
- {
--    if (sizeof(long) == 4)
--        /*
--         * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
--         * clear second element to maintain the illusion that vector
--         * is 32-bit.
--         */
--        OPENSSL_ia32cap_P[1] = 0;
--
--    OPENSSL_ia32cap_P[2] = 0;
--
--    return (unsigned long *)OPENSSL_ia32cap_P;
-+    return OPENSSL_ia32cap_P;
- }
- 
- # if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
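Review bot: besides the type change, this hunk removes the two writes OPENSSL_ia32cap_P[1] = 0 (32-bit builds) and OPENSSL_ia32cap_P[2] = 0 that every existing caller of OPENSSL_ia32cap_loc() used to trigger. That is a behaviour change for code unrelated to ChaCha20-Poly1305 and nothing in the patch documents it. If the new code only needs to read words 1 and 2, a separate internal accessor would leave the public function's semantics alone.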
-diff -rNu openssl-1.0.2e/crypto/crypto.h openssl-1.0.2e-modified/crypto/crypto.h
---- openssl-1.0.2e/crypto/crypto.h	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/crypto.h	2016-02-08 16:12:00.599614755 +0100
-@@ -590,7 +590,7 @@
- void OpenSSLDie(const char *file, int line, const char *assertion);
- # define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
- 
--unsigned long *OPENSSL_ia32cap_loc(void);
-+unsigned int *OPENSSL_ia32cap_loc(void);
- # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
- int OPENSSL_isservice(void);
- 
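Review bot: this prototype is in a public header, and the OPENSSL_ia32cap macro on the next line dereferences its result, so the macro's lvalue type changes from unsigned long to unsigned int. On LP64 targets an application that assigns a 64-bit mask through OPENSSL_ia32cap will now store only the first 32-bit word. The change needs at least a comment here stating the new element width, and ideally should not alter an exported signature in a point-release patch.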
-diff -rNu openssl-1.0.2e/crypto/evp/Makefile openssl-1.0.2e-modified/crypto/evp/Makefile
---- openssl-1.0.2e/crypto/evp/Makefile	2015-12-03 15:44:23.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/evp/Makefile	2016-02-08 16:12:00.600614755 +0100
-@@ -29,7 +29,8 @@
- 	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
- 	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
- 	e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
--	e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c
-+	e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
-+	e_chacha20poly1305.c
- 
- LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
- 	e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
-@@ -42,7 +43,8 @@
- 	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
- 	evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
- 	e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
--	e_aes_cbc_hmac_sha1.o e_aes_cbc_hmac_sha256.o e_rc4_hmac_md5.o
-+	e_aes_cbc_hmac_sha1.o e_aes_cbc_hmac_sha256.o e_rc4_hmac_md5.o \
-+	e_chacha20poly1305.o
- 
- SRC= $(LIBSRC)
- 
-@@ -263,6 +265,7 @@
- e_cast.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
- e_cast.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
- e_cast.o: ../../include/openssl/symhacks.h ../cryptlib.h e_cast.c evp_locl.h
-+e_chacha20poly1305.o: ../../include/openssl/chacha20poly1305.h e_chacha20poly1305.c
- e_des.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
- e_des.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
- e_des.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
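Review bot: the dependency line added for e_chacha20poly1305.o lists only chacha20poly1305.h and the .c file, while the source added later in this patch also includes opensslconf.h, evp.h, err.h, rand.h and evp_locl.h. The neighbouring e_cast.o and e_des.o entries enumerate every header, so a change to evp_locl.h or opensslconf.h will not rebuild this object. Regenerate the block with make depend rather than adding it by hand.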
-diff -rNu openssl-1.0.2e/crypto/evp/e_chacha20poly1305.c openssl-1.0.2e-modified/crypto/evp/e_chacha20poly1305.c
---- openssl-1.0.2e/crypto/evp/e_chacha20poly1305.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/evp/e_chacha20poly1305.c	2016-02-08 16:12:00.601614755 +0100
-@@ -0,0 +1,323 @@
-+/* ====================================================================
-+ * Copyright (c) 2001-2014 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#include <openssl/opensslconf.h>
-+#ifndef OPENSSL_NO_CHACHA_POLY
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/chacha20poly1305.h>
-+#include "evp_locl.h"
-+#include <openssl/rand.h>
-+
-+typedef struct
-+	{
-+	uint8_t key[32];
-+	/* uint8_t salt[4] */;
-+	uint8_t nonce[8];
-+	poly1305_state poly_state;
-+	size_t aad_l;
-+	size_t ct_l;
-+	int valid;
-+#ifdef CHAPOLY_x86_64_ASM
-+	void (*poly1305_init_ptr)(poly1305_state *, const uint8_t *);
-+	void (*poly1305_update_ptr)(poly1305_state *, const uint8_t *, size_t);
-+	void (*poly1305_finish_ptr)(poly1305_state *, uint8_t *);
-+	#define poly_init aead_ctx->poly1305_init_ptr
-+	#define poly_update poly1305_update_wrapper
-+	#define poly_finish poly1305_finish_wrapper
-+	#define FILL_BUFFER ((size_t)128)
-+	uint8_t poly_buffer[FILL_BUFFER];
-+	uint8_t chacha_buffer[FILL_BUFFER];
-+	uint8_t poly_buffer_used;
-+	uint8_t chacha_used;
-+#else
-+	#define poly_init CRYPTO_poly1305_init
-+	#define poly_update(c,i,l) CRYPTO_poly1305_update(&c->poly_state,i,l)
-+	#define poly_finish(c,m) CRYPTO_poly1305_finish(&c->poly_state,m)
-+#endif
-+	} EVP_CHACHA20_POLY1305_CTX;
-+
-+#ifdef CHAPOLY_x86_64_ASM
-+static void poly1305_update_wrapper(EVP_CHACHA20_POLY1305_CTX *ctx, const uint8_t *in, size_t in_len)
-+	{
-+	int todo;
-+	/* Attempt to fill as many bytes as possible before calling the update function */
-+	if(in_len < FILL_BUFFER || ctx->poly_buffer_used)
-+		{
-+		todo = FILL_BUFFER - ctx->poly_buffer_used;
-+		todo = in_len < todo? in_len : todo;
-+		memcpy(ctx->poly_buffer + ctx->poly_buffer_used, in, todo);
-+		ctx->poly_buffer_used += todo;
-+		in += todo;
-+		in_len -= todo;
-+		if(ctx->poly_buffer_used == FILL_BUFFER)
-+			{
-+			ctx->poly1305_update_ptr(&ctx->poly_state, ctx->poly_buffer, FILL_BUFFER);
-+			ctx->poly_buffer_used = 0;
-+			}
-+		}
-+	if(in_len >= FILL_BUFFER)
-+		{
-+		ctx->poly1305_update_ptr(&ctx->poly_state, in, in_len&(-FILL_BUFFER));
-+		in += in_len&(-FILL_BUFFER);
-+		in_len &= (FILL_BUFFER-1);
-+		}
-+	if(in_len)
-+		{
-+		memcpy(ctx->poly_buffer, in, in_len);
-+		ctx->poly_buffer_used = in_len;
-+		}
-+	}
-+
-+static void poly1305_finish_wrapper(EVP_CHACHA20_POLY1305_CTX *ctx, uint8_t mac[16])
-+	{
-+	if(ctx->poly_buffer_used)
-+		{
-+                if(ctx->poly_buffer_used % 16)
-+			{
-+			memset(ctx->poly_buffer + ctx->poly_buffer_used, 0, 16 - (ctx->poly_buffer_used%16));
-+			}
-+		ctx->poly1305_update_ptr(&ctx->poly_state, ctx->poly_buffer, ctx->poly_buffer_used);
-+		}
-+	ctx->poly1305_finish_ptr(&ctx->poly_state, mac);
-+	memset(ctx->poly_buffer, 0 ,FILL_BUFFER);
-+	}
-+#endif
-+
-+static int EVP_chacha20_poly1305_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc)
-+	{
-+	EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
-+	/* simply copy the chacha key and iv*/
-+	memcpy(aead_ctx->key, key, 32);
-+	/* memcpy(aead_ctx->salt, iv, 4); */
-+	aead_ctx->valid = 0;
-+	return 1;
-+	}
-+
-+static int EVP_chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
-+	{
-+	EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
-+	uint8_t poly_block[16];
-+	uint64_t cl;
-+	if(!aead_ctx->valid)
-+		return 0;
-+	if (inl < 16)
-+		return -1;
-+	/* Fix for MAC */
-+	inl -= 16;
-+	/* Encryption */
-+	if(ctx->encrypt)
-+		{
-+#ifdef FILL_BUFFER
-+		/* we can use the buffer we already accumulated during the parallel computation in init */
-+		if(inl<=FILL_BUFFER-64)
-+			{
-+			int i;
-+			for(i=0; i<inl; i++)
-+				out[i] = in[i] ^ aead_ctx->chacha_buffer[i+64];
-+			}
-+		else
-+#endif
-+		CRYPTO_chacha_20(out, in, inl, aead_ctx->key, aead_ctx->nonce, 1);
-+		poly_update(aead_ctx, out, inl);
-+		aead_ctx->ct_l += inl;
-+		cl = aead_ctx->ct_l;
-+		poly_update(aead_ctx, (uint8_t*)&cl, sizeof(cl));
-+		poly_finish(aead_ctx, &out[inl]);
-+		aead_ctx->valid = 0;
-+		return inl+16;
-+		}
-+	/* Decryption */
-+	else
-+		{
-+		/* Fix to accommodate for the MAC */
-+		poly_update(aead_ctx, in, inl);
-+#ifdef FILL_BUFFER
-+		/* we can use the buffer we already accumulated during the parallel computation in init */
-+		if(inl<=FILL_BUFFER-64)
-+			{
-+			int i;
-+			for(i=0; i<inl; i++)
-+				out[i] = in[i] ^ aead_ctx->chacha_buffer[i+64];
-+			}
-+		else
-+#endif
-+		CRYPTO_chacha_20(out, in, inl, aead_ctx->key, aead_ctx->nonce, 1);
-+		aead_ctx->ct_l += inl;
-+		cl = aead_ctx->ct_l;
-+		poly_update(aead_ctx, (uint8_t*)&cl, sizeof(cl));
-+		poly_finish(aead_ctx, poly_block);
-+
-+                uint64_t cmp = ((uint64_t*)poly_block)[0] ^ ((uint64_t*)(in + inl))[0];
-+                cmp |= ((uint64_t*)poly_block)[1] ^ ((uint64_t*)(in + inl))[1];
-+
-+		/*if (memcmp(poly_block, in + inl, POLY1305_MAC_LEN)) */
-+		if (cmp)
-+			{
-+			OPENSSL_cleanse(out, inl);
-+			aead_ctx->valid = 0;
-+			return -1;
-+			}
-+		aead_ctx->valid = 0;
-+		return inl;
-+		}
-+	return 0;
-+	}
-+
-+static int EVP_chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
-+	{
-+	return 1;
-+	}
-+
-+static int EVP_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-+	{
-+	EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
-+#ifndef FILL_BUFFER
-+	uint8_t poly1305_key[32];
-+#endif
-+	uint8_t aad[13 + 8];
-+        uint64_t thirteen = 13;
-+
-+	switch(type)
-+		{
-+		case EVP_CTRL_AEAD_TLS1_AAD:
-+			if(arg!=13)
-+				return 0;
-+			/* Initialize poly keys */
-+#ifndef FILL_BUFFER
-+			memset(poly1305_key, 0, sizeof(poly1305_key));
-+#else
-+			memset(aead_ctx->chacha_buffer, 0, FILL_BUFFER);
-+#endif
-+			/* Salt is the IV (not in draft) */
-+			/* memcpy(aead_ctx->nonce, aead_ctx->salt, 4); */
-+			/* Take sequence number from AAD */
-+			/* memcpy(&aead_ctx->nonce[4], ptr, 8); */
-+			memcpy(aead_ctx->nonce, ptr, 8);
-+
-+#ifdef CHAPOLY_x86_64_ASM
-+			aead_ctx->poly_buffer_used = 0;
-+			if((OPENSSL_ia32cap_loc()[2] >> 5) & 1) /* AVX2 */
-+				{
-+				aead_ctx->poly1305_init_ptr = poly1305_init_avx2;
-+				aead_ctx->poly1305_update_ptr = poly1305_update_avx2;
-+				aead_ctx->poly1305_finish_ptr = poly1305_finish_avx2;
-+				}
-+			else if ((OPENSSL_ia32cap_loc()[1] >> 28) & 1) /* AVX */
-+				{
-+				aead_ctx->poly1305_init_ptr = poly1305_init_avx;
-+				aead_ctx->poly1305_update_ptr = poly1305_update_avx;
-+				aead_ctx->poly1305_finish_ptr = poly1305_finish_avx;
-+				}
-+			else						/*C*/
-+				{
-+				aead_ctx->poly1305_init_ptr = CRYPTO_poly1305_init;
-+				aead_ctx->poly1305_update_ptr = CRYPTO_poly1305_update;
-+				aead_ctx->poly1305_finish_ptr = CRYPTO_poly1305_finish;
-+				}
-+
-+#endif
-+#ifndef FILL_BUFFER
-+			CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), aead_ctx->key, aead_ctx->nonce, 0);
-+			poly_init(&aead_ctx->poly_state, poly1305_key);
-+#else
-+			CRYPTO_chacha_20(aead_ctx->chacha_buffer, aead_ctx->chacha_buffer, FILL_BUFFER, aead_ctx->key, aead_ctx->nonce, 0);
-+			poly_init(&aead_ctx->poly_state, aead_ctx->chacha_buffer);
-+			aead_ctx->chacha_used = 64;	/* We keep 64 byte for future use, to accelerate for very short messages */
-+#endif
-+			aead_ctx->aad_l = 0;
-+			aead_ctx->ct_l = 0;
-+			/* Absorb AAD */
-+			memcpy(aad, ptr, arg);
-+                        memcpy(&aad[arg], &thirteen, sizeof(thirteen));
-+			/* If decrypting fix length for tag */
-+			if (!ctx->encrypt)
-+				{
-+				unsigned int len=aad[arg-2]<<8|aad[arg-1];
-+				len -= POLY1305_MAC_LEN;
-+				aad[arg-2] = len>>8;
-+				aad[arg-1] = len & 0xff;
-+				}
-+			poly_update(aead_ctx, aad, arg + sizeof(thirteen));
-+			/* aead_ctx->aad_l += arg; */
-+			aead_ctx->valid = 1;
-+			return POLY1305_MAC_LEN;
-+			break;
-+		default:
-+			return 0;
-+			break;
-+		}
-+	return 0;
-+	}
-+
-+#define CUSTOM_FLAGS	(\
-+		  EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
-+		| EVP_CIPH_ALWAYS_CALL_INIT  \
-+		| EVP_CIPH_CUSTOM_COPY)
-+
-+static const EVP_CIPHER chacha20_poly1305 = {
-+	NID_chacha20_poly1305,	/* nid */
-+	1,	/* block size, sorta */
-+	32,	/* key len */
-+	0,	/* iv len */
-+	CUSTOM_FLAGS|EVP_CIPH_FLAG_AEAD_CIPHER,	/* flags */
-+	EVP_chacha20_poly1305_init,
-+	EVP_chacha20_poly1305_cipher,
-+	EVP_chacha20_poly1305_cleanup,
-+	sizeof(EVP_CHACHA20_POLY1305_CTX), /* ctx size */
-+	NULL, NULL,
-+	EVP_chacha20_poly1305_ctrl,
-+	NULL
-+	};
-+
-+const EVP_CIPHER *EVP_chacha20_poly1305(void)
-+{ return &chacha20_poly1305; }
-+
-+#endif
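Review bot: in the decryption branch of EVP_chacha20_poly1305_cipher() the tag check casts poly_block and in + inl to uint64_t *. in + inl is an arbitrary offset into the caller's record buffer, so this is an unaligned, type-punned load that strict-alignment targets may fault on and that the compiler is free to miscompile under strict aliasing. CRYPTO_memcmp(poly_block, in + inl, POLY1305_MAC_LEN) gives the same constant-time comparison without the casts (the commented-out memcmp would not be constant-time, so do not revive it). Also, cl and thirteen are fed to Poly1305 as the raw bytes of a uint64_t, via poly_update(aead_ctx, (uint8_t*)&cl, sizeof(cl)) and memcpy(&aad[arg], &thirteen, sizeof(thirteen)), so the tag depends on host byte order and a big-endian build will not interoperate with a little-endian peer. Serialise both lengths explicitly into an 8-byte array.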
-diff -rNu openssl-1.0.2e/crypto/evp/evp.h openssl-1.0.2e-modified/crypto/evp/evp.h
---- openssl-1.0.2e/crypto/evp/evp.h	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/evp/evp.h	2016-02-08 16:12:00.601614755 +0100
-@@ -893,6 +893,9 @@
- #  define EVP_camellia_256_cfb EVP_camellia_256_cfb128
- const EVP_CIPHER *EVP_camellia_256_ofb(void);
- # endif
-+# ifndef OPENSSL_NO_CHACHA_POLY
-+const EVP_CIPHER *EVP_chacha20_poly1305(void);
-+# endif
- 
- # ifndef OPENSSL_NO_SEED
- const EVP_CIPHER *EVP_seed_ecb(void);
-diff -rNu openssl-1.0.2e/crypto/objects/obj_dat.h openssl-1.0.2e-modified/crypto/objects/obj_dat.h
---- openssl-1.0.2e/crypto/objects/obj_dat.h	2015-12-03 15:41:29.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/objects/obj_dat.h	2016-02-08 16:12:00.603614755 +0100
-@@ -62,9 +62,9 @@
-  * [including the GNU Public Licence.]
-  */
- 
--#define NUM_NID 958
--#define NUM_SN 951
--#define NUM_LN 951
-+#define NUM_NID 959
-+#define NUM_SN 952
-+#define NUM_LN 952
- #define NUM_OBJ 890
- 
- static const unsigned char lvalues[6255]={
-@@ -2514,6 +2514,8 @@
- 	NID_jurisdictionStateOrProvinceName,11,&(lvalues[6232]),0},
- {"jurisdictionC","jurisdictionCountryName",
- 	NID_jurisdictionCountryName,11,&(lvalues[6243]),0},
-+{"id-chacha20-poly1305","chacha20-poly1305",NID_chacha20_poly1305,0,
-+	NULL,0},
- };
- 
- static const unsigned int sn_objs[NUM_SN]={
-@@ -2954,6 +2956,7 @@
- 362,	/* "id-cct-PKIResponse" */
- 360,	/* "id-cct-crs" */
- 81,	/* "id-ce" */
-+958,	/* "id-chacha20-poly1305" */
- 680,	/* "id-characteristic-two-basis" */
- 263,	/* "id-cmc" */
- 334,	/* "id-cmc-addExtensions" */
-@@ -3728,6 +3731,7 @@
- 677,	/* "certicom-arc" */
- 517,	/* "certificate extensions" */
- 883,	/* "certificateRevocationList" */
-+958,	/* "chacha20-poly1305" */
- 54,	/* "challengePassword" */
- 407,	/* "characteristic-two-field" */
- 395,	/* "clearance" */
-diff -rNu openssl-1.0.2e/crypto/objects/obj_mac.h openssl-1.0.2e-modified/crypto/objects/obj_mac.h
---- openssl-1.0.2e/crypto/objects/obj_mac.h	2015-12-03 15:41:28.000000000 +0100
-+++ openssl-1.0.2e-modified/crypto/objects/obj_mac.h	2016-02-08 16:12:00.604614755 +0100
-@@ -4192,3 +4192,7 @@
- #define LN_jurisdictionCountryName              "jurisdictionCountryName"
- #define NID_jurisdictionCountryName             957
- #define OBJ_jurisdictionCountryName             1L,3L,6L,1L,4L,1L,311L,60L,2L,1L,3L
-+
-+#define SN_chacha20_poly1305    "id-chacha20-poly1305"
-+#define LN_chacha20_poly1305    "chacha20-poly1305"
-+#define NID_chacha20_poly1305   958
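Review bot: NID_chacha20_poly1305 is hard-coded as 958, the number directly after NID_jurisdictionCountryName (957), with no OBJ_ definition. Any upstream release that adds an object will claim the same number, and the NUM_NID/NUM_SN/NUM_LN bumps and sorted-index entries in obj_dat.h will then silently disagree with it. A comment here marking 958 as a local allocation that must be re-checked on every version bump would make that failure mode visible to whoever rebases the patch.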
-diff -rNu openssl-1.0.2e/ssl/s3_lib.c openssl-1.0.2e-modified/ssl/s3_lib.c
---- openssl-1.0.2e/ssl/s3_lib.c	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/ssl/s3_lib.c	2016-02-08 16:12:00.605614755 +0100
-@@ -2891,6 +2891,53 @@
-      256},
- #endif
- 
-+    /* Chacha20-Poly1305 draft cipher suites */
-+#if !defined(OPENSSL_NO_CHACHA_POLY)
-+    {
-+     1,
-+     TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-+     TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
-+     SSL_kEECDH,
-+     SSL_aRSA,
-+     SSL_CHACHA20POLY1305,
-+     SSL_AEAD,
-+     SSL_TLSV1_2,
-+     SSL_NOT_EXP|SSL_HIGH,
-+     SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
-+     256,
-+     0,
-+    },
-+
-+    {
-+     1,
-+     TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-+     TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
-+     SSL_kEECDH,
-+     SSL_aECDSA,
-+     SSL_CHACHA20POLY1305,
-+     SSL_AEAD,
-+     SSL_TLSV1_2,
-+     SSL_NOT_EXP|SSL_HIGH,
-+     SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
-+     256,
-+     0,
-+    },
-+
-+    {
-+     1,
-+     TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
-+     TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
-+     SSL_kEDH,
-+     SSL_aRSA,
-+     SSL_CHACHA20POLY1305,
-+     SSL_AEAD,
-+     SSL_TLSV1_2,
-+     SSL_NOT_EXP|SSL_HIGH,
-+     SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
-+     256,
-+     0,
-+    },
-+#endif
- /* end of list */
- };
- 
-@@ -4047,6 +4094,7 @@
-     int i, ii, ok;
-     CERT *cert;
-     unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
-+    int use_chacha = 0;
- 
-     /* Let's see which ciphers we can support */
-     cert = s->cert;
-@@ -4080,9 +4128,16 @@
-     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
-         prio = srvr;
-         allow = clnt;
-+       /* Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */
-+        if (sk_SSL_CIPHER_num(clnt) > 0) {
-+            c = sk_SSL_CIPHER_value(clnt, 0);
-+            if (c->algorithm_enc == SSL_CHACHA20POLY1305)
-+                use_chacha = 1;
-+        }
-     } else {
-         prio = clnt;
-         allow = srvr;
-+        use_chacha = 1;
-     }
- 
-     tls1_set_cert_validity(s);
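Review bot: the comment "Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite" overstates what the code does. With SSL_OP_CIPHER_SERVER_PREFERENCE set, prio is still srvr, and use_chacha only stops the later loop from skipping ChaCha suites, so ChaCha is selected only if it is both the client's entry 0 and ranked ahead of the alternatives in the server's own list. Conversely, a client that lists it second can never negotiate it, even when the server ranks it first. That is a change to documented server-preference semantics and should be described in the comment and the patch notes. The comment line is also indented one column short of the block it sits in.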
-@@ -4094,6 +4149,11 @@
-         if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
-             continue;
- 
-+        /* Skip ChaCha unless top client priority */
-+        if ((c->algorithm_enc == SSL_CHACHA20POLY1305) &&
-+            !use_chacha)
-+            continue;
-+
-         ssl_set_cert_masks(cert, c);
-         mask_k = cert->mask_k;
-         mask_a = cert->mask_a;
-diff -rNu openssl-1.0.2e/ssl/ssl.h openssl-1.0.2e-modified/ssl/ssl.h
---- openssl-1.0.2e/ssl/ssl.h	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/ssl/ssl.h	2016-02-08 16:12:00.606614755 +0100
-@@ -297,6 +297,7 @@
- # define SSL_TXT_CAMELLIA128     "CAMELLIA128"
- # define SSL_TXT_CAMELLIA256     "CAMELLIA256"
- # define SSL_TXT_CAMELLIA        "CAMELLIA"
-+# define SSL_TXT_CHACHA20        "CHACHA20"
- 
- # define SSL_TXT_MD5             "MD5"
- # define SSL_TXT_SHA1            "SHA1"
-diff -rNu openssl-1.0.2e/ssl/ssl_algs.c openssl-1.0.2e-modified/ssl/ssl_algs.c
---- openssl-1.0.2e/ssl/ssl_algs.c	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/ssl/ssl_algs.c	2016-02-08 16:12:00.606614755 +0100
-@@ -106,6 +106,10 @@
-     EVP_add_cipher(EVP_camellia_256_cbc());
- #endif
- 
-+#ifndef OPENSSL_NO_CHACHA_POLY
-+    EVP_add_cipher(EVP_chacha20_poly1305());
-+#endif
-+
- #ifndef OPENSSL_NO_SEED
-     EVP_add_cipher(EVP_seed_cbc());
- #endif
-diff -rNu openssl-1.0.2e/ssl/ssl_ciph.c openssl-1.0.2e-modified/ssl/ssl_ciph.c
---- openssl-1.0.2e/ssl/ssl_ciph.c	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/ssl/ssl_ciph.c	2016-02-08 16:12:00.607614755 +0100
-@@ -164,7 +164,8 @@
- #define SSL_ENC_SEED_IDX        11
- #define SSL_ENC_AES128GCM_IDX   12
- #define SSL_ENC_AES256GCM_IDX   13
--#define SSL_ENC_NUM_IDX         14
-+#define SSL_ENC_CHACHA20POLY1305_IDX  14
-+#define SSL_ENC_NUM_IDX               15
- 
- static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
-     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-@@ -316,6 +317,7 @@
-     {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA128 | SSL_CAMELLIA256, 0, 0, 0,
-      0, 0, 0},
-+    {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 0, 0, 0},
- 
-     /* MAC aliases */
-     {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0},
-@@ -432,6 +434,9 @@
-     ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] =
-         EVP_get_cipherbyname(SN_aes_256_gcm);
- 
-+    ssl_cipher_methods[SSL_ENC_CHACHA20POLY1305_IDX] =
-+        EVP_get_cipherbyname(SN_chacha20_poly1305);
-+
-     ssl_digest_methods[SSL_MD_MD5_IDX] = EVP_get_digestbyname(SN_md5);
-     ssl_mac_secret_size[SSL_MD_MD5_IDX] =
-         EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
-@@ -582,6 +587,9 @@
-     case SSL_AES256GCM:
-         i = SSL_ENC_AES256GCM_IDX;
-         break;
-+    case SSL_CHACHA20POLY1305:
-+        i = SSL_ENC_CHACHA20POLY1305_IDX;
-+        break;
-     default:
-         i = -1;
-         break;
-@@ -806,6 +814,8 @@
-         (ssl_cipher_methods[SSL_ENC_GOST89_IDX] ==
-          NULL) ? SSL_eGOST2814789CNT : 0;
-     *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED : 0;
-+    *enc |= (ssl_cipher_methods[SSL_ENC_CHACHA20POLY1305_IDX] ==
-+         NULL) ? SSL_CHACHA20POLY1305 : 0;
- 
-     *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX] == NULL) ? SSL_MD5 : 0;
-     *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
-@@ -1824,6 +1834,9 @@
-     case SSL_eGOST2814789CNT:
-         enc = "GOST89(256)";
-         break;
-+    case SSL_CHACHA20POLY1305:
-+        enc = "CHACHA20-POLY1305(256)";
-+        break;
-     default:
-         enc = "unknown";
-         break;
-diff -rNu openssl-1.0.2e/ssl/ssl_locl.h openssl-1.0.2e-modified/ssl/ssl_locl.h
---- openssl-1.0.2e/ssl/ssl_locl.h	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/ssl/ssl_locl.h	2016-02-08 16:12:00.608614755 +0100
-@@ -354,6 +354,7 @@
- # define SSL_SEED                0x00000800L
- # define SSL_AES128GCM           0x00001000L
- # define SSL_AES256GCM           0x00002000L
-+# define SSL_CHACHA20POLY1305    0x00004000L
- 
- # define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
- # define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)
-diff -rNu openssl-1.0.2e/ssl/tls1.h openssl-1.0.2e-modified/ssl/tls1.h
---- openssl-1.0.2e/ssl/tls1.h	2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e-modified/ssl/tls1.h	2016-02-08 16:12:00.608614755 +0100
-@@ -563,6 +563,11 @@
- # define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256        0x0300C031
- # define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384        0x0300C032
- 
-+/* ChaCha20-Poly1305 ciphersuites draft-agl-tls-chacha20poly1305-01 */
-+# define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305             0x0300CC13
-+# define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305           0x0300CC14
-+# define TLS1_CK_DHE_RSA_CHACHA20_POLY1305               0x0300CC15
-+
- /*
-  * XXX * Backward compatibility alert: + * Older versions of OpenSSL gave
-  * some DHE ciphers names with "EDH" + * instead of "DHE".  Going forward, we
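Review bot: the three TLS1_CK_*_CHACHA20_POLY1305 values added in this tls1.h hunk (0x0300CC13 to 0x0300CC15) come from an individual draft, draft-agl-tls-chacha20poly1305-01 per the comment, and nothing in the patch or in the ebuilds that apply it tells users these suites are pre-standard. The patch is still applied from DISTDIR after this commit, so a one-line comment next to the epatch call stating that the suites only negotiate with peers using the same draft code points would keep the next maintainer from assuming standard ChaCha20-Poly1305 support.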
-@@ -713,6 +718,11 @@
- # define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256       "ECDH-RSA-AES128-GCM-SHA256"
- # define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384       "ECDH-RSA-AES256-GCM-SHA384"
- 
-+/* ChaCha20-Poly1305 ciphersuites draft-agl-tls-chacha20poly1305-01 */
-+#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305        "ECDHE-RSA-CHACHA20-POLY1305"
-+#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305      "ECDHE-ECDSA-CHACHA20-POLY1305"
-+#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305          "DHE-RSA-CHACHA20-POLY1305"
-+
- # define TLS_CT_RSA_SIGN                 1
- # define TLS_CT_DSS_SIGN                 2
- # define TLS_CT_RSA_FIXED_DH             3
-diff -rNu openssl-1.0.2e/test/Makefile openssl-1.0.2e-modified/test/Makefile
---- openssl-1.0.2e/test/Makefile	2015-12-03 15:44:31.000000000 +0100
-+++ openssl-1.0.2e-modified/test/Makefile	2016-02-08 16:12:00.608614755 +0100
-@@ -70,6 +70,7 @@
- CONSTTIMETEST=  constant_time_test
- VERIFYEXTRATEST=	verify_extra_test
- CLIENTHELLOTEST=	clienthellotest
-+CHAPOLYTEST=	chapolytest
- 
- TESTS=		alltests
- 
-@@ -83,7 +84,7 @@
- 	$(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \
- 	$(ASN1TEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) \
- 	$(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \
--	$(CLIENTHELLOTEST)$(EXE_EXT)
-+	$(CLIENTHELLOTEST)$(EXE_EXT) $(CHAPOLYTEST)$(EXE_EXT)
- 
- # $(METHTEST)$(EXE_EXT)
- 
-@@ -97,7 +98,7 @@
- 	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o  $(EXPTEST).o $(RSATEST).o \
- 	$(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \
- 	$(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \
--	$(CLIENTHELLOTEST).o
-+	$(CLIENTHELLOTEST).o $(CHAPOLYTEST).o
- 
- SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
- 	$(MD2TEST).c  $(MD4TEST).c $(MD5TEST).c \
-@@ -108,7 +109,7 @@
- 	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c   $(EXPTEST).c $(RSATEST).c \
- 	$(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \
- 	$(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \
--	$(CLIENTHELLOTEST).c
-+	$(CLIENTHELLOTEST).c $(CHAPOLYTEST).c
- 
- EXHEADER= 
- HEADER=	testutil.h $(EXHEADER)
-@@ -144,7 +145,7 @@
- 	@(cd ..; $(MAKE) DIRS=apps all)
- 
- alltests: \
--	test_des test_idea test_sha test_md4 test_md5 test_hmac \
-+	test_des test_idea test_sha test_md4 test_md5 test_hmac test_chapoly \
- 	test_md2 test_mdc2 test_wp \
- 	test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \
- 	test_rand test_bn test_ec test_ecdsa test_ecdh \
-@@ -361,6 +362,10 @@
- 	@echo $(START) $@
- 	../util/shlib_wrap.sh ./$(CLIENTHELLOTEST)
- 
-+test_chapoly: $(CHAPOLYTEST)$(EXE_EXT)
-+	@echo "Test ChaCha20 and Poly1305"
-+	../util/shlib_wrap.sh ./$(CHAPOLYTEST)
-+
- lint:
- 	lint -DLINT $(INCLUDES) $(SRC)>fluff
- 
-@@ -538,6 +543,9 @@
- $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
- 	@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
- 
-+$(CHAPOLYTEST)$(EXE_EXT): $(CHAPOLYTEST).o
-+	@target=$(CHAPOLYTEST); $(BUILD_CMD)
-+
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
- 
-@@ -606,6 +614,7 @@
- constant_time_test.o: ../crypto/constant_time_locl.h ../e_os.h
- constant_time_test.o: ../include/openssl/e_os2.h
- constant_time_test.o: ../include/openssl/opensslconf.h constant_time_test.c
-+chapolytest.o: ../include/openssl/chacha20poly1305.h chapolytest.c
- destest.o: ../include/openssl/des.h ../include/openssl/des_old.h
- destest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
- destest.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h

diff --git a/dev-libs/openssl/openssl-1.0.2e-r1.ebuild b/dev-libs/openssl/openssl-1.0.2e-r1.ebuild
index ecba596..1d16bf2 100644
--- a/dev-libs/openssl/openssl-1.0.2e-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2e-r1.ebuild
@@ -9,7 +9,8 @@ inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
 MY_P=${P/_/-}
 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
 HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+         http://dev.gentoo.org/~robbat2/distfiles/${PN}-1.0.2e-chacha20poly1305.patch"
 
 LICENSE="openssl"
 SLOT="0"
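Review bot: the new SRC_URI entry fetches a patch that modifies the TLS cipher code over plain http:// from a developer's personal distfiles directory, so the only integrity check on it is the Manifest DIST entry. Confirm that the Manifest in this commit gains a DIST line with checksums for ${PN}-1.0.2e-chacha20poly1305.patch, and use an https:// URL if the host serves one.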
@@ -63,7 +64,7 @@ src_prepare() {
 		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
 		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
 		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-		epatch "${FILESDIR}"/${PN}-1.0.2e-chacha20poly1305.patch
+		epatch "${DISTDIR}"/${PN}-1.0.2e-chacha20poly1305.patch
 
 		epatch_user #332661
 	fi

diff --git a/dev-libs/openssl/openssl-1.0.2f-r1.ebuild b/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
index f5089f5..9725895 100644
--- a/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2f-r1.ebuild
@@ -9,7 +9,8 @@ inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
 MY_P=${P/_/-}
 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
 HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+         http://dev.gentoo.org/~robbat2/distfiles/${PN}-1.0.2e-chacha20poly1305.patch"
 
 LICENSE="openssl"
 SLOT="0"
@@ -63,7 +64,7 @@ src_prepare() {
 		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
 		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
 		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-		epatch "${FILESDIR}"/${PN}-1.0.2e-chacha20poly1305.patch
+		epatch "${DISTDIR}"/${PN}-1.0.2e-chacha20poly1305.patch
 
 		epatch_user #332661
 	fi


^ permalink raw reply related	[flat|nested] 52+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-03-01 14:24 Lars Wendler
  0 siblings, 0 replies; 52+ messages in thread
From: Lars Wendler @ 2016-03-01 14:24 UTC (permalink / raw
  To: gentoo-commits

commit:     7bf3f3ef8d44f51b7cbfbabc1282da60fcb5f715
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Mar  1 14:05:20 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Mar  1 14:23:22 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf3f3ef

dev-libs/openssl: Security bump to version 1.0.2g (bug #575548).

Package-Manager: portage-2.2.27
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   1 +
 .../files/openssl-1.0.2g-parallel-build.patch      | 318 +++++++++++++++++++++
 dev-libs/openssl/openssl-1.0.2g.ebuild             | 265 +++++++++++++++++
 3 files changed, 584 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index e16c5f3..6eb6a35 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,2 +1,3 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835baaaa04e506fb3fbaed37d31c9
+DIST openssl-1.0.2g.tar.gz 5266102 SHA256 b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735 WHIRLPOOL aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb

diff --git a/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch
new file mode 100644
index 0000000..3582810
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch
@@ -0,0 +1,318 @@
+--- openssl-1.0.2g/crypto/Makefile
++++ openssl-1.0.2g/crypto/Makefile
+@@ -85,11 +85,11 @@
+ 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+ 
+ subdirs:
+-	@target=all; $(RECURSIVE_MAKE)
++	+@target=all; $(RECURSIVE_MAKE)
+ 
+ files:
+ 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+-	@target=files; $(RECURSIVE_MAKE)
++	+@target=files; $(RECURSIVE_MAKE)
+ 
+ links:
+ 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+@@ -100,7 +100,7 @@
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib:	$(LIB)
+ 	@touch lib
+-$(LIB):	$(LIBOBJ)
++$(LIB):	$(LIBOBJ) | subdirs
+ 	$(AR) $(LIB) $(LIBOBJ)
+ 	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ 	$(RANLIB) $(LIB) || echo Never mind.
+@@ -111,7 +111,7 @@
+ 	fi
+ 
+ libs:
+-	@target=lib; $(RECURSIVE_MAKE)
++	+@target=lib; $(RECURSIVE_MAKE)
+ 
+ install:
+ 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+@@ -120,7 +120,7 @@
+ 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ 	done;
+-	@target=install; $(RECURSIVE_MAKE)
++	+@target=install; $(RECURSIVE_MAKE)
+ 
+ lint:
+ 	@target=lint; $(RECURSIVE_MAKE)
+--- openssl-1.0.2g/engines/Makefile
++++ openssl-1.0.2g/engines/Makefile
+@@ -72,7 +72,7 @@
+ 
+ all:	lib subdirs
+ 
+-lib:	$(LIBOBJ)
++lib:	$(LIBOBJ) | subdirs
+ 	@if [ -n "$(SHARED_LIBS)" ]; then \
+ 		set -e; \
+ 		for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@
+ 
+ subdirs:
+ 	echo $(EDIRS)
+-	@target=all; $(RECURSIVE_MAKE)
++	+@target=all; $(RECURSIVE_MAKE)
+ 
+ files:
+ 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+@@ -128,7 +128,7 @@
+ 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ 		done; \
+ 	fi
+-	@target=install; $(RECURSIVE_MAKE)
++	+@target=install; $(RECURSIVE_MAKE)
+ 
+ tags:
+ 	ctags $(SRC)
+--- openssl-1.0.2g/Makefile.org
++++ openssl-1.0.2g/Makefile.org
+@@ -279,17 +279,17 @@
+ build_libssl: build_ssl libssl.pc
+ 
+ build_crypto:
+-	@dir=crypto; target=all; $(BUILD_ONE_CMD)
++	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+-	@dir=ssl; target=all; $(BUILD_ONE_CMD)
++	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+-	@dir=engines; target=all; $(BUILD_ONE_CMD)
++	+@dir=engines; target=all; $(BUILD_ONE_CMD)
+ build_apps: build_libs
+-	@dir=apps; target=all; $(BUILD_ONE_CMD)
++	+@dir=apps; target=all; $(BUILD_ONE_CMD)
+ build_tests: build_libs
+-	@dir=test; target=all; $(BUILD_ONE_CMD)
++	+@dir=test; target=all; $(BUILD_ONE_CMD)
+ build_tools: build_libs
+-	@dir=tools; target=all; $(BUILD_ONE_CMD)
++	+@dir=tools; target=all; $(BUILD_ONE_CMD)
+ 
+ all_testapps: build_libs build_testapps
+ build_testapps:
+@@ -544,7 +544,7 @@
+ 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ 	done;
+-	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
++	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
+ 	do \
+ 		if [ -f "$$i" ]; then \
+--- openssl-1.0.2g/Makefile.shared
++++ openssl-1.0.2g/Makefile.shared
+@@ -105,6 +105,7 @@
+     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
+     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
++    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
+     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+     $${SHAREDCMD} $${SHAREDFLAGS} \
+ 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
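Review bot: the added `[ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0;` skips the link step whenever the output file already exists, so a library left over from an earlier build in the same tree is kept even if its objects have changed. If the guard is only meant to stop two parallel jobs from linking the same library, say so in a comment above it, and quote the path the way the second Makefile.shared hunk does with `"$$SHLIB$$SHLIB_SUFFIX"`.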
+@@ -122,6 +123,7 @@
+ 			done; \
+ 		fi; \
+ 		if [ -n "$$SHLIB_SOVER" ]; then \
++			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
+ 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
+ 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+ 		fi; \
+--- openssl-1.0.2g/test/Makefile
++++ openssl-1.0.2g/test/Makefile
+@@ -139,7 +139,7 @@
+ tags:
+ 	ctags $(SRC)
+ 
+-tests:	exe apps $(TESTS)
++tests:	exe $(TESTS)
+ 
+ apps:
+ 	@(cd ..; $(MAKE) DIRS=apps all)
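Review bot: dropping `apps` from the prerequisites of `tests` means nothing in this target builds the apps directory any more, and the patch carries no comment saying why that is safe. The 1.0.2g ebuild only reaches `emake -j1 test` after `emake all`, so it works there; a short note in the patch header that any test needing the apps binaries relies on the top-level all target having built them would make that dependency explicit.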
+@@ -421,130 +421,130 @@
+ 		link_app.$${shlib_target}
+ 
+ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
+-	@target=$(RSATEST); $(BUILD_CMD)
++	+@target=$(RSATEST); $(BUILD_CMD)
+ 
+ $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
+-	@target=$(BNTEST); $(BUILD_CMD)
++	+@target=$(BNTEST); $(BUILD_CMD)
+ 
+ $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
+-	@target=$(ECTEST); $(BUILD_CMD)
++	+@target=$(ECTEST); $(BUILD_CMD)
+ 
+ $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
+-	@target=$(EXPTEST); $(BUILD_CMD)
++	+@target=$(EXPTEST); $(BUILD_CMD)
+ 
+ $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
+-	@target=$(IDEATEST); $(BUILD_CMD)
++	+@target=$(IDEATEST); $(BUILD_CMD)
+ 
+ $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
+-	@target=$(MD2TEST); $(BUILD_CMD)
++	+@target=$(MD2TEST); $(BUILD_CMD)
+ 
+ $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
+-	@target=$(SHATEST); $(BUILD_CMD)
++	+@target=$(SHATEST); $(BUILD_CMD)
+ 
+ $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
+-	@target=$(SHA1TEST); $(BUILD_CMD)
++	+@target=$(SHA1TEST); $(BUILD_CMD)
+ 
+ $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
+-	@target=$(SHA256TEST); $(BUILD_CMD)
++	+@target=$(SHA256TEST); $(BUILD_CMD)
+ 
+ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
+-	@target=$(SHA512TEST); $(BUILD_CMD)
++	+@target=$(SHA512TEST); $(BUILD_CMD)
+ 
+ $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
+-	@target=$(RMDTEST); $(BUILD_CMD)
++	+@target=$(RMDTEST); $(BUILD_CMD)
+ 
+ $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
+-	@target=$(MDC2TEST); $(BUILD_CMD)
++	+@target=$(MDC2TEST); $(BUILD_CMD)
+ 
+ $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
+-	@target=$(MD4TEST); $(BUILD_CMD)
++	+@target=$(MD4TEST); $(BUILD_CMD)
+ 
+ $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
+-	@target=$(MD5TEST); $(BUILD_CMD)
++	+@target=$(MD5TEST); $(BUILD_CMD)
+ 
+ $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
+-	@target=$(HMACTEST); $(BUILD_CMD)
++	+@target=$(HMACTEST); $(BUILD_CMD)
+ 
+ $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
+-	@target=$(WPTEST); $(BUILD_CMD)
++	+@target=$(WPTEST); $(BUILD_CMD)
+ 
+ $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
+-	@target=$(RC2TEST); $(BUILD_CMD)
++	+@target=$(RC2TEST); $(BUILD_CMD)
+ 
+ $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
+-	@target=$(BFTEST); $(BUILD_CMD)
++	+@target=$(BFTEST); $(BUILD_CMD)
+ 
+ $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
+-	@target=$(CASTTEST); $(BUILD_CMD)
++	+@target=$(CASTTEST); $(BUILD_CMD)
+ 
+ $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
+-	@target=$(RC4TEST); $(BUILD_CMD)
++	+@target=$(RC4TEST); $(BUILD_CMD)
+ 
+ $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
+-	@target=$(RC5TEST); $(BUILD_CMD)
++	+@target=$(RC5TEST); $(BUILD_CMD)
+ 
+ $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
+-	@target=$(DESTEST); $(BUILD_CMD)
++	+@target=$(DESTEST); $(BUILD_CMD)
+ 
+ $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
+-	@target=$(RANDTEST); $(BUILD_CMD)
++	+@target=$(RANDTEST); $(BUILD_CMD)
+ 
+ $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
+-	@target=$(DHTEST); $(BUILD_CMD)
++	+@target=$(DHTEST); $(BUILD_CMD)
+ 
+ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
+-	@target=$(DSATEST); $(BUILD_CMD)
++	+@target=$(DSATEST); $(BUILD_CMD)
+ 
+ $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
+-	@target=$(METHTEST); $(BUILD_CMD)
++	+@target=$(METHTEST); $(BUILD_CMD)
+ 
+ $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
+-	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
++	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
+ 
+ $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
+-	@target=$(ENGINETEST); $(BUILD_CMD)
++	+@target=$(ENGINETEST); $(BUILD_CMD)
+ 
+ $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
+-	@target=$(EVPTEST); $(BUILD_CMD)
++	+@target=$(EVPTEST); $(BUILD_CMD)
+ 
+ $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
+-	@target=$(EVPEXTRATEST); $(BUILD_CMD)
++	+@target=$(EVPEXTRATEST); $(BUILD_CMD)
+ 
+ $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
+-	@target=$(ECDSATEST); $(BUILD_CMD)
++	+@target=$(ECDSATEST); $(BUILD_CMD)
+ 
+ $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
+-	@target=$(ECDHTEST); $(BUILD_CMD)
++	+@target=$(ECDHTEST); $(BUILD_CMD)
+ 
+ $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
+-	@target=$(IGETEST); $(BUILD_CMD)
++	+@target=$(IGETEST); $(BUILD_CMD)
+ 
+ $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
+-	@target=$(JPAKETEST); $(BUILD_CMD)
++	+@target=$(JPAKETEST); $(BUILD_CMD)
+ 
+ $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
+-	@target=$(ASN1TEST); $(BUILD_CMD)
++	+@target=$(ASN1TEST); $(BUILD_CMD)
+ 
+ $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
+-	@target=$(SRPTEST); $(BUILD_CMD)
++	+@target=$(SRPTEST); $(BUILD_CMD)
+ 
+ $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
+-	@target=$(V3NAMETEST); $(BUILD_CMD)
++	+@target=$(V3NAMETEST); $(BUILD_CMD)
+ 
+ $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
+-	@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
++	+@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
+ 
+ $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
+-	@target=$(CONSTTIMETEST) $(BUILD_CMD)
++	+@target=$(CONSTTIMETEST) $(BUILD_CMD)
+ 
+ $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
+-	@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
++	+@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
+ 
+ $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
+-	@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
++	+@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+ 
+ $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
+-	@target=$(SSLV2CONFTEST) $(BUILD_CMD)
++	+@target=$(SSLV2CONFTEST) $(BUILD_CMD)
+ 
+ #$(AESTEST).o: $(AESTEST).c
+ #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+@@ -557,7 +557,7 @@
+ #	fi
+ 
+ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
+-	@target=dummytest; $(BUILD_CMD)
++	+@target=dummytest; $(BUILD_CMD)
+ 
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+ 

diff --git a/dev-libs/openssl/openssl-1.0.2g.ebuild b/dev-libs/openssl/openssl-1.0.2g.ebuild
new file mode 100644
index 0000000..9fc51c4
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2g.ebuild
@@ -0,0 +1,265 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking.  We'll drop them in
+# the future.
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)
+	!<net-misc/openssh-5.9_p1-r4
+	!<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+		epatch "${FILESDIR}"/${PN}-1.0.2g-parallel-build.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
+		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+
+		epatch_user #332661
+	fi
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		Makefile.org \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+	# since we're forcing $(CC) as makedep anyway, just fix
+	# the conditional as always-on
+	# helps clang (#417795), and versioned gcc (#499818)
+	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		enable-tlsext \
+		$(use_ssl asm) \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+	# rehash is needed to prep the certs/ dir; do this
+	# separately to avoid parallel build issues.
+	emake rehash
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+	dohtml -r doc/*
+	use rfc3779 && dodoc engines/ccgost/README.gost
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+
+	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
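Review bot: several commands in src_prepare and multilib_src_install_all can fail silently because they lack `|| die`: the `sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared` call, `chmod a+rx gentoo.config`, `rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}` and `cd "${ED}"/usr/share/man`, the last of which would leave the man-page renaming loop running in the wrong directory. Separately, for a security bump it is worth a comment on why IUSE keeps `+tls-heartbeat` on by default, since `$(use_ssl tls-heartbeat heartbeats)` then enables the heartbeat extension on every default install.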


^ permalink raw reply related	[flat|nested] 52+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-06-25  2:19 Patrick McLean
  0 siblings, 0 replies; 52+ messages in thread
From: Patrick McLean @ 2016-06-25  2:19 UTC (permalink / raw
  To: gentoo-commits

commit:     b4bfc10ce01e37a79da48f2f8349200c7eca78ed
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 25 02:19:01 2016 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Sat Jun 25 02:19:01 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4bfc10c

dev-libs/openssl: Revision bump to 1.0.2h-r2 to fix bug 585142 & bug 585276

This fixes CVE-2016-2177 and CVE-2016-2178.

Package-Manager: portage-2.3.0

 .../files/openssl-1.0.2h-CVE-2016-2177.patch       | 279 +++++++++++++++++++++
 .../files/openssl-1.0.2h-CVE-2016-2178.patch       |  28 +++
 dev-libs/openssl/openssl-1.0.2h-r2.ebuild          | 254 +++++++++++++++++++
 3 files changed, 561 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch
new file mode 100644
index 0000000..ca934c2
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch
@@ -0,0 +1,279 @@
+From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 5 May 2016 11:10:26 +0100
+Subject: [PATCH] Avoid some undefined pointer arithmetic
+
+A common idiom in the codebase is:
+
+if (p + len > limit)
+{
+    return; /* Too long */
+}
+
+Where "p" points to some malloc'd data of SIZE bytes and
+limit == p + SIZE
+
+"len" here could be from some externally supplied data (e.g. from a TLS
+message).
+
+The rules of C pointer arithmetic are such that "p + len" is only well
+defined where len <= SIZE. Therefore the above idiom is actually
+undefined behaviour.
+
+For example this could cause problems if some malloc implementation
+provides an address for "p" such that "p + len" actually overflows for
+values of len that are too big and therefore p + len < limit!
+
+Issue reported by Guido Vranken.
+
+CVE-2016-2177
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ ssl/s3_srvr.c  | 14 +++++++-------
+ ssl/ssl_sess.c |  2 +-
+ ssl/t1_lib.c   | 56 ++++++++++++++++++++++++++++++--------------------------
+ 3 files changed, 38 insertions(+), 34 deletions(-)
+
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ab28702..ab7f690 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+         session_length = *(p + SSL3_RANDOM_SIZE);
+ 
+-        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
++        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
+     /* get the session-id */
+     j = *(p++);
+ 
+-    if (p + j > d + n) {
++    if ((d + n) - p < j) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     if (SSL_IS_DTLS(s)) {
+         /* cookie stuff */
+-        if (p + 1 > d + n) {
++        if ((d + n) - p < 1) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+         }
+         cookie_len = *(p++);
+ 
+-        if (p + cookie_len > d + n) {
++        if ((d + n ) - p < cookie_len) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
+         }
+     }
+ 
+-    if (p + 2 > d + n) {
++    if ((d + n ) - p < 2) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
+     }
+ 
+     /* i bytes of cipher data + 1 byte for compression length later */
+-    if ((p + i + 1) > (d + n)) {
++    if ((d + n) - p < i + 1) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     /* compression */
+     i = *(p++);
+-    if ((p + i) > (d + n)) {
++    if ((d + n) - p < i) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index b182998..54ee783 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
+     int r;
+ #endif
+ 
+-    if (session_id + len > limit) {
++    if (limit - session_id < len) {
+         fatal = 1;
+         goto err;
+     }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fb64607..cdac011 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         0x02, 0x03,             /* SHA-1/ECDSA */
+     };
+ 
+-    if (data >= (limit - 2))
++    if (limit - data <= 2)
+         return;
+     data += 2;
+ 
+-    if (data > (limit - 4))
++    if (limit - data < 4)
+         return;
+     n2s(data, type);
+     n2s(data, size);
+@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     if (type != TLSEXT_TYPE_server_name)
+         return;
+ 
+-    if (data + size > limit)
++    if (limit - data < size)
+         return;
+     data += size;
+ 
+@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         const size_t len1 = sizeof(kSafariExtensionsBlock);
+         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+ 
+-        if (data + len1 + len2 != limit)
++        if (limit - data != (int)(len1 + len2))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+             return;
+@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     } else {
+         const size_t len = sizeof(kSafariExtensionsBlock);
+ 
+-        if (data + len != limit)
++        if (limit - data != (int)(len))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+             return;
+@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+     if (data == limit)
+         goto ri_check;
+ 
+-    if (data > (limit - 2))
++    if (limit - data < 2)
+         goto err;
+ 
+     n2s(data, len);
+ 
+-    if (data + len != limit)
++    if (limit - data != len)
+         goto err;
+ 
+-    while (data <= (limit - 4)) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (limit))
++        if (limit - data < size)
+             goto err;
+ # if 0
+         fprintf(stderr, "Received extension type %d size %d\n", type, size);
+@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
+     if (s->hit || s->cert->srv_ext.meths_count == 0)
+         return 1;
+ 
+-    if (data >= limit - 2)
++    if (limit - data <= 2)
+         return 1;
+     n2s(data, len);
+ 
+-    if (data > limit - len)
++    if (limit - data < len)
+         return 1;
+ 
+-    while (data <= limit - 4) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > limit)
++        if (limit - data < size)
+             return 1;
+         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
+             return 0;
+@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
+                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ # endif
+ 
+-    if (data >= (d + n - 2))
++    if ((d + n) - data <= 2)
+         goto ri_check;
+ 
+     n2s(data, length);
+-    if (data + length != d + n) {
++    if ((d + n) - data != length) {
+         *al = SSL_AD_DECODE_ERROR;
+         return 0;
+     }
+ 
+-    while (data <= (d + n - 4)) {
++    while ((d + n) - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (d + n))
++        if ((d + n) - data < size)
+             goto ri_check;
+ 
+         if (s->tlsext_debug_cb)
+@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
+     /* Skip past DTLS cookie */
+     if (SSL_IS_DTLS(s)) {
+         i = *(p++);
+-        p += i;
+-        if (p >= limit)
++
++        if (limit - p <= i)
+             return -1;
++
++        p += i;
+     }
+     /* Skip past cipher list */
+     n2s(p, i);
+-    p += i;
+-    if (p >= limit)
++    if (limit - p <= i)
+         return -1;
++    p += i;
++
+     /* Skip past compression algorithm list */
+     i = *(p++);
+-    p += i;
+-    if (p > limit)
++    if (limit - p < i)
+         return -1;
++    p += i;
++
+     /* Now at start of extensions */
+-    if ((p + 2) >= limit)
++    if (limit - p <= 2)
+         return 0;
+     n2s(p, i);
+-    while ((p + 4) <= limit) {
++    while (limit - p >= 4) {
+         unsigned short type, size;
+         n2s(p, type);
+         n2s(p, size);
+-        if (p + size > limit)
++        if (limit - p < size)
+             return 0;
+         if (type == TLSEXT_TYPE_session_ticket) {
+             int r;
+-- 
+1.9.1
+
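Review bot: The rewritten bounds checks compare a pointer difference against length variables whose declarations are outside the visible context (`(d + n) - p < j`, `limit - data < size`, `limit - p <= i`), while the two `ssl_check_for_safari` comparisons add an explicit `(int)` cast on the `size_t` sums. If any of those length variables has an unsigned type of at least the rank of `ptrdiff_t`, the difference is converted to unsigned before the comparison, so each check is only correct while the cursor is known to be at or below the limit. State that invariant in a comment next to the first check in each function, or cast consistently, so the signedness does not depend on the reader looking up each declaration. Minor style: `(d + n ) - p` in the DTLS cookie-length check and in the following `< 2` check has a stray space before the closing parenthesis.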

diff --git a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2178.patch b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2178.patch
new file mode 100644
index 0000000..a64141f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2178.patch
@@ -0,0 +1,28 @@
+X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fdsa%2Fdsa_ossl.c;h=beb62b2ff058d3e2bde0397fbddd355e11cd457b;hp=ce1da1cd6fa121f1ae0961ac2d2e9f81de4d8c9b;hb=399944622df7bd81af62e67ea967c470534090e2;hpb=0a4c87a90c6cf6628c688868cd5f13e4b9a5f19d
+
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index ce1da1c..beb62b2 100644
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -248,9 +248,6 @@
+         if (!BN_rand_range(&k, dsa->q))
+             goto err;
+     while (BN_is_zero(&k)) ;
+-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+-        BN_set_flags(&k, BN_FLG_CONSTTIME);
+-    }
+ 
+     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -238,6 +234,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+     } else {
+         K = k;
+     }
++
++    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
++        BN_set_flags(K, BN_FLG_CONSTTIME);
++    }
++
+     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+                    dsa->method_mont_p);
+     if (!BN_mod(r, r, dsa->q, ctx))
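Review bot: The two hunks in this patch file have inconsistent headers: the first is `@@ -248,9 +248,6 @@` with no function context, and the second is `@@ -238,6 +234,11 @@`, a lower old-file line number than the first even though it comes second, with a new-file offset of 4 after a hunk that removes 3 lines. The first hunk also treats `k` as an object (`&k`) while the second hunk's context has `K = k;`, which suggests the hunks come from different revisions of the file. patch(1) may still apply this with offsets or fuzz, but regenerating the file with `git format-patch` from the upstream commit named in the X-Git-Url line would give consistent headers and a commit message. A short header would help in any case, since the reason for the move is not obvious from the diff alone: the flag was set on `k`, while the exponent passed to `DSA_BN_MOD_EXP` is `K`, which is the same BIGNUM only in the `K = k;` branch, so setting `BN_FLG_CONSTTIME` on `K` just before the exponentiation covers both branches.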

diff --git a/dev-libs/openssl/openssl-1.0.2h-r2.ebuild b/dev-libs/openssl/openssl-1.0.2h-r2.ebuild
new file mode 100644
index 0000000..2a2a0dd
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2h-r2.ebuild
@@ -0,0 +1,254 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	# bugs 585142 and 585276
+	epatch "${FILESDIR}"/${P}-CVE-2016-2177.patch
+	epatch "${FILESDIR}"/${P}-CVE-2016-2178.patch
+
+	if ! use vanilla ; then
+		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+		epatch "${FILESDIR}"/${PN}-1.0.2g-parallel-build.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
+		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
+		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
+
+		epatch_user #332661
+	fi
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		Makefile.org \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+	# since we're forcing $(CC) as makedep anyway, just fix
+	# the conditional as always-on
+	# helps clang (#417795), and versioned gcc (#499818)
+	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		enable-tlsext \
+		$(use_ssl asm) \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl sslv2 ssl2) \
+		$(use_ssl sslv3 ssl3) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+	# rehash is needed to prep the certs/ dir; do this
+	# separately to avoid parallel build issues.
+	emake rehash
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+	dohtml -r doc/*
+	use rfc3779 && dodoc engines/ccgost/README.gost
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
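Review bot: In `multilib_src_install_all`, `cd "${ED}"/usr/share/man` has no `|| die`, and the loop that follows runs `find`, `mv`, `rm -f` and `ln -s` on relative paths, so a failed `cd` would rename and delete files in whatever directory the function happened to be in. Add `|| die` there; the `sed -i` on `Makefile.shared` and `chmod a+rx gentoo.config` in `src_prepare` are unchecked in the same way. Placing the two CVE `epatch` calls outside the `if ! use vanilla` block looks right, since it keeps the security fixes applied for USE=vanilla builds too.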



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-08-26 15:52 Lars Wendler
From: Lars Wendler @ 2016-08-26 15:52 UTC
  To: gentoo-commits

commit:     18fd87c2468bf11b7b21a3691cb8b3735672f452
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 26 15:51:57 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Aug 26 15:52:16 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18fd87c2

dev-libs/openssl: Bump to version 1.1.0

Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   1 +
 dev-libs/openssl/files/openssl-1.1.0-threads.patch |  20 ++
 .../openssl/files/openssl-1.1.0_pre4-ldflags.patch |  11 +
 dev-libs/openssl/openssl-1.1.0.ebuild              | 243 +++++++++++++++++++++
 4 files changed, 275 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 7ca6bf7..732c6d3 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,3 +1,4 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.2g.tar.gz 5266102 SHA256 b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735 WHIRLPOOL aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb
 DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
+DIST openssl-1.1.0.tar.gz 5146831 SHA256 f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82 SHA512 6a99d391be7708fdc4eb097d27cea4ce79dc83cc7f52d353af1e222773e586405c0848557d7404716b92b23b775abed45e73c66fe9128f4bd7c09864e79317b0 WHIRLPOOL 9d38954c65073a8d02caa6aa00b1efc197391b38b341662f0d9967ce883f52eed8c3be84ebd6ecc89c494f725218bfd2bef395891a20b40c8dcdf6b31fba2131

diff --git a/dev-libs/openssl/files/openssl-1.1.0-threads.patch b/dev-libs/openssl/files/openssl-1.1.0-threads.patch
new file mode 100644
index 00000000..d4326f6
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0-threads.patch
@@ -0,0 +1,20 @@
+--- openssl-1.1.0/Configurations/10-main.conf
++++ openssl-1.1.0/Configurations/10-main.conf
+@@ -612,7 +612,7 @@
+                                            debug   => "-O0 -g",
+                                            release => "-O3"),
+                                     threads("-pthread")),
+-        ex_libs          => add("-ldl"),
++        ex_libs          => add("-ldl",threads("-lpthread")),
+         bn_ops           => "BN_LLONG RC4_CHAR",
+         thread_scheme    => "pthreads",
+         dso_scheme       => "dlfcn",
+@@ -721,7 +721,7 @@
+         inherit_from     => [ "linux-generic32", asm("x86_elf_asm") ],
+         cflags           => add(picker(default => "-DL_ENDIAN",
+                                        release => "-fomit-frame-pointer")),
+-        ex_libs          => add(picker(debug => "-lefence")),
++        ex_libs          => add(picker(debug => "-lefence"),threads("-lpthread")),
+         bn_ops           => "BN_LLONG",
+     },
+     "linux-aout" => {
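Review bot: This patch file carries no header, and its PATCHES entry in the ebuild is the only one of the three without a bug number, so nothing records why `threads("-lpthread")` is needed in `ex_libs` when the first target already passes `threads("-pthread")` in the line just above. Add a short description and bug reference at the top of the patch, and note whether it has been sent upstream, so the next version bump can tell if it is still required.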

diff --git a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
new file mode 100644
index 00000000..f0d7e18
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
@@ -0,0 +1,11 @@
+--- openssl-1.1.0-pre4/Makefile.shared
++++ openssl-1.1.0-pre4/Makefile.shared
+@@ -175,7 +175,7 @@
+ 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ 	$(DO_GNU_SO_COMMON)
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
+ 
+ #This is rather special.  It's a special target with which one can link
+ #applications without bothering with any features that have anything to
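Review bot: Dropping `$(CFLAGS)` from `DO_GNU_APP` means flags that are only carried in CFLAGS no longer reach the link step for the applications; the ebuild added in this commit inherits multilib-minimal and appends to CFLAGS, so ABI-selecting or `-pthread`-style flags set there would be lost when linking. Keeping `$(CFLAGS)` on that line, as the removed line has it, avoids that. The line also keeps `-Wl,-rpath,$(LIBRPATH)`, which embeds a runpath in the linked programs; confirm that is intended for installed binaries. The file is named and headed for `1.1.0-pre4` while being applied to the 1.1.0 release, and a rename would make that clearer.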

diff --git a/dev-libs/openssl/openssl-1.1.0.ebuild b/dev-libs/openssl/openssl-1.1.0.ebuild
new file mode 100644
index 00000000..05e1641
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0.ebuild
@@ -0,0 +1,243 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.1.0_pre4-ldflags.patch #327421
+	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${PN}-1.1.0-threads.patch
+)
+
+src_prepare() {
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		epatch "${PATCHES[@]}"
+		epatch_user #332661
+	fi
+
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	# Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# show the actual commands in the log
+	sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	# Prefixify Configure shebang (#141906)
+	sed \
+		-e "1s,/usr/bin/env,${EPREFIX}&," \
+		-i Configure || die
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	echoit \
+	./${config} \
+		${sslout} \
+		--api=1.1.0 \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		disable-deprecated \
+		$(use_ssl !bindist ec) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		$(use_ssl asm) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	# Fix quoting for sed
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+		-e 's:\\:\\\\:g' \
+	)
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+	dohtml -r doc/*
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
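Review bot: `local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")` in `multilib_src_configure` is dead code in this ebuild: `kerberos` is no longer in IUSE and nothing in the `./${config}` call uses `${krb5}`, so the line can be dropped. The comment in `src_prepare` about only ever touching `Makefile.org` is stale as well, since the `sed` below it now edits `Configurations/unix-Makefile.tmpl`.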



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-08-26 17:39 Lars Wendler
From: Lars Wendler @ 2016-08-26 17:39 UTC
  To: gentoo-commits

commit:     85c9a35d3eea4416b7d234c40fa8758f721cf404
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 26 17:39:11 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Aug 26 17:39:55 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85c9a35d

dev-libs/openssl: Fixed broken ldflags patch (thanks to floppym).

Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/openssl/files/openssl-1.1.0-threads.patch   | 20 --------------------
 ...e4-ldflags.patch => openssl-1.1.01-ldflags.patch} |  2 +-
 dev-libs/openssl/openssl-1.1.0.ebuild                |  3 +--
 3 files changed, 2 insertions(+), 23 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.0-threads.patch b/dev-libs/openssl/files/openssl-1.1.0-threads.patch
deleted file mode 100644
index d4326f6..00000000
--- a/dev-libs/openssl/files/openssl-1.1.0-threads.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- openssl-1.1.0/Configurations/10-main.conf
-+++ openssl-1.1.0/Configurations/10-main.conf
-@@ -612,7 +612,7 @@
-                                            debug   => "-O0 -g",
-                                            release => "-O3"),
-                                     threads("-pthread")),
--        ex_libs          => add("-ldl"),
-+        ex_libs          => add("-ldl",threads("-lpthread")),
-         bn_ops           => "BN_LLONG RC4_CHAR",
-         thread_scheme    => "pthreads",
-         dso_scheme       => "dlfcn",
-@@ -721,7 +721,7 @@
-         inherit_from     => [ "linux-generic32", asm("x86_elf_asm") ],
-         cflags           => add(picker(default => "-DL_ENDIAN",
-                                        release => "-fomit-frame-pointer")),
--        ex_libs          => add(picker(debug => "-lefence")),
-+        ex_libs          => add(picker(debug => "-lefence"),threads("-lpthread")),
-         bn_ops           => "BN_LLONG",
-     },
-     "linux-aout" => {
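Review bot: The commit message mentions only the ldflags patch, yet this hunk deletes openssl-1.1.0-threads.patch, which added `threads("-lpthread")` to `ex_libs` for two targets in Configurations/10-main.conf. Say in the message why the threads patch is dropped so the removal can be traced later.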

diff --git a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
similarity index 88%
rename from dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
rename to dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
index f0d7e18..95a95f2 100644
--- a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
+++ b/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
@@ -5,7 +5,7 @@
  	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
  	$(DO_GNU_SO_COMMON)
 -DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)"
  
  #This is rather special.  It's a special target with which one can link
  #applications without bothering with any features that have anything to
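Review bot: The new `+` line keeps `$(CFLAGS)` and drops `-Wl,-rpath,$(LIBRPATH)`, the reverse of the line it replaces, which dropped `$(CFLAGS)` and kept the rpath. The commit message says only that the patch was broken; state which of the two was the intended change for bug #327421, so that removing the rpath from linked applications is visibly deliberate.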

diff --git a/dev-libs/openssl/openssl-1.1.0.ebuild b/dev-libs/openssl/openssl-1.1.0.ebuild
index 05e1641..0aea4eb 100644
--- a/dev-libs/openssl/openssl-1.1.0.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0.ebuild
@@ -35,9 +35,8 @@ MULTILIB_WRAPPED_HEADERS=(
 )
 
 PATCHES=(
-	"${FILESDIR}"/${PN}-1.1.0_pre4-ldflags.patch #327421
+	"${FILESDIR}"/${PN}-1.1.0-ldflags.patch #327421
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-	"${FILESDIR}"/${PN}-1.1.0-threads.patch
 )
 
 src_prepare() {
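Review bot: PATCHES now lists `"${FILESDIR}"/${PN}-1.1.0-ldflags.patch`, but the rename in this same commit creates files/openssl-1.1.01-ldflags.patch, so the entry points at a file the commit does not add. Rename the file to openssl-1.1.0-ldflags.patch or adjust the entry so the two agree.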



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-10-31  7:11 Lars Wendler
  0 siblings, 0 replies; 52+ messages in thread
From: Lars Wendler @ 2016-10-31  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     246f6b0590667adffa8967d9ba41bc993119a553
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 31 07:10:08 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Oct 31 07:10:08 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=246f6b05

dev-libs/openssl: Removed vulnerable versions.

Package-Manager: portage-2.3.2
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../openssl/files/openssl-1.0.0d-windres.patch     |  76 -----
 .../files/openssl-1.0.2g-parallel-build.patch      | 318 ---------------------
 .../files/openssl-1.0.2h-CVE-2016-2177.patch       | 279 ------------------
 .../files/openssl-1.0.2h-CVE-2016-2178.patch       |  28 --
 dev-libs/openssl/openssl-1.0.2h-r2.ebuild          | 254 ----------------
 dev-libs/openssl/openssl-1.0.2i.ebuild             | 249 ----------------
 7 files changed, 1206 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 4d20371..3e6411e 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,5 +1,3 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
-DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
-DIST openssl-1.0.2i.tar.gz 5308232 SHA256 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f SHA512 41764debd5d64e4e770945f30d682e2c887d9cefb39b358c5c7f9d2cdce34393ed28d49b24e95c4639db2df01c278cbcde71bed2b03f9aafafc76766b03850e3 WHIRLPOOL ba1a4513aaa1de81e36912acfe0b6cf8e0acf7cc71d32b127b5e54eb2f6fc6ce63f4f61e9fc99fecc9e037cdccc496b9d15ea75b594b0fd8721b4478eab1f31d
 DIST openssl-1.0.2j.tar.gz 5307912 SHA256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 SHA512 7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd WHIRLPOOL 1f17e80bc10da2eab9d4c1c3a662b0e2b4f7e8bc448aabb44cd98a96ba3d6cd0ef6cf9a3371d44b39a4d11b1a4087c8f0d056272ace6eba5bd2417f7ab9503b7
 DIST openssl-1.1.0b.tar.gz 5162355 SHA256 a45de072bf9be4dea437230aaf036000f0e68c6a665931c57e76b5b036cef6f7 SHA512 b6d66261427f1acc049bf5469a0dc668490e752c2ba4802481809e7e35367213eca17ac9fdc3f23ed5f7a53d303abca78b13a48b169f154043199f2680ccf1a4 WHIRLPOOL bc926b2839f2e85751480ac0a6306bd37ca1ac12759b78654fba6861517bb9979245b95676a60900eab9257334ecf2e1b7d9e406c39a6075054a93ffc1f7a76a

diff --git a/dev-libs/openssl/files/openssl-1.0.0d-windres.patch b/dev-libs/openssl/files/openssl-1.0.0d-windres.patch
deleted file mode 100644
index 0b360d2..00000000
--- a/dev-libs/openssl/files/openssl-1.0.0d-windres.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-URL: http://rt.openssl.org/Ticket/Display.html?id=2558&user=guest&pass=guest
-Subject: make windres controllable via build env var settings
-
-atm, the windres code in openssl is only usable via the cross-compile prefix 
-option unlike all the other build tools. so add support for the standard $RC 
-/ $WINDRES env vars as well.
-
-Index: Configure
-===================================================================
-RCS file: /usr/local/src/openssl/CVSROOT/openssl/Configure,v
-retrieving revision 1.621.2.40
-diff -u -p -r1.621.2.40 Configure
---- Configure	30 Nov 2010 22:19:26 -0000	1.621.2.40
-+++ Configure	4 Jul 2011 23:12:32 -0000
-@@ -1094,6 +1094,7 @@ my $shared_extension = $fields[$idx_shar
- my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
- my $ar = $ENV{'AR'} || "ar";
- my $arflags = $fields[$idx_arflags];
-+my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres";
- my $multilib = $fields[$idx_multilib];
- 
- # if $prefix/lib$multilib is not an existing directory, then
-@@ -1511,12 +1512,14 @@ while (<IN>)
- 		s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/;
- 		s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
- 		s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
-+		s/^WINDRES=\s*/WINDRES= \$\(CROSS_COMPILE\)/;
- 		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc";
- 		}
- 	else	{
- 		s/^CC=.*$/CC= $cc/;
- 		s/^AR=\s*ar/AR= $ar/;
- 		s/^RANLIB=.*/RANLIB= $ranlib/;
-+		s/^WINDRES=.*/WINDRES= $windres/;
- 		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
- 		}
- 	s/^CFLAG=.*$/CFLAG= $cflags/;
-Index: Makefile.org
-===================================================================
-RCS file: /usr/local/src/openssl/CVSROOT/openssl/Makefile.org,v
-retrieving revision 1.295.2.10
-diff -u -p -r1.295.2.10 Makefile.org
---- Makefile.org	27 Jan 2010 16:06:58 -0000	1.295.2.10
-+++ Makefile.org	4 Jul 2011 23:13:08 -0000
-@@ -66,6 +66,7 @@ EXE_EXT= 
- ARFLAGS=
- AR=ar $(ARFLAGS) r
- RANLIB= ranlib
-+WINDRES= windres
- NM= nm
- PERL= perl
- TAR= tar
-@@ -180,6 +181,7 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESS
- 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
- 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
- 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
-+		WINDRES='$(WINDRES)'				\
- 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
- 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
- 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
-Index: Makefile.shared
-===================================================================
-RCS file: /usr/local/src/openssl/CVSROOT/openssl/Makefile.shared,v
-retrieving revision 1.72.2.4
-diff -u -p -r1.72.2.4 Makefile.shared
---- Makefile.shared	21 Aug 2010 11:36:49 -0000	1.72.2.4
-+++ Makefile.shared	4 Jul 2011 23:13:52 -0000
-@@ -293,7 +293,7 @@ link_a.cygwin:
- 	fi; \
- 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
- 	$(PERL) util/mkrc.pl $$dll_name | \
--		$(CROSS_COMPILE)windres -o rc.o; \
-+		$(WINDRES) -o rc.o; \
- 	extras="$$extras rc.o"; \
- 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
- 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
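Review bot: Nothing in the commit message covers this file, which is a build-environment patch (it lets `$RC` / `$WINDRES` select windres) rather than a security fix. The only visible consumer is the `epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743` line in the openssl-1.0.2h-r2.ebuild removed further down; confirm that the ebuilds that remain do not apply it, and mention the cleanup in the message.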

diff --git a/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch
deleted file mode 100644
index 3582810..00000000
--- a/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch
+++ /dev/null
@@ -1,318 +0,0 @@
---- openssl-1.0.2g/crypto/Makefile
-+++ openssl-1.0.2g/crypto/Makefile
-@@ -85,11 +85,11 @@
- 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
--	@target=files; $(RECURSIVE_MAKE)
-+	+@target=files; $(RECURSIVE_MAKE)
- 
- links:
- 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -100,7 +100,7 @@
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:	$(LIB)
- 	@touch lib
--$(LIB):	$(LIBOBJ)
-+$(LIB):	$(LIBOBJ) | subdirs
- 	$(AR) $(LIB) $(LIBOBJ)
- 	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
- 	$(RANLIB) $(LIB) || echo Never mind.
-@@ -111,7 +111,7 @@
- 	fi
- 
- libs:
--	@target=lib; $(RECURSIVE_MAKE)
-+	+@target=lib; $(RECURSIVE_MAKE)
- 
- install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -120,7 +120,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- lint:
- 	@target=lint; $(RECURSIVE_MAKE)
---- openssl-1.0.2g/engines/Makefile
-+++ openssl-1.0.2g/engines/Makefile
-@@ -72,7 +72,7 @@
- 
- all:	lib subdirs
- 
--lib:	$(LIBOBJ)
-+lib:	$(LIBOBJ) | subdirs
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
- 		for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@
- 
- subdirs:
- 	echo $(EDIRS)
--	@target=all; $(RECURSIVE_MAKE)
-+	+@target=all; $(RECURSIVE_MAKE)
- 
- files:
- 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
--	@target=install; $(RECURSIVE_MAKE)
-+	+@target=install; $(RECURSIVE_MAKE)
- 
- tags:
- 	ctags $(SRC)
---- openssl-1.0.2g/Makefile.org
-+++ openssl-1.0.2g/Makefile.org
-@@ -279,17 +279,17 @@
- build_libssl: build_ssl libssl.pc
- 
- build_crypto:
--	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-+	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
--	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-+	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
--	@dir=engines; target=all; $(BUILD_ONE_CMD)
-+	+@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
--	@dir=apps; target=all; $(BUILD_ONE_CMD)
-+	+@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
--	@dir=test; target=all; $(BUILD_ONE_CMD)
-+	+@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
--	@dir=tools; target=all; $(BUILD_ONE_CMD)
-+	+@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -544,7 +544,7 @@
- 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- 	done;
--	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
- 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
- 	do \
- 		if [ -f "$$i" ]; then \
---- openssl-1.0.2g/Makefile.shared
-+++ openssl-1.0.2g/Makefile.shared
-@@ -105,6 +105,7 @@
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
-+    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
-     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
- 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-@@ -122,6 +123,7 @@
- 			done; \
- 		fi; \
- 		if [ -n "$$SHLIB_SOVER" ]; then \
-+			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
- 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
- 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
- 		fi; \
---- openssl-1.0.2g/test/Makefile
-+++ openssl-1.0.2g/test/Makefile
-@@ -139,7 +139,7 @@
- tags:
- 	ctags $(SRC)
- 
--tests:	exe apps $(TESTS)
-+tests:	exe $(TESTS)
- 
- apps:
- 	@(cd ..; $(MAKE) DIRS=apps all)
-@@ -421,130 +421,130 @@
- 		link_app.$${shlib_target}
- 
- $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
--	@target=$(RSATEST); $(BUILD_CMD)
-+	+@target=$(RSATEST); $(BUILD_CMD)
- 
- $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
--	@target=$(BNTEST); $(BUILD_CMD)
-+	+@target=$(BNTEST); $(BUILD_CMD)
- 
- $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
--	@target=$(ECTEST); $(BUILD_CMD)
-+	+@target=$(ECTEST); $(BUILD_CMD)
- 
- $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
--	@target=$(EXPTEST); $(BUILD_CMD)
-+	+@target=$(EXPTEST); $(BUILD_CMD)
- 
- $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
--	@target=$(IDEATEST); $(BUILD_CMD)
-+	+@target=$(IDEATEST); $(BUILD_CMD)
- 
- $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
--	@target=$(MD2TEST); $(BUILD_CMD)
-+	+@target=$(MD2TEST); $(BUILD_CMD)
- 
- $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
--	@target=$(SHATEST); $(BUILD_CMD)
-+	+@target=$(SHATEST); $(BUILD_CMD)
- 
- $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
--	@target=$(SHA1TEST); $(BUILD_CMD)
-+	+@target=$(SHA1TEST); $(BUILD_CMD)
- 
- $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
--	@target=$(SHA256TEST); $(BUILD_CMD)
-+	+@target=$(SHA256TEST); $(BUILD_CMD)
- 
- $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
--	@target=$(SHA512TEST); $(BUILD_CMD)
-+	+@target=$(SHA512TEST); $(BUILD_CMD)
- 
- $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
--	@target=$(RMDTEST); $(BUILD_CMD)
-+	+@target=$(RMDTEST); $(BUILD_CMD)
- 
- $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
--	@target=$(MDC2TEST); $(BUILD_CMD)
-+	+@target=$(MDC2TEST); $(BUILD_CMD)
- 
- $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
--	@target=$(MD4TEST); $(BUILD_CMD)
-+	+@target=$(MD4TEST); $(BUILD_CMD)
- 
- $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
--	@target=$(MD5TEST); $(BUILD_CMD)
-+	+@target=$(MD5TEST); $(BUILD_CMD)
- 
- $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
--	@target=$(HMACTEST); $(BUILD_CMD)
-+	+@target=$(HMACTEST); $(BUILD_CMD)
- 
- $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
--	@target=$(WPTEST); $(BUILD_CMD)
-+	+@target=$(WPTEST); $(BUILD_CMD)
- 
- $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
--	@target=$(RC2TEST); $(BUILD_CMD)
-+	+@target=$(RC2TEST); $(BUILD_CMD)
- 
- $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
--	@target=$(BFTEST); $(BUILD_CMD)
-+	+@target=$(BFTEST); $(BUILD_CMD)
- 
- $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
--	@target=$(CASTTEST); $(BUILD_CMD)
-+	+@target=$(CASTTEST); $(BUILD_CMD)
- 
- $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
--	@target=$(RC4TEST); $(BUILD_CMD)
-+	+@target=$(RC4TEST); $(BUILD_CMD)
- 
- $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
--	@target=$(RC5TEST); $(BUILD_CMD)
-+	+@target=$(RC5TEST); $(BUILD_CMD)
- 
- $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
--	@target=$(DESTEST); $(BUILD_CMD)
-+	+@target=$(DESTEST); $(BUILD_CMD)
- 
- $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
--	@target=$(RANDTEST); $(BUILD_CMD)
-+	+@target=$(RANDTEST); $(BUILD_CMD)
- 
- $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
--	@target=$(DHTEST); $(BUILD_CMD)
-+	+@target=$(DHTEST); $(BUILD_CMD)
- 
- $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
--	@target=$(DSATEST); $(BUILD_CMD)
-+	+@target=$(DSATEST); $(BUILD_CMD)
- 
- $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
--	@target=$(METHTEST); $(BUILD_CMD)
-+	+@target=$(METHTEST); $(BUILD_CMD)
- 
- $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
--	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
-+	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
- 
- $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
--	@target=$(ENGINETEST); $(BUILD_CMD)
-+	+@target=$(ENGINETEST); $(BUILD_CMD)
- 
- $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
--	@target=$(EVPTEST); $(BUILD_CMD)
-+	+@target=$(EVPTEST); $(BUILD_CMD)
- 
- $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
--	@target=$(EVPEXTRATEST); $(BUILD_CMD)
-+	+@target=$(EVPEXTRATEST); $(BUILD_CMD)
- 
- $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
--	@target=$(ECDSATEST); $(BUILD_CMD)
-+	+@target=$(ECDSATEST); $(BUILD_CMD)
- 
- $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
--	@target=$(ECDHTEST); $(BUILD_CMD)
-+	+@target=$(ECDHTEST); $(BUILD_CMD)
- 
- $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
--	@target=$(IGETEST); $(BUILD_CMD)
-+	+@target=$(IGETEST); $(BUILD_CMD)
- 
- $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
--	@target=$(JPAKETEST); $(BUILD_CMD)
-+	+@target=$(JPAKETEST); $(BUILD_CMD)
- 
- $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
--	@target=$(ASN1TEST); $(BUILD_CMD)
-+	+@target=$(ASN1TEST); $(BUILD_CMD)
- 
- $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
--	@target=$(SRPTEST); $(BUILD_CMD)
-+	+@target=$(SRPTEST); $(BUILD_CMD)
- 
- $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
--	@target=$(V3NAMETEST); $(BUILD_CMD)
-+	+@target=$(V3NAMETEST); $(BUILD_CMD)
- 
- $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
--	@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
-+	+@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
- 
- $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
--	@target=$(CONSTTIMETEST) $(BUILD_CMD)
-+	+@target=$(CONSTTIMETEST) $(BUILD_CMD)
- 
- $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
--	@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
-+	+@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
- 
- $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
--	@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
-+	+@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
- 
- $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
--	@target=$(SSLV2CONFTEST) $(BUILD_CMD)
-+	+@target=$(SSLV2CONFTEST) $(BUILD_CMD)
- 
- #$(AESTEST).o: $(AESTEST).c
- #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -557,7 +557,7 @@
- #	fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--	@target=dummytest; $(BUILD_CMD)
-+	+@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 

diff --git a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch
deleted file mode 100644
index ca934c2..00000000
--- a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch
+++ /dev/null
@@ -1,279 +0,0 @@
-From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 5 May 2016 11:10:26 +0100
-Subject: [PATCH] Avoid some undefined pointer arithmetic
-
-A common idiom in the codebase is:
-
-if (p + len > limit)
-{
-    return; /* Too long */
-}
-
-Where "p" points to some malloc'd data of SIZE bytes and
-limit == p + SIZE
-
-"len" here could be from some externally supplied data (e.g. from a TLS
-message).
-
-The rules of C pointer arithmetic are such that "p + len" is only well
-defined where len <= SIZE. Therefore the above idiom is actually
-undefined behaviour.
-
-For example this could cause problems if some malloc implementation
-provides an address for "p" such that "p + len" actually overflows for
-values of len that are too big and therefore p + len < limit!
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2177
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- ssl/s3_srvr.c  | 14 +++++++-------
- ssl/ssl_sess.c |  2 +-
- ssl/t1_lib.c   | 56 ++++++++++++++++++++++++++++++--------------------------
- 3 files changed, 38 insertions(+), 34 deletions(-)
-
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index ab28702..ab7f690 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
--        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
--    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (SSL_IS_DTLS(s)) {
-         /* cookie stuff */
--        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
--        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
-         }
-     }
- 
--    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
--    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
--    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index b182998..54ee783 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
--    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fb64607..cdac011 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
--    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
--    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
-@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
--    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
-@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
--        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
-@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
--        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
-@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
--    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
--    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
--    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
-@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
-     if (s->hit || s->cert->srv_ext.meths_count == 0)
-         return 1;
- 
--    if (data >= limit - 2)
-+    if (limit - data <= 2)
-         return 1;
-     n2s(data, len);
- 
--    if (data > limit - len)
-+    if (limit - data < len)
-         return 1;
- 
--    while (data <= limit - 4) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > limit)
-+        if (limit - data < size)
-             return 1;
-         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
-             return 0;
-@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
--    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
--    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
--    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
-@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (SSL_IS_DTLS(s)) {
-         i = *(p++);
--        p += i;
--        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
--    p += i;
--    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
--    p += i;
--    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
--    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
--    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
--        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
--- 
-1.9.1
-
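Review bot: "Removed vulnerable versions" does not name the bugs or CVEs involved, and this hunk removes the backported fix for CVE-2016-2177 (the `p + len > limit` checks rewritten as `limit - p < len`). The only visible user is `epatch "${FILESDIR}"/${P}-CVE-2016-2177.patch` in openssl-1.0.2h-r2.ebuild, which goes away in the same commit. Please state in the message that the remaining 1.0.2 version carries this fix in its tarball, and cite the bug numbers from the ebuild comment (585142 and 585276), so the deletion is auditable.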

diff --git a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2178.patch b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2178.patch
deleted file mode 100644
index a64141f..00000000
--- a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2178.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fdsa%2Fdsa_ossl.c;h=beb62b2ff058d3e2bde0397fbddd355e11cd457b;hp=ce1da1cd6fa121f1ae0961ac2d2e9f81de4d8c9b;hb=399944622df7bd81af62e67ea967c470534090e2;hpb=0a4c87a90c6cf6628c688868cd5f13e4b9a5f19d
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index ce1da1c..beb62b2 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -248,9 +248,6 @@
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
-     while (BN_is_zero(&k)) ;
--    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
--        BN_set_flags(&k, BN_FLG_CONSTTIME);
--    }
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -238,6 +234,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
-     } else {
-         K = k;
-     }
-+
-+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+        BN_set_flags(K, BN_FLG_CONSTTIME);
-+    }
-+
-     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                    dsa->method_mont_p);
-     if (!BN_mod(r, r, dsa->q, ctx))
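Review bot: The embedded diff's hunk headers are out of order: `@@ -248,9 +248,6 @@` comes before `@@ -238,6 +234,11 @@ static int dsa_sign_setup(...)`, so the line numbers are inconsistent and the patch relies on patch(1) locating the hunks by context. That is moot once the file is deleted, but if this fix (setting `BN_FLG_CONSTTIME` on `K` rather than `k`) is carried anywhere else, regenerate it from the upstream commit named in the X-Git-Url line instead of copying this file.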

diff --git a/dev-libs/openssl/openssl-1.0.2h-r2.ebuild b/dev-libs/openssl/openssl-1.0.2h-r2.ebuild
deleted file mode 100644
index 333ae66..00000000
--- a/dev-libs/openssl/openssl-1.0.2h-r2.ebuild
+++ /dev/null
@@ -1,254 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	# bugs 585142 and 585276
-	epatch "${FILESDIR}"/${P}-CVE-2016-2177.patch
-	epatch "${FILESDIR}"/${P}-CVE-2016-2178.patch
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
-		epatch "${FILESDIR}"/${PN}-1.0.2g-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl sslv2 ssl2) \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}
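
Review bot: Before this ebuild is dropped, confirm that every version remaining in the tree already contains the CVE-2016-2177 and CVE-2016-2178 fixes. The two epatch calls in src_prepare (bugs 585142 and 585276) sit outside the "use vanilla" guard, so this revision is what delivers them to all users of this version. The two ${P}-CVE-2016-*.patch files should also leave files/ in the same commit so they do not linger unreferenced.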

diff --git a/dev-libs/openssl/openssl-1.0.2i.ebuild b/dev-libs/openssl/openssl-1.0.2i.ebuild
deleted file mode 100644
index ce2aa66..00000000
--- a/dev-libs/openssl/openssl-1.0.2i.ebuild
+++ /dev/null
@@ -1,249 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0"
-KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ia64 ~m68k ~mips ~ppc ppc64 ~s390 ~sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
-		epatch "${FILESDIR}"/${PN}-1.0.2i-parallel-build.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-obj-headers.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-install-dirs.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-parallel-symlinking.patch #545028
-		epatch "${FILESDIR}"/${PN}-1.0.2-ipv6.patch
-		epatch "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-		epatch "${FILESDIR}"/${PN}-1.0.1p-default-source.patch #554338
-
-		epatch_user #332661
-	fi
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl sslv2 ssl2) \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-	# rehash is needed to prep the certs/ dir; do this
-	# separately to avoid parallel build issues.
-	emake rehash
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake INSTALL_PREFIX="${D}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
-	dohtml -r doc/*
-	use rfc3779 && dodoc engines/ccgost/README.gost
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}
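
Review bot: KEYWORDS in this ebuild carries stable entries (amd64, hppa, ppc64, x86), so removing openssl-1.0.2i.ebuild needs a remaining version that is already stable on each of those arches. Please name the version that takes over in the commit message, so the removal can be checked against the stable keywords rather than taken on trust.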



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2016-11-10 15:40 Lars Wendler
  0 siblings, 0 replies; 52+ messages in thread
From: Lars Wendler @ 2016-11-10 15:40 UTC (permalink / raw
  To: gentoo-commits

commit:     36cc74ed2bb0a39bf145fee0fdec4efc9094fe31
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Nov 10 15:40:07 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Nov 10 15:40:55 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36cc74ed

dev-libs/openssl: Security bump to version 1.1.0c (bug #599358).

Package-Manager: portage-2.3.2

 dev-libs/openssl/Manifest                                     |  2 +-
 dev-libs/openssl/files/openssl-1.1.0-ldflags.patch            | 11 -----------
 .../openssl/{openssl-1.1.0b.ebuild => openssl-1.1.0c.ebuild}  |  1 -
 3 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3e6411e..a42a05f 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,3 +1,3 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.2j.tar.gz 5307912 SHA256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 SHA512 7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd WHIRLPOOL 1f17e80bc10da2eab9d4c1c3a662b0e2b4f7e8bc448aabb44cd98a96ba3d6cd0ef6cf9a3371d44b39a4d11b1a4087c8f0d056272ace6eba5bd2417f7ab9503b7
-DIST openssl-1.1.0b.tar.gz 5162355 SHA256 a45de072bf9be4dea437230aaf036000f0e68c6a665931c57e76b5b036cef6f7 SHA512 b6d66261427f1acc049bf5469a0dc668490e752c2ba4802481809e7e35367213eca17ac9fdc3f23ed5f7a53d303abca78b13a48b169f154043199f2680ccf1a4 WHIRLPOOL bc926b2839f2e85751480ac0a6306bd37ca1ac12759b78654fba6861517bb9979245b95676a60900eab9257334ecf2e1b7d9e406c39a6075054a93ffc1f7a76a
+DIST openssl-1.1.0c.tar.gz 5179668 SHA256 fc436441a2e05752d31b4e46115eb89709a28aef96d4fe786abe92409b2fd6f5 SHA512 e3cfba6c682e5edd6f678df7c1da9c9713880f7dca248e6d62f095185c22ce8fd7571d53a54a119fb5d4422578637746ad2809bb2ba324a5c54564f532307ad9 WHIRLPOOL d6ee4610a6ce5c8d2593bcd9f8a2fc55910006d3f466d0d27409f92b4f60880f96979ccbbdf9da5cf110c59a86e1a906bf20a8eb93338efa9e197bd4755ce4d8

diff --git a/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch
deleted file mode 100644
index 95a95f2..00000000
--- a/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openssl-1.1.0-pre4/Makefile.shared
-+++ openssl-1.1.0-pre4/Makefile.shared
-@@ -175,7 +175,7 @@
- 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
- 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- 	$(DO_GNU_SO_COMMON)
--DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)"
- 
- #This is rather special.  It's a special target with which one can link
- #applications without bothering with any features that have anything to
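
Review bot: Dropping this patch leaves DO_GNU_APP in Makefile.shared as upstream ships it, and the commit message does not say why that is now safe. The patch existed to strip -Wl,-rpath,$(LIBRPATH) from the application link flags (the ebuild tags it with bug #327421). Please state in the message whether 1.1.0c no longer sets that rpath or the patch simply stopped applying, and check the applications built for 1.1.0c for an RPATH/RUNPATH entry before this goes in as a security bump.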

diff --git a/dev-libs/openssl/openssl-1.1.0b.ebuild b/dev-libs/openssl/openssl-1.1.0c.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.0b.ebuild
rename to dev-libs/openssl/openssl-1.1.0c.ebuild
index 0aea4eb..069cf97 100644
--- a/dev-libs/openssl/openssl-1.1.0b.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0c.ebuild
@@ -35,7 +35,6 @@ MULTILIB_WRAPPED_HEADERS=(
 )
 
 PATCHES=(
-	"${FILESDIR}"/${PN}-1.1.0-ldflags.patch #327421
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
 )
 



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2017-12-07 18:13 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2017-12-07 18:13 UTC (permalink / raw
  To: gentoo-commits

commit:     f179eb65b08d179526088fb29abefde8b109ab28
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Thu Dec  7 18:09:10 2017 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Thu Dec  7 18:13:44 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f179eb65

dev-libs/openssl: Bump to v1.0.2n

- EAPI bumped to EAPI=6

- Respin some patches for v1.0.2n

- Patches moved to patch tarball to avoid cluttering up the tree

Bug: https://bugs.gentoo.org/640172
Package-Manager: Portage-2.3.16, Repoman-2.3.6

 dev-libs/openssl/Manifest                  |   2 +
 dev-libs/openssl/files/gentoo.config-1.0.2 |   2 +-
 dev-libs/openssl/openssl-1.0.2n.ebuild     | 251 +++++++++++++++++++++++++++++
 3 files changed, 254 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 720173c3554..e9a8efaa979 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,10 +1,12 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
+DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d SHA512 15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9
 DIST openssl-1.0.2k.tar.gz 5309236 BLAKE2B 97069b9c7aaab2381ae5be989caff6907cd44ab1831d84685c3421ad985889a2bbc3a462decdff9c4c158ace96975de2b9e49e4f1b9f306990c3dc0f03767dad SHA512 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016
 DIST openssl-1.0.2l.tar.gz 5365054 BLAKE2B 0a459a93a0013269dea79bd6df96a434b9dad95b6d98b24a48bc1b1438415c0a8de01b67166ac13a73ae65fb64131568924c3e6f945d862b7e960f05332cf097 SHA512 047d964508ad6025c79caabd8965efd2416dc026a56183d0ef4de7a0a6769ce8e0b4608a3f8393d326f6d03b26a2b067e6e0c750f35b20be190e595e8290c0e3
 DIST openssl-1.0.2l_ec_curve.c 17254 SHA256 43ad99527a9f494c97c1efd4a87b49508455437da5de1b9ecd89b0d36fb764c8 SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15 WHIRLPOOL 5a43777a2886a2e7bd41eeb3a96c90c62b0eaa771249a50eb5996993f43384dca5f24993ed6a6deede2c4f119f896fb11dbc26b72650c909c856bd8c313501f0
 DIST openssl-1.0.2l_ectest.c 30735 SHA256 14f12b1db5121f3f58466f52ad10555c038c281e90e53c0a2f7940a754bb4d80 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19 WHIRLPOOL 0d708b382d97e1f20a03e695f0a990fb9fd6cd8ab8ced29e072d52ca3f09f87d18c287d6134fd5ac2243ca541982f4d9eaa2fa8964d62b6b8f1a4b879e8fd997
 DIST openssl-1.0.2l_hobble-openssl 1302 SHA256 7ec32aab6a1db2124de52c3918cc7f7e487972581e30235447eed15d59415384 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e WHIRLPOOL b9630ce76492bff481d0bd48b72449d1e1d4fbb98c2387c4824d84833796adaba716e10976b3130eed9fd9442511a71604d9944600ba6be5253087f865cefe8c
 DIST openssl-1.0.2m.tar.gz 5373776 BLAKE2B f40cbea061f84087a079d541f7ba841894c86c00827865f0f508ee297df45e8825d7d74bbbe16bf1f81d46f9af503a6191c9e65df674c4a5ae28172b5b03986f SHA512 7619aa223ee50d0f5e270ac9090e95b2b1ba5dfc656c98f625a9a277dda472fb960a4e89a7ba300044cb401b2072b2ca6a6fcce8206d927bf373d1c981806a93
+DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894 SHA512 144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687
 DIST openssl-1.1.0-build.patch 3028 SHA256 c626ac8b34df5d55a7272a741f87f06dc06cc20ac80085048788a2c76c08c25f SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0 WHIRLPOOL 950febb159139b145eb7de5bda1115465fa8551234182e6d15459ab5519213f515b4c3e3a3136d05c440d3eec04a7247461d36c2d45136a6f1963613d5896b3e
 DIST openssl-1.1.0-ec-curves.patch 2967 SHA256 da60dfa01ed244cd3f77f60cc2ef479a36e64a58fa5e242aa03647c698cc1a42 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2 WHIRLPOOL e7293ef84f6c36e8e5f5ec8158023fdca484bc9082e73956bd0cc74a17c880350a49799146c855a37f116d743e7c93e54cbe4aa7f70483e235d03687a15a46a5
 DIST openssl-1.1.0f.tar.gz 5278176 SHA256 12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765 SHA512 340ab3f38c90dea346e543b58bc0eff0adede15be212ad20b7cf38718a7f94fab51996da414855c180540f7488b8bd31d8b9a0d04bb19159f735c46d8f6df22c WHIRLPOOL bb4ce1d100c5eb567de0139e4a1c0a2bb1cd308bd014704d6bb796d3fcfc16b91fe69839068944831746e0b937a6ccb234b5cea3b4911fab4283500ed380f0b6
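
Review bot: The new openssl-1.0.2-patches-1.0.tar.xz entry turns the Gentoo patch set into an 11572-byte distfile, so what is applied on top of 1.0.2n is no longer visible in a tree diff. Please list the patches contained in the tarball, and which of them were respun, in the commit message or on the bug, so they can be compared with the files/ patches that the older ebuilds applied one by one with their bug numbers.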

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
old mode 100755
new mode 100644
index 95644527068..37b83cc2e7b
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
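
Review bot: The file header drops the executable bit (old mode 100755, new mode 100644) although the only content change in this hunk is the copyright year, and the commit message does not mention it. The 1.0.2n ebuild copies the file and runs "chmod a+rx gentoo.config || die", so the build does not depend on the bit, but please confirm the mode change is intended and say so in the message.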

diff --git a/dev-libs/openssl/openssl-1.0.2n.ebuild b/dev-libs/openssl/openssl-1.0.2n.ebuild
new file mode 100644
index 00000000000..f774a362f3a
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2n.ebuild
@@ -0,0 +1,251 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+PATCH_SET="openssl-1.0.2-patches-1.0"
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+	mirror://gentoo/${PATCH_SET}.tar.xz
+	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		eapply "${WORKDIR}"/patch/*.patch
+	fi
+
+	eapply_user
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		Makefile.org \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+	# since we're forcing $(CC) as makedep anyway, just fix
+	# the conditional as always-on
+	# helps clang (#417795), and versioned gcc (#499818)
+	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	# https://github.com/openssl/openssl/issues/2286
+	if use ia64 ; then
+		replace-flags -g3 -g2
+		replace-flags -ggdb3 -ggdb2
+	fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		enable-tlsext \
+		$(use_ssl asm) \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl sslv2 ssl2) \
+		$(use_ssl sslv3 ssl3) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+	# rehash is needed to prep the certs/ dir; do this
+	# separately to avoid parallel build issues.
+	emake rehash
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
+	einstalldocs
+
+	use rfc3779 && dodoc engines/ccgost/README.gost
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
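
Review bot: the closing check in multilib_src_install_all, `[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("`, runs after the loop, so it only inspects whatever directory `${d}` held on the last iteration; broken links left in any other man section go unnoticed. Running `find -L . -type l` from the man root would cover all sections. In the same function, `cd "${ED}"/usr/share/man` and `rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}` have no `|| die`, so a failed `cd` lets the following mv/rm/ln calls run in the wrong directory.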



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2017-12-29  1:57 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2017-12-29  1:57 UTC (permalink / raw
  To: gentoo-commits

commit:     e2a23951221fb5f24e6dfa7d01d17ce4fe64d750
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Dec 29 01:56:56 2017 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Dec 29 01:57:10 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2a23951

dev-libs/openssl: Rev bump to allow building with Perl 5.26

Ebuild changes:
===============
- EAPI bumped to EAPI=6

- Added to for '.' in @INC (thanks to Joakim Gebart Nohlgård)

Closes: https://bugs.gentoo.org/639876
Package-Manager: Portage-2.3.19, Repoman-2.3.6

 .../files/openssl-0.9.8z_p8-perl-5.26.patch        |  13 ++
 dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild       | 167 +++++++++++++++++++++
 2 files changed, 180 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch b/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch
new file mode 100644
index 00000000000..c932b820425
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch
@@ -0,0 +1,13 @@
+https://bugs.gentoo.org/639876
+
+--- a/crypto/des/asm/des-586.pl
++++ b/crypto/des/asm/des-586.pl
+@@ -4,7 +4,7 @@
+ # Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
+ #
+ 
+-push(@INC,"perlasm","../../perlasm");
++push(@INC,".","perlasm","../../perlasm");
+ require "x86asm.pl";
+ require "cbc.pl";
+ require "desboth.pl";
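
Review bot: adding "." to @INC in des-586.pl restores loading from the current working directory, which is the behaviour Perl 5.26 removed from its defaults, and the patch header carries only the bug URL without saying which of the three require'd files needs it. A one-line description would help, and a narrower fix is to load that one file by explicit path (a require with a `./` prefix is not searched through @INC) instead of widening the search path for all three. Since push appends, "." is at least searched after the existing entries.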

diff --git a/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild b/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild
new file mode 100644
index 00000000000..5fcc6d8ea4e
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild
@@ -0,0 +1,167 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+#PLEVEL=$(printf "\\$(printf '%03o' $((${PV##*_p} + 96)))")
+PLEVEL='h' # _p8 -> tr '[1-9]' '[a-i]' -> 'h'
+MY_PV=${PV/_p*/${PLEVEL}}
+MY_P=${PN}-${MY_PV}
+S="${WORKDIR}/${MY_P}"
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0.9.8"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r4
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)
+	!=dev-libs/openssl-0.9.8*:0"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+
+# Do not install any docs
+DOCS=()
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+	"${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
+	"${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
+	"${FILESDIR}"/${PN}-0.9.8z_p8-perl-5.26.patch
+)
+
+src_prepare() {
+	default
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
+		Makefile{,.org} \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared || die
+	# update the enginedir path.
+	# punt broken config we don't care about as it fails sanity check.
+	sed -i \
+		-e '/^"debug-ben-debug-64"/d' \
+		-e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
+		Configure || die
+
+	# since we're forcing $(CC) as makedep anyway, just fix
+	# the conditional as always-on
+	# helps clang (#417795), and versioned gcc (#499818)
+	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
+	chmod a+rx gentoo.config || die
+
+	append-flags -fno-strict-aliasing
+	append-flags -Wa,--noexecstack
+
+	sed -i '1s,^:$,#!/usr/bin/perl,' Configure || die #141906
+	sed -i '/^"debug-bodo/d' Configure || die # 0.9.8za shipped broken
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+
+	tc-export CC AR RANLIB
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		enable-idea \
+		enable-mdc2 \
+		$(use_ssl !bindist rc5) \
+		enable-tlsext \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl zlib) \
+		--prefix=/usr \
+		--openssldir=/etc/ssl \
+		shared threads \
+		|| die "Configure failed"
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^LIBDIR=/s|=.*|=$(get_libdir)|" \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts
+	emake -j1 depend
+	emake -j1 build_libs
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	dolib.so lib{crypto,ssl}.so.0.9.8
+}
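
Review bot: in multilib_src_configure the patent table and the gating look stale for an ebuild with a 2017 copyright header: the comment still lists RC5 as `5,724,428 03/03/2015` and EC as `????????? ??/??/2015`, and `$(use_ssl !bindist rc5)` keeps RC5 tied to bindist. Either update the comment to say why the restriction remains or drop the rc5 condition. In src_prepare, `append-flags -Wa,--noexecstack` is passed unconditionally; wrapping it in `$(test-flags-CC ...)` would keep the hardening flag from breaking a compiler that rejects it, which matters given the clang handling a few lines above.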



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2018-04-17 20:50 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2018-04-17 20:50 UTC (permalink / raw
  To: gentoo-commits

commit:     30945a68d3d4c98433363ed73475b8233ac02118
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 17 20:50:09 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Apr 17 20:50:30 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30945a68

dev-libs/openssl: Rev bump to add patch for CVE-2018-0737

Bug: https://bugs.gentoo.org/653434
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 dev-libs/openssl/Manifest                          |   1 +
 .../files/openssl-1.1.0h-CVE-2018-0737.patch       |  31 +++
 dev-libs/openssl/openssl-1.0.2o-r1.ebuild          | 251 ++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0h-r1.ebuild          | 284 +++++++++++++++++++++
 4 files changed, 567 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 1b87ae73a6b..51a22aaeb52 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,6 +1,7 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d SHA512 15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9
 DIST openssl-1.0.2-patches-1.2.tar.xz 12208 BLAKE2B 99b7a3538aeeecf8e1939fb08d26e2ce6aa4140488f0f6fc382a4f0dbdd67a0204c4689809e9d170148ad6686d4dbf0c8fc95802712270b0ea5720bc06c8fbbf SHA512 5e5739ab7132e986abe9704739dab2ccd16df9696318ed29762d4ee0245fd2645f9435f7340ba36edd5531a83e48489fc659ad78c09ded0e0d021dd5a3906ea6
+DIST openssl-1.0.2-patches-1.3.tar.xz 12592 BLAKE2B bce0c289ae689091fe62e9c0d7d631cd915fd17beb81b0879931e0414f25c8a08425a08514e28ea7e81c1be23cf162f3bcad7cc3933f2378f53decabd3a7903d SHA512 3ad3efa45eddb733e3db9c406f9f651dbf939bbb13debbcab12b49ecf72490a4868b1563de60ee106483c1b23bd2092fc58c8fc911fe62a019cb97d738163723
 DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894 SHA512 144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687
 DIST openssl-1.0.2o.tar.gz 5329472 BLAKE2B 30226db49be04317da3a76cce68d5aa401decd198f92505bddb0c72a7ef6a79f3c9c06d4a816db734e2a0991ebcab8b207feced26d83639e50c821d9e76ddc45 SHA512 8a2c93657c85143e76785bb32ee836908c31a6f5f8db993fa9777acba6079e630cdddd03edbad65d1587199fc13a1507789eacf038b56eb99139c2091d9df7fd
 DIST openssl-1.1.0-build.patch 3028 BLAKE2B f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0

diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch
new file mode 100644
index 00000000000..34c9cc02fa7
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch
@@ -0,0 +1,31 @@
+From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
+From: Billy Brumley <bbrumley@gmail.com>
+Date: Wed, 11 Apr 2018 10:10:58 +0300
+Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
+ both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+---
+ crypto/rsa/rsa_gen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
+index 9ca5dfe..42b89a8 100644
+--- a/crypto/rsa/rsa_gen.c
++++ b/crypto/rsa/rsa_gen.c
+@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+     if (BN_copy(rsa->e, e_value) == NULL)
+         goto err;
+ 
++    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+     BN_set_flags(r2, BN_FLG_CONSTTIME);
+     /* generate p and q */
+     for (;;) {
+-- 
+2.7.4
+
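
Review bot: the patch file keeps the upstream header (CVE-2018-0737, the cherry-pick commit id, the reviewers) but has no reference to the Gentoo bug, which appears only in the commit message as https://bugs.gentoo.org/653434; a first line with that URL, as the perl-5.26 patch in files/ has, would make the file self-describing. On the change itself, the flag is set on rsa->p and rsa->q once, before the "generate p and q" loop and next to the existing `BN_set_flags(r2, BN_FLG_CONSTTIME);`, which matches the subject line's goal of having BN_mod_inverse and BN_mod_exp_mont called with the flag set.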

diff --git a/dev-libs/openssl/openssl-1.0.2o-r1.ebuild b/dev-libs/openssl/openssl-1.0.2o-r1.ebuild
new file mode 100644
index 00000000000..256e230d7cf
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2o-r1.ebuild
@@ -0,0 +1,251 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+PATCH_SET="openssl-1.0.2-patches-1.3"
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+	mirror://gentoo/${PATCH_SET}.tar.xz
+	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		eapply "${WORKDIR}"/patch/*.patch
+	fi
+
+	eapply_user
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		Makefile.org \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+	# since we're forcing $(CC) as makedep anyway, just fix
+	# the conditional as always-on
+	# helps clang (#417795), and versioned gcc (#499818)
+	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	# https://github.com/openssl/openssl/issues/2286
+	if use ia64 ; then
+		replace-flags -g3 -g2
+		replace-flags -ggdb3 -ggdb2
+	fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		enable-tlsext \
+		$(use_ssl asm) \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl sslv2 ssl2) \
+		$(use_ssl sslv3 ssl3) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+	# rehash is needed to prep the certs/ dir; do this
+	# separately to avoid parallel build issues.
+	emake rehash
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
+	einstalldocs
+
+	use rfc3779 && dodoc engines/ccgost/README.gost
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
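
Review bot: IUSE keeps `+sslv3` and `+tls-heartbeat` on by default and still offers `sslv2`, so a default build of this security rev bump is configured with `enable-ssl3` and `enable-heartbeats`; consider making both default-off. In src_prepare the patch set is applied only under `if ! use vanilla`, so a USE=vanilla build of -r1 skips whatever `openssl-1.0.2-patches-1.3` carries, which going by the commit subject is where the CVE-2018-0737 fix lives; a warning for vanilla users would make that visible. Minor: the `sed -i` calls on Makefile.shared and on the Configure shebang have no `|| die`, unlike the neighbouring ones.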

diff --git a/dev-libs/openssl/openssl-1.1.0h-r1.ebuild b/dev-libs/openssl/openssl-1.1.0h-r1.ebuild
new file mode 100644
index 00000000000..d0d225833b6
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0h-r1.ebuild
@@ -0,0 +1,284 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+# This does not copy the entire Fedora patchset, but JUST the parts that
+# are needed to make it safe to use EC with RESTRICT=bindist.
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
+SOURCE1=hobble-openssl
+SOURCE12=ec_curve.c
+SOURCE13=ectest.c
+PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
+PATCH37=openssl-1.1.0-ec-curves.patch
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
+FEDORA_GIT_BRANCH='f27'
+FEDORA_SRC_URI=()
+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
+FEDORA_PATCH=( $PATCH1 $PATCH37 )
+for i in "${FEDORA_SOURCE[@]}" ; do
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
+done
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
+done
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${P}-CVE-2018-0737.patch
+)
+
+src_prepare() {
+	if use bindist; then
+		# This just removes the prefix, and puts it into WORKDIR like the RPM.
+		for i in "${FEDORA_SOURCE[@]}" ; do
+			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
+		done
+		# .spec %prep
+		bash "${WORKDIR}"/"${SOURCE1}" || die
+		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
+		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
+		for i in "${FEDORA_PATCH[@]}" ; do
+			epatch "${DISTDIR}"/"${i}"
+		done
+		# Also see the configure parts below:
+		# enable-ec \
+		# $(use_ssl !bindist ec2m) \
+
+	fi
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		epatch "${PATCHES[@]}"
+	fi
+
+	eapply_user #332661
+
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	# Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# show the actual commands in the log
+	sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	# Prefixify Configure shebang (#141906)
+	sed \
+		-e "1s,/usr/bin/env,${EPREFIX}&," \
+		-i Configure || die
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# Fedora hobbled-EC needs 'no-ec2m'
+	# 'srp' was restricted until early 2017 as well.
+	# "disable-deprecated" option breaks too many consumers.
+	# Don't set it without thorough revdeps testing.
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		enable-ec \
+		$(use_ssl !bindist ec2m) \
+		enable-srp \
+		$(use elibc_musl && echo "no-async") \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		$(use_ssl asm) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	# Fix quoting for sed
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+		-e 's:\\:\\\\:g' \
+	)
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
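
Review bot: `"${FILESDIR}"/${P}-CVE-2018-0737.patch` is listed in PATCHES, but src_prepare applies PATCHES only inside `if ! use vanilla`, so a USE=vanilla build of this revision ships without the CVE fix. Apply the security patch unconditionally, or warn when vanilla is set. Two smaller points: with EAPI="6" the loop and the PATCHES call can use `eapply` instead of `epatch`, and `local krb5=...` in multilib_src_configure is unused, since neither IUSE nor the Configure call has a kerberos option here.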



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2018-06-11 13:58 Robin H. Johnson
  0 siblings, 0 replies; 52+ messages in thread
From: Robin H. Johnson @ 2018-06-11 13:58 UTC (permalink / raw
  To: gentoo-commits

commit:     93630094c0989383439d077f02be5c65d838fae0
Author:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 11 13:56:19 2018 +0000
Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Mon Jun 11 13:58:33 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93630094

dev-libs/openssl: Add Fedora Hobble-EC patch

With this patch present, USE=bindist should now provide enough EC
functionality to be used by most packages.

Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
Package-Manager: Portage-2.3.33, Repoman-2.3.9

 .../openssl/files/openssl-1.0.2o-hobble-ecc.patch  | 290 ++++++++++++++++++++
 dev-libs/openssl/openssl-1.0.2o-r5.ebuild          | 296 +++++++++++++++++++++
 2 files changed, 586 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
new file mode 100644
index 00000000000..e105fe45e45
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
@@ -0,0 +1,290 @@
+Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
+
+From https://src.fedoraproject.org/git/rpms/openssl.git
+
+Contains parts of the following patches, rediffed. The patches are on various
+different branches.
+f23 openssl-1.0.2c-ecc-suiteb.patch
+f23 openssl-1.0.2a-fips-ec.patch
+f28 openssl-1.1.0-ec-curves.patch
+
+Signed-off-By: Robin H. Johnson <robbat2@gentoo.org>
+
+diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c openssl-1.0.2m.mod/apps/speed.c
+--- openssl-1.0.2m.hobble/apps/speed.c	2017-11-02 07:32:57.000000000 -0700
++++ openssl-1.0.2m.mod/apps/speed.c	2018-06-10 19:00:09.264550382 -0700
+@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
+         } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+-        if (strcmp(*argv, "ecdsap160") == 0)
+-            ecdsa_doit[R_EC_P160] = 2;
+-        else if (strcmp(*argv, "ecdsap192") == 0)
+-            ecdsa_doit[R_EC_P192] = 2;
++	if (0) {}
+         else if (strcmp(*argv, "ecdsap224") == 0)
+             ecdsa_doit[R_EC_P224] = 2;
+         else if (strcmp(*argv, "ecdsap256") == 0)
+@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
+             ecdsa_doit[R_EC_P384] = 2;
+         else if (strcmp(*argv, "ecdsap521") == 0)
+             ecdsa_doit[R_EC_P521] = 2;
+-        else if (strcmp(*argv, "ecdsak163") == 0)
+-            ecdsa_doit[R_EC_K163] = 2;
+-        else if (strcmp(*argv, "ecdsak233") == 0)
+-            ecdsa_doit[R_EC_K233] = 2;
+-        else if (strcmp(*argv, "ecdsak283") == 0)
+-            ecdsa_doit[R_EC_K283] = 2;
+-        else if (strcmp(*argv, "ecdsak409") == 0)
+-            ecdsa_doit[R_EC_K409] = 2;
+-        else if (strcmp(*argv, "ecdsak571") == 0)
+-            ecdsa_doit[R_EC_K571] = 2;
+-        else if (strcmp(*argv, "ecdsab163") == 0)
+-            ecdsa_doit[R_EC_B163] = 2;
+-        else if (strcmp(*argv, "ecdsab233") == 0)
+-            ecdsa_doit[R_EC_B233] = 2;
+-        else if (strcmp(*argv, "ecdsab283") == 0)
+-            ecdsa_doit[R_EC_B283] = 2;
+-        else if (strcmp(*argv, "ecdsab409") == 0)
+-            ecdsa_doit[R_EC_B409] = 2;
+-        else if (strcmp(*argv, "ecdsab571") == 0)
+-            ecdsa_doit[R_EC_B571] = 2;
+         else if (strcmp(*argv, "ecdsa") == 0) {
+-            for (i = 0; i < EC_NUM; i++)
++            for (i = R_EC_P224; i < R_EC_P521; i++)
+                 ecdsa_doit[i] = 1;
+         } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-        if (strcmp(*argv, "ecdhp160") == 0)
+-            ecdh_doit[R_EC_P160] = 2;
+-        else if (strcmp(*argv, "ecdhp192") == 0)
+-            ecdh_doit[R_EC_P192] = 2;
++	if (0) {}
+         else if (strcmp(*argv, "ecdhp224") == 0)
+             ecdh_doit[R_EC_P224] = 2;
+         else if (strcmp(*argv, "ecdhp256") == 0)
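Review bot: in the `ecdsa` branch the replacement loop is `for (i = R_EC_P224; i < R_EC_P521; i++)`, which stops before `R_EC_P521`, while the `ecdh` branch and both default-selection loops later in this file use `<= R_EC_P521`. As written, selecting `ecdsa` skips P-521 although `ecdsap521` is still accepted on its own; change the bound to `<=`. The added `if (0) {}` lines are also tab-indented in a space-indented file, and a one-line comment saying they only exist to keep the `else if` chain intact would help the next person rediffing this.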
+@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
+             ecdh_doit[R_EC_P384] = 2;
+         else if (strcmp(*argv, "ecdhp521") == 0)
+             ecdh_doit[R_EC_P521] = 2;
+-        else if (strcmp(*argv, "ecdhk163") == 0)
+-            ecdh_doit[R_EC_K163] = 2;
+-        else if (strcmp(*argv, "ecdhk233") == 0)
+-            ecdh_doit[R_EC_K233] = 2;
+-        else if (strcmp(*argv, "ecdhk283") == 0)
+-            ecdh_doit[R_EC_K283] = 2;
+-        else if (strcmp(*argv, "ecdhk409") == 0)
+-            ecdh_doit[R_EC_K409] = 2;
+-        else if (strcmp(*argv, "ecdhk571") == 0)
+-            ecdh_doit[R_EC_K571] = 2;
+-        else if (strcmp(*argv, "ecdhb163") == 0)
+-            ecdh_doit[R_EC_B163] = 2;
+-        else if (strcmp(*argv, "ecdhb233") == 0)
+-            ecdh_doit[R_EC_B233] = 2;
+-        else if (strcmp(*argv, "ecdhb283") == 0)
+-            ecdh_doit[R_EC_B283] = 2;
+-        else if (strcmp(*argv, "ecdhb409") == 0)
+-            ecdh_doit[R_EC_B409] = 2;
+-        else if (strcmp(*argv, "ecdhb571") == 0)
+-            ecdh_doit[R_EC_B571] = 2;
+         else if (strcmp(*argv, "ecdh") == 0) {
+-            for (i = 0; i < EC_NUM; i++)
++	    for (i = R_EC_P224; i <= R_EC_P521; i++)
+                 ecdh_doit[i] = 1;
+         } else
+ # endif
+@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv)
+             BIO_printf(bio_err, "dsa512   dsa1024  dsa2048\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+-            BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
++            BIO_printf(bio_err, "ecdsap224 "
+                        "ecdsap256 ecdsap384 ecdsap521\n");
+-            BIO_printf(bio_err,
+-                       "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+-            BIO_printf(bio_err,
+-                       "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
+             BIO_printf(bio_err, "ecdsa\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-            BIO_printf(bio_err, "ecdhp160  ecdhp192  ecdhp224 "
++            BIO_printf(bio_err, "ecdhp224 "
+                        "ecdhp256  ecdhp384  ecdhp521\n");
+-            BIO_printf(bio_err,
+-                       "ecdhk163  ecdhk233  ecdhk283  ecdhk409  ecdhk571\n");
+-            BIO_printf(bio_err,
+-                       "ecdhb163  ecdhb233  ecdhb283  ecdhb409  ecdhb571\n");
+             BIO_printf(bio_err, "ecdh\n");
+ # endif
+ 
+@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv)
+         for (i = 0; i < DSA_NUM; i++)
+             dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+-        for (i = 0; i < EC_NUM; i++)
++        for (i = R_EC_P224; i <= R_EC_P521; i++)
+             ecdsa_doit[i] = 1;
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-        for (i = 0; i < EC_NUM; i++)
++        for (i = R_EC_P224; i <= R_EC_P521; i++)
+             ecdh_doit[i] = 1;
+ # endif
+     }
+diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c
+--- openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c	2017-11-02 07:32:57.000000000 -0700
++++ openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c	2018-06-10 18:45:36.909911848 -0700
+@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
+         return 0;
+     }
+ 
++    if (BN_num_bits(p) < 224) {
++        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
++        return 0;
++    }
++
+     if (ctx == NULL) {
+         ctx = new_ctx = BN_CTX_new();
+         if (ctx == NULL)
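Review bot: the new `BN_num_bits(p) < 224` check in ec_GFp_simple_group_set_curve uses a bare 224 with no comment, and that floor does not match the rest of the patch: ssl/t1_lib.c drops secp224k1 and secp224r1 from `eccurves_all`, and ecdhtest.c puts the P-224 test under `# if 0`, while this check and apps/speed.c still accept 224-bit fields. State which minimum is intended, give it a named constant, and add a comment that the limit exists for the hobbled (bindist) build so it is not mistaken for an upstream restriction.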
+diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/ssl/t1_lib.c openssl-1.0.2m.mod/ssl/t1_lib.c
+--- openssl-1.0.2m.hobble/ssl/t1_lib.c	2017-11-02 07:32:58.000000000 -0700
++++ openssl-1.0.2m.mod/ssl/t1_lib.c	2018-06-10 18:46:55.329811812 -0700
+@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto
+     0, 23,                      /* secp256r1 (23) */
+     /* Other >= 256-bit prime curves. */
+     0, 25,                      /* secp521r1 (25) */
+-    0, 28,                      /* brainpool512r1 (28) */
+-    0, 27,                      /* brainpoolP384r1 (27) */
+     0, 24,                      /* secp384r1 (24) */
+-    0, 26,                      /* brainpoolP256r1 (26) */
+     0, 22,                      /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+     /* >= 256-bit binary curves. */
+@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[
+     0, 23,                      /* secp256r1 (23) */
+     /* Other >= 256-bit prime curves. */
+     0, 25,                      /* secp521r1 (25) */
+-    0, 28,                      /* brainpool512r1 (28) */
+-    0, 27,                      /* brainpoolP384r1 (27) */
+     0, 24,                      /* secp384r1 (24) */
+-    0, 26,                      /* brainpoolP256r1 (26) */
+     0, 22,                      /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+     /* >= 256-bit binary curves. */
+@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[
+      * Remaining curves disabled by default but still permitted if set
+      * via an explicit callback or parameters.
+      */
+-    0, 20,                      /* secp224k1 (20) */
+-    0, 21,                      /* secp224r1 (21) */
+-    0, 18,                      /* secp192k1 (18) */
+-    0, 19,                      /* secp192r1 (19) */
+-    0, 15,                      /* secp160k1 (15) */
+-    0, 16,                      /* secp160r1 (16) */
+-    0, 17,                      /* secp160r2 (17) */
+ # ifndef OPENSSL_NO_EC2M
+     0, 8,                       /* sect239k1 (8) */
+     0, 6,                       /* sect233k1 (6) */
+@@ -351,29 +338,21 @@ static const unsigned char fips_curves_d
+     0, 9,                       /* sect283k1 (9) */
+     0, 10,                      /* sect283r1 (10) */
+ #  endif
+-    0, 22,                      /* secp256k1 (22) */
+     0, 23,                      /* secp256r1 (23) */
+ #  ifndef OPENSSL_NO_EC2M
+     0, 8,                       /* sect239k1 (8) */
+     0, 6,                       /* sect233k1 (6) */
+     0, 7,                       /* sect233r1 (7) */
+ #  endif
+-    0, 20,                      /* secp224k1 (20) */
+-    0, 21,                      /* secp224r1 (21) */
+ #  ifndef OPENSSL_NO_EC2M
+     0, 4,                       /* sect193r1 (4) */
+     0, 5,                       /* sect193r2 (5) */
+ #  endif
+-    0, 18,                      /* secp192k1 (18) */
+-    0, 19,                      /* secp192r1 (19) */
+ #  ifndef OPENSSL_NO_EC2M
+     0, 1,                       /* sect163k1 (1) */
+     0, 2,                       /* sect163r1 (2) */
+     0, 3,                       /* sect163r2 (3) */
+ #  endif
+-    0, 15,                      /* secp160k1 (15) */
+-    0, 16,                      /* secp160r1 (16) */
+-    0, 17,                      /* secp160r2 (17) */
+ };
+ # endif
+ 
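Review bot: secp256k1 (22) is removed from `fips_curves_default` in this hunk but left in `eccurves_auto` and `eccurves_all` by the earlier t1_lib.c hunks, so the lists now disagree on whether that curve is available. If the replacement ec_curve.c copied in by the ebuild does not provide secp256k1, the two non-FIPS lists still name a curve the library cannot instantiate; either drop `0, 22` there as well or record why it stays. The comment "Remaining curves disabled by default but still permitted ..." in `eccurves_all` now heads a block with no prime curves left and should be updated.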
+diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c
+--- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec	2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c	2015-04-22 19:00:19.721884512 +0200
+@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
+         goto err;
+ 
+     /* NIST PRIME CURVES TESTS */
++# if 0
+     if (!test_ecdh_curve
+         (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
+         goto err;
+     if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
+         goto err;
++# endif
+     if (!test_ecdh_curve
+         (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
+         goto err;
+@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
+     if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
+         goto err;
+ # endif
++# if 0
+     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
+         goto err;
+     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
+         goto err;
+     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
+         goto err;
+-
++# endif
+     ret = 0;
+ 
+  err:
+diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c
+--- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec	2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c	2015-04-22 19:00:19.722884536 +0200
+@@ -138,11 +138,14 @@ int restore_rand(void)
+ }
+ 
+ static int fbytes_counter = 0;
+-static const char *numbers[8] = {
++static const char *numbers[10] = {
++    "651056770906015076056810763456358567190100156695615665659",
+     "651056770906015076056810763456358567190100156695615665659",
+     "6140507067065001063065065565667405560006161556565665656654",
+     "8763001015071075675010661307616710783570106710677817767166"
+         "71676178726717",
++    "8763001015071075675010661307616710783570106710677817767166"
++        "71676178726717",
+     "7000000175690566466555057817571571075705015757757057795755"
+         "55657156756655",
+     "1275552191113212300012030439187146164646146646466749494799",
+@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num)
+     int ret;
+     BIGNUM *tmp = NULL;
+ 
+-    if (fbytes_counter >= 8)
++    if (fbytes_counter >= 10)
+         return 0;
+     tmp = BN_new();
+     if (!tmp)
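Review bot: the bound in fbytes() is now a second hard-coded `10` that has to be kept in step with `numbers[10]`; derive it from the array, e.g. `sizeof(numbers) / sizeof(numbers[0])`, so a later change to the table cannot index past its end. The two duplicated entries added to `numbers` also need a comment naming the test that consumes them, since x9_62_tests() is placed under `# if 0` further down in the same file.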
+@@ -532,8 +535,10 @@ int main(void)
+     RAND_seed(rnd_seed, sizeof(rnd_seed));
+ 
+     /* the tests */
++# if 0
+     if (!x9_62_tests(out))
+         goto err;
++# endif
+     if (!test_builtin(out))
+         goto err;
+ 

diff --git a/dev-libs/openssl/openssl-1.0.2o-r5.ebuild b/dev-libs/openssl/openssl-1.0.2o-r5.ebuild
new file mode 100644
index 00000000000..5f43db3451e
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2o-r5.ebuild
@@ -0,0 +1,296 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+PATCH_SET="openssl-1.0.2-patches-1.4"
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+	mirror://gentoo/${PATCH_SET}.tar.xz
+	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
+	https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+# This does not copy the entire Fedora patchset, but JUST the parts that
+# are needed to make it safe to use EC with RESTRICT=bindist.
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
+SOURCE1=hobble-openssl
+SOURCE12=ec_curve.c
+SOURCE13=ectest.c
+# These are ported instead
+#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
+#PATCH37=openssl-1.1.0-ec-curves.patch
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
+FEDORA_GIT_BRANCH='f25'
+FEDORA_SRC_URI=()
+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
+FEDORA_PATCH=( $PATCH1 $PATCH37 )
+for i in "${FEDORA_SOURCE[@]}" ; do
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
+done
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
+done
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+	if use bindist; then
+		# This just removes the prefix, and puts it into WORKDIR like the RPM.
+		for i in "${FEDORA_SOURCE[@]}" ; do
+			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
+		done
+		# .spec %prep
+		bash "${WORKDIR}"/"${SOURCE1}" || die
+		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
+		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
+		for i in "${FEDORA_PATCH[@]}" ; do
+			eapply "${DISTDIR}"/"${i}"
+		done
+		eapply "${FILESDIR}"/openssl-1.0.2o-hobble-ecc.patch
+		# Also see the configure parts below:
+		# enable-ec \
+		# $(use_ssl !bindist ec2m) \
+		# $(use_ssl !bindist srp) \
+	fi
+
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		eapply "${WORKDIR}"/patch/*.patch
+	fi
+
+	eapply_user
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		Makefile.org \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+	# since we're forcing $(CC) as makedep anyway, just fix
+	# the conditional as always-on
+	# helps clang (#417795), and versioned gcc (#499818)
+	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	# https://github.com/openssl/openssl/issues/2286
+	if use ia64 ; then
+		replace-flags -g3 -g2
+		replace-flags -ggdb3 -ggdb2
+	fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		enable-ec \
+		$(use_ssl !bindist ec2m) \
+		$(use_ssl !bindist srp) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		enable-tlsext \
+		$(use_ssl asm) \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl sslv2 ssl2) \
+		$(use_ssl sslv3 ssl3) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+	# rehash is needed to prep the certs/ dir; do this
+	# separately to avoid parallel build issues.
+	emake rehash
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake INSTALL_PREFIX="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
+	einstalldocs
+
+	use rfc3779 && dodoc engines/ccgost/README.gost
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
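Review bot: in src_prepare, `bash "${WORKDIR}"/"${SOURCE1}"` executes a script that SRC_URI fetches from `?h=${FEDORA_GIT_BRANCH}` (branch `f25`), which is a moving branch head rather than a fixed commit. The Manifest checksum keeps the executed content pinned, but it will stop matching, and USE=bindist will stop fetching, as soon as Fedora touches hobble-openssl, ec_curve.c or ectest.c on that branch; point the URI at a specific commit id or mirror the three files. Smaller points in the same block: FEDORA_GIT_BASE ends in `/` and is joined with `/${i}`, giving `plain//` in every URL; the global-scope `for i` loops leave `i` set; and FEDORA_PATCH is empty because PATCH1 and PATCH37 are commented out, so both loops over it are dead code.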



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2018-08-14 13:54 Lars Wendler
  0 siblings, 0 replies; 52+ messages in thread
From: Lars Wendler @ 2018-08-14 13:54 UTC (permalink / raw
  To: gentoo-commits

commit:     4ecf2957ca3d36dca9ba2a820bcef7b734780a07
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 14 13:53:31 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Aug 14 13:53:56 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ecf2957

dev-libs/openssl: Bump to version 1.1.0i. Removed old.

Package-Manager: Portage-2.3.46, Repoman-2.3.10

 dev-libs/openssl/Manifest                          |  8 ++---
 .../files/openssl-1.1.0h-CVE-2018-0732.patch       | 39 ----------------------
 .../files/openssl-1.1.0h-CVE-2018-0737.patch       | 31 -----------------
 ...nssl-1.1.0h-r2.ebuild => openssl-1.1.0i.ebuild} |  2 --
 4 files changed, 4 insertions(+), 76 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index c8f76950a4e..f405455302b 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -6,8 +6,8 @@ DIST openssl-1.0.2o_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d46735
 DIST openssl-1.0.2o_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
 DIST openssl-1.1.0-build.patch 3028 BLAKE2B f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0
 DIST openssl-1.1.0-ec-curves.patch 2967 BLAKE2B 1c639514445ea85cf731732aa7901b5a03ddb5f637b0483ab2ec6825433ad978723c5a07316db684bdaca4a12fc673b4e049a49c0cd4dbe5f25a5e2bd3b75cf5 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2
-DIST openssl-1.1.0h.tar.gz 5422717 BLAKE2B 11de1468855c0bb1836fb346c8efdfedd06139a774fc4dbae1b0e95fea7a33aa39b541e3d2d27f83f2b5f4dd3846cca2356020aa6ec81793085842ab78b3a127 SHA512 fb7750fcd98e6126eb5b92e7ed63d811a5cfa3391d98572003d925f6c7b477690df86a9aa1fa6bf6bf33d02c6c7aee6cff50a38faa8911409f310645898fda39
-DIST openssl-1.1.0h_ec_curve.c 18393 BLAKE2B 49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2beeeea15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879
-DIST openssl-1.1.0h_ectest.c 29907 BLAKE2B 73dc800c1de5449f14d7753f7f7b8e672cd36bd4570e6df07f246d1d823c7dbbeef492f25cdd0ebfd693f5956732bc84c9d91fc6a22c854fe4b245ecf3890bda SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae
-DIST openssl-1.1.0h_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
+DIST openssl-1.1.0i.tar.gz 5453234 BLAKE2B ae6bec9c116769d98a77165b96fb7d201fe2ede8ee98e3cb68eba496cc90a5fae38dbcbb68b824c9eeacb25605aa80c3ccca9b4f00725658da3ad646834b0f9d SHA512 4a9d454031f644a3072a980f4ea20df976f6c5c58178549dfa62fd4dcf1417509e3be517d2ccb265c87688836f2993531b142fc5971bac5c41d33060057627df
+DIST openssl-1.1.0i_ec_curve.c 18393 BLAKE2B 49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2beeeea15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879
+DIST openssl-1.1.0i_ectest.c 29908 BLAKE2B b398bafd5d5aea71daa9c3e2749dece9e515950e35547a6191d83987907aae73e090a4b552636af4d1ab2b39f7e3b1ea3fde2012c99f068f9c99d247996c1212 SHA512 e4445f8959b040caca6a7494da2026b840f84348df5d4eab47a68570d274333f62fa0c381955093edd86c857dad98595ffa2980c54afdcf2a8d32f32d0c70450
+DIST openssl-1.1.0i_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1-pre8.tar.gz 8334954 BLAKE2B 97cd018908925abd5a4eb660b3488b23efb582dd49dd87504e5522b2e9c5c6500417ef4893590a60ce35cfa316de51bfbf3e448e9cb2a5858ecd8ae72722922d SHA512 33b20f8589e0ba67500993635e1ba7f7f7ce2b6fa1eb8d4d7c44711ff047045dde57ad7e0605377c2b030fc954a3fb9b1f1d68feac2080991ef2b1b72a761041

diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch
deleted file mode 100644
index e7dfba43f2a..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001
-From: Guido Vranken <guidovranken@gmail.com>
-Date: Mon, 11 Jun 2018 19:38:54 +0200
-Subject: [PATCH] Reject excessively large primes in DH key generation.
-
-CVE-2018-0732
-
-Signed-off-by: Guido Vranken <guidovranken@gmail.com>
-
-(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/6457)
----
- crypto/dh/dh_key.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index fce9ff47f36..58003d70878 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
-     int ok = 0;
-     int generate_new_key = 0;
-     unsigned l;
--    BN_CTX *ctx;
-+    BN_CTX *ctx = NULL;
-     BN_MONT_CTX *mont = NULL;
-     BIGNUM *pub_key = NULL, *priv_key = NULL;
- 
-+    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
-     ctx = BN_CTX_new();
-     if (ctx == NULL)
-         goto err;

diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch
deleted file mode 100644
index 34c9cc02fa7..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
-From: Billy Brumley <bbrumley@gmail.com>
-Date: Wed, 11 Apr 2018 10:10:58 +0300
-Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
- both get called with BN_FLG_CONSTTIME flag set.
-
-CVE-2018-0737
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
----
- crypto/rsa/rsa_gen.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
-index 9ca5dfe..42b89a8 100644
---- a/crypto/rsa/rsa_gen.c
-+++ b/crypto/rsa/rsa_gen.c
-@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
-     if (BN_copy(rsa->e, e_value) == NULL)
-         goto err;
- 
-+    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
-+    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
-     BN_set_flags(r2, BN_FLG_CONSTTIME);
-     /* generate p and q */
-     for (;;) {
--- 
-2.7.4
-

diff --git a/dev-libs/openssl/openssl-1.1.0h-r2.ebuild b/dev-libs/openssl/openssl-1.1.0i.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.0h-r2.ebuild
rename to dev-libs/openssl/openssl-1.1.0i.ebuild
index 5881fe74d35..9cbb018e24c 100644
--- a/dev-libs/openssl/openssl-1.1.0h-r2.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0i.ebuild
@@ -56,8 +56,6 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-	"${FILESDIR}"/${P}-CVE-2018-0737.patch
-	"${FILESDIR}"/${P}-CVE-2018-0732.patch
 )
 
 src_prepare() {
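Review bot: the `${P}-CVE-2018-0737.patch` and `${P}-CVE-2018-0732.patch` entries are dropped from PATCHES, but the commit message only says "Bump to version 1.1.0i. Removed old."; it should state that both fixes are contained in the 1.1.0i tarball so the removal can be audited later without re-reading upstream history. Confirming that against the two upstream commits named in the "cherry picked from" lines of the deleted patch headers would be enough.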



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2018-08-31 20:45 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2018-08-31 20:45 UTC (permalink / raw
  To: gentoo-commits

commit:     a759287ff6a18f8e07dcc1b571d1369dbace720c
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 31 20:44:18 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Aug 31 20:45:08 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a759287f

dev-libs/openssl: fix USE=bindist

Update hobble ECC patch against openssl-1.0.2p [Link 1].

Link 1: https://github.com/openssl/openssl/commit/949ff36623eafc3523a9f91784992965018ffb05
Closes: https://bugs.gentoo.org/664254
Package-Manager: Portage-2.3.48, Repoman-2.3.10

 .../openssl/files/openssl-1.0.2p-hobble-ecc.patch  | 283 +++++++++++++++++++++
 dev-libs/openssl/openssl-1.0.2p.ebuild             |   2 +-
 2 files changed, 284 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
new file mode 100644
index 00000000000..3a458a78360
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
@@ -0,0 +1,283 @@
+Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
+
+From https://src.fedoraproject.org/git/rpms/openssl.git
+
+Contains parts of the following patches, rediffed. The patches are on various
+different branches.
+f23 openssl-1.0.2c-ecc-suiteb.patch
+f23 openssl-1.0.2a-fips-ec.patch
+f28 openssl-1.1.0-ec-curves.patch
+
+Signed-off-By: Robin H. Johnson <robbat2@gentoo.org>
+
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
+         } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+-        if (strcmp(*argv, "ecdsap160") == 0)
+-            ecdsa_doit[R_EC_P160] = 2;
+-        else if (strcmp(*argv, "ecdsap192") == 0)
+-            ecdsa_doit[R_EC_P192] = 2;
++	if (0) {}
+         else if (strcmp(*argv, "ecdsap224") == 0)
+             ecdsa_doit[R_EC_P224] = 2;
+         else if (strcmp(*argv, "ecdsap256") == 0)
+@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
+             ecdsa_doit[R_EC_P384] = 2;
+         else if (strcmp(*argv, "ecdsap521") == 0)
+             ecdsa_doit[R_EC_P521] = 2;
+-        else if (strcmp(*argv, "ecdsak163") == 0)
+-            ecdsa_doit[R_EC_K163] = 2;
+-        else if (strcmp(*argv, "ecdsak233") == 0)
+-            ecdsa_doit[R_EC_K233] = 2;
+-        else if (strcmp(*argv, "ecdsak283") == 0)
+-            ecdsa_doit[R_EC_K283] = 2;
+-        else if (strcmp(*argv, "ecdsak409") == 0)
+-            ecdsa_doit[R_EC_K409] = 2;
+-        else if (strcmp(*argv, "ecdsak571") == 0)
+-            ecdsa_doit[R_EC_K571] = 2;
+-        else if (strcmp(*argv, "ecdsab163") == 0)
+-            ecdsa_doit[R_EC_B163] = 2;
+-        else if (strcmp(*argv, "ecdsab233") == 0)
+-            ecdsa_doit[R_EC_B233] = 2;
+-        else if (strcmp(*argv, "ecdsab283") == 0)
+-            ecdsa_doit[R_EC_B283] = 2;
+-        else if (strcmp(*argv, "ecdsab409") == 0)
+-            ecdsa_doit[R_EC_B409] = 2;
+-        else if (strcmp(*argv, "ecdsab571") == 0)
+-            ecdsa_doit[R_EC_B571] = 2;
+         else if (strcmp(*argv, "ecdsa") == 0) {
+-            for (i = 0; i < EC_NUM; i++)
++            for (i = R_EC_P224; i < R_EC_P521; i++)
+                 ecdsa_doit[i] = 1;
+         } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-        if (strcmp(*argv, "ecdhp160") == 0)
+-            ecdh_doit[R_EC_P160] = 2;
+-        else if (strcmp(*argv, "ecdhp192") == 0)
+-            ecdh_doit[R_EC_P192] = 2;
++	if (0) {}
+         else if (strcmp(*argv, "ecdhp224") == 0)
+             ecdh_doit[R_EC_P224] = 2;
+         else if (strcmp(*argv, "ecdhp256") == 0)
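Review bot: The `ecdsa` catch-all loop in this hunk stops one index short: `for (i = R_EC_P224; i < R_EC_P521; i++)` never sets `ecdsa_doit[R_EC_P521]`, while the matching `ecdh` loop and both default loops further down in the same file use `i <= R_EC_P521`. As written, the `ecdsa` argument skips P-521 even though `ecdsap521` is still accepted by name; change the bound to `<=`. The `if (0) {}` placeholder is also tab-indented in a space-indented file, and a short comment saying it only anchors the `else if` chain would help the next rediff.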
+@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
+             ecdh_doit[R_EC_P384] = 2;
+         else if (strcmp(*argv, "ecdhp521") == 0)
+             ecdh_doit[R_EC_P521] = 2;
+-        else if (strcmp(*argv, "ecdhk163") == 0)
+-            ecdh_doit[R_EC_K163] = 2;
+-        else if (strcmp(*argv, "ecdhk233") == 0)
+-            ecdh_doit[R_EC_K233] = 2;
+-        else if (strcmp(*argv, "ecdhk283") == 0)
+-            ecdh_doit[R_EC_K283] = 2;
+-        else if (strcmp(*argv, "ecdhk409") == 0)
+-            ecdh_doit[R_EC_K409] = 2;
+-        else if (strcmp(*argv, "ecdhk571") == 0)
+-            ecdh_doit[R_EC_K571] = 2;
+-        else if (strcmp(*argv, "ecdhb163") == 0)
+-            ecdh_doit[R_EC_B163] = 2;
+-        else if (strcmp(*argv, "ecdhb233") == 0)
+-            ecdh_doit[R_EC_B233] = 2;
+-        else if (strcmp(*argv, "ecdhb283") == 0)
+-            ecdh_doit[R_EC_B283] = 2;
+-        else if (strcmp(*argv, "ecdhb409") == 0)
+-            ecdh_doit[R_EC_B409] = 2;
+-        else if (strcmp(*argv, "ecdhb571") == 0)
+-            ecdh_doit[R_EC_B571] = 2;
+         else if (strcmp(*argv, "ecdh") == 0) {
+-            for (i = 0; i < EC_NUM; i++)
++	    for (i = R_EC_P224; i <= R_EC_P521; i++)
+                 ecdh_doit[i] = 1;
+         } else
+ # endif
+@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv)
+             BIO_printf(bio_err, "dsa512   dsa1024  dsa2048\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+-            BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
++            BIO_printf(bio_err, "ecdsap224 "
+                        "ecdsap256 ecdsap384 ecdsap521\n");
+-            BIO_printf(bio_err,
+-                       "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+-            BIO_printf(bio_err,
+-                       "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
+             BIO_printf(bio_err, "ecdsa\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-            BIO_printf(bio_err, "ecdhp160  ecdhp192  ecdhp224 "
++            BIO_printf(bio_err, "ecdhp224 "
+                        "ecdhp256  ecdhp384  ecdhp521\n");
+-            BIO_printf(bio_err,
+-                       "ecdhk163  ecdhk233  ecdhk283  ecdhk409  ecdhk571\n");
+-            BIO_printf(bio_err,
+-                       "ecdhb163  ecdhb233  ecdhb283  ecdhb409  ecdhb571\n");
+             BIO_printf(bio_err, "ecdh\n");
+ # endif
+ 
+@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv)
+         for (i = 0; i < DSA_NUM; i++)
+             dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+-        for (i = 0; i < EC_NUM; i++)
++        for (i = R_EC_P224; i <= R_EC_P521; i++)
+             ecdsa_doit[i] = 1;
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-        for (i = 0; i < EC_NUM; i++)
++        for (i = R_EC_P224; i <= R_EC_P521; i++)
+             ecdh_doit[i] = 1;
+ # endif
+     }
+--- a/crypto/ec/ecp_smpl.c
++++ b/crypto/ec/ecp_smpl.c
+@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group,
+         return 0;
+     }
+ 
++    if (BN_num_bits(p) < 224) {
++        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
++        return 0;
++    }
++
+     if (ctx == NULL) {
+         ctx = new_ctx = BN_CTX_new();
+         if (ctx == NULL)
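Review bot: The new `BN_num_bits(p) < 224` guard in `ec_GFp_simple_group_set_curve()` carries no comment, so nothing at the site says it is the bindist restriction rather than an upstream limit, and 224 is a bare literal. Add a one-line comment naming the policy. The check also filters on field size only: any prime-field curve of 224 bits or more still passes, so if the intent is an allow-list of specific named curves, this hunk does not enforce it on its own.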
+--- a/crypto/ecdh/ecdhtest.c
++++ b/crypto/ecdh/ecdhtest.c
+@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
+         goto err;
+ 
+     /* NIST PRIME CURVES TESTS */
++# if 0
+     if (!test_ecdh_curve
+         (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
+         goto err;
+     if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
+         goto err;
++# endif
+     if (!test_ecdh_curve
+         (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
+         goto err;
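Review bot: The `# if 0` in this hunk fences off the P-224 test together with P-192, yet the rest of the patch keeps P-224 reachable: `speed.c` still accepts `ecdhp224`, and the `ecp_smpl.c` guard only rejects fields below 224 bits. Either narrow the `# if 0` to the P-192 call so P-224 keeps its test coverage, or state in the patch header that P-224 is expected to fail under bindist and why.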
+@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
+     if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
+         goto err;
+ # endif
++# if 0
+     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
+         goto err;
+     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
+         goto err;
+     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
+         goto err;
+-
++# endif
+     ret = 0;
+ 
+  err:
+--- a/crypto/ecdsa/ecdsatest.c
++++ b/crypto/ecdsa/ecdsatest.c
+@@ -138,9 +138,12 @@ int restore_rand(void)
+ }
+ 
+ static int fbytes_counter = 0, use_fake = 0;
+-static const char *numbers[8] = {
++static const char *numbers[10] = {
++    "651056770906015076056810763456358567190100156695615665659",
+     "651056770906015076056810763456358567190100156695615665659",
+     "6140507067065001063065065565667405560006161556565665656654",
++    "8763001015071075675010661307616710783570106710677817767166"
++        "71676178726717",
+     "8763001015071075675010661307616710783570106710677817767166"
+         "71676178726717",
+     "7000000175690566466555057817571571075705015757757057795755"
+@@ -163,7 +166,7 @@ int fbytes(unsigned char *buf, int num)
+ 
+     use_fake = 0;
+ 
+-    if (fbytes_counter >= 8)
++    if (fbytes_counter >= 10)
+         return 0;
+     tmp = BN_new();
+     if (!tmp)
+@@ -539,8 +542,10 @@ int main(void)
+     RAND_seed(rnd_seed, sizeof(rnd_seed));
+ 
+     /* the tests */
++# if 0
+     if (!x9_62_tests(out))
+         goto err;
++# endif
+     if (!test_builtin(out))
+         goto err;
+ 
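Review bot: `x9_62_tests(out)` is disabled wholesale with `# if 0` and no comment, so every curve that test exercises loses its X9.62 vector check, not just the hobbled ones, while the `numbers[]` table and the `fbytes_counter` limit in the preceding hunks are still grown from 8 to 10. Say in a comment which curves inside `x9_62_tests` are unavailable here, and prefer trimming those cases over removing the call.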
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto[] = {
+     0, 23,                      /* secp256r1 (23) */
+     /* Other >= 256-bit prime curves. */
+     0, 25,                      /* secp521r1 (25) */
+-    0, 28,                      /* brainpool512r1 (28) */
+-    0, 27,                      /* brainpoolP384r1 (27) */
+     0, 24,                      /* secp384r1 (24) */
+-    0, 26,                      /* brainpoolP256r1 (26) */
+     0, 22,                      /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+     /* >= 256-bit binary curves. */
+@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[] = {
+     0, 23,                      /* secp256r1 (23) */
+     /* Other >= 256-bit prime curves. */
+     0, 25,                      /* secp521r1 (25) */
+-    0, 28,                      /* brainpool512r1 (28) */
+-    0, 27,                      /* brainpoolP384r1 (27) */
+     0, 24,                      /* secp384r1 (24) */
+-    0, 26,                      /* brainpoolP256r1 (26) */
+     0, 22,                      /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+     /* >= 256-bit binary curves. */
+@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[] = {
+      * Remaining curves disabled by default but still permitted if set
+      * via an explicit callback or parameters.
+      */
+-    0, 20,                      /* secp224k1 (20) */
+-    0, 21,                      /* secp224r1 (21) */
+-    0, 18,                      /* secp192k1 (18) */
+-    0, 19,                      /* secp192r1 (19) */
+-    0, 15,                      /* secp160k1 (15) */
+-    0, 16,                      /* secp160r1 (16) */
+-    0, 17,                      /* secp160r2 (17) */
+ # ifndef OPENSSL_NO_EC2M
+     0, 8,                       /* sect239k1 (8) */
+     0, 6,                       /* sect233k1 (6) */
+@@ -351,29 +338,21 @@ static const unsigned char fips_curves_default[] = {
+     0, 9,                       /* sect283k1 (9) */
+     0, 10,                      /* sect283r1 (10) */
+ #  endif
+-    0, 22,                      /* secp256k1 (22) */
+     0, 23,                      /* secp256r1 (23) */
+ #  ifndef OPENSSL_NO_EC2M
+     0, 8,                       /* sect239k1 (8) */
+     0, 6,                       /* sect233k1 (6) */
+     0, 7,                       /* sect233r1 (7) */
+ #  endif
+-    0, 20,                      /* secp224k1 (20) */
+-    0, 21,                      /* secp224r1 (21) */
+ #  ifndef OPENSSL_NO_EC2M
+     0, 4,                       /* sect193r1 (4) */
+     0, 5,                       /* sect193r2 (5) */
+ #  endif
+-    0, 18,                      /* secp192k1 (18) */
+-    0, 19,                      /* secp192r1 (19) */
+ #  ifndef OPENSSL_NO_EC2M
+     0, 1,                       /* sect163k1 (1) */
+     0, 2,                       /* sect163r1 (2) */
+     0, 3,                       /* sect163r2 (3) */
+ #  endif
+-    0, 15,                      /* secp160k1 (15) */
+-    0, 16,                      /* secp160r1 (16) */
+-    0, 17,                      /* secp160r2 (17) */
+ };
+ # endif
+ 
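Review bot: `secp256k1 (22)` is removed from `fips_curves_default[]` in this hunk but left in `eccurves_auto[]` and `eccurves_all[]` in the hunks above, and the patch header does not say whether that asymmetry is intended. After the deletions, several `# ifndef OPENSSL_NO_EC2M` blocks in this array also sit back to back with nothing between them. A line in the header listing which curve IDs remain advertised per table would make the next version bump much easier to verify.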

diff --git a/dev-libs/openssl/openssl-1.0.2p.ebuild b/dev-libs/openssl/openssl-1.0.2p.ebuild
index 42179a0775b..148b2fd52a7 100644
--- a/dev-libs/openssl/openssl-1.0.2p.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2p.ebuild
@@ -77,7 +77,7 @@ src_prepare() {
 		for i in "${FEDORA_PATCH[@]}" ; do
 			eapply "${DISTDIR}"/"${i}"
 		done
-		eapply "${FILESDIR}"/openssl-1.0.2o-hobble-ecc.patch
+		eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
 		# Also see the configure parts below:
 		# enable-ec \
 		# $(use_ssl !bindist ec2m) \



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2018-10-29 13:08 Lars Wendler
  0 siblings, 0 replies; 52+ messages in thread
From: Lars Wendler @ 2018-10-29 13:08 UTC (permalink / raw
  To: gentoo-commits

commit:     9cf9aa64d52743263e9619c3cd0794557e3b5445
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 29 13:02:33 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Oct 29 13:08:20 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9cf9aa64

dev-libs/openssl: Revbumps to fix CVE-2018-0735

Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

 .../files/openssl-1.1.0i-CVE-2018-0735.patch       | 44 ++++++++++++++++++++++
 .../files/openssl-1.1.1-CVE-2018-0735.patch        | 44 ++++++++++++++++++++++
 ...nssl-1.1.0i.ebuild => openssl-1.1.0i-r1.ebuild} |  5 ++-
 ...penssl-1.1.1.ebuild => openssl-1.1.1-r1.ebuild} |  4 ++
 4 files changed, 95 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
new file mode 100644
index 00000000000..5762c04fa34
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
@@ -0,0 +1,44 @@
+From 56fb454d281a023b3f950d969693553d3f3ceea1 Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Fri, 26 Oct 2018 10:54:58 +1000
+Subject: [PATCH] Timing vulnerability in ECDSA signature generation
+ (CVE-2018-0735)
+
+Preallocate an extra limb for some of the big numbers to avoid a reallocation
+that can potentially provide a side channel.
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from https://github.com/openssl/openssl/pull/7486)
+
+(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
+---
+ crypto/ec/ec_mult.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
+index 22bb30ffa1..ff882cce20 100644
+--- a/crypto/ec/ec_mult.c
++++ b/crypto/ec/ec_mult.c
+@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
+      */
+     cardinality_bits = BN_num_bits(cardinality);
+     group_top = bn_get_top(cardinality);
+-    if ((bn_wexpand(k, group_top + 1) == NULL)
+-        || (bn_wexpand(lambda, group_top + 1) == NULL))
++    if ((bn_wexpand(k, group_top + 2) == NULL)
++        || (bn_wexpand(lambda, group_top + 2) == NULL))
+         goto err;
+ 
+     if (!BN_copy(k, scalar))
+@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
+      * k := scalar + 2*cardinality
+      */
+     kbit = BN_is_bit_set(lambda, cardinality_bits);
+-    BN_consttime_swap(kbit, k, lambda, group_top + 1);
++    BN_consttime_swap(kbit, k, lambda, group_top + 2);
+ 
+     group_top = bn_get_top(group->field);
+     if ((bn_wexpand(s->X, group_top) == NULL)
+-- 
+2.19.1
+
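Review bot: The limb count `group_top + 2` is now written three times in `ec_mul_consttime()`, twice in the `bn_wexpand()` calls and once in `BN_consttime_swap()`, and the swap is only valid while its word count does not exceed what was preallocated for `k` and `lambda`. A single local used at all three sites would keep them from drifting apart in a later rediff. The comment that ends just above the allocation should also say why two extra limbs are needed, since the commit message only mentions "an extra limb".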

diff --git a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
new file mode 100644
index 00000000000..295f5dbe8d8
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
@@ -0,0 +1,44 @@
+From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Fri, 26 Oct 2018 10:54:58 +1000
+Subject: [PATCH] Timing vulnerability in ECDSA signature generation
+ (CVE-2018-0735)
+
+Preallocate an extra limb for some of the big numbers to avoid a reallocation
+that can potentially provide a side channel.
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from https://github.com/openssl/openssl/pull/7486)
+
+(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
+---
+ crypto/ec/ec_mult.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
+index 7e1b3650e7..0e0a5e1394 100644
+--- a/crypto/ec/ec_mult.c
++++ b/crypto/ec/ec_mult.c
+@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
+      */
+     cardinality_bits = BN_num_bits(cardinality);
+     group_top = bn_get_top(cardinality);
+-    if ((bn_wexpand(k, group_top + 1) == NULL)
+-        || (bn_wexpand(lambda, group_top + 1) == NULL)) {
++    if ((bn_wexpand(k, group_top + 2) == NULL)
++        || (bn_wexpand(lambda, group_top + 2) == NULL)) {
+         ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
+         goto err;
+     }
+@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
+      * k := scalar + 2*cardinality
+      */
+     kbit = BN_is_bit_set(lambda, cardinality_bits);
+-    BN_consttime_swap(kbit, k, lambda, group_top + 1);
++    BN_consttime_swap(kbit, k, lambda, group_top + 2);
+ 
+     group_top = bn_get_top(group->field);
+     if ((bn_wexpand(s->X, group_top) == NULL)
+-- 
+2.19.1
+

diff --git a/dev-libs/openssl/openssl-1.1.0i.ebuild b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
similarity index 98%
rename from dev-libs/openssl/openssl-1.1.0i.ebuild
rename to dev-libs/openssl/openssl-1.1.0i-r1.ebuild
index f97d4157d7e..4cc9eb656d0 100644
--- a/dev-libs/openssl/openssl-1.1.0i.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="6"
@@ -56,6 +56,7 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${P}-CVE-2018-0735.patch
 )
 
 src_prepare() {
@@ -98,7 +99,7 @@ src_prepare() {
 		-e $(has noman FEATURES \
 			&& echo '/^install:/s:install_docs::' \
 			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
 		Configurations/unix-Makefile.tmpl \
 		|| die
 
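Review bot: The `DOCDIR` substitution changes from `${PF}` to `${PVR}` in this hunk, which is unrelated to CVE-2018-0735 and is not mentioned in the commit message. The 1.1.1-r1 rename in the same commit has no matching hunk, so either say in the message why only 1.1.0i needs it or split it into its own commit, keeping the security revbump limited to the `PATCHES` line.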

diff --git a/dev-libs/openssl/openssl-1.1.1.ebuild b/dev-libs/openssl/openssl-1.1.1-r1.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.1.ebuild
rename to dev-libs/openssl/openssl-1.1.1-r1.ebuild
index 3b7cd3fc019..01dfbd3ec61 100644
--- a/dev-libs/openssl/openssl-1.1.1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1-r1.ebuild
@@ -34,6 +34,10 @@ MULTILIB_WRAPPED_HEADERS=(
 	usr/include/openssl/opensslconf.h
 )
 
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2018-0735.patch
+)
+
 src_prepare() {
 	# keep this in sync with app-misc/c_rehash
 	SSL_CNF_DIR="/etc/ssl"
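Review bot: `PATCHES` is introduced in this ebuild for the first time, directly above a custom `src_prepare()`, and the hunk does not show that function calling `default` or `eapply "${PATCHES[@]}"`. If it does neither, the array is never consumed and the CVE-2018-0735 fix is silently left out of the build, so confirm the apply step exists and, ideally, check the build log for the patch being applied.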



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2018-11-12 18:36 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2018-11-12 18:36 UTC (permalink / raw
  To: gentoo-commits

commit:     24a88b7aab48df287482caf912be7b69340a2f35
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 12 18:19:25 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Nov 12 18:36:44 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24a88b7a

dev-libs/openssl: add patch for CVE-2018-0734

Package-Manager: Portage-2.3.51, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 .../files/openssl-1.1.0i-CVE-2018-0734.patch       | 131 +++++++++++++++++++++
 ...l-1.1.0i-r1.ebuild => openssl-1.1.0i-r2.ebuild} |   1 +
 2 files changed, 132 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
new file mode 100644
index 00000000000..47b082f4085
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
@@ -0,0 +1,131 @@
+CVE-2018-0734
+https://github.com/openssl/openssl/commit/415c33563528667868c3c653a612e6fc8736fd79
+https://github.com/openssl/openssl/commit/ef11e19d1365eea2b1851e6f540a0bf365d303e7
+
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -11,6 +11,7 @@
+ 
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
++#include "internal/bn_int.h"
+ #include <openssl/bn.h>
+ #include <openssl/sha.h>
+ #include "dsa_locl.h"
+@@ -25,6 +26,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
+                          DSA_SIG *sig, DSA *dsa);
+ static int dsa_init(DSA *dsa);
+ static int dsa_finish(DSA *dsa);
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++                                      BN_CTX *ctx);
+ 
+ static DSA_METHOD openssl_dsa_meth = {
+     "OpenSSL DSA method",
+@@ -180,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ {
+     BN_CTX *ctx = NULL;
+     BIGNUM *k, *kinv = NULL, *r = *rp;
+-    BIGNUM *l, *m;
++    BIGNUM *l;
+     int ret = 0;
+-    int q_bits;
++    int q_bits, q_words;
+ 
+     if (!dsa->p || !dsa->q || !dsa->g) {
+         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
+@@ -191,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+     k = BN_new();
+     l = BN_new();
+-    m = BN_new();
+-    if (k == NULL || l == NULL || m == NULL)
++    if (k == NULL || l == NULL)
+         goto err;
+ 
+     if (ctx_in == NULL) {
+@@ -203,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+     /* Preallocate space */
+     q_bits = BN_num_bits(dsa->q);
+-    if (!BN_set_bit(k, q_bits)
+-        || !BN_set_bit(l, q_bits)
+-        || !BN_set_bit(m, q_bits))
++    q_words = bn_get_top(dsa->q);
++    if (!bn_wexpand(k, q_words + 2)
++        || !bn_wexpand(l, q_words + 2))
+         goto err;
+ 
+     /* Get random k */
+@@ -240,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+      * small timing information leakage.  We then choose the sum that is
+      * one bit longer than the modulus.
+      *
+-     * TODO: revisit the BN_copy aiming for a memory access agnostic
+-     * conditional copy.
++     * There are some concerns about the efficacy of doing this.  More
++     * specificly refer to the discussion starting with:
++     *     https://github.com/openssl/openssl/pull/7486#discussion_r228323705
++     * The fix is to rework BN so these gymnastics aren't required.
+      */
+     if (!BN_add(l, k, dsa->q)
+-        || !BN_add(m, l, dsa->q)
+-        || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
++        || !BN_add(k, l, dsa->q))
+         goto err;
+ 
++    BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
++
+     if ((dsa)->meth->bn_mod_exp != NULL) {
+             if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
+                                        dsa->method_mont_p))
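Review bot: The word count passed to `BN_consttime_swap(..., q_words + 2)` in this hunk has to stay equal to the `bn_wexpand(k, q_words + 2)` and `bn_wexpand(l, q_words + 2)` preallocation two hunks up, and nothing ties the three literals together; a shared local would make the dependency explicit. The replacement comment itself records "some concerns about the efficacy of doing this", so the patch header should say this is a mitigation pending the BN rework it mentions. The added comment also misspells "specifically" as "specificly".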
+@@ -260,8 +265,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+     if (!BN_mod(r, r, dsa->q, ctx))
+         goto err;
+ 
+-    /* Compute  part of 's = inv(k) (m + xr) mod q' */
+-    if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
++    /* Compute part of 's = inv(k) (m + xr) mod q' */
++    if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
+         goto err;
+ 
+     BN_clear_free(*kinvp);
+@@ -275,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+         BN_CTX_free(ctx);
+     BN_clear_free(k);
+     BN_clear_free(l);
+-    BN_clear_free(m);
+     return ret;
+ }
+ 
+@@ -395,3 +399,31 @@ static int dsa_finish(DSA *dsa)
+     BN_MONT_CTX_free(dsa->method_mont_p);
+     return (1);
+ }
++
++/*
++ * Compute the inverse of k modulo q.
++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
++ * mod-exp operation.  Both the exponent and modulus are public information
++ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
++ * BIGNUM is returned which the caller must free.
++ */
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++                                      BN_CTX *ctx)
++{
++    BIGNUM *res = NULL;
++    BIGNUM *r, *e;
++
++    if ((r = BN_new()) == NULL)
++        return NULL;
++
++    BN_CTX_start(ctx);
++    if ((e = BN_CTX_get(ctx)) != NULL
++            && BN_set_word(r, 2)
++            && BN_sub(e, q, r)
++            && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
++        res = r;
++    else
++        BN_free(r);
++    BN_CTX_end(ctx);
++    return res;
++}

diff --git a/dev-libs/openssl/openssl-1.1.0i-r1.ebuild b/dev-libs/openssl/openssl-1.1.0i-r2.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.0i-r1.ebuild
rename to dev-libs/openssl/openssl-1.1.0i-r2.ebuild
index 4cc9eb656d0..f3862111729 100644
--- a/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0i-r2.ebuild
@@ -56,6 +56,7 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${P}-CVE-2018-0734.patch
 	"${FILESDIR}"/${P}-CVE-2018-0735.patch
 )
 



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2019-02-26 15:31 Lars Wendler
  0 siblings, 0 replies; 52+ messages in thread
From: Lars Wendler @ 2019-02-26 15:31 UTC (permalink / raw
  To: gentoo-commits

commit:     a1ced0de770abbc643d994378b9cd11a41605902
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 26 15:12:11 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Feb 26 15:31:41 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1ced0de

dev-libs/openssl: Removed old.

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   4 -
 ...-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch |  27 --
 ...ix-cert-with-rsa-instead-of-rsaEncryption.patch |  97 -----
 ...ix-some-SSL_export_keying_material-issues.patch | 420 ---------------------
 ...a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch |  26 --
 ...ure-build_SYS_str_reasons_preserves_errno.patch |  68 ----
 .../openssl-1.1.1a-preserve-errno-on-dlopen.patch  |  51 ---
 ...-system-error-number-in-a-few-more-places.patch |  57 ---
 ...t-reduce-stack-usage-in-tls13_hkdf_expand.patch |  56 ---
 dev-libs/openssl/openssl-1.0.2q-r200.ebuild        | 248 ------------
 dev-libs/openssl/openssl-1.1.1a-r1.ebuild          | 299 ---------------
 dev-libs/openssl/openssl-1.1.1a.ebuild             | 288 --------------
 12 files changed, 1641 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3f3dd41c6a0..dd125204215 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -15,10 +15,6 @@ DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BL
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1
-DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199 SHA512 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34
-DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
-DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
-DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8 SHA512 b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d
 DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
 DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
deleted file mode 100644
index 8014be130ab..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3be71a31a1dda204bb95462a92cf7f247e64b939 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Sun, 16 Dec 2018 12:43:59 +0100
-Subject: [PATCH] Fix a minor nit in the hkdflabel size
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7913)
-
-(cherry picked from commit 0b4233f5a4a181a6dcb7c511cd2663e500e659a4)
----
- ssl/tls13_enc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index c3021d18aa9..e36b7d3a066 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -41,7 +41,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-      * + bytes for the hash itself
-      */
-     unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
--                            + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
-+                            + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
-                             + 1 + EVP_MAX_MD_SIZE];
-     WPACKET pkt;
- 
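
Review bot: In the `hkdflabel` declaration in tls13_hkdf_expand(), the size comment above the array is left as it was, so nothing explains why the prefix term is now `sizeof(label_prefix) - 1`. Add a few words saying that the subtraction drops the string's terminating NUL from the count. The unchanged line before it still ends with `+` while the changed line starts with `+`, which leaves a stray unary plus that could be removed in the same change.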

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
deleted file mode 100644
index 8f249e22a1d..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From c25ae0fff78cb3cb784ef79167329d5cd55b62de Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Thu, 27 Dec 2018 22:18:21 +0100
-Subject: [PATCH] Fix cert with rsa instead of rsaEncryption as public key
- algorithm
-
-Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
-(Merged from https://github.com/openssl/openssl/pull/7962)
-
-(cherry picked from commit 1f483a69bce11c940309edc437eee6e32294d5f2)
----
- crypto/rsa/rsa_ameth.c        |  9 ++++++---
- test/certs/root-cert-rsa2.pem | 18 ++++++++++++++++++
- test/recipes/25-test_verify.t |  4 +++-
- 3 files changed, 27 insertions(+), 4 deletions(-)
- create mode 100644 test/certs/root-cert-rsa2.pem
-
-diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
-index a6595aec054..75debb3e0a9 100644
---- a/crypto/rsa/rsa_ameth.c
-+++ b/crypto/rsa/rsa_ameth.c
-@@ -34,7 +34,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey,
- 
-     *pstr = NULL;
-     /* If RSA it's just NULL type */
--    if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
-+    if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
-         *pstrtype = V_ASN1_NULL;
-         return 1;
-     }
-@@ -58,7 +58,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
-     int algptype;
- 
-     X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
--    if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
-+    if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
-         return 1;
-     if (algptype == V_ASN1_UNDEF)
-         return 1;
-@@ -109,7 +109,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
-         RSA_free(rsa);
-         return 0;
-     }
--    EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
-+    if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
-+        RSA_free(rsa);
-+        return 0;
-+    }
-     return 1;
- }
- 
-diff --git a/test/certs/root-cert-rsa2.pem b/test/certs/root-cert-rsa2.pem
-new file mode 100644
-index 00000000000..b817fdf3e5d
---- /dev/null
-+++ b/test/certs/root-cert-rsa2.pem
-@@ -0,0 +1,18 @@
-+-----BEGIN CERTIFICATE-----
-+MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
-+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
-+DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP
-+Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk
-+7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX
-+OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq
-+alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN
-+biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+
-+ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G
-+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
-+KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt
-+NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv
-+8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm
-+mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx
-+PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb
-+7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI=
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
-index 6c3deab7c67..b80a1cde3ed 100644
---- a/test/recipes/25-test_verify.t
-+++ b/test/recipes/25-test_verify.t
-@@ -27,7 +27,7 @@ sub verify {
-     run(app([@args]));
- }
- 
--plan tests => 134;
-+plan tests => 135;
- 
- # Canonical success
- ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
-@@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"]
-     "Not too many names and constraints to check (2)");
- ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),
-     "Not too many names and constraints to check (3)");
-+ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
-+    "Public Key Algorithm rsa instead of rsaEncryption");
- 
- SKIP: {
-     skip "Ed25519 is not supported by this OpenSSL build", 1
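
Review bot: In rsa_param_encode(), the comment `/* If RSA it's just NULL type */` no longer matches the condition, which is now `pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS` and so takes the NULL-parameter path for every key id other than RSA-PSS. Update the comment to say that, and add a line in rsa_param_decode() stating the assumption that these functions are only reached for RSA-family methods, because after the same widening it returns 1 without looking at the parameters for any non-PSS algorithm. The new return-value check on EVP_PKEY_assign(), with RSA_free() on failure, closes the leak on that path and is worth naming in the commit message, which currently mentions only the public key algorithm fix.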

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
deleted file mode 100644
index 2db64d83e45..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
+++ /dev/null
@@ -1,420 +0,0 @@
-From 0fb2815b873304d145ed00283454fc9f3bd35e6b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 4 Dec 2018 08:37:04 +0000
-Subject: [PATCH] Fix some SSL_export_keying_material() issues
-
-Fix some issues in tls13_hkdf_expand() which impact the above function
-for TLSv1.3. In particular test that we can use the maximum label length
-in TLSv1.3.
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7755)
----
- doc/man3/SSL_export_keying_material.pod |  3 +-
- ssl/ssl_locl.h                          |  2 +-
- ssl/statem/extensions.c                 |  2 +-
- ssl/statem/statem_clnt.c                |  2 +-
- ssl/statem/statem_srvr.c                |  2 +-
- ssl/tls13_enc.c                         | 73 +++++++++++++++++--------
- test/sslapitest.c                       | 48 ++++++++++++----
- test/tls13secretstest.c                 |  2 +-
- 8 files changed, 92 insertions(+), 42 deletions(-)
-
-diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod
-index abebf911fc3..4c81a60ffbb 100644
---- a/doc/man3/SSL_export_keying_material.pod
-+++ b/doc/man3/SSL_export_keying_material.pod
-@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from
- the IANA Exporter Label Registry
- (L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
- Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
--to be used without registration.
-+to be used without registration. TLSv1.3 imposes a maximum label length of
-+249 bytes.
- 
- Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
- above. Attempting to use it in SSLv3 will result in an error.
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 70e5a1740f9..307131de93a 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
-                              const unsigned char *secret,
-                              const unsigned char *label, size_t labellen,
-                              const unsigned char *data, size_t datalen,
--                             unsigned char *out, size_t outlen);
-+                             unsigned char *out, size_t outlen, int fatal);
- __owur int tls13_derive_key(SSL *s, const EVP_MD *md,
-                             const unsigned char *secret, unsigned char *key,
-                             size_t keylen);
-diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
-index 63e61c6184a..716d6d23e08 100644
---- a/ssl/statem/extensions.c
-+++ b/ssl/statem/extensions.c
-@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
- 
-     /* Generate the binder key */
-     if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
--                           hashsize, binderkey, hashsize)) {
-+                           hashsize, binderkey, hashsize, 1)) {
-         /* SSLfatal() already called */
-         goto err;
-     }
-diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
-index 5a8f1163dfa..a0e495d8e83 100644
---- a/ssl/statem/statem_clnt.c
-+++ b/ssl/statem/statem_clnt.c
-@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
-                                PACKET_data(&nonce),
-                                PACKET_remaining(&nonce),
-                                s->session->master_key,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index e7c11c4bea4..a8e862ced55 100644
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
-                                tick_nonce,
-                                TICKET_NONCE_SIZE,
-                                s->session->master_key,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index f7ab0fa4704..c3021d18aa9 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -13,7 +13,7 @@
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
- 
--#define TLS13_MAX_LABEL_LEN     246
-+#define TLS13_MAX_LABEL_LEN     249
- 
- /* Always filled with zeros */
- static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-@@ -22,30 +22,47 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-  * Given a |secret|; a |label| of length |labellen|; and |data| of length
-  * |datalen| (e.g. typically a hash of the handshake messages), derive a new
-  * secret |outlen| bytes long and store it in the location pointed to be |out|.
-- * The |data| value may be zero length. Returns 1 on success  0 on failure.
-+ * The |data| value may be zero length. Any errors will be treated as fatal if
-+ * |fatal| is set. Returns 1 on success  0 on failure.
-  */
- int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-                              const unsigned char *label, size_t labellen,
-                              const unsigned char *data, size_t datalen,
--                             unsigned char *out, size_t outlen)
-+                             unsigned char *out, size_t outlen, int fatal)
- {
--    const unsigned char label_prefix[] = "tls13 ";
-+    static const unsigned char label_prefix[] = "tls13 ";
-     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
-     int ret;
-     size_t hkdflabellen;
-     size_t hashlen;
-     /*
--     * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
--     * prefix and label + bytes for the label itself + bytes for the hash
-+     * 2 bytes for length of derived secret + 1 byte for length of combined
-+     * prefix and label + bytes for the label itself + 1 byte length of hash
-+     * + bytes for the hash itself
-      */
-     unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
-                             + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
--                            + EVP_MAX_MD_SIZE];
-+                            + 1 + EVP_MAX_MD_SIZE];
-     WPACKET pkt;
- 
-     if (pctx == NULL)
-         return 0;
- 
-+    if (labellen > TLS13_MAX_LABEL_LEN) {
-+        if (fatal) {
-+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+                     ERR_R_INTERNAL_ERROR);
-+        } else {
-+            /*
-+             * Probably we have been called from SSL_export_keying_material(),
-+             * or SSL_export_keying_material_early().
-+             */
-+            SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
-+        }
-+        EVP_PKEY_CTX_free(pctx);
-+        return 0;
-+    }
-+
-     hashlen = EVP_MD_size(md);
- 
-     if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
-@@ -59,8 +76,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-             || !WPACKET_finish(&pkt)) {
-         EVP_PKEY_CTX_free(pctx);
-         WPACKET_cleanup(&pkt);
--        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
--                 ERR_R_INTERNAL_ERROR);
-+        if (fatal)
-+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+                     ERR_R_INTERNAL_ERROR);
-+        else
-+            SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
-         return 0;
-     }
- 
-@@ -74,9 +94,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
- 
-     EVP_PKEY_CTX_free(pctx);
- 
--    if (ret != 0)
--        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
--                 ERR_R_INTERNAL_ERROR);
-+    if (ret != 0) {
-+        if (fatal)
-+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
-+                     ERR_R_INTERNAL_ERROR);
-+        else
-+            SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
-+    }
- 
-     return ret == 0;
- }
-@@ -91,7 +115,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
-     static const unsigned char keylabel[] = "key";
- 
-     return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
--                             NULL, 0, key, keylen);
-+                             NULL, 0, key, keylen, 1);
- }
- 
- /*
-@@ -104,7 +128,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
-     static const unsigned char ivlabel[] = "iv";
- 
-     return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
--                             NULL, 0, iv, ivlen);
-+                             NULL, 0, iv, ivlen, 1);
- }
- 
- int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
-@@ -114,7 +138,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
-     static const unsigned char finishedlabel[] = "finished";
- 
-     return tls13_hkdf_expand(s, md, secret, finishedlabel,
--                             sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
-+                             sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
- }
- 
- /*
-@@ -177,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
-         if (!tls13_hkdf_expand(s, md, prevsecret,
-                                (unsigned char *)derived_secret_label,
-                                sizeof(derived_secret_label) - 1, hash, mdlen,
--                               preextractsec, mdlen)) {
-+                               preextractsec, mdlen, 1)) {
-             /* SSLfatal() already called */
-             EVP_PKEY_CTX_free(pctx);
-             return 0;
-@@ -337,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
-     hashlen = (size_t)hashleni;
- 
-     if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
--                           secret, hashlen)) {
-+                           secret, hashlen, 1)) {
-         /* SSLfatal() already called */
-         goto err;
-     }
-@@ -517,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which)
-                                    early_exporter_master_secret,
-                                    sizeof(early_exporter_master_secret) - 1,
-                                    hashval, hashlen,
--                                   s->early_exporter_master_secret, hashlen)) {
-+                                   s->early_exporter_master_secret, hashlen,
-+                                   1)) {
-                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
-                          SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
-                 goto err;
-@@ -604,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which)
-                                resumption_master_secret,
-                                sizeof(resumption_master_secret) - 1,
-                                hashval, hashlen, s->resumption_master_secret,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-@@ -624,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which)
-                                exporter_master_secret,
-                                sizeof(exporter_master_secret) - 1,
-                                hash, hashlen, s->exporter_master_secret,
--                               hashlen)) {
-+                               hashlen, 1)) {
-             /* SSLfatal() already called */
-             goto err;
-         }
-@@ -738,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-             || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
-             || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
-                                   (const unsigned char *)label, llen,
--                                  data, datalen, exportsecret, hashsize)
-+                                  data, datalen, exportsecret, hashsize, 0)
-             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
-                                   sizeof(exporterlabel) - 1, hash, hashsize,
--                                  out, olen))
-+                                  out, olen, 0))
-         goto err;
- 
-     ret = 1;
-@@ -797,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
-             || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
-             || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
-                                   (const unsigned char *)label, llen,
--                                  data, datalen, exportsecret, hashsize)
-+                                  data, datalen, exportsecret, hashsize, 0)
-             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
-                                   sizeof(exporterlabel) - 1, hash, hashsize,
--                                  out, olen))
-+                                  out, olen, 0))
-         goto err;
- 
-     ret = 1;
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 108d57e4781..a4bbb4fead4 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst)
-  * no test vectors so all we do is test that both sides of the communication
-  * produce the same results for different protocol versions.
-  */
-+#define SMALL_LABEL_LEN 10
-+#define LONG_LABEL_LEN  249
- static int test_export_key_mat(int tst)
- {
-     int testresult = 0;
-     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
-     SSL *clientssl = NULL, *serverssl = NULL;
--    const char label[] = "test label";
-+    const char label[LONG_LABEL_LEN + 1] = "test label";
-     const unsigned char context[] = "context";
-     const unsigned char *emptycontext = NULL;
-     unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
-     unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
-+    size_t labellen;
-     const int protocols[] = {
-         TLS1_VERSION,
-         TLS1_1_VERSION,
-         TLS1_2_VERSION,
-+        TLS1_3_VERSION,
-+        TLS1_3_VERSION,
-         TLS1_3_VERSION
-     };
- 
-@@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst)
-         return 1;
- #endif
- #ifdef OPENSSL_NO_TLS1_3
--    if (tst == 3)
-+    if (tst >= 3)
-         return 1;
- #endif
-     if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
-@@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst)
-                                                 SSL_ERROR_NONE)))
-         goto end;
- 
-+    if (tst == 5) {
-+        /*
-+         * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
-+         * go over that.
-+         */
-+        if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
-+                                                    sizeof(ckeymat1), label,
-+                                                    LONG_LABEL_LEN + 1, context,
-+                                                    sizeof(context) - 1, 1), 0))
-+            goto end;
-+
-+        testresult = 1;
-+        goto end;
-+    } else if (tst == 4) {
-+        labellen = LONG_LABEL_LEN;
-+    } else {
-+        labellen = SMALL_LABEL_LEN;
-+    }
-+
-     if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
-                                                 sizeof(ckeymat1), label,
--                                                sizeof(label) - 1, context,
-+                                                labellen, context,
-                                                 sizeof(context) - 1, 1), 1)
-             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
-                                                        sizeof(ckeymat2), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        emptycontext,
-                                                        0, 1), 1)
-             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
-                                                        sizeof(ckeymat3), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        NULL, 0, 0), 1)
-             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
-                                                        sizeof(skeymat1), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        context,
-                                                        sizeof(context) -1, 1),
-                             1)
-             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
-                                                        sizeof(skeymat2), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        emptycontext,
-                                                        0, 1), 1)
-             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
-                                                        sizeof(skeymat3), label,
--                                                       sizeof(label) - 1,
-+                                                       labellen,
-                                                        NULL, 0, 0), 1)
-                /*
-                 * Check that both sides created the same key material with the
-@@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst)
-      * Check that an empty context and no context produce different results in
-      * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
-      */
--    if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
-+    if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
-                                   sizeof(ckeymat3)))
--            || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
--                                        sizeof(ckeymat3))))
-+            || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
-+                                         sizeof(ckeymat3))))
-         goto end;
- 
-     testresult = 1;
-@@ -5909,7 +5933,7 @@ int setup_tests(void)
-     ADD_ALL_TESTS(test_custom_exts, 3);
- #endif
-     ADD_ALL_TESTS(test_serverinfo, 8);
--    ADD_ALL_TESTS(test_export_key_mat, 4);
-+    ADD_ALL_TESTS(test_export_key_mat, 6);
- #ifndef OPENSSL_NO_TLS1_3
-     ADD_ALL_TESTS(test_export_key_mat_early, 3);
- #endif
-diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
-index 319df17bab0..de318df02b4 100644
---- a/test/tls13secretstest.c
-+++ b/test/tls13secretstest.c
-@@ -226,7 +226,7 @@ static int test_secret(SSL *s, unsigned char *prk,
-     }
- 
-     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
--                           gensecret, hashsize)) {
-+                           gensecret, hashsize, 1)) {
-         TEST_error("Secret generation failed");
-         return 0;
-     }
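
Review bot: In the tls13_change_cipher_state() hunk at line 517, the call passes `fatal` as 1, so tls13_hkdf_expand() calls SSLfatal() itself on failure, yet the caller's own `SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);` stays in place; every other call site in this patch carries `/* SSLfatal() already called */` and goes straight to `err`. Drop the second call or document why it is kept. Separately, `TLS13_MAX_LABEL_LEN` moves from 246 to 249 with no comment giving the derivation; a one-line note tying it to the 1-byte length of the combined prefix and label would keep the constant, the "249 bytes" sentence in the man page and `LONG_LABEL_LEN` in test/sslapitest.c from drifting apart.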

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
deleted file mode 100644
index c2f8bb638b3..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 3ccccb91ae1c07a4310778b3d7ba74ff4ff787f0 Mon Sep 17 00:00:00 2001
-From: Paul Yang <yang.yang@baishancloud.com>
-Date: Wed, 21 Nov 2018 13:16:27 +0800
-Subject: [PATCH] Fix wrong return value in ssl3_ctx_ctrl
-
-This fixes issue #7677
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7678)
----
- ssl/s3_lib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 866ca4dfa9b..99ae48199c2 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
-                                   EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
-                 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
-                 EVP_PKEY_free(pkdh);
--                return 1;
-+                return 0;
-             }
-             EVP_PKEY_free(ctx->cert->dh_tmp);
-             ctx->cert->dh_tmp = pkdh;
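
Review bot: The diffstat lists only ssl/s3_lib.c, so the corrected `return 0` after `SSL_R_DH_KEY_TOO_SMALL` in ssl3_ctx_ctrl() ships without a test. A case that supplies a DH key rejected by the security check and asserts that the control call fails would pin the behaviour, since the old `return 1` reported success to the caller while queuing an error. The commit message could also state the symptom instead of only citing issue #7677.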

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch b/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
deleted file mode 100644
index cfa84c73a5b..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 99992ad22019e752c7b103a45f860a48b6bc0972 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 21 Nov 2018 11:44:42 +0000
-Subject: [PATCH] Make sure build_SYS_str_reasons() preserves errno
-
-This function can end up being called during ERR_get_error() if we are
-initialising. ERR_get_error() must preserve errno since it gets called via
-SSL_get_error(). If that function returns SSL_ERROR_SYSCALL then you are
-supposed to inspect errno.
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7680)
-
-(cherry picked from commit 71b1ceffc4c795f5db21861dd1016fbe23a53a53)
----
-
-diff --git a/crypto/err/err.c b/crypto/err/err.c
-index 03cbd73..2eeeab2 100644
---- a/crypto/err/err.c
-+++ b/crypto/err/err.c
-@@ -19,6 +19,7 @@
- #include <openssl/bio.h>
- #include <openssl/opensslconf.h>
- #include "internal/thread_once.h"
-+#include "e_os.h"
- 
- static int err_load_strings(const ERR_STRING_DATA *str);
- 
-@@ -201,6 +202,7 @@ static void build_SYS_str_reasons(void)
-     static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
-     static int init = 1;
-     int i;
-+    int saveerrno = get_last_sys_error();
- 
-     CRYPTO_THREAD_write_lock(err_string_lock);
-     if (!init) {
-@@ -229,6 +231,8 @@ static void build_SYS_str_reasons(void)
-     init = 0;
- 
-     CRYPTO_THREAD_unlock(err_string_lock);
-+    /* openssl_strerror_r could change errno, but we want to preserve it */
-+    set_sys_error(saveerrno);
-     err_load_strings(SYS_str_reasons);
- }
- #endif
-diff --git a/e_os.h b/e_os.h
-index 5340593..8e6efa9 100644
---- a/e_os.h
-+++ b/e_os.h
-@@ -49,6 +49,7 @@
- 
- # define get_last_sys_error()    errno
- # define clear_sys_error()       errno=0
-+# define set_sys_error(e)        errno=(e)
- 
- /********************************************************************
-  The Microsoft section
-@@ -66,8 +67,10 @@
- # ifdef WIN32
- #  undef get_last_sys_error
- #  undef clear_sys_error
-+#  undef set_sys_error
- #  define get_last_sys_error()    GetLastError()
- #  define clear_sys_error()       SetLastError(0)
-+#  define set_sys_error(e)        SetLastError(e)
- #  if !defined(WINNT)
- #   define WIN_CONSOLE_BUG
- #  endif
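
Review bot: In build_SYS_str_reasons(), `set_sys_error(saveerrno)` runs before `err_load_strings(SYS_str_reasons)`, so the restore covers only the table-building section; if err_load_strings() can touch errno, the function still does not preserve it on return. Move the restore to the last statement, or extend the comment to say why the later call is safe. In e_os.h, `# define set_sys_error(e)        errno=(e)` expands to a bare assignment, like the existing `clear_sys_error()`; wrapping the whole expansion in parentheses would make it safe inside a larger expression.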

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
deleted file mode 100644
index ed8f2dd96be..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ef97becf522fc4e2e9d98e6ae7bcb26651883d9a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 21 Nov 2018 11:57:04 +0000
-Subject: [PATCH] Preserve errno on dlopen
-
-For the same reasons as in the previous commit we must preserve errno
-across dlopen calls. Some implementations (e.g. solaris) do not preserve
-errno even on a successful dlopen call.
-
-Fixes #6953
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7680)
-
-(cherry picked from commit 3cb4e7dc1cf92022f62b9bbdd59695885a1265ff)
----
- crypto/dso/dso_dlfcn.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
-index ad8899c289a..4240f5f5e30 100644
---- a/crypto/dso/dso_dlfcn.c
-+++ b/crypto/dso/dso_dlfcn.c
-@@ -17,6 +17,7 @@
- #endif
- 
- #include "dso_locl.h"
-+#include "e_os.h"
- 
- #ifdef DSO_DLFCN
- 
-@@ -99,6 +100,7 @@ static int dlfcn_load(DSO *dso)
-     /* See applicable comments in dso_dl.c */
-     char *filename = DSO_convert_filename(dso, NULL);
-     int flags = DLOPEN_FLAG;
-+    int saveerrno = get_last_sys_error();
- 
-     if (filename == NULL) {
-         DSOerr(DSO_F_DLFCN_LOAD, DSO_R_NO_FILENAME);
-@@ -118,6 +120,11 @@ static int dlfcn_load(DSO *dso)
-         ERR_add_error_data(4, "filename(", filename, "): ", dlerror());
-         goto err;
-     }
-+    /*
-+     * Some dlopen() implementations (e.g. solaris) do no preserve errno, even
-+     * on a successful call.
-+     */
-+    set_sys_error(saveerrno);
-     if (!sk_void_push(dso->meth_data, (char *)ptr)) {
-         DSOerr(DSO_F_DLFCN_LOAD, DSO_R_STACK_ERROR);
-         goto err;
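
Review bot: In dlfcn_load(), `set_sys_error(saveerrno)` sits only on the path where dlopen() succeeded; the failure branch just above it does `goto err` first, so errno is not restored there even though the commit message says errno must be preserved across dlopen calls. State whether that is intended, or restore on the `err` path as well. `saveerrno` is also initialised after `DSO_convert_filename(dso, NULL)` has already run in the preceding declaration, so any change made by that call is saved instead of undone. The new comment has a typo: "do no preserve" should read "do not preserve".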

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
deleted file mode 100644
index 84c43a3c3e0..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 145419423e1a74ae54cdbd3aed8bb15cbd53c7cc Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Fri, 14 Dec 2018 19:33:55 +0100
-Subject: [PATCH] ERR: preserve system error number in a few more places
-
-It turns out that intialization may change the error number, so we
-need to preserve the system error number in functions where
-initialization is called for.
-These are ERR_get_state() and err_shelve_state()
-
-Fixes #7897
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7902)
-
-(cherry picked from commit 91c5473035aaf2c0d86e4039c2a29a5b70541905)
----
- crypto/err/err.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/crypto/err/err.c b/crypto/err/err.c
-index 5cfb02d821b..aef2543d60b 100644
---- a/crypto/err/err.c
-+++ b/crypto/err/err.c
-@@ -697,6 +697,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init)
- ERR_STATE *ERR_get_state(void)
- {
-     ERR_STATE *state;
-+    int saveerrno = get_last_sys_error();
- 
-     if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
-         return NULL;
-@@ -728,6 +729,7 @@ ERR_STATE *ERR_get_state(void)
-         OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-     }
- 
-+    set_sys_error(saveerrno);
-     return state;
- }
- 
-@@ -737,6 +739,8 @@ ERR_STATE *ERR_get_state(void)
-  */
- int err_shelve_state(void **state)
- {
-+    int saveerrno = get_last_sys_error();
-+
-     if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
-         return 0;
- 
-@@ -747,6 +751,7 @@ int err_shelve_state(void **state)
-     if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
-         return 0;
- 
-+    set_sys_error(saveerrno);
-     return 1;
- }
- 
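
Review bot: both `ERR_get_state()` and `err_shelve_state()` call `set_sys_error(saveerrno)` only before the final successful return, so the early exits shown in these hunks skip it. Those exits are `return NULL` and `return 0` when `OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)` fails, and `return 0` when `CRYPTO_THREAD_set_local()` fails. The commit message says initialization itself may change the error number, so the failed-initialization paths are exactly where the caller's value is most likely to be lost. Routing every return through one exit that restores `saveerrno` would cover them, or the message should state that only the success path is preserved.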

diff --git a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch b/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
deleted file mode 100644
index 5ea4fb97bfc..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From ed371b8cbac0d0349667558c061c1ae380cf75eb Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 3 Dec 2018 18:14:57 +0000
-Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand"
-
-This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d.
-
-SSL_export_keying_material() may use longer label lengths.
-
-Fixes #7712
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/7755)
----
- ssl/tls13_enc.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
-index b6825d20c2d..f7ab0fa4704 100644
---- a/ssl/tls13_enc.c
-+++ b/ssl/tls13_enc.c
-@@ -13,14 +13,7 @@
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
- 
--/*
-- * RFC 8446, 7.1 Key Schedule, says:
-- * Note: With common hash functions, any label longer than 12 characters
-- * requires an additional iteration of the hash function to compute.
-- * The labels in this specification have all been chosen to fit within
-- * this limit.
-- */
--#define TLS13_MAX_LABEL_LEN     12
-+#define TLS13_MAX_LABEL_LEN     246
- 
- /* Always filled with zeros */
- static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
-@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
-                              const unsigned char *data, size_t datalen,
-                              unsigned char *out, size_t outlen)
- {
--    static const unsigned char label_prefix[] = "tls13 ";
-+    const unsigned char label_prefix[] = "tls13 ";
-     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
-     int ret;
-     size_t hkdflabellen;
-     size_t hashlen;
-     /*
--     * 2 bytes for length of derived secret + 1 byte for length of combined
--     * prefix and label + bytes for the label itself + 1 byte length of hash
--     * + bytes for the hash itself
-+     * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
-+     * prefix and label + bytes for the label itself + bytes for the hash
-      */
-     unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
-                             + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
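
Review bot: `#define TLS13_MAX_LABEL_LEN 246` replaces a documented limit with an unexplained constant. The RFC 8446 comment is removed and nothing in the file says how 246 was derived; the only rationale is the commit message's remark that `SSL_export_keying_material()` may use longer labels. A short comment giving the derivation should accompany the define. `hkdflabel` is a stack array sized from this macro, so the revert grows every `tls13_hkdf_expand()` frame by 234 bytes, and dropping `static` from `label_prefix` makes that array a per-call local as well. The visible lines do not show a check that the caller's label length stays within the macro, which is worth confirming alongside the larger buffer.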

diff --git a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild b/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
deleted file mode 100644
index 44b9547d141..00000000000
--- a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
+++ /dev/null
@@ -1,248 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-# openssl-1.0.2-patches-1.6 contain additional CVE patches
-# which got fixed with this release.
-# Please use 1.7 version number when rolling a new tarball!
-PATCH_SET="openssl-1.0.2-patches-1.5"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	!vanilla? (
-		mirror://gentoo/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
-	)"
-
-LICENSE="openssl"
-SLOT="1.0.0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	!=dev-libs/openssl-1.0.2*:0"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-
-RESTRICT="test"
-
-# Do not install any docs
-DOCS=()
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-# These are ported instead
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-#PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f25'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	if use bindist; then
-		# This just removes the prefix, and puts it into WORKDIR like the RPM.
-		for i in "${FEDORA_SOURCE[@]}" ; do
-			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
-		done
-		# .spec %prep
-		bash "${WORKDIR}"/"${SOURCE1}" || die
-		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
-		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
-		done
-		eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-		# $(use_ssl !bindist srp) \
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		eapply "${WORKDIR}"/patch/*.patch
-	fi
-
-	eapply_user
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	# this breaks build with 1.0.2p, not sure if it is needed anymore
-	#sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	# https://github.com/openssl/openssl/issues/2286
-	if use ia64 ; then
-		replace-flags -g3 -g2
-		replace-flags -ggdb3 -ggdb2
-	fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		$(use_ssl !bindist srp) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl sslv2 ssl2) \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX%/}"/usr \
-		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 V=1 depend
-	emake build_libs
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	dolib.so lib{crypto,ssl}.so.${SLOT}
-}
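
Review bot: `RESTRICT="test"` further down overwrites the earlier `RESTRICT="!bindist? ( bindist )"`, so the bindist restriction declared near the top never takes effect in this ebuild. Use `RESTRICT+=" test"` or fold both into one assignment. In `src_prepare`, the `sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared` call and the `Configure` shebang `sed` are the only edits there without `|| die`, so a failed substitution in either would go unnoticed.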

diff --git a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild b/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
deleted file mode 100644
index 0ad3e058c0c..00000000000
--- a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
+++ /dev/null
@@ -1,299 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
-	"${FILESDIR}"/${P}-make-sure-build_SYS_str_reasons_preserves_errno.patch
-	"${FILESDIR}"/${P}-preserve-errno-on-dlopen.patch
-	"${FILESDIR}"/${P}-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
-	"${FILESDIR}"/${P}-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
-	"${FILESDIR}"/${P}-fix-some-SSL_export_keying_material-issues.patch
-	"${FILESDIR}"/${P}-preserve-system-error-number-in-a-few-more-places.patch
-	"${FILESDIR}"/${P}-fix-a-minor-nit-in-hkdflabel-size.patch
-	"${FILESDIR}"/${P}-fix-cert-with-rsa-instead-of-rsaEncryption.patch
-)
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
-for i in "${FEDORA_SOURCE[@]}" ; do
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	if use bindist; then
-		# This just removes the prefix, and puts it into WORKDIR like the RPM.
-		for i in "${FEDORA_SOURCE[@]}" ; do
-			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
-		done
-		# .spec %prep
-		bash "${WORKDIR}"/"${SOURCE1}" || die
-		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
-		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
-		done
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX%/}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m'
-	# 'srp' was restricted until early 2017 as well.
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX%/}"/usr \
-		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	# Fix quoting for sed
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-		-e 's:\\:\\\\:g' \
-	)
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED%/}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED%/}"/usr || die
-	fi
-
-	emake DESTDIR="${D%/}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED%/}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED%/}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}
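
Review bot: the closing check in `multilib_src_install_all`, `[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("`, runs after the loop, so it inspects only the directory left in `${d}` by the last iteration. Broken links in any other man section pass silently; since the function has already changed into `usr/share/man`, `find -L . -type l` would cover all sections. Inside the loop, `mv ${d}/{,ssl-}${m}` and the first `ln -s` have no `|| die`, and every expansion is unquoted, so a failed rename only surfaces indirectly through the link check.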

diff --git a/dev-libs/openssl/openssl-1.1.1a.ebuild b/dev-libs/openssl/openssl-1.1.1a.ebuild
deleted file mode 100644
index 5b5bb76c6b7..00000000000
--- a/dev-libs/openssl/openssl-1.1.1a.ebuild
+++ /dev/null
@@ -1,288 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-PATCH37=openssl-1.1.1-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f29'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
-FEDORA_PATCH=( ${PATCH37} )
-for i in "${FEDORA_SOURCE[@]}" ; do
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	if use bindist; then
-		# This just removes the prefix, and puts it into WORKDIR like the RPM.
-		for i in "${FEDORA_SOURCE[@]}" ; do
-			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
-		done
-		# .spec %prep
-		bash "${WORKDIR}"/"${SOURCE1}" || die
-		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
-		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
-		done
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX%/}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m'
-	# 'srp' was restricted until early 2017 as well.
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX%/}"/usr \
-		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	# Fix quoting for sed
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-		-e 's:\\:\\\\:g' \
-	)
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED%/}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED%/}"/usr || die
-	fi
-
-	emake DESTDIR="${D%/}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED%/}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED%/}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2019-02-27 19:09 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2019-02-27 19:09 UTC (permalink / raw
  To: gentoo-commits

commit:     05ef2e7b732a8571f2d4ef84659b7f972a8cd90e
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Feb 27 19:07:04 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Feb 27 19:07:04 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05ef2e7b

dev-libs/openssl: fix USE=bindist

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 .../files/openssl-1.1.1b-ec-curves-patch.patch     | 207 +++++++++++++++++++++
 ...nssl-1.1.1b.ebuild => openssl-1.1.1b-r1.ebuild} |   8 +-
 2 files changed, 214 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch
new file mode 100644
index 00000000000..c1f53c83823
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch
@@ -0,0 +1,207 @@
+Based on openssl-1.1.1-ec-curves.patch.
+
+Updated for OpenSSL change b6d41ff73392df5af9c931c902ae4cd75c5b61ea.
+
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
+ static double rsa_results[RSA_NUM][2];  /* 2 ops: sign then verify */
+ #endif /* OPENSSL_NO_RSA */
+ 
+-#define R_EC_P160    0
+-#define R_EC_P192    1
+-#define R_EC_P224    2
+-#define R_EC_P256    3
+-#define R_EC_P384    4
+-#define R_EC_P521    5
+-#define R_EC_K163    6
+-#define R_EC_K233    7
+-#define R_EC_K283    8
+-#define R_EC_K409    9
+-#define R_EC_K571    10
+-#define R_EC_B163    11
+-#define R_EC_B233    12
+-#define R_EC_B283    13
+-#define R_EC_B409    14
+-#define R_EC_B571    15
+-#define R_EC_BRP256R1  16
+-#define R_EC_BRP256T1  17
+-#define R_EC_BRP384R1  18
+-#define R_EC_BRP384T1  19
+-#define R_EC_BRP512R1  20
+-#define R_EC_BRP512T1  21
+-#define R_EC_X25519  22
+-#define R_EC_X448    23
++#define R_EC_P224    0
++#define R_EC_P256    1
++#define R_EC_P384    2
++#define R_EC_P521    3
++#define R_EC_X25519  4
++#define R_EC_X448    5
+ #ifndef OPENSSL_NO_EC
+ static OPT_PAIR ecdsa_choices[] = {
+-    {"ecdsap160", R_EC_P160},
+-    {"ecdsap192", R_EC_P192},
+     {"ecdsap224", R_EC_P224},
+     {"ecdsap256", R_EC_P256},
+     {"ecdsap384", R_EC_P384},
+     {"ecdsap521", R_EC_P521},
+-    {"ecdsak163", R_EC_K163},
+-    {"ecdsak233", R_EC_K233},
+-    {"ecdsak283", R_EC_K283},
+-    {"ecdsak409", R_EC_K409},
+-    {"ecdsak571", R_EC_K571},
+-    {"ecdsab163", R_EC_B163},
+-    {"ecdsab233", R_EC_B233},
+-    {"ecdsab283", R_EC_B283},
+-    {"ecdsab409", R_EC_B409},
+-    {"ecdsab571", R_EC_B571},
+-    {"ecdsabrp256r1", R_EC_BRP256R1},
+-    {"ecdsabrp256t1", R_EC_BRP256T1},
+-    {"ecdsabrp384r1", R_EC_BRP384R1},
+-    {"ecdsabrp384t1", R_EC_BRP384T1},
+-    {"ecdsabrp512r1", R_EC_BRP512R1},
+-    {"ecdsabrp512t1", R_EC_BRP512T1}
+ };
+ # define ECDSA_NUM       OSSL_NELEM(ecdsa_choices)
+ 
+ static double ecdsa_results[ECDSA_NUM][2];    /* 2 ops: sign then verify */
+ 
+ static const OPT_PAIR ecdh_choices[] = {
+-    {"ecdhp160", R_EC_P160},
+-    {"ecdhp192", R_EC_P192},
+     {"ecdhp224", R_EC_P224},
+     {"ecdhp256", R_EC_P256},
+     {"ecdhp384", R_EC_P384},
+     {"ecdhp521", R_EC_P521},
+-    {"ecdhk163", R_EC_K163},
+-    {"ecdhk233", R_EC_K233},
+-    {"ecdhk283", R_EC_K283},
+-    {"ecdhk409", R_EC_K409},
+-    {"ecdhk571", R_EC_K571},
+-    {"ecdhb163", R_EC_B163},
+-    {"ecdhb233", R_EC_B233},
+-    {"ecdhb283", R_EC_B283},
+-    {"ecdhb409", R_EC_B409},
+-    {"ecdhb571", R_EC_B571},
+-    {"ecdhbrp256r1", R_EC_BRP256R1},
+-    {"ecdhbrp256t1", R_EC_BRP256T1},
+-    {"ecdhbrp384r1", R_EC_BRP384R1},
+-    {"ecdhbrp384t1", R_EC_BRP384T1},
+-    {"ecdhbrp512r1", R_EC_BRP512R1},
+-    {"ecdhbrp512t1", R_EC_BRP512T1},
+     {"ecdhx25519", R_EC_X25519},
+     {"ecdhx448", R_EC_X448}
+ };
+@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
+         unsigned int bits;
+     } test_curves[] = {
+         /* Prime Curves */
+-        {"secp160r1", NID_secp160r1, 160},
+-        {"nistp192", NID_X9_62_prime192v1, 192},
+         {"nistp224", NID_secp224r1, 224},
+         {"nistp256", NID_X9_62_prime256v1, 256},
+         {"nistp384", NID_secp384r1, 384},
+         {"nistp521", NID_secp521r1, 521},
+-        /* Binary Curves */
+-        {"nistk163", NID_sect163k1, 163},
+-        {"nistk233", NID_sect233k1, 233},
+-        {"nistk283", NID_sect283k1, 283},
+-        {"nistk409", NID_sect409k1, 409},
+-        {"nistk571", NID_sect571k1, 571},
+-        {"nistb163", NID_sect163r2, 163},
+-        {"nistb233", NID_sect233r1, 233},
+-        {"nistb283", NID_sect283r1, 283},
+-        {"nistb409", NID_sect409r1, 409},
+-        {"nistb571", NID_sect571r1, 571},
+-        {"brainpoolP256r1", NID_brainpoolP256r1, 256},
+-        {"brainpoolP256t1", NID_brainpoolP256t1, 256},
+-        {"brainpoolP384r1", NID_brainpoolP384r1, 384},
+-        {"brainpoolP384t1", NID_brainpoolP384t1, 384},
+-        {"brainpoolP512r1", NID_brainpoolP512r1, 512},
+-        {"brainpoolP512t1", NID_brainpoolP512t1, 512},
+         /* Other and ECDH only ones */
+         {"X25519", NID_X25519, 253},
+         {"X448", NID_X448, 448}
+@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
+ #  endif
+ 
+ #  ifndef OPENSSL_NO_EC
+-    ecdsa_c[R_EC_P160][0] = count / 1000;
+-    ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
+-    for (i = R_EC_P192; i <= R_EC_P521; i++) {
++    ecdsa_c[R_EC_P224][0] = count / 1000;
++    ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
++    for (i = R_EC_P256; i <= R_EC_P521; i++) {
+         ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
+         ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
+         if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
+@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
++#if 0
+     ecdsa_c[R_EC_K163][0] = count / 1000;
+     ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
+     for (i = R_EC_K233; i <= R_EC_K571; i++) {
+@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
+-
+-    ecdh_c[R_EC_P160][0] = count / 1000;
+-    for (i = R_EC_P192; i <= R_EC_P521; i++) {
++#endif
++    ecdh_c[R_EC_P224][0] = count / 1000;
++    for (i = R_EC_P256; i <= R_EC_P521; i++) {
+         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
+         if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
+             ecdh_doit[i] = 0;
+@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
++#if 0
+     ecdh_c[R_EC_K163][0] = count / 1000;
+     for (i = R_EC_K233; i <= R_EC_K571; i++) {
+         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
+@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
++#endif
+     /* default iteration count for the last two EC Curves */
+     ecdh_c[R_EC_X25519][0] = count / 1800;
+     ecdh_c[R_EC_X448][0] = count / 7200;
+--- a/crypto/ec/ecp_smpl.c
++++ b/crypto/ec/ecp_smpl.c
+@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group,
+         return 0;
+     }
+ 
++    if (BN_num_bits(p) < 224) {
++        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
++        return 0;
++    }
++
+     if (ctx == NULL) {
+         ctx = new_ctx = BN_CTX_new();
+         if (ctx == NULL)
+--- a/test/ecdsatest.c
++++ b/test/ecdsatest.c
+@@ -176,6 +176,7 @@ static int x9_62_tests(void)
+     if (!change_rand())
+         goto x962_err;
+ 
++#if 0
+     if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1,
+                  "3342403536405981729393488334694600415596881826869351677613",
+                  "5735822328888155254683894997897571951568553642892029982342")))
+@@ -186,6 +187,7 @@ static int x9_62_tests(void)
+                  "3238135532097973577080787768312505059318910517550078427819"
+                              "78505179448783")))
+         goto x962_err;
++#endif
+ 
+ # ifndef OPENSSL_NO_EC2M
+     if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1,
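
Review bot: The BN_num_bits(p) < 224 check added to ec_GFp_simple_group_set_curve() in crypto/ec/ecp_smpl.c is the only place this patch enforces the curve restriction inside the library, and 224 is an uncommented magic number. A short comment should say that 224 bits is the smallest prime field the hobbled build keeps, so the value stays in step with the R_EC_P224 to R_EC_P521 list in apps/speed.c. The check sits in the GFp code path only, so binary-field curves are not rejected by anything in this patch and still depend on the ec2m configure switch. The "#if 0" blocks in apps/speed.c and test/ecdsatest.c should each carry a one-line reason, otherwise the next rebase cannot tell deliberate removals from leftovers.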

diff --git a/dev-libs/openssl/openssl-1.1.1b.ebuild b/dev-libs/openssl/openssl-1.1.1b-r1.ebuild
similarity index 97%
rename from dev-libs/openssl/openssl-1.1.1b.ebuild
rename to dev-libs/openssl/openssl-1.1.1b-r1.ebuild
index ad888b7d6a6..5e05c9dcab0 100644
--- a/dev-libs/openssl/openssl-1.1.1b.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1b-r1.ebuild
@@ -64,12 +64,18 @@ src_prepare() {
 		for i in "${FEDORA_SOURCE[@]}" ; do
 			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
 		done
+
 		# .spec %prep
 		bash "${WORKDIR}"/"${SOURCE1}" || die
 		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
 		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
 		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
+			if [[ "${i}" == "${PATCH37}" ]] ; then
+				# apply our own for OpenSSL 1.1.1b adjusted version of this patch
+				eapply "${FILESDIR}"/openssl-1.1.1b-ec-curves-patch.patch
+			else
+				eapply "${DISTDIR}"/"${i}"
+			fi
 		done
 		# Also see the configure parts below:
 		# enable-ec \
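
Review bot: The new [[ "${i}" == "${PATCH37}" ]] branch leaves ${PATCH37} in FEDORA_PATCH while never applying the Fedora copy. Where FEDORA_PATCH holds only ${PATCH37} and also feeds FEDORA_SRC_URI, as in the 1.1.1b-r2 ebuild later in this thread, the else branch is unreachable and the Fedora file is still fetched for USE=bindist without being used. Dropping the entry from FEDORA_PATCH and applying the local patch directly would be simpler. The hard-coded name openssl-1.1.1b-ec-curves-patch.patch could be written ${P}-ec-curves-patch.patch, matching the ${P}-CVE-2019-1543.patch form used in the r2 ebuild, and the comment reads better as "apply our own version of this patch, adjusted for OpenSSL 1.1.1b".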



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2019-03-06 16:56 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2019-03-06 16:56 UTC (permalink / raw
  To: gentoo-commits

commit:     402e35c0c3cfbd46457cad5983c217ea8de6fe8e
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Mar  6 16:55:03 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Mar  6 16:55:03 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=402e35c0

dev-libs/openssl: add patch for CVE-2019-1543

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 .../files/openssl-1.1.1b-CVE-2019-1543.patch       |  66 +++++
 dev-libs/openssl/openssl-1.1.0j-r1.ebuild          | 299 +++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.1b-r2.ebuild          | 299 +++++++++++++++++++++
 3 files changed, 664 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
new file mode 100644
index 00000000000..4d478c484c9
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
@@ -0,0 +1,66 @@
+From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Mar 2019 14:39:15 +0000
+Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305
+
+ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
+every encryption operation. RFC 7539 specifies that the nonce value (IV)
+should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
+front pads the nonce with 0 bytes if it is less than 12 bytes. However it
+also incorrectly allows a nonce to be set of up to 16 bytes. In this case
+only the last 12 bytes are significant and any additional leading bytes are
+ignored.
+
+It is a requirement of using this cipher that nonce values are unique.
+Messages encrypted using a reused nonce value are susceptible to serious
+confidentiality and integrity attacks. If an application changes the
+default nonce length to be longer than 12 bytes and then makes a change to
+the leading bytes of the nonce expecting the new value to be a new unique
+nonce then such an application could inadvertently encrypt messages with a
+reused nonce.
+
+Additionally the ignored bytes in a long nonce are not covered by the
+integrity guarantee of this cipher. Any application that relies on the
+integrity of these ignored leading bytes of a long nonce may be further
+affected.
+
+Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
+because no such use sets such a long nonce value. However user
+applications that use this cipher directly and set a non-default nonce
+length to be longer than 12 bytes may be vulnerable.
+
+CVE-2019-1543
+
+Fixes #8345
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/8406)
+
+(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
+---
+ crypto/evp/e_chacha20_poly1305.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
+index c1917bb86a6..d3e2c622a1b 100644
+--- a/crypto/evp/e_chacha20_poly1305.c
++++ b/crypto/evp/e_chacha20_poly1305.c
+@@ -30,6 +30,8 @@ typedef struct {
+ 
+ #define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
+ 
++#define CHACHA20_POLY1305_MAX_IVLEN     12
++
+ static int chacha_init_key(EVP_CIPHER_CTX *ctx,
+                            const unsigned char user_key[CHACHA_KEY_SIZE],
+                            const unsigned char iv[CHACHA_CTR_SIZE], int enc)
+@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+         return 1;
+ 
+     case EVP_CTRL_AEAD_SET_IVLEN:
+-        if (arg <= 0 || arg > CHACHA_CTR_SIZE)
++        if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
+             return 0;
+         actx->nonce_len = arg;
+         return 1;
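
Review bot: The tightened bound in the EVP_CTRL_AEAD_SET_IVLEN case has no accompanying test: the diffstat lists crypto/evp/e_chacha20_poly1305.c as the only file changed, so nothing asserts that lengths 13 to 16 are now refused. A regression test that sets each of those lengths and expects the ctrl call to return 0 would keep the limit from drifting back to CHACHA_CTR_SIZE. The check still accepts any length from 1 to 12, and the commit message says shorter nonces are front-padded with zero bytes, so a caller that mixes nonce lengths can still arrive at the same 12-byte value from different inputs; that deserves a comment next to CHACHA20_POLY1305_MAX_IVLEN. Callers that previously set a longer length now get a failure from this ctrl and need to check its return value.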

diff --git a/dev-libs/openssl/openssl-1.1.0j-r1.ebuild b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
new file mode 100644
index 00000000000..b21a33a9e0f
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
@@ -0,0 +1,299 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+# This does not copy the entire Fedora patchset, but JUST the parts that
+# are needed to make it safe to use EC with RESTRICT=bindist.
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
+SOURCE1=hobble-openssl
+SOURCE12=ec_curve.c
+SOURCE13=ectest.c
+PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
+PATCH37=openssl-1.1.0-ec-curves.patch
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
+FEDORA_GIT_BRANCH='f28'
+FEDORA_GIT_COMMIT="d2ede125556ac99aa0faa7744c703af3f559094e"
+FEDORA_SRC_URI=()
+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
+FEDORA_PATCH=( $PATCH1 $PATCH37 )
+for i in "${FEDORA_SOURCE[@]}" ; do
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH}&id=${FEDORA_GIT_COMMIT} -> ${P}_${FEDORA_GIT_COMMIT}_${i}" )
+done
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH}&id=${FEDORA_GIT_COMMIT} -> ${i%.patch}_${FEDORA_GIT_COMMIT}.patch" )
+done
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+	"${FILESDIR}"/${PN}-1.1.1b-CVE-2019-1543.patch
+)
+
+src_prepare() {
+	if use bindist; then
+		# we need to patch the patch but we cannot patch in DISTDIR...
+		mkdir "${WORKDIR}"/fedora_patches || die
+		for i in "${FEDORA_PATCH[@]}" ; do
+			cp "${DISTDIR}"/"${i%.patch}_${FEDORA_GIT_COMMIT}.patch" "${WORKDIR}"/fedora_patches || die
+		done
+
+		# now patch the path, due to OpenSSL change cb193560e0da17a41b40ce574a2349f1d4d59ed1
+		sed -i -e 's#test/evptests.txt#test/recipes/30-test_evp_data/evppkey.txt#g' \
+			"${WORKDIR}"/fedora_patches/openssl-1.1.0-build_d2ede125556ac99aa0faa7744c703af3f559094e.patch || \
+			die
+
+		# This just removes the prefix, and puts it into WORKDIR like the RPM.
+		for i in "${FEDORA_SOURCE[@]}" ; do
+			cp -f "${DISTDIR}"/"${P}_${FEDORA_GIT_COMMIT}_${i}" "${WORKDIR}"/"${i}" || die
+		done
+		# .spec %prep
+		bash "${WORKDIR}"/"${SOURCE1}" || die
+		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
+		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
+		for i in "${FEDORA_PATCH[@]}" ; do
+			#eapply "${DISTDIR}"/"${i%.patch}_${FEDORA_GIT_COMMIT}.patch"
+			eapply "${WORKDIR}/fedora_patches/${i%.patch}_${FEDORA_GIT_COMMIT}.patch"
+		done
+		# Also see the configure parts below:
+		# enable-ec \
+		# $(use_ssl !bindist ec2m) \
+
+	fi
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		eapply "${PATCHES[@]}"
+	fi
+
+	eapply_user #332661
+
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	# Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# show the actual commands in the log
+	sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	# Prefixify Configure shebang (#141906)
+	sed \
+		-e "1s,/usr/bin/env,${EPREFIX}&," \
+		-i Configure || die
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# Fedora hobbled-EC needs 'no-ec2m'
+	# 'srp' was restricted until early 2017 as well.
+	# "disable-deprecated" option breaks too many consumers.
+	# Don't set it without thorough revdeps testing.
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		enable-ec \
+		$(use_ssl !bindist ec2m) \
+		enable-srp \
+		$(use elibc_musl && echo "no-async") \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		$(use_ssl asm) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	# Fix quoting for sed
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+		-e 's:\\:\\\\:g' \
+	)
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED%/}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED%/}"/usr/share/man || die
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			# We don't want to "|| die" here
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
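
Review bot: In src_prepare(), eapply "${PATCHES[@]}" sits inside "if ! use vanilla", and PATCHES is where ${PN}-1.1.1b-CVE-2019-1543.patch is listed, so a USE=vanilla build is installed without the CVE-2019-1543 fix. Either apply the security patch outside the vanilla guard or state in the ebuild that vanilla drops it. Also in src_prepare(), the sed target hard-codes openssl-1.1.0-build_d2ede125556ac99aa0faa7744c703af3f559094e.patch; writing it as "${PATCH1%.patch}_${FEDORA_GIT_COMMIT}.patch" would follow FEDORA_GIT_COMMIT when it is bumped. The local krb5 assignment in multilib_src_configure() is not used anywhere in the lines shown and can go.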

diff --git a/dev-libs/openssl/openssl-1.1.1b-r2.ebuild b/dev-libs/openssl/openssl-1.1.1b-r2.ebuild
new file mode 100644
index 00000000000..98e70d05803
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1b-r2.ebuild
@@ -0,0 +1,299 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+[[ "${PV}" = *_pre* ]] || \
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+	"${FILESDIR}"/${P}-CVE-2019-1543.patch
+)
+
+# This does not copy the entire Fedora patchset, but JUST the parts that
+# are needed to make it safe to use EC with RESTRICT=bindist.
+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
+SOURCE1=hobble-openssl
+SOURCE12=ec_curve.c
+SOURCE13=ectest.c
+PATCH37=openssl-1.1.1-ec-curves.patch
+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
+FEDORA_GIT_BRANCH='f29'
+FEDORA_SRC_URI=()
+FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
+FEDORA_PATCH=( ${PATCH37} )
+for i in "${FEDORA_SOURCE[@]}" ; do
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
+done
+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
+done
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+	if use bindist; then
+		# This just removes the prefix, and puts it into WORKDIR like the RPM.
+		for i in "${FEDORA_SOURCE[@]}" ; do
+			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
+		done
+
+		# .spec %prep
+		bash "${WORKDIR}"/"${SOURCE1}" || die
+		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
+		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
+		for i in "${FEDORA_PATCH[@]}" ; do
+			if [[ "${i}" == "${PATCH37}" ]] ; then
+				# apply our own for OpenSSL 1.1.1b adjusted version of this patch
+				eapply "${FILESDIR}"/openssl-1.1.1b-ec-curves-patch.patch
+			else
+				eapply "${DISTDIR}"/"${i}"
+			fi
+		done
+		# Also see the configure parts below:
+		# enable-ec \
+		# $(use_ssl !bindist ec2m) \
+
+	fi
+
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
+			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
+		fi
+	fi
+
+	eapply_user #332661
+
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	# Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	# Prefixify Configure shebang (#141906)
+	sed \
+		-e "1s,/usr/bin/env,${EPREFIX%/}&," \
+		-i Configure || die
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# Fedora hobbled-EC needs 'no-ec2m'
+	# 'srp' was restricted until early 2017 as well.
+	# "disable-deprecated" option breaks too many consumers.
+	# Don't set it without thorough revdeps testing.
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		enable-ec \
+		$(use_ssl !bindist ec2m) \
+		enable-srp \
+		$(use elibc_musl && echo "no-async") \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		$(use_ssl sslv3 ssl3) \
+		$(use_ssl sslv3 ssl3-method) \
+		$(use_ssl asm) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX%/}"/usr \
+		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	# Fix quoting for sed
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+		-e 's:\\:\\\\:g' \
+	)
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	# We need to create $ED/usr on our own to avoid a race condition #665130
+	if [[ ! -d "${ED%/}/usr" ]]; then
+		# We can only create this directory once
+		mkdir "${ED%/}"/usr || die
+	fi
+
+	emake DESTDIR="${D%/}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED%/}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED%/}"/usr/share/man || die
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			# We don't want to "|| die" here
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
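
Review bot: In multilib_src_install_all the closing check, [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(", runs after the loop has finished, so ${d} holds only the directory of the last man page processed and dangling links in every other man section go unnoticed. Run that check against the man root (find -L . -type l) instead. In the same loop, mv ${d}/{,ssl-}${m} and the first ln -s have no "|| die", and the "Fix quoting for sed" step in multilib_src_configure escapes only backslashes, so an "&" or "|" in the flags would still corrupt the Makefile substitution.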



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2019-06-14 17:46 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2019-06-14 17:46 UTC (permalink / raw
  To: gentoo-commits

commit:     01e98e158d3cb02427d8a73678b56b83c5285843
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Tue May 28 19:00:54 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Jun 14 17:46:34 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01e98e15

dev-libs/openssl: Remove compat slots (moved to *-compat)

Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
Bug: https://bugs.gentoo.org/687984
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   1 -
 dev-libs/openssl/files/gentoo.config-0.9.8         | 144 ------------
 .../openssl/files/openssl-0.9.8e-bsd-sparc64.patch |  25 ---
 .../openssl/files/openssl-0.9.8h-ldflags.patch     |  29 ---
 .../openssl/files/openssl-0.9.8m-binutils.patch    |  24 --
 .../files/openssl-0.9.8z_p8-perl-5.26.patch        |  13 --
 dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild       | 163 --------------
 dev-libs/openssl/openssl-1.0.2r-r200.ebuild        | 248 ---------------------
 8 files changed, 647 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 26e97789fde..ae40847f77d 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,4 +1,3 @@
-DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2r.tar.gz 5348369 BLAKE2B 9f9c2d2fe6eaf9acacab29b394a318f30c38e831a5f9c193b2da660f9d04acbf407d8b752274783765416c0f5ba557c24ee293ad7fb7d727771db289e6acc901 SHA512 6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235
 DIST openssl-1.0.2r_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
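
Review bot: Only the openssl-0.9.8zh.tar.gz entry is dropped here, although the same patch also deletes openssl-1.0.2r-r200.ebuild. Confirm that the openssl-1.0.2-patches-1.5 and openssl-1.0.2r DIST lines kept as context are still fetched by a remaining ebuild; an entry no ebuild references is a checksum nobody verifies any more and should go in the same commit.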

diff --git a/dev-libs/openssl/files/gentoo.config-0.9.8 b/dev-libs/openssl/files/gentoo.config-0.9.8
deleted file mode 100644
index 02698250c19..00000000000
--- a/dev-libs/openssl/files/gentoo.config-0.9.8
+++ /dev/null
@@ -1,144 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 1999-2009 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# Openssl doesn't play along nicely with cross-compiling
-# like autotools based projects, so let's teach it new tricks.
-#
-# Review the bundled 'config' script to see why kind of targets
-# we can pass to the 'Configure' script.
-
-
-# Testing routines
-if [[ $1 == "test" ]] ; then
-	for c in \
-		"arm-gentoo-linux-uclibc      |linux-generic32 -DL_ENDIAN" \
-		"armv5b-linux-gnu             |linux-generic32 -DB_ENDIAN" \
-		"x86_64-pc-linux-gnu          |linux-x86_64" \
-		"alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
-		"i686-pc-linux-gnu            |linux-elf" \
-		"whatever-gentoo-freebsdX.Y   |BSD-generic32" \
-		"i686-gentoo-freebsdX.Y       |BSD-x86-elf" \
-		"sparc64-alpha-freebsdX.Y     |BSD-sparc64" \
-		"ia64-gentoo-freebsd5.99234   |BSD-ia64" \
-		"x86_64-gentoo-freebsdX.Y     |BSD-x86_64" \
-		"hppa64-aldsF-linux-gnu5.3    |linux-generic32 -DB_ENDIAN" \
-		"powerpc-gentOO-linux-uclibc  |linux-ppc" \
-		"powerpc64-unk-linux-gnu      |linux-ppc64" \
-		"x86_64-apple-darwinX         |darwin64-x86_64-cc" \
-		"powerpc64-apple-darwinX      |darwin64-ppc-cc" \
-		"i686-apple-darwinX           |darwin-i386-cc" \
-		"i386-apple-darwinX           |darwin-i386-cc" \
-		"powerpc-apple-darwinX        |darwin-ppc-cc" \
-		"i586-pc-winnt                |winnt-parity" \
-	;do
-		CHOST=${c/|*}
-		ret_want=${c/*|}
-		ret_got=$(CHOST=${CHOST} "$0")
-
-		if [[ ${ret_want} == "${ret_got}" ]] ; then
-			echo "PASS: ${CHOST}"
-		else
-			echo "FAIL: ${CHOST}"
-			echo -e "\twanted: ${ret_want}"
-			echo -e "\twe got: ${ret_got}"
-		fi
-	done
-	exit 0
-fi
-[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
-
-
-# Detect the operating system
-case ${CHOST} in
-	*-aix*)      system="aix";;
-	*-darwin*)   system="darwin";;
-	*-freebsd*)  system="BSD";;
-	*-hpux*)     system="hpux";;
-	*-linux*)    system="linux";;
-	*-solaris*)  system="solaris";;
-	*-winnt*)    system="winnt";;
-	*)           exit 0;;
-esac
-
-
-# Compiler munging
-compiler="gcc"
-if [[ ${CC} == "ccc" ]] ; then
-	compiler=${CC}
-fi
-
-
-# Detect target arch
-machine=""
-chost_machine=${CHOST%%-*}
-case ${system} in
-linux)
-	case ${chost_machine} in
-		alphaev56*)   machine=alpha+bwx-${compiler};;
-		alphaev[678]*)machine=alpha+bwx-${compiler};;
-		alpha*)       machine=alpha-${compiler};;
-		arm*b*)       machine="generic32 -DB_ENDIAN";;
-		arm*)         machine="generic32 -DL_ENDIAN";;
-	#	hppa64*)      machine=parisc64;;
-		hppa*)        machine="generic32 -DB_ENDIAN";;
-		i[0-9]86*)    machine=elf;;
-		ia64*)        machine=ia64;;
-		m68*)         machine="generic32 -DB_ENDIAN";;
-		mips*el*)     machine="generic32 -DL_ENDIAN";;
-		mips*)        machine="generic32 -DB_ENDIAN";;
-		powerpc64*)   machine=ppc64;;
-		powerpc*)     machine=ppc;;
-	#	sh64*)        machine=elf;;
-		sh*b*)        machine="generic32 -DB_ENDIAN";;
-		sh*)          machine="generic32 -DL_ENDIAN";;
-		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
-		sparc64*)     machine=sparcv9;;
-		sparc*)       machine=sparcv8;;
-		s390x*)       machine="generic64 -DB_ENDIAN";;
-		s390*)        machine="generic32 -DB_ENDIAN";;
-		x86_64*)      machine=x86_64;;
-	esac
-	;;
-BSD)
-	case ${chost_machine} in
-		alpha*)       machine=generic64;;
-		i[6-9]86*)    machine=x86-elf;;
-		ia64*)        machine=ia64;;
-		sparc64*)     machine=sparc64;;
-		x86_64*)      machine=x86_64;;
-		*)            machine=generic32;;
-	esac
-	;;
-aix)
-	machine=${compiler}
-	;;
-darwin)
-	case ${chost_machine} in
-		powerpc64)    machine=ppc-cc; system=${system}64;;
-		powerpc)      machine=ppc-cc;;
-		i?86*)        machine=i386-cc;;
-		x86_64)       machine=x86_64-cc; system=${system}64;;
-	esac
-	;;
-hpux)
-	case ${chost_machine} in
-		ia64)	machine=ia64-${compiler} ;;
-	esac
-	;;
-solaris)
-	case ${chost_machine} in
-		i386)         machine=x86-${compiler} ;;
-		x86_64*)      machine=x86_64-${compiler}; system=${system}64;;
-		sparcv9*)     machine=sparcv9-${compiler}; system=${system}64;;
-		sparc*)       machine=sparcv8-${compiler};;
-	esac
-	;;
-winnt)
-	machine=parity
-	;;
-esac
-
-
-# If we have something, show it
-[[ -n ${machine} ]] && echo ${system}-${machine}

diff --git a/dev-libs/openssl/files/openssl-0.9.8e-bsd-sparc64.patch b/dev-libs/openssl/files/openssl-0.9.8e-bsd-sparc64.patch
deleted file mode 100644
index a798164a906..00000000000
--- a/dev-libs/openssl/files/openssl-0.9.8e-bsd-sparc64.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -365,7 +365,7 @@
- # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
- # simply *happens* to work around a compiler bug in gcc 3.3.3,
- # triggered by RIPEMD160 code.
--"BSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:::des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"BSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:ULTRASPARC::SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:::des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "BSD-ia64",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "BSD-x86_64",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- 
-
-the -B flag is a no-op nowadays
-
---- a/crypto/des/Makefile
-+++ b/crypto/des/Makefile
-@@ -62,7 +62,7 @@
- 	$(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB)
- 
- des_enc-sparc.S:	asm/des_enc.m4
--	m4 -B 8192 asm/des_enc.m4 > des_enc-sparc.S
-+	m4 asm/des_enc.m4 > des_enc-sparc.S
- 
- # ELF
- dx86-elf.s:	asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl

diff --git a/dev-libs/openssl/files/openssl-0.9.8h-ldflags.patch b/dev-libs/openssl/files/openssl-0.9.8h-ldflags.patch
deleted file mode 100644
index 64cc7bde050..00000000000
--- a/dev-libs/openssl/files/openssl-0.9.8h-ldflags.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-http://bugs.gentoo.org/181438
-http://bugs.gentoo.org/327421
-https://rt.openssl.org/Ticket/Display.html?id=3332&user=guest&pass=guest
-
-make sure we respect LDFLAGS
-
-also make sure we don't add useless -rpath flags to the system libdir
-
---- openssl-0.9.8h/Makefile.org
-+++ openssl-0.9.8h/Makefile.org
-@@ -180,6 +181,7 @@
- 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \
- 		DEPFLAG='-DOPENSSL_NO_DEPRECATED ${DEPFLAG}'	\
- 		MAKEDEPPROG='${MAKEDEPPROG}'			\
-+		LDFLAGS='${LDFLAGS}'		\
- 		SHARED_LDFLAGS='${SHARED_LDFLAGS}'		\
- 		KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}'	\
- 		EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}'	\
---- openssl-0.9.8h/Makefile.shared
-+++ openssl-0.9.8h/Makefile.shared
-@@ -153,7 +153,7 @@
- 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
- 
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(LDFLAGS) $(CFLAGS)"
- 
- #This is rather special.  It's a special target with which one can link
- #applications without bothering with any features that have anything to

diff --git a/dev-libs/openssl/files/openssl-0.9.8m-binutils.patch b/dev-libs/openssl/files/openssl-0.9.8m-binutils.patch
deleted file mode 100644
index 9fa79b9a65f..00000000000
--- a/dev-libs/openssl/files/openssl-0.9.8m-binutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-http://bugs.gentoo.org/289130
-
-Ripped from Fedora
-
---- openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils	2009-11-12 15:17:29.000000000 +0100
-+++ openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl	2009-11-12 17:24:18.000000000 +0100
-@@ -150,7 +150,7 @@ ___
- sub BODY_20_39 {
- my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
--my $K=($i<40)?0x6ed9eba1:0xca62c1d6;
-+my $K=($i<40)?0x6ed9eba1:-0x359d3e2a;
- $code.=<<___ if ($i<79);
- 	lea	$K($xi,$e),$f
- 	mov	`4*($j%16)`(%rsp),$xi
-@@ -187,7 +187,7 @@ sub BODY_40_59 {
- my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
- $code.=<<___;
--	lea	0x8f1bbcdc($xi,$e),$f
-+	lea	-0x70e44324($xi,$e),$f
- 	mov	`4*($j%16)`(%rsp),$xi
- 	mov	$b,$t0
- 	mov	$b,$t1

diff --git a/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch b/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch
deleted file mode 100644
index c932b820425..00000000000
--- a/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-https://bugs.gentoo.org/639876
-
---- a/crypto/des/asm/des-586.pl
-+++ b/crypto/des/asm/des-586.pl
-@@ -4,7 +4,7 @@
- # Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
- #
- 
--push(@INC,"perlasm","../../perlasm");
-+push(@INC,".","perlasm","../../perlasm");
- require "x86asm.pl";
- require "cbc.pl";
- require "desboth.pl";
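
Review bot: push(@INC,".","perlasm","../../perlasm") puts the current working directory back on Perl's module search path, which Perl 5.26 removed from the default @INC because it lets a file in the working directory shadow a module. Appending with push keeps "." last in the search order, which limits the exposure, but the copy carried into the -compat package would be tighter if it named the script's own directory (for example via FindBin) instead of ".".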

diff --git a/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild b/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild
deleted file mode 100644
index c64a38b4f3a..00000000000
--- a/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild
+++ /dev/null
@@ -1,163 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat
-
-EAPI="6"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-#PLEVEL=$(printf "\\$(printf '%03o' $((${PV##*_p} + 96)))")
-PLEVEL='h' # _p8 -> tr '[1-9]' '[a-i]' -> 'h'
-MY_PV=${PV/_p*/${PLEVEL}}
-MY_P=${PN}-${MY_PV}
-S="${WORKDIR}/${MY_P}"
-DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
-
-LICENSE="openssl"
-SLOT="0.9.8"
-KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~x86-fbsd"
-IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	!=dev-libs/openssl-0.9.8*:0"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-
-# Do not install any docs
-DOCS=()
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
-	"${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
-	"${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
-	"${FILESDIR}"/${PN}-0.9.8z_p8-perl-5.26.patch
-)
-
-src_prepare() {
-	default
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
-		Makefile{,.org} \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared || die
-	# update the enginedir path.
-	# punt broken config we don't care about as it fails sanity check.
-	sed -i \
-		-e '/^"debug-ben-debug-64"/d' \
-		-e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
-		Configure || die
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags -Wa,--noexecstack
-
-	sed -i '1s,^:$,#!/usr/bin/perl,' Configure || die #141906
-	sed -i '/^"debug-bodo/d' Configure || die # 0.9.8za shipped broken
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-
-	tc-export CC AR RANLIB
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      5,724,428 03/03/2015    https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		$(use_ssl !bindist ec) \
-		enable-idea \
-		enable-mdc2 \
-		$(use_ssl !bindist rc5) \
-		enable-tlsext \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl zlib) \
-		--prefix=/usr \
-		--openssldir=/etc/ssl \
-		shared threads \
-		|| die "Configure failed"
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^LIBDIR=/s|=.*|=$(get_libdir)|" \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts
-	emake -j1 depend
-	emake -j1 build_libs
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	dolib.so lib{crypto,ssl}.so.0.9.8
-}
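
Review bot: The configure call still gates RC5 on bindist with $(use_ssl !bindist rc5), although the comment table above it gives the RC5 patent date as 03/03/2015, and the 1.0.2r-r200 ebuild removed in this same patch marks RC5 as Expired and passes enable-rc5 unconditionally. If this ebuild is carried into the -compat package unchanged, align the two. The unquoted $(has noman FEATURES ...) substitution handed to sed -e in src_prepare should also be quoted so it cannot word-split.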

diff --git a/dev-libs/openssl/openssl-1.0.2r-r200.ebuild b/dev-libs/openssl/openssl-1.0.2r-r200.ebuild
deleted file mode 100644
index 44b9547d141..00000000000
--- a/dev-libs/openssl/openssl-1.0.2r-r200.ebuild
+++ /dev/null
@@ -1,248 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
-
-# openssl-1.0.2-patches-1.6 contain additional CVE patches
-# which got fixed with this release.
-# Please use 1.7 version number when rolling a new tarball!
-PATCH_SET="openssl-1.0.2-patches-1.5"
-MY_P=${P/_/-}
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	!vanilla? (
-		mirror://gentoo/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
-		https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
-	)"
-
-LICENSE="openssl"
-SLOT="1.0.0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
-	!=dev-libs/openssl-1.0.2*:0"
-DEPEND="${RDEPEND}
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-	)"
-
-RESTRICT="test"
-
-# Do not install any docs
-DOCS=()
-
-# This does not copy the entire Fedora patchset, but JUST the parts that
-# are needed to make it safe to use EC with RESTRICT=bindist.
-# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
-SOURCE1=hobble-openssl
-SOURCE12=ec_curve.c
-SOURCE13=ectest.c
-# These are ported instead
-#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
-#PATCH37=openssl-1.1.0-ec-curves.patch
-FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
-FEDORA_GIT_BRANCH='f25'
-FEDORA_SRC_URI=()
-FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
-FEDORA_PATCH=( $PATCH1 $PATCH37 )
-for i in "${FEDORA_SOURCE[@]}" ; do
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
-done
-for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
-	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
-done
-SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
-
-S="${WORKDIR}/${MY_P}"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-src_prepare() {
-	if use bindist; then
-		# This just removes the prefix, and puts it into WORKDIR like the RPM.
-		for i in "${FEDORA_SOURCE[@]}" ; do
-			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
-		done
-		# .spec %prep
-		bash "${WORKDIR}"/"${SOURCE1}" || die
-		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
-		for i in "${FEDORA_PATCH[@]}" ; do
-			eapply "${DISTDIR}"/"${i}"
-		done
-		eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-		# $(use_ssl !bindist srp) \
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		eapply "${WORKDIR}"/patch/*.patch
-	fi
-
-	eapply_user
-
-	# disable fips in the build
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	sed -i \
-		-e '/DIRS/s: fips : :g' \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
-		Makefile.org \
-		|| die
-	# show the actual commands in the log
-	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
-
-	# since we're forcing $(CC) as makedep anyway, just fix
-	# the conditional as always-on
-	# helps clang (#417795), and versioned gcc (#499818)
-	# this breaks build with 1.0.2p, not sure if it is needed anymore
-	#sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	# https://github.com/openssl/openssl/issues/2286
-	if use ia64 ; then
-		replace-flags -g3 -g2
-		replace-flags -ggdb3 -ggdb2
-	fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
-	echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		$(use_ssl !bindist srp) \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		enable-tlsext \
-		$(use_ssl asm) \
-		$(use_ssl gmp gmp -lgmp) \
-		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl sslv2 ssl2) \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX%/}"/usr \
-		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAG=::' \
-		-e 's:-fomit-frame-pointer ::g' \
-		-e 's:-O[0-9] ::g' \
-		-e 's:-march=[-a-z0-9]* ::g' \
-		-e 's:-mcpu=[-a-z0-9]* ::g' \
-		-e 's:-m[a-z0-9]* ::g' \
-	)
-	sed -i \
-		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
-		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 V=1 depend
-	emake build_libs
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	dolib.so lib{crypto,ssl}.so.${SLOT}
-}
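
Review bot: RESTRICT is assigned twice, first RESTRICT="!bindist? ( bindist )" after IUSE and then RESTRICT="test" after DEPEND, and the second plain assignment replaces the first, so the bindist restriction is silently lost. The copy that lives on in the -compat package should use RESTRICT+=" test" or one combined assignment. The header comment also talks about patches-1.6 and 1.7 while PATCH_SET is openssl-1.0.2-patches-1.5, and the sed -i calls on Makefile.shared and Configure in src_prepare have no "|| die".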



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2019-08-23 18:10 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2019-08-23 18:10 UTC (permalink / raw
  To: gentoo-commits

commit:     2c20225928fed2fb4c7512f4655207478ada6caf
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 23 17:33:18 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Aug 23 18:10:18 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c202259

dev-libs/openssl: fix fuzz test

Package-Manager: Portage-2.3.72, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 .../openssl/files/openssl-1.1.0k-fix-test_fuzz.patch  | 19 +++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0k-r1.ebuild             |  1 +
 2 files changed, 20 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
new file mode 100644
index 00000000000..2c4cc31257c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
@@ -0,0 +1,19 @@
+Test fuzz was forgotten when
+
+   Perl: Use our own globbing wrapper rather than File::Glob::glob
+
+was backported to openssl-1.1.0 branch.
+
+Link: https://github.com/openssl/openssl/commit/b81cfa07ada850fd287d0a0c82ba280907f18ce7
+
+--- a/test/recipes/90-test_fuzz.t
++++ b/test/recipes/90-test_fuzz.t
+@@ -9,7 +9,7 @@
+ use strict;
+ use warnings;
+ 
+-use if $^O ne "VMS", 'File::Glob' => qw/glob/;
++use OpenSSL::Glob;
+ use OpenSSL::Test qw/:DEFAULT srctop_file/;
+ use OpenSSL::Test::Utils;
+ 
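
Review bot: The patch header does not say whether the linked upstream commit is the backport that missed 90-test_fuzz.t or the fix this hunk is taken from. State which one it is, and add the Gentoo bug number if there is one, so the patch can be dropped with confidence at the next version bump.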

diff --git a/dev-libs/openssl/openssl-1.1.0k-r1.ebuild b/dev-libs/openssl/openssl-1.1.0k-r1.ebuild
index 5bc111be0f8..f8ee7f73587 100644
--- a/dev-libs/openssl/openssl-1.1.0k-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0k-r1.ebuild
@@ -53,6 +53,7 @@ SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
 	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+	"${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch
 )
 
 S="${WORKDIR}/${MY_P}"
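
Review bot: The new PATCHES entry is the only one without a trailing bug reference (the two lines above it carry #542618 and #671602); add the bug number or a short comment pointing at the upstream commit. Editing the -r1 ebuild in place without a revision bump is acceptable here only because the patch touches test/recipes/90-test_fuzz.t and nothing that gets installed.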



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2019-09-11 23:30 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2019-09-11 23:30 UTC (permalink / raw
  To: gentoo-commits

commit:     4019a4b1ce71d416d04cafcb76d6be4719e8ecbd
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 11 23:19:30 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Sep 11 23:29:57 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4019a4b1

dev-libs/openssl: bump to v1.1.0l

Package-Manager: Portage-2.3.75, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 +
 .../openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch |  30 ++
 dev-libs/openssl/openssl-1.1.0l.ebuild             | 305 +++++++++++++++++++++
 3 files changed, 337 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index c6474b63d35..fd03dd1eb9b 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -9,6 +9,8 @@ DIST openssl-1.0.2s_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d46735
 DIST openssl-1.0.2s_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
 DIST openssl-1.1.0k-bindist-1.0.tar.xz 11716 BLAKE2B c491ba0899c44dbcc63f85b255548c439c965a20a04ac2a6324a4122c4691b7c95ec18e62be6d708a7ea62ea197d32e5091987cb5043969878f89e5bc26243d4 SHA512 1d5bc9d7b24cf55d32d996e2421d43a1218b605720293f00d07814afb481387856f0dc000ad3c3e4cba2361055668cfe79a945be44ab85a249555f37e683a909
 DIST openssl-1.1.0k.tar.gz 5287321 BLAKE2B fce40a399f5a08d5fe183dfcaab11b211d982885fb9888b25fa41bdd9919ecd203fca6f573363cfb42c9a0776ae69ea50b0f144227a3f28ca0dbadf878d396bc SHA512 65f41a240a97d79504c0e1391fde8ac8692f0993437cdc35e4bc964ecc36e5ef75a62499c4c6cb4ce63f892135e06dba2d3594c8869d935554296fa3c6ccd822
+DIST openssl-1.1.0l-bindist-1.0.tar.xz 13168 BLAKE2B 1fbd1f7bdba08f14e21485175232283c2309687021a526b4a132b676d7f9429577f8f14e180fb4f59ef24bc9c06873a6936e64559a901803a3f1d21453177b50 SHA512 f664a6876a2a9c7467bbc6a436593eb21cc6be51e08408657f34b67fa69cd6bece3cc65f60220d7e41f36b359b5299adf49a59ede7f8f738d6a31e29d2a49714
+DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7 SHA512 81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad
 DIST openssl-1.1.1c-bindist-1.0.tar.xz 11964 BLAKE2B 8c5190846d13984589a150089d329bb3ecc613788b9462c6f6a1833a040e21cb9bf940140449f09fd797c0e396b0aea073237be374bd16097795b8974c3e7ce5 SHA512 249c6d8c455130b98e3be635f12f323e0cc349f1770648bad591e5de15483917185a473c162ed871a2fa05b47056931e6f12e5fdd9cecee7e6d1c246b862923b
 DIST openssl-1.1.1c.tar.gz 8864262 BLAKE2B bd157b244bedcefb8e646a743732945119b267236789ac69c38856570318aca09299bdaaea3f20294863b633e6fd4dfe124820597185b3b7461cfdf094daadb0 SHA512 8e2c5cc11c120efbb7d7850980cb6eaa782d29b4996b3f3378d37613c1679f852d7cc08a90d62e78fcec3439f06bdbee70064579a8c2adaffd91532a97f646ff
 DIST openssl-1.1.1d-bindist-1.0.tar.xz 13180 BLAKE2B 680bd7400d3dd3930067ee7efa9718b74b30afa9be2397ad80f88031920806b6603b6469beede02b6e7a742abf5f82ebdd7c9b8e69c1ffe223e4860dc9581128 SHA512 9e4296326852010d5cebc204d1a34a34198d8d65460bc91a2bd37c80be892a5ae519513e4b0109e6b51b6faab0e171ef6cdae868868c158711558d147083c06f

diff --git a/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
new file mode 100644
index 00000000000..35a435df28b
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
@@ -0,0 +1,30 @@
+From bcf6a94c4bc912ad313ea21abdf7e83bbae450e5 Mon Sep 17 00:00:00 2001
+From: Nicola Tuveri <nic.tuv@gmail.com>
+Date: Thu, 12 Sep 2019 01:57:47 +0300
+Subject: [PATCH] Fix no-ec2m in ec_curve.c (1.1.0)
+
+I made a mistake in d4a5dac9f9242c580fb9d0a4389440eccd3494a7 and
+inverted the GF2m and GFp calls in ec_point_get_affine_coordinates, this
+fixes it.
+---
+ crypto/ec/ec_curve.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
+index 2d28d7f70bb..6a58b3a23e0 100644
+--- a/crypto/ec/ec_curve.c
++++ b/crypto/ec/ec_curve.c
+@@ -3200,11 +3200,11 @@ int ec_point_get_affine_coordinates(const EC_GROUP *group,
+ 
+ #ifndef OPENSSL_NO_EC2M
+     if (field_nid == NID_X9_62_characteristic_two_field) {
+-        return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
++        return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
+     } else
+ #endif /* !def(OPENSSL_NO_EC2M) */
+     if (field_nid == NID_X9_62_prime_field) {
+-        return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
++        return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
+     } else {
+         /* this should never happen */
+         return 0;
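
Review bot: the embedded patch header gives no upstream reference apart from the commit it corrects (d4a5dac9f9242c580fb9d0a4389440eccd3494a7), it has no Reviewed-by or Merged-from line, and its Date (12 Sep 2019 01:57:47 +0300) is only about twenty minutes before this commit's AuthorDate. Record the upstream pull request or commit in the header so the file can be dropped once a release carries the corrected ec_point_get_affine_coordinates. The swap itself reads correctly: before it, the NID_X9_62_prime_field branch, which sits outside the `#ifndef OPENSSL_NO_EC2M` guard, was the one calling the GF2m getter.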

diff --git a/dev-libs/openssl/openssl-1.1.0l.ebuild b/dev-libs/openssl/openssl-1.1.0l.ebuild
new file mode 100644
index 00000000000..09b9314d05c
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0l.ebuild
@@ -0,0 +1,305 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+
+# This patch set is based on the following files from Fedora 28,
+# see https://src.fedoraproject.org/rpms/openssl/blob/f28/f/openssl.spec
+# for more details:
+# - hobble-openssl (SOURCE1)
+# - ec_curve.c (SOURCE12) -- MODIFIED
+# - ectest.c (SOURCE13)
+# - openssl-1.1.0-ec-curves.patch (PATCH37) -- MODIFIED
+BINDIST_PATCH_SET="openssl-1.1.0l-bindist-1.0.tar.xz"
+
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+	bindist? (
+		mirror://gentoo/${BINDIST_PATCH_SET}
+		https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
+	)"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+	)"
+PDEPEND="app-misc/ca-certificates"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+	"${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch
+)
+
+S="${WORKDIR}/${MY_P}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+src_prepare() {
+	if use bindist; then
+		mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
+		bash "${WORKDIR}"/hobble-openssl || die
+
+		cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
+		cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
+
+		eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
+
+		local known_failing_test
+		for known_failing_test in \
+			30-test_evp_extra.t \
+			80-test_ssl_new.t \
+		; do
+			ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
+			rm test/recipes/${known_failing_test} || die
+			eend $?
+		done
+
+		# Also see the configure parts below:
+		# enable-ec \
+		# $(use_ssl !bindist ec2m) \
+	fi
+
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
+			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
+		fi
+
+		use bindist || eapply "${FILESDIR}"/${PN}-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
+	fi
+
+	eapply_user #332661
+
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	# Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# show the actual commands in the log
+	sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	# Prefixify Configure shebang (#141906)
+	sed \
+		-e "1s,/usr/bin/env,${EPREFIX}&," \
+		-i Configure || die
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
+	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# Fedora hobbled-EC needs 'no-ec2m'
+	# 'srp' was restricted until early 2017 as well.
+	# "disable-deprecated" option breaks too many consumers.
+	# Don't set it without thorough revdeps testing.
+	# Make sure user flags don't get added *yet* to avoid duplicated
+	# flags.
+	CFLAGS= LDFLAGS= echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		enable-ec \
+		$(use_ssl !bindist ec2m) \
+		enable-srp \
+		$(use elibc_musl && echo "no-async") \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		$(use_ssl sslv3 ssl3) \
+		$(use_ssl sslv3 ssl3-method) \
+		$(use_ssl asm) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:\(^\| \)-fomit-frame-pointer::g' \
+		-e 's:\(^\| \)-O[^ ]*::g' \
+		-e 's:\(^\| \)-march=[^ ]*::g' \
+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
+		-e 's:\(^\| \)-m[^ ]*::g' \
+		-e 's:^ *::' \
+		-e 's: *$::' \
+		-e 's: \+: :g' \
+		-e 's:\\:\\\\:g'
+	)
+
+	# Now insert clean default flags with user flags
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	# We need to create $ED/usr on our own to avoid a race condition #665130
+	if [[ ! -d "${ED}/usr" ]]; then
+		# We can only create this directory once
+		mkdir "${ED}"/usr || die
+	fi
+
+	emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man || die
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			# We don't want to "|| die" here
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
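
Review bot: in src_prepare, `use bindist || eapply "${FILESDIR}"/${PN}-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch` skips the fix for exactly the USE=bindist case, which is also the only case where multilib_src_configure passes no-ec2m (`$(use_ssl !bindist ec2m)`). That is correct only if the ec_curve.c copied in from bindist-patches with `cp -f` already has the GFp and GF2m calls the right way round, so say that in a comment next to the `use bindist ||` line. The two tests deleted under USE=bindist (30-test_evp_extra.t and 80-test_ssl_new.t) should likewise get a bug reference explaining why they are known to fail.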



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2020-02-25 22:41 Matt Turner
  0 siblings, 0 replies; 52+ messages in thread
From: Matt Turner @ 2020-02-25 22:41 UTC (permalink / raw
  To: gentoo-commits

commit:     e3dec9bf2da04ace6b2e999ff779d117beb65e6e
Author:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 25 22:37:15 2020 +0000
Commit:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Tue Feb 25 22:40:42 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3dec9bf

dev-libs/openssl: Fix the build on alpha

Closes: https://bugs.gentoo.org/697840
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>

 ...sl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch | 42 ++++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.1d-r3.ebuild          |  1 +
 2 files changed, 43 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
new file mode 100644
index 00000000000..3771684b251
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
@@ -0,0 +1,42 @@
+From 19ded1a717b6c72c3db241f06787a353f1190755 Mon Sep 17 00:00:00 2001
+From: Matt Turner <mattst88@gmail.com>
+Date: Tue, 18 Feb 2020 10:08:27 -0800
+Subject: [PATCH] config: Drop linux-alpha-gcc+bwx
+
+Its entry in Configuration/10-main.conf was dropped in commit
+7ead0c89185c ("Configure: fold related configurations more aggressively
+and clean-up.") probably because all but one of its bn_ops were removed
+(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is
+better than RC4_CHAR so rather than restoring the configuation, remove
+it from config.
+
+CLA: trivial
+Bug: https://bugs.gentoo.org/697840
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/11130)
+---
+ config | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/config b/config
+index 2213969f90..e39481ca2a 100755
+--- a/config
++++ b/config
+@@ -498,10 +498,7 @@ case "$GUESSOS" in
+ 	OUT="ios64-cross" ;;
+   alpha-*-linux2)
+         ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
+-	case ${ISA:-generic} in
+-	*[678])	OUT="linux-alpha+bwx-$CC" ;;
+-	*)	OUT="linux-alpha-$CC" ;;
+-	esac
++	OUT="linux-alpha-$CC"
+ 	if [ "$CC" = "gcc" ]; then
+ 	    case ${ISA:-generic} in
+ 	    EV5|EV45)		__CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev5"
+-- 
+2.24.1
+

diff --git a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
index 8800d05fac7..97a1002fac7 100644
--- a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
@@ -50,6 +50,7 @@ PATCHES=(
 	"${FILESDIR}"/${P}-fix-zlib.patch
 	"${FILESDIR}"/${P}-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
 	"${FILESDIR}"/${P}-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
+	"${FILESDIR}"/${P}-config-Drop-linux-alpha-gcc-bwx.patch
 )
 
 S="${WORKDIR}/${MY_P}"
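
Review bot: the new `${P}-config-Drop-linux-alpha-gcc-bwx.patch` entry in PATCHES carries no bug reference, although the commit message closes https://bugs.gentoo.org/697840 and the patch header says it was merged upstream (openssl/openssl pull 11130). A trailing `#697840` comment would mark it as a backport to drop on the next version bump.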



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2020-06-04 17:53 Thomas Deutschmann
  0 siblings, 0 replies; 52+ messages in thread
From: Thomas Deutschmann @ 2020-06-04 17:53 UTC (permalink / raw
  To: gentoo-commits

commit:     9bce053e42181beb3ae28cc8585516202954a248
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Thu Jun  4 17:53:01 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Thu Jun  4 17:53:01 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bce053e

dev-libs/openssl: security cleanup

Bug: https://bugs.gentoo.org/717442
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   3 -
 ...sl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch |  42 ---
 ...x-potential-memleaks-w-BN_to_ASN1_INTEGER.patch | 107 -------
 .../openssl/files/openssl-1.1.1d-fix-zlib.patch    |  52 ----
 ...stitched-AES-CBC-HMAC-SHA-implementations.patch |  62 ----
 dev-libs/openssl/openssl-1.1.1d-r3.ebuild          | 328 ---------------------
 dev-libs/openssl/openssl-1.1.1f.ebuild             | 324 --------------------
 7 files changed, 918 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 2d626cc93bd..0153ae0ad1c 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -3,8 +3,5 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
 DIST openssl-1.1.0l-bindist-1.0.tar.xz 13184 BLAKE2B c09e023458faff17b10d6f20c28462c0851757a20d59b4b751220ab307324d5778252df112ad74fd319407cc75fdd1cd507d48058dd0234dc8c03020c882ed42 SHA512 39720ecee3ec6080c1416f2fb7c9246b89ee55b21be2baabad51eb6823dbe1559450b1ae92fa61ac1cf5ba04ac8c02438aa469bc65eae6905cf1ea486f270793
 DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7 SHA512 81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad
-DIST openssl-1.1.1d-bindist-1.0.tar.xz 13180 BLAKE2B 680bd7400d3dd3930067ee7efa9718b74b30afa9be2397ad80f88031920806b6603b6469beede02b6e7a742abf5f82ebdd7c9b8e69c1ffe223e4860dc9581128 SHA512 9e4296326852010d5cebc204d1a34a34198d8d65460bc91a2bd37c80be892a5ae519513e4b0109e6b51b6faab0e171ef6cdae868868c158711558d147083c06f
-DIST openssl-1.1.1d.tar.gz 8845861 BLAKE2B d3155f07b487ebd8dd4fe25396c874f9af18b5cfd7e622298d29c4f2c8ce14ad4534609d321314a4bcd0d44414e1306190340daaacd3c8fca061c04498446244 SHA512 2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7
 DIST openssl-1.1.1e-bindist-1.0.tar.xz 16948 BLAKE2B 78e034f1d263cbf5e57c92393f72acd07e86e39a5511a8852bad151371430954e07d787fd82cca55b373d1579bb22b9d29c9d677104ed68291a9d2dffe3ffbbb SHA512 0dbfb378b8f2724db82915e17fd4e43977e3e45030db25cdb9241c0ab842e41ef3d597ef71c4db5103635752dc2059ea6022597511a440f55fb56a5a52d3ccea
-DIST openssl-1.1.1f.tar.gz 9792828 BLAKE2B eba30dd12772cd714666ed8e5371e068623d8bfd4ff45863d10e82c65551654508a27f22f7ef1edadb543ab56f3c4c40ac3bcad665c667eb06ee90c69b24782e SHA512 b00bd9b5ad5298fbceeec6bb19c1ab0c106ca5cfb31178497c58bf7e0e0cf30fcc19c20f84e23af31cc126bf2447d3e4f8461db97bafa7bd78f69561932f000c
 DIST openssl-1.1.1g.tar.gz 9801502 BLAKE2B 5e3dd4725ff89b959a5436d64b521317c6ffeb377418cc24c6d1927fab923423cb5f5fce2f9c2cdee597041c7be156d09668a5fd13dc6ff06d235a83db94cf19 SHA512 01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab
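
Review bot: `openssl-1.1.1e-bindist-1.0.tar.xz` stays in the Manifest even though the 1.1.1d and 1.1.1f distfiles on either side of it are removed and no `openssl-1.1.1e.tar.gz` entry sits beside it. Check that a remaining ebuild still names it in BINDIST_PATCH_SET; if none does, drop the entry in this same cleanup.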

diff --git a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
deleted file mode 100644
index 3771684b251..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 19ded1a717b6c72c3db241f06787a353f1190755 Mon Sep 17 00:00:00 2001
-From: Matt Turner <mattst88@gmail.com>
-Date: Tue, 18 Feb 2020 10:08:27 -0800
-Subject: [PATCH] config: Drop linux-alpha-gcc+bwx
-
-Its entry in Configuration/10-main.conf was dropped in commit
-7ead0c89185c ("Configure: fold related configurations more aggressively
-and clean-up.") probably because all but one of its bn_ops were removed
-(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is
-better than RC4_CHAR so rather than restoring the configuation, remove
-it from config.
-
-CLA: trivial
-Bug: https://bugs.gentoo.org/697840
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/11130)
----
- config | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/config b/config
-index 2213969f90..e39481ca2a 100755
---- a/config
-+++ b/config
-@@ -498,10 +498,7 @@ case "$GUESSOS" in
- 	OUT="ios64-cross" ;;
-   alpha-*-linux2)
-         ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
--	case ${ISA:-generic} in
--	*[678])	OUT="linux-alpha+bwx-$CC" ;;
--	*)	OUT="linux-alpha-$CC" ;;
--	esac
-+	OUT="linux-alpha-$CC"
- 	if [ "$CC" = "gcc" ]; then
- 	    case ${ISA:-generic} in
- 	    EV5|EV45)		__CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev5"
--- 
-2.24.1
-

diff --git a/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch b/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
deleted file mode 100644
index 1f195d0384c..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 515c728dbaa92211d2eafb0041ab9fcd258fdc41 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Mon, 9 Sep 2019 19:12:25 +0200
-Subject: [PATCH] Fix potential memory leaks with BN_to_ASN1_INTEGER
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/9833)
-
-(cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09)
----
- crypto/ec/ec_asn1.c     |  7 +++++--
- crypto/x509v3/v3_asid.c | 26 ++++++++++++++++++++------
- 2 files changed, 25 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
-index 1ce1181fc10..7cbf8de9813 100644
---- a/crypto/ec/ec_asn1.c
-+++ b/crypto/ec/ec_asn1.c
-@@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
-     unsigned char *buffer = NULL;
-     const EC_POINT *point = NULL;
-     point_conversion_form_t form;
-+    ASN1_INTEGER *orig;
- 
-     if (params == NULL) {
-         if ((ret = ECPARAMETERS_new()) == NULL) {
-@@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
-         ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
-         goto err;
-     }
--    ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
-+    ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
-     if (ret->order == NULL) {
-+        ret->order = orig;
-         ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
-         goto err;
-     }
-@@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
-     /* set the cofactor (optional) */
-     tmp = EC_GROUP_get0_cofactor(group);
-     if (tmp != NULL) {
--        ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
-+        ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
-         if (ret->cofactor == NULL) {
-+            ret->cofactor = orig;
-             ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
-             goto err;
-         }
-diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
-index 089f2ae29f0..ef2d64826fb 100644
---- a/crypto/x509v3/v3_asid.c
-+++ b/crypto/x509v3/v3_asid.c
-@@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor,
- static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
- {
-     ASN1_INTEGER *a_max_plus_one = NULL;
-+    ASN1_INTEGER *orig;
-     BIGNUM *bn = NULL;
-     int i, ret = 0;
- 
-@@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
-          */
-         if ((bn == NULL && (bn = BN_new()) == NULL) ||
-             ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
--            !BN_add_word(bn, 1) ||
--            (a_max_plus_one =
--             BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
-+            !BN_add_word(bn, 1)) {
-+            X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
-+                      ERR_R_MALLOC_FAILURE);
-+            goto done;
-+        }
-+
-+        if ((a_max_plus_one =
-+                BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
-+            a_max_plus_one = orig;
-             X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
-                       ERR_R_MALLOC_FAILURE);
-             goto done;
-@@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid)
- static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
- {
-     ASN1_INTEGER *a_max_plus_one = NULL;
-+    ASN1_INTEGER *orig;
-     BIGNUM *bn = NULL;
-     int i, ret = 0;
- 
-@@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
-          */
-         if ((bn == NULL && (bn = BN_new()) == NULL) ||
-             ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
--            !BN_add_word(bn, 1) ||
--            (a_max_plus_one =
--             BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
-+            !BN_add_word(bn, 1)) {
-+            X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
-+                      ERR_R_MALLOC_FAILURE);
-+            goto done;
-+        }
-+
-+        if ((a_max_plus_one =
-+                 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
-+            a_max_plus_one = orig;
-             X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
-                       ERR_R_MALLOC_FAILURE);
-             goto done;

diff --git a/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch b/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch
deleted file mode 100644
index 5d2f923a487..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 86ed78676c660b553696cc10c682962522dfeb6c Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Thu, 12 Sep 2019 12:27:36 +0200
-Subject: [PATCH] BIO_f_zlib: Properly handle BIO_CTRL_PENDING and
- BIO_CTRL_WPENDING calls.
-
-There can be data to write in output buffer and data to read that were
-not yet read in the input stream.
-
-Fixes #9866
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/9877)
-
-(cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95)
----
- crypto/comp/c_zlib.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
-index d688deee5f2..7c1be358fd7 100644
---- a/crypto/comp/c_zlib.c
-+++ b/crypto/comp/c_zlib.c
-@@ -598,6 +598,28 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
-         BIO_copy_next_retry(b);
-         break;
- 
-+    case BIO_CTRL_WPENDING:
-+        if (ctx->obuf == NULL)
-+            return 0;
-+
-+        if (ctx->odone) {
-+            ret = ctx->ocount;
-+        } else {
-+            ret = ctx->ocount;
-+            if (ret == 0)
-+                /* Unknown amount pending but we are not finished */
-+                ret = 1;
-+        }
-+        if (ret == 0)
-+            ret = BIO_ctrl(next, cmd, num, ptr);
-+        break;
-+
-+    case BIO_CTRL_PENDING:
-+        ret = ctx->zin.avail_in;
-+        if (ret == 0)
-+            ret = BIO_ctrl(next, cmd, num, ptr);
-+        break;
-+
-     default:
-         ret = BIO_ctrl(next, cmd, num, ptr);
-         break;

diff --git a/dev-libs/openssl/files/openssl-1.1.1d-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch b/dev-libs/openssl/files/openssl-1.1.1d-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
deleted file mode 100644
index dc8fe7146b7..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.1d-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 61cc715240d2d3f9511ca88043a3e9797c11482f Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Thu, 3 Oct 2019 08:28:31 +0200
-Subject: [PATCH] Define AESNI_ASM if AESNI assembler is included, and use it
-
-Because we have cases where basic assembler support isn't present, but
-AESNI asssembler support is, we need a separate macro that indicates
-that, and use it.
-
-Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/10080)
----
- Configure                          | 1 +
- crypto/evp/e_aes_cbc_hmac_sha1.c   | 2 +-
- crypto/evp/e_aes_cbc_hmac_sha256.c | 4 ++--
- 3 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/Configure b/Configure
-index 811bee81f54..f498ac2f81b 100755
---- a/Configure
-+++ b/Configure
-@@ -1376,6 +1376,7 @@ unless ($disabled{asm}) {
-     }
-     if ($target{aes_asm_src}) {
-         push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);;
-+        push @{$config{lib_defines}}, "AESNI_ASM" if ($target{aes_asm_src} =~ m/\baesni-/);;
-         # aes-ctr.fake is not a real file, only indication that assembler
-         # module implements AES_ctr32_encrypt...
-         push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//);
-diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
-index c9f5969162c..27c36b46e7a 100644
---- a/crypto/evp/e_aes_cbc_hmac_sha1.c
-+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
-@@ -33,7 +33,7 @@ typedef struct {
- 
- #define NO_PAYLOAD_LENGTH       ((size_t)-1)
- 
--#if     defined(AES_ASM) &&     ( \
-+#if     defined(AESNI_ASM) &&     ( \
-         defined(__x86_64)       || defined(__x86_64__)  || \
-         defined(_M_AMD64)       || defined(_M_X64)      )
- 
-diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c
-index d5178313ae3..cc622b6faa8 100644
---- a/crypto/evp/e_aes_cbc_hmac_sha256.c
-+++ b/crypto/evp/e_aes_cbc_hmac_sha256.c
-@@ -34,7 +34,7 @@ typedef struct {
- 
- # define NO_PAYLOAD_LENGTH       ((size_t)-1)
- 
--#if     defined(AES_ASM) &&     ( \
-+#if     defined(AESNI_ASM) &&   ( \
-         defined(__x86_64)       || defined(__x86_64__)  || \
-         defined(_M_AMD64)       || defined(_M_X64)      )
- 
-@@ -947,4 +947,4 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha256(void)
- {
-     return NULL;
- }
--#endif
-+#endif  /* AESNI_ASM */
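Review bot: This patch file is named through `${P}` in PATCHES (`"${FILESDIR}"/${P}-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch`), so removing it is only safe if every openssl-1.1.1d revision that lists it goes in the same commit. The header says the change was merged upstream via https://github.com/openssl/openssl/pull/10080, and the 1.1.1f ebuild on this page no longer lists it. Before merging, grep the tree for the filename to confirm no 1.1.1d ebuild is left pointing at a missing file.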

diff --git a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
deleted file mode 100644
index 7de6ff8b593..00000000000
--- a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
+++ /dev/null
@@ -1,328 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-
-# This patch set is based on the following files from Fedora 31,
-# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
-# for more details:
-# - hobble-openssl (SOURCE1)
-# - ec_curve.c (SOURCE12) -- MODIFIED
-# - ectest.c (SOURCE13)
-# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
-BINDIST_PATCH_SET="openssl-1.1.1d-bindist-1.0.tar.xz"
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	bindist? (
-		mirror://gentoo/${BINDIST_PATCH_SET}
-		https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
-	)"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )
-	!test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		sys-process/procps
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-	"${FILESDIR}"/${P}-fix-zlib.patch
-	"${FILESDIR}"/${P}-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
-	"${FILESDIR}"/${P}-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
-	"${FILESDIR}"/${P}-config-Drop-linux-alpha-gcc-bwx.patch
-)
-
-S="${WORKDIR}/${MY_P}"
-
-# force upgrade to prevent broken login, bug 696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-pkg_setup() {
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl don't work with userpriv!
-	if has test ${FEATURES} && use sctp; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_prepare() {
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	if use bindist; then
-		mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
-		bash "${WORKDIR}"/hobble-openssl || die
-
-		cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
-
-		eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
-
-		local known_failing_test
-		for known_failing_test in \
-			30-test_evp_extra.t \
-			80-test_ssl_new.t \
-		; do
-			ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
-			rm test/recipes/${known_failing_test} || die
-			eend $?
-		done
-
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
-		ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
-		rm test/recipes/80-test_ssl_new.t || die
-		eend $?
-	fi
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m'
-	# 'srp' was restricted until early 2017 as well.
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	# Make sure user flags don't get added *yet* to avoid duplicated
-	# flags.
-	CFLAGS= LDFLAGS= echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED}"/usr || die
-	fi
-
-	emake DESTDIR="${D}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}
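Review bot: KEYWORDS near the top of this ebuild has stable `ppc ppc64 x86`, while openssl-1.1.1f.ebuild, removed in the same commit, only has `~ppc ~ppc64 ~x86`. Dropping 1.1.1d-r3 therefore removes a stable candidate for those arches. Confirm that a newer revision is already stable on ppc, ppc64 and x86 before this lands, and that the replacement keeps the `!<net-misc/openssh-8.0_p1-r3` blocker added for bug 696950.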

diff --git a/dev-libs/openssl/openssl-1.1.1f.ebuild b/dev-libs/openssl/openssl-1.1.1f.ebuild
deleted file mode 100644
index 150624048da..00000000000
--- a/dev-libs/openssl/openssl-1.1.1f.ebuild
+++ /dev/null
@@ -1,324 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-
-# This patch set is based on the following files from Fedora 31,
-# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
-# for more details:
-# - hobble-openssl (SOURCE1)
-# - ec_curve.c (SOURCE12) -- MODIFIED
-# - ectest.c (SOURCE13)
-# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
-BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz"
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	bindist? (
-		mirror://gentoo/${BINDIST_PATCH_SET}
-		https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
-	)"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv s390 sparc ~x86 ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )
-	!test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		sys-process/procps
-	)"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-)
-
-S="${WORKDIR}/${MY_P}"
-
-# force upgrade to prevent broken login, bug 696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-pkg_setup() {
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl don't work with userpriv!
-	if has test ${FEATURES} && use sctp; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_prepare() {
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	if use bindist; then
-		mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
-		bash "${WORKDIR}"/hobble-openssl || die
-
-		cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
-		cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
-
-		eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
-
-		local known_failing_test
-		for known_failing_test in \
-			30-test_evp_extra.t \
-			80-test_ssl_new.t \
-		; do
-			ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
-			rm test/recipes/${known_failing_test} || die
-			eend $?
-		done
-
-		# Also see the configure parts below:
-		# enable-ec \
-		# $(use_ssl !bindist ec2m) \
-	fi
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
-		ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
-		rm test/recipes/80-test_ssl_new.t || die
-		eend $?
-	fi
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	# Clean out patent-or-otherwise-encumbered code
-	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
-	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
-	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
-	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
-	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	#if ! use bindist ; then
-	#	echo "__uint128_t i;" > "${T}"/128.c
-	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#	fi
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# Fedora hobbled-EC needs 'no-ec2m'
-	# 'srp' was restricted until early 2017 as well.
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	# Make sure user flags don't get added *yet* to avoid duplicated
-	# flags.
-	CFLAGS= LDFLAGS= echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		$(use_ssl !bindist ec2m) \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED}"/usr || die
-	fi
-
-	emake DESTDIR="${D}" install
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}
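Review bot: `src_prepare` and PATCHES in this ebuild use files that are shared across versions, `"${FILESDIR}"/gentoo.config-1.0.2` and `${PN}-1.1.0j-parallel_install_fix.patch`, so the cleanup must leave them in files/ while any remaining ebuild references them. The 3.0.5 ebuild later on this page still copies gentoo.config-1.0.2. Likewise, drop the Manifest DIST line for `openssl-1.1.1e-bindist-1.0.tar.xz` (BINDIST_PATCH_SET) only if no surviving ebuild fetches it.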



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2022-07-05 22:15 Mike Gilbert
  0 siblings, 0 replies; 52+ messages in thread
From: Mike Gilbert @ 2022-07-05 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     db6f7217c034a620288ea0ef95227707c3fb55ea
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue Jul  5 22:13:46 2022 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Jul  5 22:15:18 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6f7217

dev-libs/openssl: add 3.0.5

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 +
 .../openssl/files/openssl-3.0.5-test-memcmp.patch  |  22 ++
 dev-libs/openssl/openssl-3.0.5.ebuild              | 325 +++++++++++++++++++++
 3 files changed, 349 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 86edfb8addcb..d85b9ffd72e4 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -15,3 +15,5 @@ DIST openssl-3.0.3.tar.gz 15058905 BLAKE2B 8141d13dbea2f1febdd4e46aa404e9f3bac51
 DIST openssl-3.0.3.tar.gz.asc 488 BLAKE2B 3f31e3a73706b69683220e05b1b4ddc75dc3e7e12652dca711e4aa0eb3c023ef736aee9ade15172d7f28e1e1af03e86d4854ec6c3d167cad42882f483c5e56d4 SHA512 04afe65c6af1ae43a9967462383a6a4f567f5acff19ec1952cd6fce2dc3c3d4dfb3cb54126562724c148f40dcb66668abf727282d35730bbf36f82b5c6bacace
 DIST openssl-3.0.4.tar.gz 15069605 BLAKE2B e8ef09d74aa128fee0ddc347458a41cde65af07a6e6836889a0230cd7989e46b5d10a4930eb7a63c0cf93485914ec33665d14637b6c27fd442c0e9becb2d2a86 SHA512 478cd801dc4787688e6d9062969ae738c24f869bb186f717ad3be54ae8f2630e5cd845c504efd3405ea1ecda07ebee00014cc6ef7bca9585a6240cf89d516557
 DIST openssl-3.0.4.tar.gz.asc 488 BLAKE2B 54f652ae78c6f39aef970fd7372808c876d37a823cc31431d770db67caf11342d1045992e393242d4c73253e4e16640dd9bd56203864394e907976918909e5dc SHA512 c30af3cda92b06cff864ed33c17d8dcb8c7d429ed8419f96d19d3049dfaa268c73ec7753815a134b069ae7f4ea20fb4bcdd04f86d33628592ce4500777494c85
+DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 7bf89e042417c003ef02a8bb1278590a52ce4a3d50f66795c66b750f90248840edb0d3352811caaaaff708c7e65b77384142e316916a6c311f1d2b4747f44816 SHA512 782b0df3d0252468aa696bd74a3b661810499819c0df849aa9698ba0e06a845820dc856aac650fced4be234f1271e576d4317ac3ab1406cf0ffe087d695d20fe
+DIST openssl-3.0.5.tar.gz.asc 862 BLAKE2B 24f1839227be7acec45eb6b748cea7be0b5e66b5cf745814861f7290670733936bf1af2c1dc9357439b31a2ca28f418880d63726d4be6fa994902ac95b51e401 SHA512 516da9ef291601400576adaba7271854af3caa23dc1d70116004360f580e4c28fe61d51e86477d341e4c5bf0ca5f98db8264581ed6cc2c8df124da83ad3e40be
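Review bot: The new `openssl-3.0.5.tar.gz.asc` entry is 862 bytes, while the 3.0.3 and 3.0.4 signatures in the context lines are 488 bytes each. That suggests this release was signed with a different key or signature format. Check that the signing key is present in sec-keys/openpgp-keys-openssl (the ebuild's VERIFY_SIG_OPENPGP_KEY_PATH) and that a fetch and unpack with USE=verify-sig passes before committing these Manifest lines.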

diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
new file mode 100644
index 000000000000..8fa03877581f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
@@ -0,0 +1,22 @@
+From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001
+From: Gregor Jasny <gjasny@googlemail.com>
+Date: Tue, 5 Jul 2022 12:57:06 +0200
+Subject: [PATCH] Add missing header for memcmp
+
+CLA: trivial
+---
+ test/v3ext.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/v3ext.c b/test/v3ext.c
+index 926f3884b138..a8ab64b2714b 100644
+--- a/test/v3ext.c
++++ b/test/v3ext.c
+@@ -8,6 +8,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <string.h>
+ #include <openssl/x509.h>
+ #include <openssl/x509v3.h>
+ #include <openssl/pem.h>
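Review bot: The patch header gives the upstream author and commit hash but no link to the upstream pull request or commit, so it is hard to tell later when the patch can be dropped. Add the upstream URL to the patch header or as a comment beside the `"${FILESDIR}"/${P}-test-memcmp.patch` entry in PATCHES. The change only touches test/v3ext.c, so also note there that it matters only when the test suite is built.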

diff --git a/dev-libs/openssl/openssl-3.0.5.ebuild b/dev-libs/openssl/openssl-3.0.5.ebuild
new file mode 100644
index 000000000000..56af5a262265
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.5.ebuild
@@ -0,0 +1,325 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	>=app-misc/c_rehash-1.7-r1
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( sec-keys/openpgp-keys-openssl )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-test-memcmp.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# - Make sure the man pages are suffixed (bug #302165)
+	# - Don't bother building man pages if they're disabled
+	# - Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# Prefixify Configure shebang (bug #141906)
+	sed \
+		-e "1s,/usr/bin/env,${BROOT}&," \
+		-i Configure || die
+
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+
+	# The config script does stupid stuff to prompt the user. Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	local sslout=$(./gentoo.config)
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
+
+	# Clean out hardcoded flags that openssl uses
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:\(^\| \)-fomit-frame-pointer::g' \
+		-e 's:\(^\| \)-O[^ ]*::g' \
+		-e 's:\(^\| \)-march=[^ ]*::g' \
+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
+		-e 's:\(^\| \)-m[^ ]*::g' \
+		-e 's:^ *::' \
+		-e 's: *$::' \
+		-e 's: \+: :g' \
+		-e 's:\\:\\\\:g'
+	)
+
+	# Now insert clean default flags with user flags
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile \
+		|| die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+
+	emake all
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
+	dodir /usr
+
+	emake DESTDIR="${D}" install
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man || die
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*}
+		d=${d#./}
+		m=${m##*/}
+
+		[[ ${m} == openssl.1* ]] && continue
+
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+
+		mv ${d}/{,ssl-}${m} || die
+
+		# Fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
+		ln -s ssl-${m} ${d}/openssl-${m} || die
+
+		# Locate any symlinks that point to this man page
+		# We assume that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+
+			rm -f ${d}/${s}
+
+			# We don't want to "|| die" here
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
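
Review bot: In multilib_src_install_all the closing check `[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("` runs after the outer loop has finished, so `${d}` holds only the directory of the last file the loop visited, and dangling symlinks left in any other man section pass unnoticed. The function has already changed into "${ED}"/usr/share/man, so `find -L . -type l` would cover every section. The two `ln -s` calls in the inner loop are deliberately non-fatal ("We don't want to || die here"), which leaves this final check as the only guard against shipping broken links.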



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2022-07-05 23:33 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2022-07-05 23:33 UTC (permalink / raw
  To: gentoo-commits

commit:     1f171e1acbd185d7cd5c5a2689f50d02c7c64caf
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Jul  5 23:33:03 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Jul  5 23:33:03 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f171e1a

dev-libs/openssl: add 1.1.1q

Bug: https://bugs.gentoo.org/856592
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 +
 .../openssl/files/openssl-3.0.5-test-memcmp.patch  |   2 +
 dev-libs/openssl/openssl-1.1.1q.ebuild             | 337 +++++++++++++++++++++
 3 files changed, 341 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index d85b9ffd72e4..f960853b8a8a 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -8,6 +8,8 @@ DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 5bd355fd17adf43ba4e3bf1a8036ceb724edd
 DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d SHA512 da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e
 DIST openssl-1.1.1p.tar.gz 9860217 BLAKE2B 4354753a5e52393c9cc4569954c2cac6d89a1e204fa4f9ca00a60492782d29f8952fb92664cdbb3576c6443d3cb2eacebea51db584738589f3598b40df579b12 SHA512 203470b1cd37bdbfabfec5ef37fc97c991d9943f070c988316f6396b09dae7cea16ac884bd8646dbf7dd1ed40ebde6bdfa5700beee2d714d07c97cc70b4e48d9
 DIST openssl-1.1.1p.tar.gz.asc 488 BLAKE2B e68c8a4c992c2448b48428137f61f91fb89e4814f6e80c5525cea695bcf898326eca729f31b953fbd7ff51b448004101ca78abfbd3138ec2389596faa3eafc2f SHA512 c85d65df1ed0f1ae87b799d794ea43e32c8ecaf85caf6e36fbbd4a890ef1d47710380d3846296e0124898680be66113a959ad974e0448bc00d1253794dc48972
+DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5 SHA512 cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f
+DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6 SHA512 03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e
 DIST openssl-3.0.2.tar.gz 15038141 BLAKE2B 140c4c80a0cad89cb0059fef6a4cd421460e6af9a3973f7a3eb5e39f64c0d44794d46e7a869e5235fced139f2249351e37a9ee5ebaa17f2708d63141ebebf919 SHA512 f986850d5be908b4d6b5fd7091bc4652d7378c9bccebfbc5becd7753843c04c1eb61a1749c432139d263dfac33df0b1f6c773664b485cad47542266823a4eb03
 DIST openssl-3.0.2.tar.gz.asc 488 BLAKE2B 2f6482114271c4f512159fa159486a3b3470637d770cd1614fda004918d06ed9ab562e655d1580d2ebb05745ec72987488c2161b72d078017cc157003d4205da SHA512 4303391a58107c76ad9b05510f5bfc95f687f4cb2f9ff5b03fb262ba99b573423ab83f0437471199954496799b343191b889ad9ef8fabdd7ee4ec3ec9b5f1d81
 DIST openssl-3.0.3-test-fixes-expiry.patch.xz 29056 BLAKE2B 11be776b9c4baec770d81ff180581d7d8292261f32ebfcb2cfd399d684cef1b9e7b4575d906f23e8a61d853eafb178e1b0e01d9324dbe598c876c0ef74bcf5e8 SHA512 23bc571dfca453deb4f1812aea5fc1bcf1c27358d8638a66ce7f359a698b09a35bdc86e01db36aa5e59b37cc7e36f0ced6f1463b383fb0d904aada69f5d5cb04
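
Review bot: The added openssl-1.1.1q.tar.gz.asc entry is 833 bytes, while the 1.1.1o and 1.1.1p signatures in the surrounding context lines are 488 bytes each. A change in detached-signature size points to a different key, key size or number of signatures on this release, so please confirm that the signing key is in the keyring installed by sec-keys/openpgp-keys-openssl and that a fetch with USE=verify-sig passes for this version. The Manifest hashes only pin what was downloaded when the entry was generated; the signature check is what ties the tarball to upstream.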

diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
index 8fa03877581f..fc84d82e87da 100644
--- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
+++ b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
@@ -1,3 +1,5 @@
+https://github.com/openssl/openssl/pull/18719
+
 From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001
 From: Gregor Jasny <gjasny@googlemail.com>
 Date: Tue, 5 Jul 2022 12:57:06 +0200
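
Review bot: The header added at the top of the patch cites the pull request but gives no upstream commit or merge state. If the PR has been merged, cite the resulting commit as well, so that a later version bump can tell from the header alone whether a release already contains the fix and the patch can be dropped. The file is also named for 3.0.5 although this commit applies it to 1.1.1q too, which is worth a word in the header.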

diff --git a/dev-libs/openssl/openssl-1.1.1q.ebuild b/dev-libs/openssl/openssl-1.1.1q.ebuild
new file mode 100644
index 000000000000..ff51db66bd0d
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1q.ebuild
@@ -0,0 +1,337 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
+
+MY_P=${P/_/-}
+DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+if [[ ${PV} != *_pre* ]] ; then
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+fi
+IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		kernel_linux? ( sys-process/procps )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-openssl )"
+PDEPEND="app-misc/ca-certificates"
+
+# force upgrade to prevent broken login, bug #696950
+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+	# General patches which are suitable to always apply
+	# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
+	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
+	"${FILESDIR}"/${PN}-3.0.5-test-memcmp.patch
+)
+
+pkg_setup() {
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES}; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# - Make sure the man pages are suffixed (bug #302165)
+	# - Don't bother building man pages if they're disabled
+	# - Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# Prefixify Configure shebang (bug #141906)
+	sed \
+		-e "1s,/usr/bin/env,${BROOT}&," \
+		-i Configure || die
+
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+
+	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
+		# use GNU ld full option, not to confuse it on Solaris
+		sed -i \
+			-e 's/-Wl,-M,/-Wl,--version-script=/' \
+			-e 's/-Wl,-h,/-Wl,--soname=/' \
+			Configurations/10-main.conf || die
+
+		# fix building on Solaris 10
+		# https://github.com/openssl/openssl/issues/6333
+		sed -i \
+			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
+			Configurations/10-main.conf || die
+	fi
+
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	local ec_nistp_64_gcc_128
+
+	# Disable it for now though (bug #469976)
+	# echo "__uint128_t i;" > "${T}"/128.c
+	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	# 	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	# fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# "disable-deprecated" option breaks too many consumers.
+	# Don't set it without thorough revdeps testing.
+	# Make sure user flags don't get added *yet* to avoid duplicated
+	# flags.
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		${ec_nistp_64_gcc_128}
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use_ssl sslv3 ssl3)
+		$(use_ssl sslv3 ssl3-method)
+		$(use_ssl asm)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl tls-heartbeat heartbeats)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
+
+	# Clean out hardcoded flags that openssl uses
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:\(^\| \)-fomit-frame-pointer::g' \
+		-e 's:\(^\| \)-O[^ ]*::g' \
+		-e 's:\(^\| \)-march=[^ ]*::g' \
+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
+		-e 's:\(^\| \)-m[^ ]*::g' \
+		-e 's:^ *::' \
+		-e 's: *$::' \
+		-e 's: \+: :g' \
+		-e 's:\\:\\\\:g'
+	)
+
+	# Now insert clean default flags with user flags
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
+	dodir /usr
+
+	emake DESTDIR="${D}" install
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man || die
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*}
+		d=${d#./}
+		m=${m##*/}
+
+		[[ ${m} == openssl.1* ]] && continue
+
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+
+		mv ${d}/{,ssl-}${m} || die
+
+		# Fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
+		ln -s ssl-${m} ${d}/openssl-${m}
+
+		# Locate any symlinks that point to this man page
+		# We assume that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+
+			rm -f ${d}/${s}
+
+			# We don't want to "|| die" here
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
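
Review bot: src_unpack verifies `"${DISTDIR}"/${P}.tar.gz{,.asc}`, but SRC_URI fetches `${MY_P}.tar.gz` and its `.asc`, with MY_P defined as `${P/_/-}`. For any version with an underscore suffix (the KEYWORDS block already anticipates `*_pre*`) the two names differ and the signature check dies on a missing file, so use `${MY_P}` here. The comments in that function ("Can delete this once test fix patch is dropped", "Needed for downloaded patch") do not match this ebuild either, since its SRC_URI contains no downloaded patch; the override looks removable in favour of the src_unpack that verify-sig exports. Separately, `ln -s ssl-${m} ${d}/openssl-${m}` in multilib_src_install_all has no `|| die`, so a failed link there is silent.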



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2022-08-29 21:13 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2022-08-29 21:13 UTC (permalink / raw
  To: gentoo-commits

commit:     458daf054634ccaa6e5df1a53339e0f57f2755a6
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Aug 29 20:51:15 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Aug 29 20:51:41 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=458daf05

dev-libs/openssl: drop 1.1.1n, 1.1.1o, 1.1.1o-r1, 1.1.1p

Bug: https://bugs.gentoo.org/856592
Bug: https://bugs.gentoo.org/842489
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   7 -
 .../files/openssl-1.1.1p-fix-test-build.patch      |  52 ----
 dev-libs/openssl/openssl-1.1.1n.ebuild             | 298 ------------------
 dev-libs/openssl/openssl-1.1.1o-r1.ebuild          | 338 ---------------------
 dev-libs/openssl/openssl-1.1.1o.ebuild             | 318 -------------------
 dev-libs/openssl/openssl-1.1.1p.ebuild             | 337 --------------------
 6 files changed, 1350 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index eb14a155609f..a411ae31d39e 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,13 +1,6 @@
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
-DIST openssl-1.1.1n.tar.gz 9850712 BLAKE2B af530258d9f7ca4f1bd1c6c344eb385e766e465c9341dd08797676165f67bbb82d3fd549ed7559dc12fb8c9c4db5e04fa6ec7ab729ec1467f5e8bce469ff5398 SHA512 1937796736613dcf4105a54e42ecb61f95a1cea74677156f9459aea0f2c95159359e766089632bf364ee6b0d28d661eb9957bce8fecc9d2436378d8d79e8d0a4
-DIST openssl-1.1.1n.tar.gz.asc 488 BLAKE2B 8fc18fdc884473dc4c243499cc3528691a9ecc184e39e8d942450d41c42d22a96398036ae804af23c4f28d082c62f5babaa275ceb2e13b33b5acfd59a802c186 SHA512 24abc3d187cabed830dcd3189a34c2dc29e0b8013a607011a0e85cc68f0ec48c1de14a005053a4de3a4013cfa9658016ac65cfb8cfac58da55231371926beeda
-DIST openssl-1.1.1o-test-fixes-expiry.patch.xz 6180 BLAKE2B 23ef36d7bd05c98f7fab6de25681a53fa7a558d114548836b6cd90a57c4f4e45dc9fb622936053608b463320605b7df60db2d2caf3811b249f6ead3791a1c081 SHA512 577aec97fb31cd9efe3b30d82c560d3e7da57ae52c4de0f86e951b777a673830baaadcc5eb366c523024d37405531c6d32de26bbbc1e77df15c7822c72e937e6
-DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 5bd355fd17adf43ba4e3bf1a8036ceb724edd4f4ab80dc25aecc3d2647372e9db2bc12e2b89791fc4b6f7fd95a7b68e00490d09ca6518d25ab990ee27798e641 SHA512 75b2f1499cb4640229eb6cd35d85cbff2e19db17b959ac4d04b60f1b395b73567f9003521452a0fcfeea9b31b26de0a7bccf476ecf9caae02298f3647cfb7e23
-DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d SHA512 da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e
-DIST openssl-1.1.1p.tar.gz 9860217 BLAKE2B 4354753a5e52393c9cc4569954c2cac6d89a1e204fa4f9ca00a60492782d29f8952fb92664cdbb3576c6443d3cb2eacebea51db584738589f3598b40df579b12 SHA512 203470b1cd37bdbfabfec5ef37fc97c991d9943f070c988316f6396b09dae7cea16ac884bd8646dbf7dd1ed40ebde6bdfa5700beee2d714d07c97cc70b4e48d9
-DIST openssl-1.1.1p.tar.gz.asc 488 BLAKE2B e68c8a4c992c2448b48428137f61f91fb89e4814f6e80c5525cea695bcf898326eca729f31b953fbd7ff51b448004101ca78abfbd3138ec2389596faa3eafc2f SHA512 c85d65df1ed0f1ae87b799d794ea43e32c8ecaf85caf6e36fbbd4a890ef1d47710380d3846296e0124898680be66113a959ad974e0448bc00d1253794dc48972
 DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5 SHA512 cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f
 DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6 SHA512 03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e
 DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 7bf89e042417c003ef02a8bb1278590a52ce4a3d50f66795c66b750f90248840edb0d3352811caaaaff708c7e65b77384142e316916a6c311f1d2b4747f44816 SHA512 782b0df3d0252468aa696bd74a3b661810499819c0df849aa9698ba0e06a845820dc856aac650fced4be234f1271e576d4317ac3ab1406cf0ffe087d695d20fe

diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
deleted file mode 100644
index 5dca6926dd8f..000000000000
--- a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-https://github.com/openssl/openssl/issues/18619
-https://github.com/openssl/openssl/pull/18634
-https://github.com/openssl/openssl/commit/665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232
-
-From 665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Fri, 17 Jun 2022 10:25:24 +0200
-Subject: [PATCH] Fix compile issues in test/v3ext.c with no-rfc3779
-
-There are no ASIdentifiers if OPENSSL_NO_RFC3779 is defined,
-therefore the test cannot be compiled.
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/18634)
-
-(cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe)
----
- test/v3ext.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/test/v3ext.c b/test/v3ext.c
-index e96b6f79b58f..a2adb1a9f0ef 100644
---- a/test/v3ext.c
-+++ b/test/v3ext.c
-@@ -37,6 +37,7 @@ static int test_pathlen(void)
-     return ret;
- }
- 
-+#ifndef OPENSSL_NO_RFC3779
- static int test_asid(void)
- {
-     ASN1_INTEGER *val1 = NULL, *val2 = NULL;
-@@ -113,6 +114,7 @@ static int test_asid(void)
-     ASIdentifiers_free(asid4);
-     return testresult;
- }
-+#endif /* OPENSSL_NO_RFC3779 */
- 
- OPT_TEST_DECLARE_USAGE("cert.pem\n")
- 
-@@ -127,6 +129,8 @@ int setup_tests(void)
-         return 0;
- 
-     ADD_TEST(test_pathlen);
-+#ifndef OPENSSL_NO_RFC3779
-     ADD_TEST(test_asid);
-+#endif /* OPENSSL_NO_RFC3779 */
-     return 1;
- }
-

diff --git a/dev-libs/openssl/openssl-1.1.1n.ebuild b/dev-libs/openssl/openssl-1.1.1n.ebuild
deleted file mode 100644
index 5cfa2b82bf24..000000000000
--- a/dev-libs/openssl/openssl-1.1.1n.ebuild
+++ /dev/null
@@ -1,298 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit flag-o-matic toolchain-funcs multilib-minimal verify-sig
-
-MY_P=${P/_/-}
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssl.org.asc
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		kernel_linux? ( sys-process/procps )
-	)
-	verify-sig? ( sec-keys/openpgp-keys-openssl )"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
-)
-
-S="${WORKDIR}/${MY_P}"
-
-# force upgrade to prevent broken login, bug 696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-pkg_setup() {
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl don't work with userpriv!
-	if use test && use sctp; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_prepare() {
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	if use test && use sctp && has network-sandbox ${FEATURES}; then
-		ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
-		rm test/recipes/80-test_ssl_new.t || die
-		eend $?
-	fi
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	append-flags -fno-strict-aliasing
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-
-	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
-		# use GNU ld full option, not to confuse it on Solaris
-		sed -i \
-			-e 's/-Wl,-M,/-Wl,--version-script=/' \
-			-e 's/-Wl,-h,/-Wl,--soname=/' \
-			Configurations/10-main.conf || die
-
-		# fix building on Solaris 10
-		# https://github.com/openssl/openssl/issues/6333
-		sed -i \
-			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
-			Configurations/10-main.conf || die
-	fi
-
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-	echoit() { echo "$@" ; "$@" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	# echo "__uint128_t i;" > "${T}"/128.c
-	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	# 	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	# fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	# Make sure user flags don't get added *yet* to avoid duplicated
-	# flags.
-	CFLAGS= LDFLAGS= echoit \
-	./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		enable-ec2m \
-		enable-sm2 \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use_ssl tls-compression zlib) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl weak-ssl-ciphers) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads \
-		|| die
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED}"/usr || die
-	fi
-
-	emake DESTDIR="${D}" install
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}

diff --git a/dev-libs/openssl/openssl-1.1.1o-r1.ebuild b/dev-libs/openssl/openssl-1.1.1o-r1.ebuild
deleted file mode 100644
index 0e55dcc43e49..000000000000
--- a/dev-libs/openssl/openssl-1.1.1o-r1.ebuild
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
-
-MY_P=${P/_/-}
-DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-test-fixes-expiry.patch.xz
-	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-if [[ ${PV} != *_pre* ]] ; then
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-fi
-IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		kernel_linux? ( sys-process/procps )
-	)
-	verify-sig? ( sec-keys/openpgp-keys-openssl )"
-PDEPEND="app-misc/ca-certificates"
-
-# force upgrade to prevent broken login, bug #696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-PATCHES=(
-	# General patches which are suitable to always apply
-	# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
-	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
-	"${WORKDIR}"/${P}-test-fixes-expiry.patch
-)
-
-pkg_setup() {
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl doesn't work with userpriv!
-	if use test && use sctp; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	# Keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		PATCHES+=(
-			# Add patches which are Gentoo-specific customisations here
-		)
-	fi
-
-	default
-
-	if use test && use sctp && has network-sandbox ${FEATURES}; then
-		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
-		rm test/recipes/80-test_ssl_new.t || die
-	fi
-
-	# - Make sure the man pages are suffixed (bug #302165)
-	# - Don't bother building man pages if they're disabled
-	# - Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# Quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (bug #417795 again)
-	tc-is-clang && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	# Prefixify Configure shebang (bug #141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX}&," \
-		-i Configure || die
-
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-
-	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
-		# use GNU ld full option, not to confuse it on Solaris
-		sed -i \
-			-e 's/-Wl,-M,/-Wl,--version-script=/' \
-			-e 's/-Wl,-h,/-Wl,--soname=/' \
-			Configurations/10-main.conf || die
-
-		# fix building on Solaris 10
-		# https://github.com/openssl/openssl/issues/6333
-		sed -i \
-			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
-			Configurations/10-main.conf || die
-	fi
-
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	# bug #197996
-	unset APPS
-	# bug #312551
-	unset SCRIPTS
-	# bug #311473
-	unset CROSS_COMPILE
-
-	tc-export AR CC CXX RANLIB RC
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths, bug #460790.
-	local ec_nistp_64_gcc_128
-
-	# Disable it for now though (bug #469976)
-	# echo "__uint128_t i;" > "${T}"/128.c
-	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	# 	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	# fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	# Make sure user flags don't get added *yet* to avoid duplicated
-	# flags.
-	local myeconfargs=(
-		${sslout}
-
-		$(use cpu_flags_x86_sse2 || echo "no-sse2")
-		enable-camellia
-		enable-ec
-		enable-ec2m
-		enable-sm2
-		enable-srp
-		$(use elibc_musl && echo "no-async")
-		${ec_nistp_64_gcc_128}
-		enable-idea
-		enable-mdc2
-		enable-rc5
-		$(use_ssl sslv3 ssl3)
-		$(use_ssl sslv3 ssl3-method)
-		$(use_ssl asm)
-		$(use_ssl rfc3779)
-		$(use_ssl sctp)
-		$(use test || echo "no-tests")
-		$(use_ssl tls-compression zlib)
-		$(use_ssl tls-heartbeat heartbeats)
-		$(use_ssl weak-ssl-ciphers)
-
-		--prefix="${EPREFIX}"/usr
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
-		--libdir=$(get_libdir)
-
-		shared
-		threads
-	)
-
-	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
-	dodir /usr
-
-	emake DESTDIR="${D}" install
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs. But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*}
-		d=${d#./}
-		m=${m##*/}
-
-		[[ ${m} == openssl.1* ]] && continue
-
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-
-		mv ${d}/{,ssl-}${m} || die
-
-		# Fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
-		ln -s ssl-${m} ${d}/openssl-${m}
-
-		# Locate any symlinks that point to this man page
-		# We assume that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-
-			rm -f ${d}/${s}
-
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	# bug #254521
-	dodir /etc/sandbox.d
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}
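
Review bot: SRC_URI and PATCHES in this removed openssl-1.1.1o-r1.ebuild pull in ${P}-test-fixes-expiry.patch.xz from dev.gentoo.org/~sam/distfiles, and the only other visible consumer is openssl-1.1.1o.ebuild, which this patch also removes (openssl-1.1.1p.ebuild uses "${FILESDIR}"/${P}-fix-test-build.patch instead). The matching DIST entry in Manifest should therefore be dropped in the same commit. Likewise, the FILESDIR files named here (gentoo.config-1.0.2, ${PN}-1.1.0j-parallel_install_fix.patch, ${PN}-1.1.1i-riscv32.patch) should stay only if a remaining ebuild still references them.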

diff --git a/dev-libs/openssl/openssl-1.1.1o.ebuild b/dev-libs/openssl/openssl-1.1.1o.ebuild
deleted file mode 100644
index 730dfb22685e..000000000000
--- a/dev-libs/openssl/openssl-1.1.1o.ebuild
+++ /dev/null
@@ -1,318 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
-
-MY_P=${P/_/-}
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-test-fixes-expiry.patch.xz
-	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssl.org.asc
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		kernel_linux? ( sys-process/procps )
-	)
-	verify-sig? ( sec-keys/openpgp-keys-openssl )"
-PDEPEND="app-misc/ca-certificates"
-
-S="${WORKDIR}/${MY_P}"
-
-# force upgrade to prevent broken login, bug 696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
-	"${WORKDIR}"/${P}-test-fixes-expiry.patch
-)
-
-pkg_setup() {
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl don't work with userpriv!
-	if use test && use sctp; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	# keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
-			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
-		fi
-	fi
-
-	eapply_user #332661
-
-	if use test && use sctp && has network-sandbox ${FEATURES}; then
-		ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
-		rm test/recipes/80-test_ssl_new.t || die
-		eend $?
-	fi
-
-	# make sure the man pages are suffixed #302165
-	# don't bother building man pages if they're disabled
-	# Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (#417795 again)
-	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	# Prefixify Configure shebang (#141906)
-	sed \
-		-e "1s,/usr/bin/env,${EPREFIX}&," \
-		-i Configure || die
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-
-	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
-		# use GNU ld full option, not to confuse it on Solaris
-		sed -i \
-			-e 's/-Wl,-M,/-Wl,--version-script=/' \
-			-e 's/-Wl,-h,/-Wl,--soname=/' \
-			Configurations/10-main.conf || die
-
-		# fix building on Solaris 10
-		# https://github.com/openssl/openssl/issues/6333
-		sed -i \
-			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
-			Configurations/10-main.conf || die
-	fi
-
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	unset APPS #197996
-	unset SCRIPTS #312551
-	unset CROSS_COMPILE #311473
-
-	tc-export CC AR RANLIB RC
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths. #460790
-	local ec_nistp_64_gcc_128
-	# Disable it for now though #469976
-	# echo "__uint128_t i;" > "${T}"/128.c
-	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	# 	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	# fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	# Make sure user flags don't get added *yet* to avoid duplicated
-	# flags.
-	CFLAGS= LDFLAGS= edo ./${config} \
-		${sslout} \
-		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
-		enable-camellia \
-		enable-ec \
-		enable-ec2m \
-		enable-sm2 \
-		enable-srp \
-		$(use elibc_musl && echo "no-async") \
-		${ec_nistp_64_gcc_128} \
-		enable-idea \
-		enable-mdc2 \
-		enable-rc5 \
-		$(use_ssl sslv3 ssl3) \
-		$(use_ssl sslv3 ssl3-method) \
-		$(use_ssl asm) \
-		$(use_ssl rfc3779) \
-		$(use_ssl sctp) \
-		$(use test || echo "no-tests") \
-		$(use_ssl tls-compression zlib) \
-		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl weak-ssl-ciphers) \
-		--prefix="${EPREFIX}"/usr \
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
-		--libdir=$(get_libdir) \
-		shared threads
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create $ED/usr on our own to avoid a race condition #665130
-	if [[ ! -d "${ED}/usr" ]]; then
-		# We can only create this directory once
-		mkdir "${ED}"/usr || die
-	fi
-
-	emake DESTDIR="${D}" install
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*} ; d=${d#./} ; m=${m##*/}
-		[[ ${m} == openssl.1* ]] && continue
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-		mv ${d}/{,ssl-}${m}
-		# fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
-		ln -s ssl-${m} ${d}/openssl-${m}
-		# locate any symlinks that point to this man page ... we assume
-		# that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-			rm -f ${d}/${s}
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	dodir /etc/sandbox.d #254521
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}
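
Review bot: KEYWORDS in this removed openssl-1.1.1o.ebuild is the only one in the visible hunks with stable arches (amd64 arm arm64 hppa ppc ppc64 sparc x86); the 1.1.1o-r1 and 1.1.1p ebuilds removed alongside it are ~arch throughout. Before dropping it, confirm that a newer ebuild in SLOT 0/1.1 is already stable on each of those arches, and name that version in the commit message so that stable users keep an installable version and the replacement is on record.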

diff --git a/dev-libs/openssl/openssl-1.1.1p.ebuild b/dev-libs/openssl/openssl-1.1.1p.ebuild
deleted file mode 100644
index fef3fdf53f3f..000000000000
--- a/dev-libs/openssl/openssl-1.1.1p.ebuild
+++ /dev/null
@@ -1,337 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
-
-MY_P=${P/_/-}
-DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-if [[ ${PV} != *_pre* ]] ; then
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
-fi
-IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		kernel_linux? ( sys-process/procps )
-	)
-	verify-sig? ( sec-keys/openpgp-keys-openssl )"
-PDEPEND="app-misc/ca-certificates"
-
-# force upgrade to prevent broken login, bug #696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-PATCHES=(
-	# General patches which are suitable to always apply
-	# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
-	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
-	"${FILESDIR}"/${P}-fix-test-build.patch
-)
-
-pkg_setup() {
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl doesn't work with userpriv!
-	if use test && use sctp; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	# Keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		PATCHES+=(
-			# Add patches which are Gentoo-specific customisations here
-		)
-	fi
-
-	default
-
-	if use test && use sctp && has network-sandbox ${FEATURES}; then
-		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
-		rm test/recipes/80-test_ssl_new.t || die
-	fi
-
-	# - Make sure the man pages are suffixed (bug #302165)
-	# - Don't bother building man pages if they're disabled
-	# - Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# Quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (bug #417795 again)
-	tc-is-clang && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	# Prefixify Configure shebang (bug #141906)
-	sed \
-		-e "1s,/usr/bin/env,${BROOT}&," \
-		-i Configure || die
-
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-
-	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
-		# use GNU ld full option, not to confuse it on Solaris
-		sed -i \
-			-e 's/-Wl,-M,/-Wl,--version-script=/' \
-			-e 's/-Wl,-h,/-Wl,--soname=/' \
-			Configurations/10-main.conf || die
-
-		# fix building on Solaris 10
-		# https://github.com/openssl/openssl/issues/6333
-		sed -i \
-			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
-			Configurations/10-main.conf || die
-	fi
-
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	# bug #197996
-	unset APPS
-	# bug #312551
-	unset SCRIPTS
-	# bug #311473
-	unset CROSS_COMPILE
-
-	tc-export AR CC CXX RANLIB RC
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths, bug #460790.
-	local ec_nistp_64_gcc_128
-
-	# Disable it for now though (bug #469976)
-	# echo "__uint128_t i;" > "${T}"/128.c
-	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	# 	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	# fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	# Make sure user flags don't get added *yet* to avoid duplicated
-	# flags.
-	local myeconfargs=(
-		${sslout}
-
-		$(use cpu_flags_x86_sse2 || echo "no-sse2")
-		enable-camellia
-		enable-ec
-		enable-ec2m
-		enable-sm2
-		enable-srp
-		$(use elibc_musl && echo "no-async")
-		${ec_nistp_64_gcc_128}
-		enable-idea
-		enable-mdc2
-		enable-rc5
-		$(use_ssl sslv3 ssl3)
-		$(use_ssl sslv3 ssl3-method)
-		$(use_ssl asm)
-		$(use_ssl rfc3779)
-		$(use_ssl sctp)
-		$(use test || echo "no-tests")
-		$(use_ssl tls-compression zlib)
-		$(use_ssl tls-heartbeat heartbeats)
-		$(use_ssl weak-ssl-ciphers)
-
-		--prefix="${EPREFIX}"/usr
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
-		--libdir=$(get_libdir)
-
-		shared
-		threads
-	)
-
-	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile || die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
-	dodir /usr
-
-	emake DESTDIR="${D}" install
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs. But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*}
-		d=${d#./}
-		m=${m##*/}
-
-		[[ ${m} == openssl.1* ]] && continue
-
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-
-		mv ${d}/{,ssl-}${m} || die
-
-		# Fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
-		ln -s ssl-${m} ${d}/openssl-${m}
-
-		# Locate any symlinks that point to this man page
-		# We assume that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-
-			rm -f ${d}/${s}
-
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	# bug #254521
-	dodir /etc/sandbox.d
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2022-12-13 18:18 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2022-12-13 18:18 UTC (permalink / raw
  To: gentoo-commits

commit:     ebb2a9a705c6d1cefa9c4bc94cf57da7a03f53b6
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 13 18:14:10 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 18:14:18 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebb2a9a7

dev-libs/openssl: fix CVE-2022-3996 for 3.0.7

Only affects 3.x.

Bug: https://bugs.gentoo.org/885797
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/openssl-3.0.7-x509-CVE-2022-3996.patch   |  35 +++
 dev-libs/openssl/openssl-3.0.7-r1.ebuild           | 338 +++++++++++++++++++++
 2 files changed, 373 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
new file mode 100644
index 000000000000..079a4f508ccb
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
@@ -0,0 +1,35 @@
+https://bugs.gentoo.org/885797
+
+https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
+https://github.com/openssl/openssl/issues/19643
+
+From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
+From: Pauli <pauli@openssl.org>
+Date: Fri, 11 Nov 2022 09:40:19 +1100
+Subject: [PATCH] x509: fix double locking problem
+
+This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
+redundant flag setting.
+
+Fixes #19643
+
+Fixes LOW CVE-2022-3996
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19652)
+
+(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
+--- a/crypto/x509/pcy_map.c
++++ b/crypto/x509/pcy_map.c
+@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+ 
+     ret = 1;
+  bad_mapping:
+-    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
+-        x->ex_flags |= EXFLAG_INVALID_POLICY;
+-        CRYPTO_THREAD_unlock(x->lock);
+-    }
+     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
+     return ret;
+ 
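Review bot: the block removed at bad_mapping was the only visible place in this function that set EXFLAG_INVALID_POLICY when ret == -1, and the upstream message calls it "redundant" without saying where else the flag is set. Since this file is carried as a distro patch, a line in its header naming the caller that already sets the flag would let a later reader confirm that a bad policy mapping still marks the certificate invalid, and that the second acquisition of x->lock is gone rather than moved.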

diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
new file mode 100644
index 000000000000..4a19c01cc36b
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
@@ -0,0 +1,338 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	>=app-misc/c_rehash-1.7-r1
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-x509-CVE-2022-3996.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# - Make sure the man pages are suffixed (bug #302165)
+	# - Don't bother building man pages if they're disabled
+	# - Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# Prefixify Configure shebang (bug #141906)
+	sed \
+		-e "1s,/usr/bin/env,${BROOT}&," \
+		-i Configure || die
+
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+
+	# The config script does stupid stuff to prompt the user. Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
+
+	# Clean out hardcoded flags that openssl uses
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:\(^\| \)-fomit-frame-pointer::g' \
+		-e 's:\(^\| \)-O[^ ]*::g' \
+		-e 's:\(^\| \)-march=[^ ]*::g' \
+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
+		-e 's:\(^\| \)-m[^ ]*::g' \
+		-e 's:^ *::' \
+		-e 's: *$::' \
+		-e 's: \+: :g' \
+		-e 's:\\:\\\\:g'
+	)
+
+	# Now insert clean default flags with user flags
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile \
+		|| die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+
+	emake all
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
+	dodir /usr
+
+	emake DESTDIR="${D}" install
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man || die
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*}
+		d=${d#./}
+		m=${m##*/}
+
+		[[ ${m} == openssl.1* ]] && continue
+
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+
+		mv ${d}/{,ssl-}${m} || die
+
+		# Fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
+		ln -s ssl-${m} ${d}/openssl-${m} || die
+
+		# Locate any symlinks that point to this man page
+		# We assume that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+
+			rm -f ${d}/${s}
+
+			# We don't want to "|| die" here
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
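Review bot: in src_unpack the signature check runs on "${DISTDIR}"/${P}.tar.gz{,.asc}, while SRC_URI fetches ${MY_P}.tar.gz and its .asc; the two names agree only while PV has no underscore (MY_P=${P/_/-}), so a version with an underscore suffix would point verify-sig at files that were never downloaded. Use ${MY_P} there, and drop or update the two comments about a "downloaded patch" and a "test fix patch", since the only entry in PATCHES is the local CVE-2022-3996 file. Separately, local krb5 in multilib_src_configure is assigned but never referenced in myeconfargs and can be removed.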


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2022-12-14 23:01 Andreas K. Hüttel
  0 siblings, 0 replies; 52+ messages in thread
From: Andreas K. Hüttel @ 2022-12-14 23:01 UTC (permalink / raw
  To: gentoo-commits

commit:     4b2306f132bd2549bf7e039475ae809f177f2737
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 14 23:00:14 2022 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Wed Dec 14 23:00:14 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b2306f1

dev-libs/openssl: Fix build on m68k

See
https://archives.gentoo.org/gentoo-releng-autobuilds/message/f6163c3b954c76a3dd4bb6eeaab38c51

Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.3 | 172 +++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-3.0.7-r1.ebuild   |   2 +-
 2 files changed, 173 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.3 b/dev-libs/openssl/files/gentoo.config-1.0.3
new file mode 100644
index 000000000000..0662f72b6d80
--- /dev/null
+++ b/dev-libs/openssl/files/gentoo.config-1.0.3
@@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+#
+# Openssl doesn't play along nicely with cross-compiling
+# like autotools based projects, so let's teach it new tricks.
+#
+# Review the bundled 'config' script to see why kind of targets
+# we can pass to the 'Configure' script.
+
+
+# Testing routines
+if [[ $1 == "test" ]] ; then
+	for c in \
+		"arm-gentoo-linux-uclibc      |linux-generic32 -DL_ENDIAN" \
+		"armv5b-linux-gnu             |linux-armv4 -DB_ENDIAN" \
+		"x86_64-pc-linux-gnu          |linux-x86_64" \
+		"alpha-linux-gnu              |linux-alpha-gcc" \
+		"alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
+		"i686-pc-linux-gnu            |linux-elf" \
+		"whatever-gentoo-freebsdX.Y   |BSD-generic32" \
+		"i686-gentoo-freebsdX.Y       |BSD-x86-elf" \
+		"sparc64-alpha-freebsdX.Y     |BSD-sparc64" \
+		"ia64-gentoo-freebsd5.99234   |BSD-ia64" \
+		"x86_64-gentoo-freebsdX.Y     |BSD-x86_64" \
+		"hppa64-aldsF-linux-gnu5.3    |linux-generic32 -DB_ENDIAN" \
+		"powerpc-gentOO-linux-uclibc  |linux-ppc" \
+		"powerpc64-unk-linux-gnu      |linux-ppc64" \
+		"powerpc64le-linux-gnu        |linux-ppc64le" \
+		"x86_64-apple-darwinX         |darwin64-x86_64-cc" \
+		"powerpc64-apple-darwinX      |darwin64-ppc-cc" \
+		"i686-apple-darwinX           |darwin-i386-cc" \
+		"i386-apple-darwinX           |darwin-i386-cc" \
+		"powerpc-apple-darwinX        |darwin-ppc-cc" \
+		"i586-pc-winnt                |winnt-parity" \
+		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
+		"s390x-linux-gnu              |linux64-s390x" \
+	;do
+		CHOST=${c/|*}
+		ret_want=${c/*|}
+		ret_got=$(CHOST=${CHOST} "$0")
+
+		if [[ ${ret_want} == "${ret_got}" ]] ; then
+			echo "PASS: ${CHOST}"
+		else
+			echo "FAIL: ${CHOST}"
+			echo -e "\twanted: ${ret_want}"
+			echo -e "\twe got: ${ret_got}"
+		fi
+	done
+	exit 0
+fi
+[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
+
+
+# Detect the operating system
+case ${CHOST} in
+	*-aix*)          system="aix";;
+	*-darwin*)       system="darwin";;
+	*-freebsd*)      system="BSD";;
+	*-hpux*)         system="hpux";;
+	*-linux*)        system="linux";;
+	*-solaris*)      system="solaris";;
+	*-winnt*)        system="winnt";;
+	x86_64-*-mingw*) system="mingw64";;
+	*mingw*)         system="mingw";;
+	*)               exit 0;;
+esac
+
+
+# Compiler munging
+compiler="gcc"
+if [[ ${CC} == "ccc" ]] ; then
+	compiler=${CC}
+fi
+
+
+# Detect target arch
+machine=""
+chost_machine=${CHOST%%-*}
+case ${system} in
+linux)
+	case ${chost_machine}:${ABI} in
+		aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
+		aarch64*)     machine="aarch64 -DL_ENDIAN";;
+		alphaev56*|\
+		alphaev[678]*)machine=alpha+bwx-${compiler};;
+		alpha*)       machine=alpha-${compiler};;
+		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
+		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
+		arm*b*)       machine="generic32 -DB_ENDIAN";;
+		arm*)         machine="generic32 -DL_ENDIAN";;
+		avr*)         machine="generic32 -DL_ENDIAN";;
+		bfin*)        machine="generic32 -DL_ENDIAN";;
+	#	hppa64*)      machine=parisc64;;
+		hppa*)        machine="generic32 -DB_ENDIAN";;
+		i[0-9]86*|\
+		x86_64*:x86)  machine=elf;;
+		ia64*)        machine=ia64;;
+		loongarch64*) machine="generic64 -DL_ENDIAN";;
+		m68*)         machine="latomic -DB_ENDIAN";;
+		mips*el*)     machine="generic32 -DL_ENDIAN";;
+		mips*)        machine="generic32 -DB_ENDIAN";;
+		powerpc64*le*)machine=ppc64le;;
+		powerpc64*)   machine=ppc64;;
+		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
+		powerpc*)     machine=ppc;;
+		riscv32*)     machine="generic32 -DL_ENDIAN";;
+		riscv64*)     machine="generic64 -DL_ENDIAN";;
+	#	sh64*)        machine=elf;;
+		sh*b*)        machine="generic32 -DB_ENDIAN";;
+		sh*)          machine="generic32 -DL_ENDIAN";;
+		# TODO: Might want to do -mcpu probing like glibc to determine a
+		# better default for sparc-linux-gnu targets.  This logic will
+		# break v7 and older systems when they use it.
+		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
+		sparc64*)     machine=sparcv9 system=linux64;;
+		sparc*v9*)    machine=sparcv9;;
+		sparc*v8*)    machine=sparcv8;;
+		sparc*)       machine=sparcv8;;
+		s390x*)       machine=s390x system=linux64;;
+		s390*)        machine="generic32 -DB_ENDIAN";;
+		x86_64*:x32)  machine=x32;;
+		x86_64*)      machine=x86_64;;
+	esac
+	;;
+BSD)
+	case ${chost_machine} in
+		alpha*)       machine=generic64;;
+		i[6-9]86*)    machine=x86-elf;;
+		ia64*)        machine=ia64;;
+		sparc64*)     machine=sparc64;;
+		x86_64*)      machine=x86_64;;
+		*)            machine=generic32;;
+	esac
+	;;
+aix)
+	machine=${compiler}
+	;;
+darwin)
+	case ${chost_machine} in
+		powerpc64)    machine=ppc-cc; system=${system}64;;
+		powerpc)      machine=ppc-cc;;
+		i?86*)        machine=i386-cc;;
+		x86_64)       machine=x86_64-cc; system=${system}64;;
+	esac
+	;;
+hpux)
+	case ${chost_machine} in
+		ia64)	machine=ia64-${compiler} ;;
+	esac
+	;;
+solaris)
+	case ${chost_machine} in
+		i386)         machine=x86-${compiler} ;;
+		x86_64*)      machine=x86_64-${compiler}; system=${system}64;;
+		sparcv9*)     machine=sparcv9-${compiler}; system=${system}64;;
+		sparc*)       machine=sparcv8-${compiler};;
+	esac
+	;;
+winnt)
+	machine=parity
+	;;
+mingw*)
+	# special case ... no xxx-yyy style name
+	echo ${system}
+	;;
+esac
+
+
+# If we have something, show it
+[[ -n ${machine} ]] && echo ${system}-${machine}
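Review bot: the m68* entry in the linux case is not covered by the self-test table at the top of the script, which has no m68k CHOST (nor loongarch64 or riscv), so running the script with the test argument cannot catch a regression in the case this commit exists to fix. Add a row such as "m68k-unknown-linux-gnu |linux-latomic -DB_ENDIAN", and have the loop track failures and exit non-zero instead of the unconditional exit 0, so a FAIL line is visible to whatever invokes it.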

diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
index 4a19c01cc36b..732cdb499d4b 100644
--- a/dev-libs/openssl/openssl-3.0.7-r1.ebuild
+++ b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
@@ -92,7 +92,7 @@ src_unpack() {
 
 src_prepare() {
 	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	cp "${FILESDIR}"/gentoo.config-1.0.3 gentoo.config || die
 	chmod a+rx gentoo.config || die
 
 	# Keep this in sync with app-misc/c_rehash
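Review bot: this points the existing -r1 ebuild at gentoo.config-1.0.3 with no revision bump, and because 1.0.3 arrives as a whole new 172-line file the patch does not show how it differs from 1.0.2. If the m68* line is the only change, say so in the commit message; if the Configure target of any other architecture changed as well, users who already built -r1 will not be rebuilt, which argues for a new revision.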


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2022-12-16 20:47 Andreas K. Hüttel
  0 siblings, 0 replies; 52+ messages in thread
From: Andreas K. Hüttel @ 2022-12-16 20:47 UTC (permalink / raw
  To: gentoo-commits

commit:     93dfaa16b6a326527e0a158839e2d95478e3559f
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Fri Dec 16 20:46:38 2022 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Fri Dec 16 20:47:22 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93dfaa16

dev-libs/openssl: Use new config file in -r2, update mips defs for testing

Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 176 +++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-3.0.7-r2.ebuild   |   2 +-
 2 files changed, 177 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
new file mode 100644
index 000000000000..edbf22a56dff
--- /dev/null
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -0,0 +1,176 @@
+#!/usr/bin/env bash
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+#
+# Openssl doesn't play along nicely with cross-compiling
+# like autotools based projects, so let's teach it new tricks.
+#
+# Review the bundled 'config' script to see why kind of targets
+# we can pass to the 'Configure' script.
+
+
+# Testing routines
+if [[ $1 == "test" ]] ; then
+	for c in \
+		"arm-gentoo-linux-uclibc      |linux-generic32 -DL_ENDIAN" \
+		"armv5b-linux-gnu             |linux-armv4 -DB_ENDIAN" \
+		"x86_64-pc-linux-gnu          |linux-x86_64" \
+		"alpha-linux-gnu              |linux-alpha-gcc" \
+		"alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
+		"i686-pc-linux-gnu            |linux-elf" \
+		"whatever-gentoo-freebsdX.Y   |BSD-generic32" \
+		"i686-gentoo-freebsdX.Y       |BSD-x86-elf" \
+		"sparc64-alpha-freebsdX.Y     |BSD-sparc64" \
+		"ia64-gentoo-freebsd5.99234   |BSD-ia64" \
+		"x86_64-gentoo-freebsdX.Y     |BSD-x86_64" \
+		"hppa64-aldsF-linux-gnu5.3    |linux-generic32 -DB_ENDIAN" \
+		"powerpc-gentOO-linux-uclibc  |linux-ppc" \
+		"powerpc64-unk-linux-gnu      |linux-ppc64" \
+		"powerpc64le-linux-gnu        |linux-ppc64le" \
+		"x86_64-apple-darwinX         |darwin64-x86_64-cc" \
+		"powerpc64-apple-darwinX      |darwin64-ppc-cc" \
+		"i686-apple-darwinX           |darwin-i386-cc" \
+		"i386-apple-darwinX           |darwin-i386-cc" \
+		"powerpc-apple-darwinX        |darwin-ppc-cc" \
+		"i586-pc-winnt                |winnt-parity" \
+		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
+		"s390x-linux-gnu              |linux64-s390x" \
+	;do
+		CHOST=${c/|*}
+		ret_want=${c/*|}
+		ret_got=$(CHOST=${CHOST} "$0")
+
+		if [[ ${ret_want} == "${ret_got}" ]] ; then
+			echo "PASS: ${CHOST}"
+		else
+			echo "FAIL: ${CHOST}"
+			echo -e "\twanted: ${ret_want}"
+			echo -e "\twe got: ${ret_got}"
+		fi
+	done
+	exit 0
+fi
+[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
+
+
+# Detect the operating system
+case ${CHOST} in
+	*-aix*)          system="aix";;
+	*-darwin*)       system="darwin";;
+	*-freebsd*)      system="BSD";;
+	*-hpux*)         system="hpux";;
+	*-linux*)        system="linux";;
+	*-solaris*)      system="solaris";;
+	*-winnt*)        system="winnt";;
+	x86_64-*-mingw*) system="mingw64";;
+	*mingw*)         system="mingw";;
+	*)               exit 0;;
+esac
+
+
+# Compiler munging
+compiler="gcc"
+if [[ ${CC} == "ccc" ]] ; then
+	compiler=${CC}
+fi
+
+
+# Detect target arch
+machine=""
+chost_machine=${CHOST%%-*}
+case ${system} in
+linux)
+	case ${chost_machine}:${ABI} in
+		aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
+		aarch64*)     machine="aarch64 -DL_ENDIAN";;
+		alphaev56*|\
+		alphaev[678]*)machine=alpha+bwx-${compiler};;
+		alpha*)       machine=alpha-${compiler};;
+		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
+		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
+		arm*b*)       machine="generic32 -DB_ENDIAN";;
+		arm*)         machine="generic32 -DL_ENDIAN";;
+		avr*)         machine="generic32 -DL_ENDIAN";;
+		bfin*)        machine="generic32 -DL_ENDIAN";;
+	#	hppa64*)      machine=parisc64;;
+		hppa*)        machine="generic32 -DB_ENDIAN";;
+		i[0-9]86*|\
+		x86_64*:x86)  machine=elf;;
+		ia64*)        machine=ia64;;
+		loongarch64*) machine="generic64 -DL_ENDIAN";;
+		m68*)         machine="latomic -DB_ENDIAN";;
+		mips*el*:o32) machine="mips32 -DL_ENDIAN";;
+		mips*:o32)    machine="mips32 -DB_ENDIAN";;
+		mips*el*:n32) machine="mips64 -DL_ENDIAN";;
+		mips*:n32)    machine="mips64 -DB_ENDIAN";;
+		mips*el*:n64) machine="mips64 -DL_ENDIAN" system=linux64;;
+		mips*:n64)    machine="mips64 -DB_ENDIAN" system=linux64;;
+		powerpc64*le*)machine=ppc64le;;
+		powerpc64*)   machine=ppc64;;
+		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
+		powerpc*)     machine=ppc;;
+		riscv32*)     machine="generic32 -DL_ENDIAN";;
+		riscv64*)     machine="generic64 -DL_ENDIAN";;
+	#	sh64*)        machine=elf;;
+		sh*b*)        machine="generic32 -DB_ENDIAN";;
+		sh*)          machine="generic32 -DL_ENDIAN";;
+		# TODO: Might want to do -mcpu probing like glibc to determine a
+		# better default for sparc-linux-gnu targets.  This logic will
+		# break v7 and older systems when they use it.
+		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
+		sparc64*)     machine=sparcv9 system=linux64;;
+		sparc*v9*)    machine=sparcv9;;
+		sparc*v8*)    machine=sparcv8;;
+		sparc*)       machine=sparcv8;;
+		s390x*)       machine=s390x system=linux64;;
+		s390*)        machine="generic32 -DB_ENDIAN";;
+		x86_64*:x32)  machine=x32;;
+		x86_64*)      machine=x86_64;;
+	esac
+	;;
+BSD)
+	case ${chost_machine} in
+		alpha*)       machine=generic64;;
+		i[6-9]86*)    machine=x86-elf;;
+		ia64*)        machine=ia64;;
+		sparc64*)     machine=sparc64;;
+		x86_64*)      machine=x86_64;;
+		*)            machine=generic32;;
+	esac
+	;;
+aix)
+	machine=${compiler}
+	;;
+darwin)
+	case ${chost_machine} in
+		powerpc64)    machine=ppc-cc; system=${system}64;;
+		powerpc)      machine=ppc-cc;;
+		i?86*)        machine=i386-cc;;
+		x86_64)       machine=x86_64-cc; system=${system}64;;
+	esac
+	;;
+hpux)
+	case ${chost_machine} in
+		ia64)	machine=ia64-${compiler} ;;
+	esac
+	;;
+solaris)
+	case ${chost_machine} in
+		i386)         machine=x86-${compiler} ;;
+		x86_64*)      machine=x86_64-${compiler}; system=${system}64;;
+		sparcv9*)     machine=sparcv9-${compiler}; system=${system}64;;
+		sparc*)       machine=sparcv8-${compiler};;
+	esac
+	;;
+winnt)
+	machine=parity
+	;;
+mingw*)
+	# special case ... no xxx-yyy style name
+	echo ${system}
+	;;
+esac
+
+
+# If we have something, show it
+[[ -n ${machine} ]] && echo ${system}-${machine}
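Review bot: the six mips patterns in the linux case all require an ABI suffix (:o32, :n32, :n64), so a mips CHOST with ABI unset or set to anything else now matches nothing, machine stays empty, the script prints nothing, and the ebuild silently falls back to ./config ("openssl knows best"). Keep a catch-all after the ABI-specific entries, for example mips*el*) and mips*) mapping to the generic32 values used in gentoo.config-1.0.3, and add mips rows to the test table with ABI set explicitly.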

diff --git a/dev-libs/openssl/openssl-3.0.7-r2.ebuild b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
index 5ec2da26dfd6..4cbd0bd5374b 100644
--- a/dev-libs/openssl/openssl-3.0.7-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
@@ -93,7 +93,7 @@ src_unpack() {
 
 src_prepare() {
 	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.3 gentoo.config || die
+	cp "${FILESDIR}"/gentoo.config-1.0.4 gentoo.config || die
 	chmod a+rx gentoo.config || die
 
 	# Keep this in sync with app-misc/c_rehash


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2022-12-17 19:19 Andreas K. Hüttel
  0 siblings, 0 replies; 52+ messages in thread
From: Andreas K. Hüttel @ 2022-12-17 19:19 UTC (permalink / raw
  To: gentoo-commits

commit:     46e080f168be4b67e832229997c2b200fe269e34
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Sat Dec 17 19:19:14 2022 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Sat Dec 17 19:19:14 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46e080f1

dev-libs/openssl: keyword 3.0.7-r2 for ~loong

Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 2 +-
 dev-libs/openssl/openssl-3.0.7-r2.ebuild   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index edbf22a56dff..98f8d1af64ac 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -97,7 +97,7 @@ linux)
 		i[0-9]86*|\
 		x86_64*:x86)  machine=elf;;
 		ia64*)        machine=ia64;;
-		loongarch64*) machine="generic64 -DL_ENDIAN";;
+		loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
 		m68*)         machine="latomic -DB_ENDIAN";;
 		mips*el*:o32) machine="mips32 -DL_ENDIAN";;
 		mips*:o32)    machine="mips32 -DB_ENDIAN";;
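Review bot: The `loongarch64*)` arm changes the Configure target from `generic64` to `loongarch64` and forces `system=linux64`, but the commit message only mentions keywording 3.0.7-r2 for ~loong. Because gentoo.config-1.0.4 is edited in place, every ebuild that copies this file picks up the new target, so the message should state the target change and which OpenSSL versions were checked to provide it. The arm also hard-codes `system=linux64`, while the 64-bit arms visible in the earlier gentoo.config hunk on this page write `system=${system}64`; using the same form would keep the file consistent.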

diff --git a/dev-libs/openssl/openssl-3.0.7-r2.ebuild b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
index 4ee76298915b..2bccbd686aa0 100644
--- a/dev-libs/openssl/openssl-3.0.7-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
@@ -19,7 +19,7 @@ else
 	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
 		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
 	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-	KEYWORDS="~alpha ~amd64 ~arm64 ~mips"
+	KEYWORDS="~alpha ~amd64 ~arm64 ~loong ~mips"
 fi
 
 S="${WORKDIR}"/${MY_P}



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-02-12 23:23 Mike Gilbert
  0 siblings, 0 replies; 52+ messages in thread
From: Mike Gilbert @ 2023-02-12 23:23 UTC (permalink / raw
  To: gentoo-commits

commit:     c3fb91dafb05c7665a96a6d97ad2a5ed69791f3c
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 12 23:21:09 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sun Feb 12 23:23:10 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3fb91da

dev-libs/openssl: fix Configure on mips

Closes: https://bugs.gentoo.org/894140
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 .../openssl/files/openssl-3.0.8-mips-cflags.patch  | 30 ++++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.1t-r1.ebuild          |  1 +
 dev-libs/openssl/openssl-3.0.8.ebuild              |  5 ++++
 3 files changed, 36 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch b/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch
new file mode 100644
index 000000000000..111681f27d07
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch
@@ -0,0 +1,30 @@
+https://bugs.gentoo.org/894140
+https://github.com/openssl/openssl/issues/20214
+
+From d500b51791cd56e73065e3a7f4487fc33f31c91c Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Sun, 12 Feb 2023 17:56:58 -0500
+Subject: [PATCH] Fix Configure test for -mips in CFLAGS
+
+We want to add -mips2 or -mips3 only if the user hasn't already
+specified a mips version in CFLAGS. The existing test was a
+double-negative.
+
+Fixes: https://github.com/openssl/openssl/issues/20214
+---
+ Configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configure b/Configure
+index b6bbec0a85c4..ec48614d6b99 100755
+--- a/Configure
++++ b/Configure
+@@ -1475,7 +1475,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+         }
+ 
+ if ($target =~ /linux.*-mips/ && !$disabled{asm}
+-        && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
++        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+         # minimally required architecture flags for assembly modules
+         my $value;
+         $value = '-mips2' if ($target =~ /mips32/);
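Review bot: In the corrected test, `/-m(ips|arch=)/` is unanchored, so it matches `-mips` or `-march=` anywhere inside a CFLAGS element rather than only at the start of a flag; `/^-m(ips|arch=)/` would express the intent given in the patch description more precisely. The test also inspects only `@{$config{CFLAGS}}`, so an ISA level supplied any other way is not seen and `-mips2` or `-mips3` is still appended; if that is intended, say so in the patch description. The Gentoo header above the `From` line lists the bug and the upstream issue but not whether the fix was submitted upstream, which is worth recording for whoever drops the patch later.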

diff --git a/dev-libs/openssl/openssl-1.1.1t-r1.ebuild b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
index 89d9f7f6c010..7261dbf43506 100644
--- a/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
@@ -47,6 +47,7 @@ PATCHES=(
 	# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
 	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
 	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
 )
 
 pkg_setup() {
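Review bot: The new PATCHES entry hard-codes `openssl-3.0.8-mips-cflags.patch`, while the two entries above it use `${PN}-` and the first carries a bug reference; writing it as `"${FILESDIR}"/${PN}-3.0.8-mips-cflags.patch # bug #894140` would match them. The patch was generated against the 3.0.8 Configure (its hunk header is `@@ -1475,7 +1475,7 @@`), so confirm it applies to 1.1.1t without fuzz. The comment at the top of this array asks for Gentoo-specific patches to go under the USE=-vanilla logic, so a short note on why this one is applied unconditionally would settle that question for the next reader.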

diff --git a/dev-libs/openssl/openssl-3.0.8.ebuild b/dev-libs/openssl/openssl-3.0.8.ebuild
index e259080c01c3..37799cd36092 100644
--- a/dev-libs/openssl/openssl-3.0.8.ebuild
+++ b/dev-libs/openssl/openssl-3.0.8.ebuild
@@ -50,6 +50,10 @@ MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/openssl/configuration.h
 )
 
+PATCHES=(
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+)
+
 pkg_setup() {
 	if use ktls ; then
 		if kernel_is -lt 4 18 ; then
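Review bot: The new `PATCHES=( ... )` array gives no reason for its single entry; add `# bug #894140` after the file name so the link to the report survives once the commit message is out of sight. The ebuild is also changed in place rather than under a new revision, which is fine only if the patched Configure test cannot alter the result of a build that already succeeded; the commit message should say which case applies on mips.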
@@ -99,6 +103,7 @@ src_prepare() {
 	# that gets blown away anyways by the Configure script in src_configure
 	rm -f Makefile
 
+
 	if ! use vanilla ; then
 		PATCHES+=(
 			# Add patches which are Gentoo-specific customisations here
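Review bot: The only change in this hunk is a stray empty line after `rm -f Makefile`, which leaves two consecutive blank lines before `if ! use vanilla ; then`; drop it.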



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-03-14 19:48 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2023-03-14 19:48 UTC (permalink / raw
  To: gentoo-commits

commit:     568c16c5c05f87f999b04925544cd1ee344319c1
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 14 19:38:22 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Mar 14 19:48:32 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=568c16c5

dev-libs/openssl: drop 3.0.7-r1, 3.0.7-r4

Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../files/openssl-3.0.7-x509-CVE-2022-3996.patch   |  35 ---
 dev-libs/openssl/openssl-3.0.7-r1.ebuild           | 338 ---------------------
 dev-libs/openssl/openssl-3.0.7-r4.ebuild           | 264 ----------------
 4 files changed, 639 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 31e236b00955..f45d7d6c5109 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,7 +5,5 @@ DIST openssl-1.1.1s.tar.gz 9868981 BLAKE2B ecd19eaf84dbc80448b51651abe52a89cc005
 DIST openssl-1.1.1s.tar.gz.asc 858 BLAKE2B d95f0f80d460feac737f84ed629c45aaf5e453103ef202ec7d33cf33b89ad83a9007429433b10754b725d7963b1960e350b64e8bdfe569ad149e26bef462eeca SHA512 aa6e5e940448297a90c46ba162f8e6ee324c2e202a9283328c31f996dc2259dd9f5f981d94d1cf1dd3cc73c44647b473602dacb857b9719bf066931b43b899e6
 DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e857728625d31ab3244881cafa91c099a817a09def7746bce4133585bfc90b769f43527e77a81ed13e60a8c2fb4d8d SHA512 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c
 DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
-DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424
-DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1
 DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
 DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6
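Review bot: Removing both `openssl-3.0.7.tar.gz` DIST entries is correct only if no remaining ebuild fetches that tarball. The commit drops 3.0.7-r1 and 3.0.7-r4; confirm that no other 3.0.7 revision is still in the tree (3.0.7-r2 was edited by an earlier commit in this thread), otherwise its Manifest check will fail.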

diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
deleted file mode 100644
index 079a4f508ccb..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://bugs.gentoo.org/885797
-
-https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
-https://github.com/openssl/openssl/issues/19643
-
-From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
-From: Pauli <pauli@openssl.org>
-Date: Fri, 11 Nov 2022 09:40:19 +1100
-Subject: [PATCH] x509: fix double locking problem
-
-This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
-redundant flag setting.
-
-Fixes #19643
-
-Fixes LOW CVE-2022-3996
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19652)
-
-(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
---- a/crypto/x509/pcy_map.c
-+++ b/crypto/x509/pcy_map.c
-@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
- 
-     ret = 1;
-  bad_mapping:
--    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
--        x->ex_flags |= EXFLAG_INVALID_POLICY;
--        CRYPTO_THREAD_unlock(x->lock);
--    }
-     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
-     return ret;
- 
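Review bot: This removes the backported CVE-2022-3996 fix, and the commit message does not say where the fix comes from afterwards. Add a line stating that the remaining 3.0.x ebuilds ship a release that already contains upstream commit 7725e7bfe6f2ce8146b6552b44e0d226be7638e7, so the removal can be audited later without rereading the ebuilds.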

diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
deleted file mode 100644
index a1bcc6a59545..000000000000
--- a/dev-libs/openssl/openssl-3.0.7-r1.ebuild
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
-
-DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
-
-MY_P=${P/_/-}
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
-
-	inherit git-r3
-else
-	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-fi
-
-S="${WORKDIR}"/${MY_P}
-
-LICENSE="Apache-2.0"
-SLOT="0/3" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-COMMON_DEPEND="
-	>=app-misc/c_rehash-1.7-r1
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		sys-process/procps
-	)
-	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
-
-DEPEND="${COMMON_DEPEND}"
-RDEPEND="${COMMON_DEPEND}"
-PDEPEND="app-misc/ca-certificates"
-
-MULTILIB_WRAPPED_HEADERS=(
-	/usr/include/openssl/configuration.h
-)
-
-PATCHES=(
-	"${FILESDIR}"/${P}-x509-CVE-2022-3996.patch
-)
-
-pkg_setup() {
-	if use ktls ; then
-		if kernel_is -lt 4 18 ; then
-			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
-		else
-			CONFIG_CHECK="~TLS ~TLS_DEVICE"
-			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
-			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
-
-			linux-info_pkg_setup
-		fi
-	fi
-
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl doesn't work with userpriv!
-	if use test && use sctp ; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.3 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	# Keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		PATCHES+=(
-			# Add patches which are Gentoo-specific customisations here
-		)
-	fi
-
-	default
-
-	if use test && use sctp && has network-sandbox ${FEATURES} ; then
-		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
-		rm test/recipes/80-test_ssl_new.t || die
-	fi
-
-	# - Make sure the man pages are suffixed (bug #302165)
-	# - Don't bother building man pages if they're disabled
-	# - Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
-	# Quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (bug #417795 again)
-	tc-is-clang && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	# Prefixify Configure shebang (bug #141906)
-	sed \
-		-e "1s,/usr/bin/env,${BROOT}&," \
-		-i Configure || die
-
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-
-	# The config script does stupid stuff to prompt the user. Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	# bug #197996
-	unset APPS
-	# bug #312551
-	unset SCRIPTS
-	# bug #311473
-	unset CROSS_COMPILE
-
-	tc-export AR CC CXX RANLIB RC
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths, bug #460790.
-	#local ec_nistp_64_gcc_128
-	#
-	# Disable it for now though (bug #469976)
-	# Do NOT re-enable without substantial discussion first!
-	#
-	#echo "__uint128_t i;" > "${T}"/128.c
-	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Using configuration: ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
-
-	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
-	local myeconfargs=(
-		${sslout}
-
-		$(use cpu_flags_x86_sse2 || echo "no-sse2")
-		enable-camellia
-		enable-ec
-		enable-ec2m
-		enable-sm2
-		enable-srp
-		$(use elibc_musl && echo "no-async")
-		enable-idea
-		enable-mdc2
-		enable-rc5
-		$(use fips && echo "enable-fips")
-		$(use_ssl asm)
-		$(use_ssl ktls)
-		$(use_ssl rfc3779)
-		$(use_ssl sctp)
-		$(use test || echo "no-tests")
-		$(use_ssl tls-compression zlib)
-		$(use_ssl weak-ssl-ciphers)
-
-		--prefix="${EPREFIX}"/usr
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
-		--libdir=$(get_libdir)
-
-		shared
-		threads
-	)
-
-	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile \
-		|| die
-}
-
-multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
-
-	emake all
-}
-
-multilib_src_test() {
-	# VFP = show subtests verbosely and show failed tests verbosely
-	# Normal V=1 would show everything verbosely but this slows things down.
-	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
-}
-
-multilib_src_install() {
-	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
-	dodir /usr
-
-	emake DESTDIR="${D}" install
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs. But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs ; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
-
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*}
-		d=${d#./}
-		m=${m##*/}
-
-		[[ ${m} == openssl.1* ]] && continue
-
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-
-		mv ${d}/{,ssl-}${m} || die
-
-		# Fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
-		ln -s ssl-${m} ${d}/openssl-${m} || die
-
-		# Locate any symlinks that point to this man page
-		# We assume that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-
-			rm -f ${d}/${s}
-
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
-	# bug #254521
-	dodir /etc/sandbox.d
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
-}

diff --git a/dev-libs/openssl/openssl-3.0.7-r4.ebuild b/dev-libs/openssl/openssl-3.0.7-r4.ebuild
deleted file mode 100644
index 54d8d66651f8..000000000000
--- a/dev-libs/openssl/openssl-3.0.7-r4.ebuild
+++ /dev/null
@@ -1,264 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
-
-DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
-
-MY_P=${P/_/-}
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
-
-	inherit git-r3
-else
-	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-fi
-
-S="${WORKDIR}"/${MY_P}
-
-LICENSE="Apache-2.0"
-SLOT="0/3" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-COMMON_DEPEND="
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		sys-process/procps
-	)
-	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
-
-DEPEND="${COMMON_DEPEND}"
-RDEPEND="${COMMON_DEPEND}"
-PDEPEND="app-misc/ca-certificates"
-
-MULTILIB_WRAPPED_HEADERS=(
-	/usr/include/openssl/configuration.h
-)
-
-PATCHES=(
-	"${FILESDIR}"/${P}-x509-CVE-2022-3996.patch
-)
-
-pkg_setup() {
-	if use ktls ; then
-		if kernel_is -lt 4 18 ; then
-			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
-		else
-			CONFIG_CHECK="~TLS ~TLS_DEVICE"
-			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
-			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
-			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
-
-			linux-info_pkg_setup
-		fi
-	fi
-
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl doesn't work with userpriv!
-	if use test && use sctp ; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.4 gentoo.config || die
-	chmod a+rx gentoo.config || die
-
-	# Keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		PATCHES+=(
-			# Add patches which are Gentoo-specific customisations here
-		)
-	fi
-
-	default
-
-	if use test && use sctp && has network-sandbox ${FEATURES} ; then
-		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
-		rm test/recipes/80-test_ssl_new.t || die
-	fi
-
-	# Quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (bug #417795 again)
-	tc-is-clang && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	local sslout=$(./gentoo.config)
-	einfo "Using configuration: ${sslout:-(openssl knows best)}"
-	edo perl Configure ${sslout} --test-sanity
-
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	# bug #197996
-	unset APPS
-	# bug #312551
-	unset SCRIPTS
-	# bug #311473
-	unset CROSS_COMPILE
-
-	tc-export AR CC CXX RANLIB RC
-
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths, bug #460790.
-	#local ec_nistp_64_gcc_128
-	#
-	# Disable it for now though (bug #469976)
-	# Do NOT re-enable without substantial discussion first!
-	#
-	#echo "__uint128_t i;" > "${T}"/128.c
-	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#fi
-
-	local sslout=$(./gentoo.config)
-	einfo "Using configuration: ${sslout:-(openssl knows best)}"
-
-	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
-	local myeconfargs=(
-		${sslout}
-
-		$(use cpu_flags_x86_sse2 || echo "no-sse2")
-		enable-camellia
-		enable-ec
-		enable-ec2m
-		enable-sm2
-		enable-srp
-		$(use elibc_musl && echo "no-async")
-		enable-idea
-		enable-mdc2
-		enable-rc5
-		$(use fips && echo "enable-fips")
-		$(use_ssl asm)
-		$(use_ssl ktls)
-		$(use_ssl rfc3779)
-		$(use_ssl sctp)
-		$(use test || echo "no-tests")
-		$(use_ssl tls-compression zlib)
-		$(use_ssl weak-ssl-ciphers)
-
-		--prefix="${EPREFIX}"/usr
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
-		--libdir=$(get_libdir)
-
-		shared
-		threads
-	)
-
-	edo perl Configure "${myeconfargs[@]}"
-}
-
-multilib_src_compile() {
-	emake build_sw
-
-	if multilib_is_native_abi; then
-		emake build_docs
-	fi
-}
-
-multilib_src_test() {
-	# VFP = show subtests verbosely and show failed tests verbosely
-	# Normal V=1 would show everything verbosely but this slows things down.
-	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
-}
-
-multilib_src_install() {
-	emake DESTDIR="${D}" install_sw
-	if use fips; then
-		emake DESTDIR="${D}" install_fips
-	fi
-
-	if multilib_is_native_abi; then
-		emake DESTDIR="${D}" install_ssldirs
-		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
-	fi
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs. But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs ; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
-
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# bug #254521
-	dodir /etc/sandbox.d
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
-	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
-	eend $?
-}



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-03-22 23:00 Patrick McLean
  0 siblings, 0 replies; 52+ messages in thread
From: Patrick McLean @ 2023-03-22 23:00 UTC (permalink / raw
  To: gentoo-commits

commit:     f8e9992c5936077459a640b9cb4aa07ff5e75a20
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 22 22:58:47 2023 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Wed Mar 22 22:59:47 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8e9992c

dev-libs/openssl: Bump to 3.0.8-r2, add patch for CVE-2023-0464

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssl-3.0.8-CVE-2023-0464.patch        | 214 ++++++++++++++++
 dev-libs/openssl/openssl-3.0.8-r2.ebuild           | 271 +++++++++++++++++++++
 2 files changed, 485 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
new file mode 100644
index 000000000000..3cf1d3b38ec9
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
@@ -0,0 +1,214 @@
+commit 959c59c7a0164117e7f8366466a32bb1f8d77ff1
+Author: Pauli <pauli@openssl.org>
+Date:   Wed Mar 8 15:28:20 2023 +1100
+
+    x509: excessive resource use verifying policy constraints
+    
+    A security vulnerability has been identified in all supported versions
+    of OpenSSL related to the verification of X.509 certificate chains
+    that include policy constraints.  Attackers may be able to exploit this
+    vulnerability by creating a malicious certificate chain that triggers
+    exponential use of computational resources, leading to a denial-of-service
+    (DoS) attack on affected systems.
+    
+    Fixes CVE-2023-0464
+    
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    (Merged from https://github.com/openssl/openssl/pull/20568)
+
+diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
+index 18b53cc09e..cba107ca03 100644
+--- a/crypto/x509/pcy_local.h
++++ b/crypto/x509/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
++    /* The number of nodes in the tree */
++    size_t node_count;
++    /* The maximum number of nodes in the tree */
++    size_t node_maximum;
++
+     /* This is the tree 'level' data */
+     X509_POLICY_LEVEL *levels;
+     int nlevel;
+@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+                                              X509_POLICY_DATA *data,
+                                              X509_POLICY_NODE *parent,
+-                                             X509_POLICY_TREE *tree);
++                                             X509_POLICY_TREE *tree,
++                                             int extra_data);
+ void ossl_policy_node_free(X509_POLICY_NODE *node);
+ int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
+                            const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
+index 9d9a7ea179..450f95a655 100644
+--- a/crypto/x509/pcy_node.c
++++ b/crypto/x509/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+                                              X509_POLICY_DATA *data,
+                                              X509_POLICY_NODE *parent,
+-                                             X509_POLICY_TREE *tree)
++                                             X509_POLICY_TREE *tree,
++                                             int extra_data)
+ {
+     X509_POLICY_NODE *node;
+ 
++    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
++    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++        return NULL;
++
+     node = OPENSSL_zalloc(sizeof(*node));
+     if (node == NULL) {
+         ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
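Review bot: the new limit check at the top of ossl_policy_level_add_node() dereferences tree unconditionally (tree->node_maximum, tree->node_count), yet before this patch tree_link_matching_nodes() and tree_link_any() called the function with tree == NULL, and the old `if (tree)` test further down treated NULL as a legal argument. Every call site touched in this patch now passes a real tree, but the function is shared through pcy_local.h and nothing at the prototype says the contract changed. Suggest documenting at the declaration that tree must be non-NULL and that extra_data now carries what the old NULL/non-NULL distinction did, or failing early with `if (tree == NULL) return NULL;`.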
+@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+     }
+     node->data = data;
+     node->parent = parent;
+-    if (level) {
++    if (level != NULL) {
+         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+             if (level->anyPolicy)
+                 goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
+-    if (tree) {
++    if (extra_data) {
+         if (tree->extra_data == NULL)
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
++    tree->node_count++;
+     if (parent)
+         parent->nchild++;
+ 
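Review bot: tree->node_count++ is the only place the counter changes in this patch and nothing decrements it, so node_maximum caps the number of successful ossl_policy_level_add_node() calls made for a tree, not the number of nodes alive at any one moment. If that cumulative meaning is intended, the field comment added in pcy_local.h ("The number of nodes in the tree") should say so, because the limit check at the top of this function is the only reader and its behaviour depends on which meaning holds.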
+diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
+index fa45da5117..f953a05a41 100644
+--- a/crypto/x509/pcy_tree.c
++++ b/crypto/x509/pcy_tree.c
+@@ -14,6 +14,17 @@
+ 
+ #include "pcy_local.h"
+ 
++/*
++ * If the maximum number of nodes in the policy tree isn't defined, set it to
++ * a generous default of 1000 nodes.
++ *
++ * Defining this to be zero means unlimited policy tree growth which opens the
++ * door on CVE-2023-0464.
++ */
++#ifndef OPENSSL_POLICY_TREE_NODES_MAX
++# define OPENSSL_POLICY_TREE_NODES_MAX 1000
++#endif
++
+ static void expected_print(BIO *channel,
+                            X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
+                            int indent)
+@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+         return X509_PCY_TREE_INTERNAL;
+     }
+ 
++    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
++    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
++
+     /*
+      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+      *
+@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+     if ((data = ossl_policy_data_new(NULL,
+                                      OBJ_nid2obj(NID_any_policy), 0)) == NULL)
+         goto bad_tree;
+-    if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
++    if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
+         ossl_policy_data_free(data);
+         goto bad_tree;
+     }
+@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+  * Return value: 1 on success, 0 otherwise
+  */
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+-                                    X509_POLICY_DATA *data)
++                                    X509_POLICY_DATA *data,
++                                    X509_POLICY_TREE *tree)
+ {
+     X509_POLICY_LEVEL *last = curr - 1;
+     int i, matched = 0;
+@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+ 
+         if (ossl_policy_node_match(last, node, data->valid_policy)) {
+-            if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
++            if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
+                 return 0;
+             matched = 1;
+         }
+     }
+     if (!matched && last->anyPolicy) {
+-        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
++        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
+             return 0;
+     }
+     return 1;
+@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+  * Return value: 1 on success, 0 otherwise.
+  */
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+-                           const X509_POLICY_CACHE *cache)
++                           const X509_POLICY_CACHE *cache,
++                           X509_POLICY_TREE *tree)
+ {
+     int i;
+ 
+@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+ 
+         /* Look for matching nodes in previous level */
+-        if (!tree_link_matching_nodes(curr, data))
++        if (!tree_link_matching_nodes(curr, data, tree))
+             return 0;
+     }
+     return 1;
+@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+     /* Curr may not have anyPolicy */
+     data->qualifier_set = cache->anyPolicy->qualifier_set;
+     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-    if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
++    if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
+         ossl_policy_data_free(data);
+         return 0;
+     }
+@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+     /* Finally add link to anyPolicy */
+     if (last->anyPolicy &&
+             ossl_policy_level_add_node(curr, cache->anyPolicy,
+-                                       last->anyPolicy, NULL) == NULL)
++                                       last->anyPolicy, tree, 0) == NULL)
+         return 0;
+     return 1;
+ }
+@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+             node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
+-                                              tree);
++                                              tree, 1);
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+ 
+     for (i = 1; i < tree->nlevel; i++, curr++) {
+         cache = ossl_policy_cache_set(curr->cert);
+-        if (!tree_link_nodes(curr, cache))
++        if (!tree_link_nodes(curr, cache, tree))
+             return X509_PCY_TREE_INTERNAL;
+ 
+         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
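Review bot: in tree_evaluate(), a chain that hits the new node limit is reported as X509_PCY_TREE_INTERNAL, because the limit branch in ossl_policy_level_add_node() returns NULL, tree_link_matching_nodes() and tree_link_nodes() turn that into 0, and this hunk maps 0 to the internal-error code. The limit branch also puts nothing on the error queue, unlike the allocation-failure path right after it, which calls ERR_raise(). A chain rejected for being oversized therefore cannot be told apart from an internal fault, either by the caller or in logs. Suggest an ERR_raise() in the limit branch with a reason that names the policy tree size, so a rejection caused by the CVE-2023-0464 mitigation is something operators can alert on.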

diff --git a/dev-libs/openssl/openssl-3.0.8-r2.ebuild b/dev-libs/openssl/openssl-3.0.8-r2.ebuild
new file mode 100644
index 000000000000..bc44de5a3345
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.8-r2.ebuild
@@ -0,0 +1,271 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0464.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install_sw
+	if use fips; then
+		emake DESTDIR="${D}" install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+}
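Review bot: in pkg_preinst(), the result of `openssl fipsinstall` is only handed to `eend $?`, which reports the status but does not abort, while multilib_src_install() has already removed the shipped fipsmodule.cnf with `rm ... || die`. A failed fipsinstall therefore lets the merge finish with USE=fips and no fipsmodule.cnf at all; capture the status and `die` on failure after eend. Separately, src_unpack() verifies `"${DISTDIR}"/${P}.tar.gz{,.asc}` although SRC_URI fetches `${MY_P}.tar.gz`; the two names are the same for 3.0.8 but diverge for any version containing an underscore, so `${MY_P}` would be the safer spelling, and the two comments there refer to a downloaded patch that SRC_URI does not list.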



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-03-22 23:00 Patrick McLean
From: Patrick McLean @ 2023-03-22 23:00 UTC
  To: gentoo-commits

commit:     d0c15fb7ffe7e93294611b885c10b86fa5323575
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 22 22:59:09 2023 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Wed Mar 22 22:59:47 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0c15fb7

dev-libs/openssl: Bump to 3.1.0-r1, add patch for CVE-2023-0464

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssl-3.1.0-CVE-2023-0464.patch        | 214 ++++++++++++++++
 dev-libs/openssl/openssl-3.1.0-r1.ebuild           | 274 +++++++++++++++++++++
 2 files changed, 488 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
new file mode 100644
index 000000000000..dfe83e53d0ad
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
@@ -0,0 +1,214 @@
+commit 2017771e2db3e2b96f89bbe8766c3209f6a99545
+Author: Pauli <pauli@openssl.org>
+Date:   Wed Mar 8 15:28:20 2023 +1100
+
+    x509: excessive resource use verifying policy constraints
+    
+    A security vulnerability has been identified in all supported versions
+    of OpenSSL related to the verification of X.509 certificate chains
+    that include policy constraints.  Attackers may be able to exploit this
+    vulnerability by creating a malicious certificate chain that triggers
+    exponential use of computational resources, leading to a denial-of-service
+    (DoS) attack on affected systems.
+    
+    Fixes CVE-2023-0464
+    
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    (Merged from https://github.com/openssl/openssl/pull/20570)
+
+diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
+index 18b53cc09e..cba107ca03 100644
+--- a/crypto/x509/pcy_local.h
++++ b/crypto/x509/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
++    /* The number of nodes in the tree */
++    size_t node_count;
++    /* The maximum number of nodes in the tree */
++    size_t node_maximum;
++
+     /* This is the tree 'level' data */
+     X509_POLICY_LEVEL *levels;
+     int nlevel;
+@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+                                              X509_POLICY_DATA *data,
+                                              X509_POLICY_NODE *parent,
+-                                             X509_POLICY_TREE *tree);
++                                             X509_POLICY_TREE *tree,
++                                             int extra_data);
+ void ossl_policy_node_free(X509_POLICY_NODE *node);
+ int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
+                            const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
+index 9d9a7ea179..450f95a655 100644
+--- a/crypto/x509/pcy_node.c
++++ b/crypto/x509/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+                                              X509_POLICY_DATA *data,
+                                              X509_POLICY_NODE *parent,
+-                                             X509_POLICY_TREE *tree)
++                                             X509_POLICY_TREE *tree,
++                                             int extra_data)
+ {
+     X509_POLICY_NODE *node;
+ 
++    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
++    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++        return NULL;
++
+     node = OPENSSL_zalloc(sizeof(*node));
+     if (node == NULL) {
+         ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+     }
+     node->data = data;
+     node->parent = parent;
+-    if (level) {
++    if (level != NULL) {
+         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+             if (level->anyPolicy)
+                 goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
+-    if (tree) {
++    if (extra_data) {
+         if (tree->extra_data == NULL)
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
++    tree->node_count++;
+     if (parent)
+         parent->nchild++;
+ 
+diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
+index fa45da5117..f953a05a41 100644
+--- a/crypto/x509/pcy_tree.c
++++ b/crypto/x509/pcy_tree.c
+@@ -14,6 +14,17 @@
+ 
+ #include "pcy_local.h"
+ 
++/*
++ * If the maximum number of nodes in the policy tree isn't defined, set it to
++ * a generous default of 1000 nodes.
++ *
++ * Defining this to be zero means unlimited policy tree growth which opens the
++ * door on CVE-2023-0464.
++ */
++#ifndef OPENSSL_POLICY_TREE_NODES_MAX
++# define OPENSSL_POLICY_TREE_NODES_MAX 1000
++#endif
++
+ static void expected_print(BIO *channel,
+                            X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
+                            int indent)
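Review bot: OPENSSL_POLICY_TREE_NODES_MAX is wrapped in #ifndef, so it can be overridden at build time, and the comment itself states that a value of zero removes the limit, which matches the `tree->node_maximum > 0` guard in pcy_node.c. A build whose flags carry -DOPENSSL_POLICY_TREE_NODES_MAX=0 would ship the unbounded behaviour with no diagnostic. Suggest rejecting zero at compile time with an #error, or moving the unlimited case behind its own explicitly named opt-in macro. The comment could also say what the 1000-node default was sized against, since "generous" gives a packager nothing to judge an override by.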
+@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+         return X509_PCY_TREE_INTERNAL;
+     }
+ 
++    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
++    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
++
+     /*
+      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+      *
+@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+     if ((data = ossl_policy_data_new(NULL,
+                                      OBJ_nid2obj(NID_any_policy), 0)) == NULL)
+         goto bad_tree;
+-    if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
++    if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
+         ossl_policy_data_free(data);
+         goto bad_tree;
+     }
+@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+  * Return value: 1 on success, 0 otherwise
+  */
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+-                                    X509_POLICY_DATA *data)
++                                    X509_POLICY_DATA *data,
++                                    X509_POLICY_TREE *tree)
+ {
+     X509_POLICY_LEVEL *last = curr - 1;
+     int i, matched = 0;
+@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+ 
+         if (ossl_policy_node_match(last, node, data->valid_policy)) {
+-            if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
++            if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
+                 return 0;
+             matched = 1;
+         }
+     }
+     if (!matched && last->anyPolicy) {
+-        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
++        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
+             return 0;
+     }
+     return 1;
+@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+  * Return value: 1 on success, 0 otherwise.
+  */
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+-                           const X509_POLICY_CACHE *cache)
++                           const X509_POLICY_CACHE *cache,
++                           X509_POLICY_TREE *tree)
+ {
+     int i;
+ 
+@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+ 
+         /* Look for matching nodes in previous level */
+-        if (!tree_link_matching_nodes(curr, data))
++        if (!tree_link_matching_nodes(curr, data, tree))
+             return 0;
+     }
+     return 1;
+@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+     /* Curr may not have anyPolicy */
+     data->qualifier_set = cache->anyPolicy->qualifier_set;
+     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-    if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
++    if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
+         ossl_policy_data_free(data);
+         return 0;
+     }
+@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+     /* Finally add link to anyPolicy */
+     if (last->anyPolicy &&
+             ossl_policy_level_add_node(curr, cache->anyPolicy,
+-                                       last->anyPolicy, NULL) == NULL)
++                                       last->anyPolicy, tree, 0) == NULL)
+         return 0;
+     return 1;
+ }
+@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+             node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
+-                                              tree);
++                                              tree, 1);
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+ 
+     for (i = 1; i < tree->nlevel; i++, curr++) {
+         cache = ossl_policy_cache_set(curr->cert);
+-        if (!tree_link_nodes(curr, cache))
++        if (!tree_link_nodes(curr, cache, tree))
+             return X509_PCY_TREE_INTERNAL;
+ 
+         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
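Review bot: this new file repeats files/openssl-3.0.8-CVE-2023-0464.patch hunk for hunk: the three index lines (18b53cc09e..cba107ca03, 9d9a7ea179..450f95a655, fa45da5117..f953a05a41) and every hunk offset are the same, and the only difference visible in the quoted upstream header is the pull request number (pull/20570 here, pull/20568 there). openssl-3.1.0-r1.ebuild already reuses openssl-3.0.8-mips-cflags.patch from FILESDIR, so it could list the existing 3.0.8 CVE patch in PATCHES the same way instead of carrying a second copy. If the copy is kept for provenance, a comment in the ebuild noting that both files are the same change would help whoever drops one of them later.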

diff --git a/dev-libs/openssl/openssl-3.1.0-r1.ebuild b/dev-libs/openssl/openssl-3.1.0-r1.ebuild
new file mode 100644
index 000000000000..f50b53ac125a
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.0-r1.ebuild
@@ -0,0 +1,274 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+	"
+	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	!<net-misc/openssh-9.2_p1-r3
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+	"${FILESDIR}"/openssl-3.1.0-CVE-2023-0464.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install_sw
+	if use fips; then
+		emake DESTDIR="${D}" install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+}
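Review bot: in multilib_src_configure(), `local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")` is assigned but never read. Nothing in `myeconfargs` or the `Configure` call references it. Drop the line, which also saves a `has_version` query for every ABI.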



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-03-28 18:29 Patrick McLean
From: Patrick McLean @ 2023-03-28 18:29 UTC
  To: gentoo-commits

commit:     abff4432080ff23277dce168d9688acf6c09a4bf
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 28 18:24:48 2023 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Mar 28 18:29:08 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abff4432

dev-libs/openssl: Revbump to 1.1.1t for CVE-2023-0465, CVE-2023-0466

Upstream changelogs (dropped from NEWS due to conflicts):
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
  that it does not enable policy checking. Thanks to David Benjamin for
  discovering this issue.
  ([CVE-2023-0466])

 *Tomáš Mráz*

More information about vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssl-1.1.1t-CVE-2023-0465.patch       |  48 ++++
 .../files/openssl-1.1.1t-CVE-2023-0466.patch       |  41 ++++
 dev-libs/openssl/openssl-1.1.1t-r3.ebuild          | 269 +++++++++++++++++++++
 3 files changed, 358 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch
new file mode 100644
index 000000000000..c332e0bd2c9f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch
@@ -0,0 +1,48 @@
+commit b013765abfa80036dc779dd0e50602c57bb3bf95
+Author: Matt Caswell <matt@openssl.org>
+Date:   Tue Mar 7 16:52:55 2023 +0000
+
+    Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
+    
+    Even though we check the leaf cert to confirm it is valid, we
+    later ignored the invalid flag and did not notice that the leaf
+    cert was bad.
+    
+    Fixes: CVE-2023-0465
+    
+    Reviewed-by: Hugo Landau <hlandau@openssl.org>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/20588)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 925fbb5412..1dfe4f9f31 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
+     }
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
++        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
+             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+                 continue;
++            cbcalled = 1;
+             if (!verify_cb_cert(ctx, x, i,
+                                 X509_V_ERR_INVALID_POLICY_EXTENSION))
+                 return 0;
+         }
++        if (!cbcalled) {
++            /* Should not be able to get here */
++            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
++            return 0;
++        }
++        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {
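Review bot: the new `if (!cbcalled)` branch in check_policy() returns 0 after `X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR)`, but nothing in the lines shown sets ctx->error on that path. A caller that only reads X509_STORE_CTX_get_error() after the failure may therefore see a stale value. Consider setting ctx->error (for example to X509_V_ERR_UNSPECIFIED) before the `return 0`, so the failure is visible through both the error queue and the verify result.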

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch
new file mode 100644
index 000000000000..9a59d2846a48
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch
@@ -0,0 +1,41 @@
+commit 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
+Author: Tomas Mraz <tomas@openssl.org>
+Date:   Tue Mar 21 16:15:47 2023 +0100
+
+    Fix documentation of X509_VERIFY_PARAM_add0_policy()
+    
+    The function was incorrectly documented as enabling policy checking.
+    
+    Fixes: CVE-2023-0466
+    
+    Reviewed-by: Matt Caswell <matt@openssl.org>
+    Reviewed-by: Paul Dale <pauli@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/20564)
+
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index f6f304bf7b..aa292f9336 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -92,8 +92,9 @@ B<trust>.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
+ B<t>. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B<policy> to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B<policies>. Any existing
+@@ -377,6 +378,10 @@ and has no effect.
+ 
+ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation was changed to align with the implementation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
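Review bot: the rewritten paragraph for X509_VERIFY_PARAM_add0_policy() says the function does not enable policy checking, but not what a caller should do instead. Code written against the old text runs with policy checking off, so this paragraph should point directly at X509_VERIFY_PARAM_set1_policies() from the following paragraph, or at setting X509_V_FLAG_POLICY_CHECK explicitly.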

diff --git a/dev-libs/openssl/openssl-1.1.1t-r3.ebuild b/dev-libs/openssl/openssl-1.1.1t-r3.ebuild
new file mode 100644
index 000000000000..1c29542e9287
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1t-r3.ebuild
@@ -0,0 +1,269 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
+
+MY_P=${P/_/-}
+DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+if [[ ${PV} != *_pre* ]] ; then
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+fi
+IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		kernel_linux? ( sys-process/procps )
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+PDEPEND="app-misc/ca-certificates"
+
+# force upgrade to prevent broken login, bug #696950
+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+PATCHES=(
+	# General patches which are suitable to always apply
+	# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
+	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+	"${FILESDIR}"/openssl-1.1.1t-CVE-2023-0464.patch
+	"${FILESDIR}"/openssl-1.1.1t-CVE-2023-0465.patch
+	"${FILESDIR}"/openssl-1.1.1t-CVE-2023-0466.patch
+)
+
+pkg_setup() {
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES}; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+
+	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
+		# use GNU ld full option, not to confuse it on Solaris
+		sed -i \
+			-e 's/-Wl,-M,/-Wl,--version-script=/' \
+			-e 's/-Wl,-h,/-Wl,--soname=/' \
+			Configurations/10-main.conf || die
+
+		# fix building on Solaris 10
+		# https://github.com/openssl/openssl/issues/6333
+		sed -i \
+			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
+			Configurations/10-main.conf || die
+	fi
+
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config=( perl "${S}/Configure" )
+	[[ -z ${sslout} ]] && config=( sh "${S}/config" -v )
+
+	# "disable-deprecated" option breaks too many consumers.
+	# Don't set it without thorough revdeps testing.
+	# Make sure user flags don't get added *yet* to avoid duplicated
+	# flags.
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		${ec_nistp_64_gcc_128}
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use_ssl sslv3 ssl3)
+		$(use_ssl sslv3 ssl3-method)
+		$(use_ssl asm)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl tls-heartbeat heartbeats)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo "${config[@]}" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install_sw
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} MANSUFFIX=ssl install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+}
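Review bot: in multilib_src_configure(), `${ec_nistp_64_gcc_128}` is still expanded into `myeconfargs` although its `local` declaration and the detection block above it are commented out. A variable of that name leaking in from the environment would be passed straight to Configure and re-enable the option the comment says to keep disabled (bug #469976). Remove the expansion, or restore `local ec_nistp_64_gcc_128` so it is always empty. The `local krb5=...` assignment in the same function is never read and can go as well.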



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-03-28 18:29 Patrick McLean
From: Patrick McLean @ 2023-03-28 18:29 UTC
  To: gentoo-commits

commit:     c2d9bf4871d6a437560697a82f994825632ade98
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 28 18:28:17 2023 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Mar 28 18:29:08 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d9bf48

dev-libs/openssl: Revbump to 3.0.8-r3 for CVE-2023-0465, CVE-2023-0466

Upstream changelogs (dropped from NEWS due to conflicts):
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
  that it does not enable policy checking. Thanks to David Benjamin for
  discovering this issue.
  ([CVE-2023-0466])

 *Tomáš Mráz*

More information about vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssl-3.0.8-CVE-2023-0465.patch        |  46 ++++
 .../files/openssl-3.0.8-CVE-2023-0466.patch        |  41 ++++
 dev-libs/openssl/openssl-3.0.8-r3.ebuild           | 273 +++++++++++++++++++++
 3 files changed, 360 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch
new file mode 100644
index 000000000000..852706d8aa92
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch
@@ -0,0 +1,46 @@
+commit 1dd43e0709fece299b15208f36cc7c76209ba0bb
+Author: Matt Caswell <matt@openssl.org>
+Date:   Tue Mar 7 16:52:55 2023 +0000
+
+    Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
+    
+    Even though we check the leaf cert to confirm it is valid, we
+    later ignored the invalid flag and did not notice that the leaf
+    cert was bad.
+    
+    Fixes: CVE-2023-0465
+    
+    Reviewed-by: Hugo Landau <hlandau@openssl.org>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/20587)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 9384f1da9b..a0282c3ef1 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
+         goto memerr;
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
++        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
++            if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
++                cbcalled = 1;
+             CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
+                        ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
+         }
++        if (!cbcalled) {
++            /* Should not be able to get here */
++            ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
++            return 0;
++        }
++        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {
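Review bot: inside the loop, `(x->ex_flags & EXFLAG_INVALID_POLICY) != 0` is now evaluated twice, once to set `cbcalled` and once as the CB_FAIL_IF condition. Hoisting it into a local and using that in both places keeps the "callback was invoked" bookkeeping from drifting away from the condition that actually invokes the callback if either is edited later.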

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch
new file mode 100644
index 000000000000..c71665d82e18
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch
@@ -0,0 +1,41 @@
+commit 51e8a84ce742db0f6c70510d0159dad8f7825908
+Author: Tomas Mraz <tomas@openssl.org>
+Date:   Tue Mar 21 16:15:47 2023 +0100
+
+    Fix documentation of X509_VERIFY_PARAM_add0_policy()
+    
+    The function was incorrectly documented as enabling policy checking.
+    
+    Fixes: CVE-2023-0466
+    
+    Reviewed-by: Matt Caswell <matt@openssl.org>
+    Reviewed-by: Paul Dale <pauli@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/20563)
+
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index 75a1677022..43c1900bca 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -98,8 +98,9 @@ B<trust>.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
+ B<t>. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B<policy> to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B<policies>. Any existing
+@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+ The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
+ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation was changed to align with the implementation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
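Review bot: the new HISTORY paragraph does not say in which release the documentation was corrected, while the entries just above it each name one (`was added in OpenSSL 1.1.0i`, `were added in OpenSSL 3.0`). Add the release so that readers comparing against an older man page can tell which text applies. The sentence `enabling policy checking however the implementation has never done this` also needs a comma or semicolon before `however`.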

diff --git a/dev-libs/openssl/openssl-3.0.8-r3.ebuild b/dev-libs/openssl/openssl-3.0.8-r3.ebuild
new file mode 100644
index 000000000000..ad4ca4f3b019
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.8-r3.ebuild
@@ -0,0 +1,273 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0464.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0465.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0466.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install_sw
+	if use fips; then
+		emake DESTDIR="${D}" install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+}
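Review bot: in pkg_preinst(), the exit status of `openssl fipsinstall` only reaches `eend $?`, which reports the failure without stopping the merge. multilib_src_install() has already removed fipsmodule.cnf, so a failed run would install USE=fips without a module configuration. Make the failure fatal, for example with `eend $? || die`.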



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-03-28 18:29 Patrick McLean
From: Patrick McLean @ 2023-03-28 18:29 UTC
  To: gentoo-commits

commit:     41ad57bbbed0ee3d06a9922f8fbdc1116f52dd2a
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 28 18:28:44 2023 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Mar 28 18:29:09 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41ad57bb

dev-libs/openssl: Revbump to 3.1.0-r2 for CVE-2023-0465, CVE-2023-0466

Upstream changelogs (dropped from NEWS due to conflicts):
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
  that it does not enable policy checking. Thanks to David Benjamin for
  discovering this issue.
  ([CVE-2023-0466])

 *Tomáš Mráz*

More information about vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssl-3.1.0-CVE-2023-0465.patch        |  46 ++++
 .../files/openssl-3.1.0-CVE-2023-0466.patch        |  41 +++
 dev-libs/openssl/openssl-3.1.0-r2.ebuild           | 276 +++++++++++++++++++++
 3 files changed, 363 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch
new file mode 100644
index 000000000000..a98f7cba13bd
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch
@@ -0,0 +1,46 @@
+commit facfb1ab745646e97a1920977ae4a9965ea61d5c
+Author: Matt Caswell <matt@openssl.org>
+Date:   Tue Mar 7 16:52:55 2023 +0000
+
+    Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
+    
+    Even though we check the leaf cert to confirm it is valid, we
+    later ignored the invalid flag and did not notice that the leaf
+    cert was bad.
+    
+    Fixes: CVE-2023-0465
+    
+    Reviewed-by: Hugo Landau <hlandau@openssl.org>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/20586)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 9384f1da9b..a0282c3ef1 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
+         goto memerr;
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
++        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
++            if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
++                cbcalled = 1;
+             CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
+                        ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
+         }
++        if (!cbcalled) {
++            /* Should not be able to get here */
++            ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
++            return 0;
++        }
++        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {
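
Review bot: In the rewritten loop in check_policy(), the test `(x->ex_flags & EXFLAG_INVALID_POLICY) != 0` is now written out twice per iteration, once to set `cbcalled` and once inside CB_FAIL_IF, so the two copies can drift apart in a later edit; evaluating it once into a local and using that for both would be safer. The patch touches only crypto/x509/x509_vfy.c, so nothing here exercises the case that was missed: a regression test with an invalid policy extension in the leaf certificate (index 0, which the old `i = 1` loop skipped) would keep the fix from being undone.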

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch
new file mode 100644
index 000000000000..9a315f4c00fd
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch
@@ -0,0 +1,41 @@
+commit fc814a30fc4f0bc54fcea7d9a7462f5457aab061
+Author: Tomas Mraz <tomas@openssl.org>
+Date:   Tue Mar 21 16:15:47 2023 +0100
+
+    Fix documentation of X509_VERIFY_PARAM_add0_policy()
+    
+    The function was incorrectly documented as enabling policy checking.
+    
+    Fixes: CVE-2023-0466
+    
+    Reviewed-by: Paul Dale <pauli@openssl.org>
+    Reviewed-by: Matt Caswell <matt@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/20562)
+
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index 20aea99b5b..fcbbfc4c30 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -98,8 +98,9 @@ B<trust>.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
+ B<t>. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B<policy> to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B<policies>. Any existing
+@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+ The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
+ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation was changed to align with the implementation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
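
Review bot: The new description of X509_VERIFY_PARAM_add0_policy() says the function does not enable policy checking but stops short of telling the caller what does. This is the paragraph a caller who relied on the old wording will read, so it should name the alternative, for example that X509_VERIFY_PARAM_set1_policies() enables checking or that X509_V_FLAG_POLICY_CHECK can be set through X509_VERIFY_PARAM_set_flags(). In the HISTORY addition, "enabling policy checking however the implementation" needs punctuation before "however".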

diff --git a/dev-libs/openssl/openssl-3.1.0-r2.ebuild b/dev-libs/openssl/openssl-3.1.0-r2.ebuild
new file mode 100644
index 000000000000..b5a3fe7adebf
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.0-r2.ebuild
@@ -0,0 +1,276 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+	"
+	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	!<net-misc/openssh-9.2_p1-r3
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+	"${FILESDIR}"/openssl-3.1.0-CVE-2023-0464.patch
+	"${FILESDIR}"/openssl-3.1.0-CVE-2023-0465.patch
+	"${FILESDIR}"/openssl-3.1.0-CVE-2023-0466.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install_sw
+	if use fips; then
+		emake DESTDIR="${D}" install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+}
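
Review bot: In src_unpack, `verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}` uses ${P}, while SRC_URI fetches ${MY_P}.tar.gz and ${MY_P}.tar.gz.asc with MY_P=${P/_/-}. The two agree for 3.1.0 but diverge for any version containing an underscore, where the signature check would look for a file that was never downloaded; use ${MY_P} here. The comments above that call refer to a downloaded test fix patch that does not appear in SRC_URI and can be removed, and the commented-out KEYWORDS line deserves a short comment on why this security revbump is left unkeyworded.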



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-04-20 16:58 Patrick McLean
  0 siblings, 0 replies; 52+ messages in thread
From: Patrick McLean @ 2023-04-20 16:58 UTC (permalink / raw
  To: gentoo-commits

commit:     3be8b79d0c921d127686e92c064f0280747cac9d
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Apr 20 16:46:08 2023 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Apr 20 16:57:55 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3be8b79d

dev-libs/openssl: 3.0.8-r4, add patch for CVE-2023-1255

Upstream changelog (diff edited to remove NEWS and CHANGES.md changes to avoid
conflicts):

 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
   happens if the buffer size is 4 mod 5. This can trigger a crash of an
   application using AES-XTS decryption if the memory just after the buffer
   being decrypted is not mapped.
   Thanks to Anton Romanov (Amazon) for discovering the issue.
   ([CVE-2023-1255])

   *Nevine Ebeid*

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssl-3.0.8-CVE-2023-1255.patch        |  40 +++
 dev-libs/openssl/openssl-3.0.8-r4.ebuild           | 278 +++++++++++++++++++++
 2 files changed, 318 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch
new file mode 100644
index 000000000000..9b1a657d51be
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch
@@ -0,0 +1,40 @@
+commit 02ac9c9420275868472f33b01def01218742b8bb
+Author: Tomas Mraz <tomas@openssl.org>
+Date:   Mon Apr 17 16:51:20 2023 +0200
+
+    aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
+    
+    Original author: Nevine Ebeid (Amazon)
+    Fixes: CVE-2023-1255
+    
+    The buffer overread happens on decrypts of 4 mod 5 sizes.
+    Unless the memory just after the buffer is unmapped this is harmless.
+    
+    Reviewed-by: Paul Dale <pauli@openssl.org>
+    Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+    (Merged from https://github.com/openssl/openssl/pull/20759)
+    
+    (cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304)
+
+diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
+index 6a7bf05d1b..bd583e2c89 100755
+--- a/crypto/aes/asm/aesv8-armx.pl
++++ b/crypto/aes/asm/aesv8-armx.pl
+@@ -3353,7 +3353,7 @@ $code.=<<___	if ($flavour =~ /64/);
+ .align	4
+ .Lxts_dec_tail4x:
+ 	add	$inp,$inp,#16
+-	vld1.32	{$dat0},[$inp],#16
++	tst	$tailcnt,#0xf
+ 	veor	$tmp1,$dat1,$tmp0
+ 	vst1.8	{$tmp1},[$out],#16
+ 	veor	$tmp2,$dat2,$tmp2
+@@ -3362,6 +3362,8 @@ $code.=<<___	if ($flavour =~ /64/);
+ 	veor	$tmp4,$dat4,$tmp4
+ 	vst1.8	{$tmp3-$tmp4},[$out],#32
+ 
++	b.eq	.Lxts_dec_abort
++	vld1.32	{$dat0},[$inp],#16
+ 	b	.Lxts_done
+ .align	4
+ .Lxts_outer_dec_tail:
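
Review bot: In .Lxts_dec_tail4x the flags set by the new `tst $tailcnt,#0xf` are consumed by `b.eq .Lxts_dec_abort` only after the intervening veor/vst1 sequence, so the fix depends on nothing in between touching the condition flags. A one-line comment at the `tst` saying that the flags stay live until the branch, and that `vld1.32 {$dat0},[$inp],#16` was moved below it so the extra 16-byte load happens only when a partial tail block exists, would protect this from later reordering. The branch target .Lxts_dec_abort is not defined in these hunks, so confirm the label exists in the 3.0.8 copy of aesv8-armx.pl that this backport applies to. The subject line also has a typo, "overrread".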

diff --git a/dev-libs/openssl/openssl-3.0.8-r4.ebuild b/dev-libs/openssl/openssl-3.0.8-r4.ebuild
new file mode 100644
index 000000000000..e11cbae84179
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.8-r4.ebuild
@@ -0,0 +1,278 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0464.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0465.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0466.patch
+	"${FILESDIR}"/openssl-3.0.8-CVE-2023-1255.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install_sw
+	if use fips; then
+		emake DESTDIR="${D}" install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+}
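
Review bot: In multilib_src_configure, `enable-idea`, `enable-mdc2` and `enable-rc5` are passed unconditionally, whereas weak ciphers are gated behind USE=weak-ssl-ciphers; a comment explaining why these legacy algorithms are always built, or a USE flag for them, would make the intent reviewable. In the same function `local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")` is assigned but never used anywhere in this ebuild and can be dropped.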



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-06-14  5:20 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2023-06-14  5:20 UTC (permalink / raw
  To: gentoo-commits

commit:     3db09f5bac6ff132b69d3f723d4c93662c96ed72
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Jun 14 05:17:03 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 14 05:19:10 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db09f5b

dev-libs/openssl: drop 3.0.8-r4

Bug: https://bugs.gentoo.org/903545
Bug: https://bugs.gentoo.org/907413
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../files/openssl-3.0.8-CVE-2023-0464.patch        | 214 ----------------
 .../files/openssl-3.0.8-CVE-2023-0465.patch        |  46 ----
 .../files/openssl-3.0.8-CVE-2023-0466.patch        |  41 ---
 .../files/openssl-3.0.8-CVE-2023-1255.patch        |  40 ---
 .../openssl/files/openssl-3.0.8-mips-cflags.patch  |  30 ---
 dev-libs/openssl/openssl-3.0.8-r4.ebuild           | 281 ---------------------
 7 files changed, 654 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 55a08fc6adbe..3793e1ac7a75 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,8 +5,6 @@ DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e85
 DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
 DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 5de9cb856e497596ecba008bad6515eefd093849b9c66dd7447031723996f3ba66ac37a323a5f7d01b1d42df4daaceb523372f5897d5c53b935ffab91c566594 SHA512 d00aeb0b4c4676deff06ff95af7ac33dd683b92f972b4a8ae55cf384bb37c7ec30ab83c6c0745daf87cf1743a745fced6a347fd11fed4c548aa0953610ed4919
 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468 SHA512 40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28
-DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
-DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6
 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885 SHA512 86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a
 DIST openssl-3.0.9.tar.gz.asc 833 BLAKE2B 9943ac65f83f48465cae83b37a1d004f6be4622e53c3025166d42954abe9215f1a6c2af58d4aa2b45fa51182fee5019e740969f694655b6c592bb278c68aacef SHA512 9949de6b57d5aa21da1d4b68a29eb37e302403c983bd7d2d8769b320aac4268a9f9091c5fb182862a4f89a9099660939fe609df87c66991b75f7695faf357caf
 DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 SHA512 71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
deleted file mode 100644
index 3cf1d3b38ec9..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-commit 959c59c7a0164117e7f8366466a32bb1f8d77ff1
-Author: Pauli <pauli@openssl.org>
-Date:   Wed Mar 8 15:28:20 2023 +1100
-
-    x509: excessive resource use verifying policy constraints
-    
-    A security vulnerability has been identified in all supported versions
-    of OpenSSL related to the verification of X.509 certificate chains
-    that include policy constraints.  Attackers may be able to exploit this
-    vulnerability by creating a malicious certificate chain that triggers
-    exponential use of computational resources, leading to a denial-of-service
-    (DoS) attack on affected systems.
-    
-    Fixes CVE-2023-0464
-    
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    (Merged from https://github.com/openssl/openssl/pull/20568)
-
-diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
-index 18b53cc09e..cba107ca03 100644
---- a/crypto/x509/pcy_local.h
-+++ b/crypto/x509/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
- 
- struct X509_POLICY_TREE_st {
-+    /* The number of nodes in the tree */
-+    size_t node_count;
-+    /* The maximum number of nodes in the tree */
-+    size_t node_maximum;
-+
-     /* This is the tree 'level' data */
-     X509_POLICY_LEVEL *levels;
-     int nlevel;
-@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-                                              X509_POLICY_DATA *data,
-                                              X509_POLICY_NODE *parent,
--                                             X509_POLICY_TREE *tree);
-+                                             X509_POLICY_TREE *tree,
-+                                             int extra_data);
- void ossl_policy_node_free(X509_POLICY_NODE *node);
- int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
-                            const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
-index 9d9a7ea179..450f95a655 100644
---- a/crypto/x509/pcy_node.c
-+++ b/crypto/x509/pcy_node.c
-@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
- X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-                                              X509_POLICY_DATA *data,
-                                              X509_POLICY_NODE *parent,
--                                             X509_POLICY_TREE *tree)
-+                                             X509_POLICY_TREE *tree,
-+                                             int extra_data)
- {
-     X509_POLICY_NODE *node;
- 
-+    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
-+    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
-+        return NULL;
-+
-     node = OPENSSL_zalloc(sizeof(*node));
-     if (node == NULL) {
-         ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
-@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-     }
-     node->data = data;
-     node->parent = parent;
--    if (level) {
-+    if (level != NULL) {
-         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-             if (level->anyPolicy)
-                 goto node_error;
-@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
--    if (tree) {
-+    if (extra_data) {
-         if (tree->extra_data == NULL)
-             tree->extra_data = sk_X509_POLICY_DATA_new_null();
-         if (tree->extra_data == NULL){
-@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
-+    tree->node_count++;
-     if (parent)
-         parent->nchild++;
- 
-diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
-index fa45da5117..f953a05a41 100644
---- a/crypto/x509/pcy_tree.c
-+++ b/crypto/x509/pcy_tree.c
-@@ -14,6 +14,17 @@
- 
- #include "pcy_local.h"
- 
-+/*
-+ * If the maximum number of nodes in the policy tree isn't defined, set it to
-+ * a generous default of 1000 nodes.
-+ *
-+ * Defining this to be zero means unlimited policy tree growth which opens the
-+ * door on CVE-2023-0464.
-+ */
-+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
-+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
-+#endif
-+
- static void expected_print(BIO *channel,
-                            X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
-                            int indent)
-@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-         return X509_PCY_TREE_INTERNAL;
-     }
- 
-+    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
-+    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
-+
-     /*
-      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
-      *
-@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-     if ((data = ossl_policy_data_new(NULL,
-                                      OBJ_nid2obj(NID_any_policy), 0)) == NULL)
-         goto bad_tree;
--    if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
-+    if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
-         ossl_policy_data_free(data);
-         goto bad_tree;
-     }
-@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-  * Return value: 1 on success, 0 otherwise
-  */
- static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
--                                    X509_POLICY_DATA *data)
-+                                    X509_POLICY_DATA *data,
-+                                    X509_POLICY_TREE *tree)
- {
-     X509_POLICY_LEVEL *last = curr - 1;
-     int i, matched = 0;
-@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
- 
-         if (ossl_policy_node_match(last, node, data->valid_policy)) {
--            if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
-+            if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
-                 return 0;
-             matched = 1;
-         }
-     }
-     if (!matched && last->anyPolicy) {
--        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
-+        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
-             return 0;
-     }
-     return 1;
-@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-  * Return value: 1 on success, 0 otherwise.
-  */
- static int tree_link_nodes(X509_POLICY_LEVEL *curr,
--                           const X509_POLICY_CACHE *cache)
-+                           const X509_POLICY_CACHE *cache,
-+                           X509_POLICY_TREE *tree)
- {
-     int i;
- 
-@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
- 
-         /* Look for matching nodes in previous level */
--        if (!tree_link_matching_nodes(curr, data))
-+        if (!tree_link_matching_nodes(curr, data, tree))
-             return 0;
-     }
-     return 1;
-@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
-     /* Curr may not have anyPolicy */
-     data->qualifier_set = cache->anyPolicy->qualifier_set;
-     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
--    if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
-+    if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
-         ossl_policy_data_free(data);
-         return 0;
-     }
-@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
-     /* Finally add link to anyPolicy */
-     if (last->anyPolicy &&
-             ossl_policy_level_add_node(curr, cache->anyPolicy,
--                                       last->anyPolicy, NULL) == NULL)
-+                                       last->anyPolicy, tree, 0) == NULL)
-         return 0;
-     return 1;
- }
-@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
-             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
-                 | POLICY_DATA_FLAG_EXTRA_NODE;
-             node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
--                                              tree);
-+                                              tree, 1);
-         }
-         if (!tree->user_policies) {
-             tree->user_policies = sk_X509_POLICY_NODE_new_null();
-@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
- 
-     for (i = 1; i < tree->nlevel; i++, curr++) {
-         cache = ossl_policy_cache_set(curr->cert);
--        if (!tree_link_nodes(curr, cache))
-+        if (!tree_link_nodes(curr, cache, tree))
-             return X509_PCY_TREE_INTERNAL;
- 
-         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
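Review bot: in ossl_policy_level_add_node() (pcy_node.c) the new limit check returns NULL without calling ERR_raise(), so a chain rejected for reaching OPENSSL_POLICY_TREE_NODES_MAX comes back from tree_evaluate() as X509_PCY_TREE_INTERNAL with nothing on the error queue, whereas the allocation-failure path just below it does raise ERR_R_MALLOC_FAILURE. Raise a distinct error at the check so the limit is diagnosable. The same function now dereferences tree unconditionally (tree->node_maximum, tree->node_count++) where it previously accepted NULL; every call site in this patch passes a tree, but the prototype in pcy_local.h should say that tree must be non-NULL and what extra_data selects.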

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch
deleted file mode 100644
index 852706d8aa92..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-commit 1dd43e0709fece299b15208f36cc7c76209ba0bb
-Author: Matt Caswell <matt@openssl.org>
-Date:   Tue Mar 7 16:52:55 2023 +0000
-
-    Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
-    
-    Even though we check the leaf cert to confirm it is valid, we
-    later ignored the invalid flag and did not notice that the leaf
-    cert was bad.
-    
-    Fixes: CVE-2023-0465
-    
-    Reviewed-by: Hugo Landau <hlandau@openssl.org>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/20587)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 9384f1da9b..a0282c3ef1 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
-         goto memerr;
-     /* Invalid or inconsistent extensions */
-     if (ret == X509_PCY_TREE_INVALID) {
--        int i;
-+        int i, cbcalled = 0;
- 
-         /* Locate certificates with bad extensions and notify callback. */
--        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
-             X509 *x = sk_X509_value(ctx->chain, i);
- 
-+            if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
-+                cbcalled = 1;
-             CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
-                        ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
-         }
-+        if (!cbcalled) {
-+            /* Should not be able to get here */
-+            ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
-+            return 0;
-+        }
-+        /* The callback ignored the error so we return success */
-         return 1;
-     }
-     if (ret == X509_PCY_TREE_FAILURE) {
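Review bot: in the check_policy() loop the test (x->ex_flags & EXFLAG_INVALID_POLICY) != 0 is now written twice, once to set cbcalled and once inside CB_FAIL_IF, so the two copies can drift apart; evaluate it once into a local and use that for both. The change that actually fixes the bug, starting the loop at i = 0 so the leaf certificate is included, carries no comment, and the patch touches only x509_vfy.c with no test for a leaf that has an invalid policy extension, so a later cleanup could put the index back to 1 unnoticed.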

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch
deleted file mode 100644
index c71665d82e18..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-commit 51e8a84ce742db0f6c70510d0159dad8f7825908
-Author: Tomas Mraz <tomas@openssl.org>
-Date:   Tue Mar 21 16:15:47 2023 +0100
-
-    Fix documentation of X509_VERIFY_PARAM_add0_policy()
-    
-    The function was incorrectly documented as enabling policy checking.
-    
-    Fixes: CVE-2023-0466
-    
-    Reviewed-by: Matt Caswell <matt@openssl.org>
-    Reviewed-by: Paul Dale <pauli@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/20563)
-
-diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-index 75a1677022..43c1900bca 100644
---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-@@ -98,8 +98,9 @@ B<trust>.
- X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
- B<t>. Normally the current time is used.
- 
--X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
--by default) and adds B<policy> to the acceptable policy set.
-+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
-+Contrary to preexisting documentation of this function it does not enable
-+policy checking.
- 
- X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
- by default) and sets the acceptable policy set to B<policies>. Any existing
-@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
- The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
- and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
- 
-+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
-+enabling policy checking however the implementation has never done this.
-+The documentation was changed to align with the implementation.
-+
- =head1 COPYRIGHT
- 
- Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
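Review bot: the rewritten paragraph for X509_VERIFY_PARAM_add0_policy() says what the function does not do but never tells the reader how to get policy checking, which is the part that matters to callers who relied on the old text. Name the alternative in the same paragraph, for example X509_VERIFY_PARAM_set1_policies(), which the following paragraph documents as enabling it. The phrase "Contrary to preexisting documentation of this function" belongs only in the history note added by the second hunk, and that note needs punctuation before "however".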

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch
deleted file mode 100644
index 9b1a657d51be..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-commit 02ac9c9420275868472f33b01def01218742b8bb
-Author: Tomas Mraz <tomas@openssl.org>
-Date:   Mon Apr 17 16:51:20 2023 +0200
-
-    aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
-    
-    Original author: Nevine Ebeid (Amazon)
-    Fixes: CVE-2023-1255
-    
-    The buffer overread happens on decrypts of 4 mod 5 sizes.
-    Unless the memory just after the buffer is unmapped this is harmless.
-    
-    Reviewed-by: Paul Dale <pauli@openssl.org>
-    Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-    (Merged from https://github.com/openssl/openssl/pull/20759)
-    
-    (cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304)
-
-diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
-index 6a7bf05d1b..bd583e2c89 100755
---- a/crypto/aes/asm/aesv8-armx.pl
-+++ b/crypto/aes/asm/aesv8-armx.pl
-@@ -3353,7 +3353,7 @@ $code.=<<___	if ($flavour =~ /64/);
- .align	4
- .Lxts_dec_tail4x:
- 	add	$inp,$inp,#16
--	vld1.32	{$dat0},[$inp],#16
-+	tst	$tailcnt,#0xf
- 	veor	$tmp1,$dat1,$tmp0
- 	vst1.8	{$tmp1},[$out],#16
- 	veor	$tmp2,$dat2,$tmp2
-@@ -3362,6 +3362,8 @@ $code.=<<___	if ($flavour =~ /64/);
- 	veor	$tmp4,$dat4,$tmp4
- 	vst1.8	{$tmp3-$tmp4},[$out],#32
- 
-+	b.eq	.Lxts_dec_abort
-+	vld1.32	{$dat0},[$inp],#16
- 	b	.Lxts_done
- .align	4
- .Lxts_outer_dec_tail:
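Review bot: in .Lxts_dec_tail4x the flags set by the new tst $tailcnt,#0xf are consumed by b.eq .Lxts_dec_abort only after the intervening veor and vst1.8 instructions, across the gap between the two hunks, and nothing in the code says so. Add a comment at the tst stating that the instructions in between must leave the condition flags untouched and that the vld1.32 was moved so it runs only when $tailcnt & 0xf is nonzero. The commit message names the triggering sizes ("4 mod 5") but the patch carries no test for them.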

diff --git a/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch b/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch
deleted file mode 100644
index 111681f27d07..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-https://bugs.gentoo.org/894140
-https://github.com/openssl/openssl/issues/20214
-
-From d500b51791cd56e73065e3a7f4487fc33f31c91c Mon Sep 17 00:00:00 2001
-From: Mike Gilbert <floppym@gentoo.org>
-Date: Sun, 12 Feb 2023 17:56:58 -0500
-Subject: [PATCH] Fix Configure test for -mips in CFLAGS
-
-We want to add -mips2 or -mips3 only if the user hasn't already
-specified a mips version in CFLAGS. The existing test was a
-double-negative.
-
-Fixes: https://github.com/openssl/openssl/issues/20214
----
- Configure | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Configure b/Configure
-index b6bbec0a85c4..ec48614d6b99 100755
---- a/Configure
-+++ b/Configure
-@@ -1475,7 +1475,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
-         }
- 
- if ($target =~ /linux.*-mips/ && !$disabled{asm}
--        && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
-+        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
-         # minimally required architecture flags for assembly modules
-         my $value;
-         $value = '-mips2' if ($target =~ /mips32/);
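Review bot: the pattern in the corrected grep, /-m(ips|arch=)/, is unanchored, so any CFLAGS element that merely contains "-mips" or "-march=" somewhere inside it suppresses the default -mips2 or -mips3. Anchor it at the start of the element, for example /^-m(ips|arch=)/. The test also inspects only $config{CFLAGS}; a short comment saying so, next to the existing "minimally required architecture flags" comment, would spare the next reader the confusion the double negative caused.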

diff --git a/dev-libs/openssl/openssl-3.0.8-r4.ebuild b/dev-libs/openssl/openssl-3.0.8-r4.ebuild
deleted file mode 100644
index e504eb575575..000000000000
--- a/dev-libs/openssl/openssl-3.0.8-r4.ebuild
+++ /dev/null
@@ -1,281 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
-
-DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
-
-MY_P=${P/_/-}
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
-
-	inherit git-r3
-else
-	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos"
-fi
-
-S="${WORKDIR}"/${MY_P}
-
-LICENSE="Apache-2.0"
-SLOT="0/3" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-COMMON_DEPEND="
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		sys-process/procps
-	)
-	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
-
-DEPEND="${COMMON_DEPEND}"
-RDEPEND="${COMMON_DEPEND}"
-PDEPEND="app-misc/ca-certificates"
-
-MULTILIB_WRAPPED_HEADERS=(
-	/usr/include/openssl/configuration.h
-)
-
-PATCHES=(
-	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
-	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0464.patch
-	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0465.patch
-	"${FILESDIR}"/openssl-3.0.8-CVE-2023-0466.patch
-	"${FILESDIR}"/openssl-3.0.8-CVE-2023-1255.patch
-)
-
-pkg_setup() {
-	if use ktls ; then
-		if kernel_is -lt 4 18 ; then
-			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
-		else
-			CONFIG_CHECK="~TLS ~TLS_DEVICE"
-			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
-			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
-			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
-
-			linux-info_pkg_setup
-		fi
-	fi
-
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl doesn't work with userpriv!
-	if use test && use sctp ; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		PATCHES+=(
-			# Add patches which are Gentoo-specific customisations here
-		)
-	fi
-
-	default
-
-	if use test && use sctp && has network-sandbox ${FEATURES} ; then
-		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
-		rm test/recipes/80-test_ssl_new.t || die
-	fi
-
-	# Test fails depending on kernel configuration, bug #699134
-	rm test/recipes/30-test_afalg.t || die
-}
-
-src_configure() {
-	# Keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (bug #417795 again)
-	tc-is-clang && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-	# The OpenSSL developers don't test with LTO right now, it leads to various
-	# warnings/errors (which may or may not be false positives), it's considered
-	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
-	filter-lto
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	# bug #197996
-	unset APPS
-	# bug #312551
-	unset SCRIPTS
-	# bug #311473
-	unset CROSS_COMPILE
-
-	tc-export AR CC CXX RANLIB RC
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths, bug #460790.
-	#local ec_nistp_64_gcc_128
-	#
-	# Disable it for now though (bug #469976)
-	# Do NOT re-enable without substantial discussion first!
-	#
-	#echo "__uint128_t i;" > "${T}"/128.c
-	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#fi
-
-	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
-	einfo "Using configuration: ${sslout:-(openssl knows best)}"
-
-	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
-	local myeconfargs=(
-		${sslout}
-
-		$(use cpu_flags_x86_sse2 || echo "no-sse2")
-		enable-camellia
-		enable-ec
-		enable-ec2m
-		enable-sm2
-		enable-srp
-		$(use elibc_musl && echo "no-async")
-		enable-idea
-		enable-mdc2
-		enable-rc5
-		$(use fips && echo "enable-fips")
-		$(use_ssl asm)
-		$(use_ssl ktls)
-		$(use_ssl rfc3779)
-		$(use_ssl sctp)
-		$(use test || echo "no-tests")
-		$(use_ssl tls-compression zlib)
-		$(use_ssl weak-ssl-ciphers)
-
-		--prefix="${EPREFIX}"/usr
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
-		--libdir=$(get_libdir)
-
-		shared
-		threads
-	)
-
-	edo perl "${S}/Configure" "${myeconfargs[@]}"
-}
-
-multilib_src_compile() {
-	emake build_sw
-
-	if multilib_is_native_abi; then
-		emake build_docs
-	fi
-}
-
-multilib_src_test() {
-	# VFP = show subtests verbosely and show failed tests verbosely
-	# Normal V=1 would show everything verbosely but this slows things down.
-	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
-}
-
-multilib_src_install() {
-	emake DESTDIR="${D}" install_sw
-	if use fips; then
-		emake DESTDIR="${D}" install_fips
-		# Regen this in pkg_preinst, bug 900625
-		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
-	fi
-
-	if multilib_is_native_abi; then
-		emake DESTDIR="${D}" install_ssldirs
-		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
-	fi
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs. But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs ; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
-
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# bug #254521
-	dodir /etc/sandbox.d
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	if use fips; then
-		# Regen fipsmodule.cnf, bug 900625
-		ebegin "Running openssl fipsinstall"
-		"${ED}/usr/bin/openssl" fipsinstall -quiet \
-			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
-		eend $?
-	fi
-}
-
-pkg_postinst() {
-	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
-	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
-	eend $?
-}
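Review bot: src_unpack() verifies "${DISTDIR}"/${P}.tar.gz{,.asc} while SRC_URI fetches ${MY_P}.tar.gz and ${MY_P}.tar.gz.asc with MY_P=${P/_/-}; the two names agree only when the version has no underscore, so the signature check should use ${MY_P} as well. In pkg_preinst() the result of openssl fipsinstall goes only to eend $?, so a failed run leaves the system without the fipsmodule.cnf that multilib_src_install() removed and the merge still proceeds; add || die if that should be fatal. The comment in multilib_src_install() says the static archives are built "even when USE=static-libs" where the code below it handles the flag being off.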



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-06-14  5:21 Sam James
From: Sam James @ 2023-06-14  5:21 UTC (permalink / raw
  To: gentoo-commits

commit:     14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Jun 14 05:18:43 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 14 05:20:29 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14aa976d

dev-libs/openssl: drop 3.1.0-r3

Bug: https://bugs.gentoo.org/903545
Bug: https://bugs.gentoo.org/907413
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../files/openssl-3.1.0-CVE-2023-0464.patch        | 214 ----------------
 .../files/openssl-3.1.0-CVE-2023-0465.patch        |  46 ----
 .../files/openssl-3.1.0-CVE-2023-0466.patch        |  41 ---
 .../files/openssl-3.1.0-CVE-2023-1255.patch        |  40 ---
 dev-libs/openssl/openssl-3.1.0-r3.ebuild           | 284 ---------------------
 6 files changed, 627 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 4c98e70a536d..f8b20e47b8a9 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,7 +5,5 @@ DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 5de9cb856e497596ecba008bad6515eefd093
 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468 SHA512 40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28
 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885 SHA512 86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a
 DIST openssl-3.0.9.tar.gz.asc 833 BLAKE2B 9943ac65f83f48465cae83b37a1d004f6be4622e53c3025166d42954abe9215f1a6c2af58d4aa2b45fa51182fee5019e740969f694655b6c592bb278c68aacef SHA512 9949de6b57d5aa21da1d4b68a29eb37e302403c983bd7d2d8769b320aac4268a9f9091c5fb182862a4f89a9099660939fe609df87c66991b75f7695faf357caf
-DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 SHA512 71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713
-DIST openssl-3.1.0.tar.gz.asc 488 BLAKE2B f4a844e3db2c2bdf42b6f811d16cc2077cacf713d20474d94e2d0180a6f97eadf4f03522e9fed478d263d680d88091dc2bc48e7ebb15d049bc57ee7ed64c7fbb SHA512 8d542e6471b745822d6cd889c5b168841b4366ee9a96edc2ab5b44fa1bd1b75308422aed312f1bd6e6a3c3e306eceaa95ce9bb4d0aa3e8ff86cb0fd92a7e61ea
 DIST openssl-3.1.1.tar.gz 15544757 BLAKE2B 094f7e28f16de6528016fcd21df1d7382b0dbdcd80ec469d37add9c37f638c059dda3ffb4415eba890a33d146ddc9016bcc7192df101c73be5e70faf6e3b1097 SHA512 8ba9dd6ab87451e126c19cc106ccd1643ca48667d6c37504d0ab98205fbccf855fd0db54474b4113c4c3a15215a4ef77a039fb897a69f71bcab2054b2effd1d9
 DIST openssl-3.1.1.tar.gz.asc 833 BLAKE2B 5a2a9aeb475b843862e133d53bc5bb3c8e12e8e03b1e2da41d0eaa0eade1ae03c4318ad1f5c490c5e1ed7e6ac6275a6d7c881d99993911722b043b15d1622b25 SHA512 83349020c67e5b956f3ef37604a03a1970ea393f862691f5fd5d85930c01e559e25db17d397d8fd230c3862a8b2fba2d5c7df883d56d7472f4c01dab3a661cb2
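Review bot: this hunk drops the openssl-3.1.0 DIST entries and, per the diffstat, the commit also deletes the four CVE patches that 3.1.0-r3 applied, yet the commit message gives only two bug links. State in the message whether the 3.1.1 release whose DIST entries remain already contains the fixes for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466 and CVE-2023-1255, so someone auditing the tree later can see why the patches were safe to remove.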

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
deleted file mode 100644
index dfe83e53d0ad..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-commit 2017771e2db3e2b96f89bbe8766c3209f6a99545
-Author: Pauli <pauli@openssl.org>
-Date:   Wed Mar 8 15:28:20 2023 +1100
-
-    x509: excessive resource use verifying policy constraints
-    
-    A security vulnerability has been identified in all supported versions
-    of OpenSSL related to the verification of X.509 certificate chains
-    that include policy constraints.  Attackers may be able to exploit this
-    vulnerability by creating a malicious certificate chain that triggers
-    exponential use of computational resources, leading to a denial-of-service
-    (DoS) attack on affected systems.
-    
-    Fixes CVE-2023-0464
-    
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    (Merged from https://github.com/openssl/openssl/pull/20570)
-
-diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
-index 18b53cc09e..cba107ca03 100644
---- a/crypto/x509/pcy_local.h
-+++ b/crypto/x509/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
- 
- struct X509_POLICY_TREE_st {
-+    /* The number of nodes in the tree */
-+    size_t node_count;
-+    /* The maximum number of nodes in the tree */
-+    size_t node_maximum;
-+
-     /* This is the tree 'level' data */
-     X509_POLICY_LEVEL *levels;
-     int nlevel;
-@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-                                              X509_POLICY_DATA *data,
-                                              X509_POLICY_NODE *parent,
--                                             X509_POLICY_TREE *tree);
-+                                             X509_POLICY_TREE *tree,
-+                                             int extra_data);
- void ossl_policy_node_free(X509_POLICY_NODE *node);
- int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
-                            const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
-index 9d9a7ea179..450f95a655 100644
---- a/crypto/x509/pcy_node.c
-+++ b/crypto/x509/pcy_node.c
-@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
- X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-                                              X509_POLICY_DATA *data,
-                                              X509_POLICY_NODE *parent,
--                                             X509_POLICY_TREE *tree)
-+                                             X509_POLICY_TREE *tree,
-+                                             int extra_data)
- {
-     X509_POLICY_NODE *node;
- 
-+    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
-+    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
-+        return NULL;
-+
-     node = OPENSSL_zalloc(sizeof(*node));
-     if (node == NULL) {
-         ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
-@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-     }
-     node->data = data;
-     node->parent = parent;
--    if (level) {
-+    if (level != NULL) {
-         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-             if (level->anyPolicy)
-                 goto node_error;
-@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
--    if (tree) {
-+    if (extra_data) {
-         if (tree->extra_data == NULL)
-             tree->extra_data = sk_X509_POLICY_DATA_new_null();
-         if (tree->extra_data == NULL){
-@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
-+    tree->node_count++;
-     if (parent)
-         parent->nchild++;
- 
-diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
-index fa45da5117..f953a05a41 100644
---- a/crypto/x509/pcy_tree.c
-+++ b/crypto/x509/pcy_tree.c
-@@ -14,6 +14,17 @@
- 
- #include "pcy_local.h"
- 
-+/*
-+ * If the maximum number of nodes in the policy tree isn't defined, set it to
-+ * a generous default of 1000 nodes.
-+ *
-+ * Defining this to be zero means unlimited policy tree growth which opens the
-+ * door on CVE-2023-0464.
-+ */
-+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
-+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
-+#endif
-+
- static void expected_print(BIO *channel,
-                            X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
-                            int indent)
-@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-         return X509_PCY_TREE_INTERNAL;
-     }
- 
-+    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
-+    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
-+
-     /*
-      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
-      *
-@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-     if ((data = ossl_policy_data_new(NULL,
-                                      OBJ_nid2obj(NID_any_policy), 0)) == NULL)
-         goto bad_tree;
--    if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
-+    if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
-         ossl_policy_data_free(data);
-         goto bad_tree;
-     }
-@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-  * Return value: 1 on success, 0 otherwise
-  */
- static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
--                                    X509_POLICY_DATA *data)
-+                                    X509_POLICY_DATA *data,
-+                                    X509_POLICY_TREE *tree)
- {
-     X509_POLICY_LEVEL *last = curr - 1;
-     int i, matched = 0;
-@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
- 
-         if (ossl_policy_node_match(last, node, data->valid_policy)) {
--            if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
-+            if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
-                 return 0;
-             matched = 1;
-         }
-     }
-     if (!matched && last->anyPolicy) {
--        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
-+        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
-             return 0;
-     }
-     return 1;
-@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-  * Return value: 1 on success, 0 otherwise.
-  */
- static int tree_link_nodes(X509_POLICY_LEVEL *curr,
--                           const X509_POLICY_CACHE *cache)
-+                           const X509_POLICY_CACHE *cache,
-+                           X509_POLICY_TREE *tree)
- {
-     int i;
- 
-@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
- 
-         /* Look for matching nodes in previous level */
--        if (!tree_link_matching_nodes(curr, data))
-+        if (!tree_link_matching_nodes(curr, data, tree))
-             return 0;
-     }
-     return 1;
-@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
-     /* Curr may not have anyPolicy */
-     data->qualifier_set = cache->anyPolicy->qualifier_set;
-     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
--    if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
-+    if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
-         ossl_policy_data_free(data);
-         return 0;
-     }
-@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
-     /* Finally add link to anyPolicy */
-     if (last->anyPolicy &&
-             ossl_policy_level_add_node(curr, cache->anyPolicy,
--                                       last->anyPolicy, NULL) == NULL)
-+                                       last->anyPolicy, tree, 0) == NULL)
-         return 0;
-     return 1;
- }
-@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
-             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
-                 | POLICY_DATA_FLAG_EXTRA_NODE;
-             node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
--                                              tree);
-+                                              tree, 1);
-         }
-         if (!tree->user_policies) {
-             tree->user_policies = sk_X509_POLICY_NODE_new_null();
-@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
- 
-     for (i = 1; i < tree->nlevel; i++, curr++) {
-         cache = ossl_policy_cache_set(curr->cert);
--        if (!tree_link_nodes(curr, cache))
-+        if (!tree_link_nodes(curr, cache, tree))
-             return X509_PCY_TREE_INTERNAL;
- 
-         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
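
Review bot: In tree_evaluate(), a failed tree_link_nodes() is still reported as X509_PCY_TREE_INTERNAL, so a chain that trips the node limit set in tree_init() (tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX) looks the same to the caller as an allocation failure. Consider a distinct return code, or at least an error-queue entry where the limit is hit, so a rejected oversized policy tree can be told apart from memory pressure. The limit is also a compile-time constant only; a short comment next to the #ifndef on how a downstream build is expected to override it would help.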

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch
deleted file mode 100644
index a98f7cba13bd..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-commit facfb1ab745646e97a1920977ae4a9965ea61d5c
-Author: Matt Caswell <matt@openssl.org>
-Date:   Tue Mar 7 16:52:55 2023 +0000
-
-    Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
-    
-    Even though we check the leaf cert to confirm it is valid, we
-    later ignored the invalid flag and did not notice that the leaf
-    cert was bad.
-    
-    Fixes: CVE-2023-0465
-    
-    Reviewed-by: Hugo Landau <hlandau@openssl.org>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/20586)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 9384f1da9b..a0282c3ef1 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
-         goto memerr;
-     /* Invalid or inconsistent extensions */
-     if (ret == X509_PCY_TREE_INVALID) {
--        int i;
-+        int i, cbcalled = 0;
- 
-         /* Locate certificates with bad extensions and notify callback. */
--        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
-             X509 *x = sk_X509_value(ctx->chain, i);
- 
-+            if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
-+                cbcalled = 1;
-             CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
-                        ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
-         }
-+        if (!cbcalled) {
-+            /* Should not be able to get here */
-+            ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
-+            return 0;
-+        }
-+        /* The callback ignored the error so we return success */
-         return 1;
-     }
-     if (ret == X509_PCY_TREE_FAILURE) {
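
Review bot: The patch as carried changes only crypto/x509/x509_vfy.c and brings no regression test for the loop in check_policy() now starting at i = 0; a test with a leaf certificate carrying an invalid policy extension would keep the bound from drifting back to 1. In the loop body, (x->ex_flags & EXFLAG_INVALID_POLICY) != 0 is evaluated twice, once to set cbcalled and once inside CB_FAIL_IF; computing it once into a local would make it obvious that the two uses cannot diverge.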

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch
deleted file mode 100644
index 9a315f4c00fd..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-commit fc814a30fc4f0bc54fcea7d9a7462f5457aab061
-Author: Tomas Mraz <tomas@openssl.org>
-Date:   Tue Mar 21 16:15:47 2023 +0100
-
-    Fix documentation of X509_VERIFY_PARAM_add0_policy()
-    
-    The function was incorrectly documented as enabling policy checking.
-    
-    Fixes: CVE-2023-0466
-    
-    Reviewed-by: Paul Dale <pauli@openssl.org>
-    Reviewed-by: Matt Caswell <matt@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/20562)
-
-diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-index 20aea99b5b..fcbbfc4c30 100644
---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-@@ -98,8 +98,9 @@ B<trust>.
- X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
- B<t>. Normally the current time is used.
- 
--X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
--by default) and adds B<policy> to the acceptable policy set.
-+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
-+Contrary to preexisting documentation of this function it does not enable
-+policy checking.
- 
- X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
- by default) and sets the acceptable policy set to B<policies>. Any existing
-@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
- The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
- and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
- 
-+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
-+enabling policy checking however the implementation has never done this.
-+The documentation was changed to align with the implementation.
-+
- =head1 COPYRIGHT
- 
- Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
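
Review bot: The reworded paragraph for X509_VERIFY_PARAM_add0_policy() says what the function does not do but not what a caller should do instead. The next paragraph already documents X509_VERIFY_PARAM_set1_policies() as enabling policy checking, so add a sentence pointing callers there, or to setting X509_V_FLAG_POLICY_CHECK through X509_VERIFY_PARAM_set_flags(), so that code written against the old text has a clear way to turn checking on. The added HISTORY sentence also needs punctuation around "however".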

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-1255.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-1255.patch
deleted file mode 100644
index aea425f83556..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-1255.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-commit bc2f61ad70971869b242fc1cb445b98bad50074a
-Author: Tomas Mraz <tomas@openssl.org>
-Date:   Mon Apr 17 16:51:20 2023 +0200
-
-    aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
-    
-    Original author: Nevine Ebeid (Amazon)
-    Fixes: CVE-2023-1255
-    
-    The buffer overread happens on decrypts of 4 mod 5 sizes.
-    Unless the memory just after the buffer is unmapped this is harmless.
-    
-    Reviewed-by: Paul Dale <pauli@openssl.org>
-    Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-    (Merged from https://github.com/openssl/openssl/pull/20759)
-    
-    (cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304)
-
-diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
-index ea74217317..efd3ccd1a4 100755
---- a/crypto/aes/asm/aesv8-armx.pl
-+++ b/crypto/aes/asm/aesv8-armx.pl
-@@ -3367,7 +3367,7 @@ $code.=<<___	if ($flavour =~ /64/);
- .align	4
- .Lxts_dec_tail4x:
- 	add	$inp,$inp,#16
--	vld1.32	{$dat0},[$inp],#16
-+	tst	$tailcnt,#0xf
- 	veor	$tmp1,$dat1,$tmp0
- 	vst1.8	{$tmp1},[$out],#16
- 	veor	$tmp2,$dat2,$tmp2
-@@ -3376,6 +3376,8 @@ $code.=<<___	if ($flavour =~ /64/);
- 	veor	$tmp4,$dat4,$tmp4
- 	vst1.8	{$tmp3-$tmp4},[$out],#32
- 
-+	b.eq	.Lxts_dec_abort
-+	vld1.32	{$dat0},[$inp],#16
- 	b	.Lxts_done
- .align	4
- .Lxts_outer_dec_tail:
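
Review bot: At .Lxts_dec_tail4x the new tst $tailcnt,#0xf sets the flags that b.eq .Lxts_dec_abort consumes only after the intervening veor/vst1.8 sequence, and nothing in the code says so. Add a comment at the tst naming the later b.eq, so a future edit does not place a flag-setting instruction between them and silently change when the relocated vld1.32 {$dat0},[$inp],#16 is skipped.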

diff --git a/dev-libs/openssl/openssl-3.1.0-r3.ebuild b/dev-libs/openssl/openssl-3.1.0-r3.ebuild
deleted file mode 100644
index 5f1ec4c39f0f..000000000000
--- a/dev-libs/openssl/openssl-3.1.0-r3.ebuild
+++ /dev/null
@@ -1,284 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
-
-DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
-
-MY_P=${P/_/-}
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
-
-	inherit git-r3
-else
-	SRC_URI="
-		mirror://openssl/source/${MY_P}.tar.gz
-		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
-	"
-	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-fi
-
-S="${WORKDIR}"/${MY_P}
-
-LICENSE="Apache-2.0"
-SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-COMMON_DEPEND="
-	!<net-misc/openssh-9.2_p1-r3
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		sys-process/procps
-	)
-	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
-
-DEPEND="${COMMON_DEPEND}"
-RDEPEND="${COMMON_DEPEND}"
-PDEPEND="app-misc/ca-certificates"
-
-MULTILIB_WRAPPED_HEADERS=(
-	/usr/include/openssl/configuration.h
-)
-
-PATCHES=(
-	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
-	"${FILESDIR}"/openssl-3.1.0-CVE-2023-0464.patch
-	"${FILESDIR}"/openssl-3.1.0-CVE-2023-0465.patch
-	"${FILESDIR}"/openssl-3.1.0-CVE-2023-0466.patch
-	"${FILESDIR}"/openssl-3.1.0-CVE-2023-1255.patch
-)
-
-pkg_setup() {
-	if use ktls ; then
-		if kernel_is -lt 4 18 ; then
-			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
-		else
-			CONFIG_CHECK="~TLS ~TLS_DEVICE"
-			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
-			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
-			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
-
-			linux-info_pkg_setup
-		fi
-	fi
-
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl doesn't work with userpriv!
-	if use test && use sctp ; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		PATCHES+=(
-			# Add patches which are Gentoo-specific customisations here
-		)
-	fi
-
-	default
-
-	if use test && use sctp && has network-sandbox ${FEATURES} ; then
-		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
-		rm test/recipes/80-test_ssl_new.t || die
-	fi
-
-	# Test fails depending on kernel configuration, bug #699134
-	rm test/recipes/30-test_afalg.t || die
-}
-
-src_configure() {
-	# Keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (bug #417795 again)
-	tc-is-clang && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-	# The OpenSSL developers don't test with LTO right now, it leads to various
-	# warnings/errors (which may or may not be false positives), it's considered
-	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
-	filter-lto
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	# bug #197996
-	unset APPS
-	# bug #312551
-	unset SCRIPTS
-	# bug #311473
-	unset CROSS_COMPILE
-
-	tc-export AR CC CXX RANLIB RC
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths, bug #460790.
-	#local ec_nistp_64_gcc_128
-	#
-	# Disable it for now though (bug #469976)
-	# Do NOT re-enable without substantial discussion first!
-	#
-	#echo "__uint128_t i;" > "${T}"/128.c
-	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#fi
-
-	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
-	einfo "Using configuration: ${sslout:-(openssl knows best)}"
-
-	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
-	local myeconfargs=(
-		${sslout}
-
-		$(use cpu_flags_x86_sse2 || echo "no-sse2")
-		enable-camellia
-		enable-ec
-		enable-ec2m
-		enable-sm2
-		enable-srp
-		$(use elibc_musl && echo "no-async")
-		enable-idea
-		enable-mdc2
-		enable-rc5
-		$(use fips && echo "enable-fips")
-		$(use_ssl asm)
-		$(use_ssl ktls)
-		$(use_ssl rfc3779)
-		$(use_ssl sctp)
-		$(use test || echo "no-tests")
-		$(use_ssl tls-compression zlib)
-		$(use_ssl weak-ssl-ciphers)
-
-		--prefix="${EPREFIX}"/usr
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
-		--libdir=$(get_libdir)
-
-		shared
-		threads
-	)
-
-	edo perl "${S}/Configure" "${myeconfargs[@]}"
-}
-
-multilib_src_compile() {
-	emake build_sw
-
-	if multilib_is_native_abi; then
-		emake build_docs
-	fi
-}
-
-multilib_src_test() {
-	# VFP = show subtests verbosely and show failed tests verbosely
-	# Normal V=1 would show everything verbosely but this slows things down.
-	emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
-}
-
-multilib_src_install() {
-	emake DESTDIR="${D}" install_sw
-	if use fips; then
-		emake DESTDIR="${D}" install_fips
-		# Regen this in pkg_preinst, bug 900625
-		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
-	fi
-
-	if multilib_is_native_abi; then
-		emake DESTDIR="${D}" install_ssldirs
-		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
-	fi
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs. But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs ; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
-
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# bug #254521
-	dodir /etc/sandbox.d
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
-	if use fips; then
-		# Regen fipsmodule.cnf, bug 900625
-		ebegin "Running openssl fipsinstall"
-		"${ED}/usr/bin/openssl" fipsinstall -quiet \
-			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
-		eend $?
-	fi
-}
-
-pkg_postinst() {
-	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
-	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
-	eend $?
-}
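
Review bot: src_unpack() verifies "${DISTDIR}"/${P}.tar.gz{,.asc} while SRC_URI fetches ${MY_P}.tar.gz and its .asc, with MY_P=${P/_/-}; the two names agree only for versions without an underscore, so for any other version the signature check would look for a file that was never fetched. If this function survives in the remaining ebuilds, use ${MY_P} there. In pkg_preinst(), the openssl fipsinstall call is followed only by eend $? with no die, so consider making a failed regeneration of fipsmodule.cnf abort the merge explicitly.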



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-06-14  5:21 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2023-06-14  5:21 UTC
  To: gentoo-commits

commit:     6c4610dbafdc773344fd62e49e27ada4c6b6dfd2
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Jun 14 05:17:11 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 14 05:20:25 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c4610db

dev-libs/openssl: drop 1.1.1t-r3

Bug: https://bugs.gentoo.org/903545
Bug: https://bugs.gentoo.org/907413
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../files/openssl-1.1.1t-CVE-2023-0464.patch       | 215 ----------------
 .../files/openssl-1.1.1t-CVE-2023-0465.patch       |  48 ----
 .../files/openssl-1.1.1t-CVE-2023-0466.patch       |  41 ----
 dev-libs/openssl/openssl-1.1.1t-r3.ebuild          | 269 ---------------------
 5 files changed, 575 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3793e1ac7a75..4c98e70a536d 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,8 +1,6 @@
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
-DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e857728625d31ab3244881cafa91c099a817a09def7746bce4133585bfc90b769f43527e77a81ed13e60a8c2fb4d8d SHA512 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c
-DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
 DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 5de9cb856e497596ecba008bad6515eefd093849b9c66dd7447031723996f3ba66ac37a323a5f7d01b1d42df4daaceb523372f5897d5c53b935ffab91c566594 SHA512 d00aeb0b4c4676deff06ff95af7ac33dd683b92f972b4a8ae55cf384bb37c7ec30ab83c6c0745daf87cf1743a745fced6a347fd11fed4c548aa0953610ed4919
 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468 SHA512 40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28
 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885 SHA512 86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch
deleted file mode 100644
index 950e6572cd28..000000000000
--- a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-commit 879f7080d7e141f415c79eaa3a8ac4a3dad0348b
-Author: Pauli <pauli@openssl.org>
-Date:   Wed Mar 8 15:28:20 2023 +1100
-
-    x509: excessive resource use verifying policy constraints
-    
-    A security vulnerability has been identified in all supported versions
-    of OpenSSL related to the verification of X.509 certificate chains
-    that include policy constraints.  Attackers may be able to exploit this
-    vulnerability by creating a malicious certificate chain that triggers
-    exponential use of computational resources, leading to a denial-of-service
-    (DoS) attack on affected systems.
-    
-    Fixes CVE-2023-0464
-    
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    (Merged from https://github.com/openssl/openssl/pull/20569)
-
-diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
-index 5daf78de45..344aa06765 100644
---- a/crypto/x509v3/pcy_local.h
-+++ b/crypto/x509v3/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
- 
- struct X509_POLICY_TREE_st {
-+    /* The number of nodes in the tree */
-+    size_t node_count;
-+    /* The maximum number of nodes in the tree */
-+    size_t node_maximum;
-+
-     /* This is the tree 'level' data */
-     X509_POLICY_LEVEL *levels;
-     int nlevel;
-@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-                                  X509_POLICY_DATA *data,
-                                  X509_POLICY_NODE *parent,
--                                 X509_POLICY_TREE *tree);
-+                                 X509_POLICY_TREE *tree,
-+                                 int extra_data);
- void policy_node_free(X509_POLICY_NODE *node);
- int policy_node_match(const X509_POLICY_LEVEL *lvl,
-                       const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
-index e2d7b15322..d574fb9d66 100644
---- a/crypto/x509v3/pcy_node.c
-+++ b/crypto/x509v3/pcy_node.c
-@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-                                  X509_POLICY_DATA *data,
-                                  X509_POLICY_NODE *parent,
--                                 X509_POLICY_TREE *tree)
-+                                 X509_POLICY_TREE *tree,
-+                                 int extra_data)
- {
-     X509_POLICY_NODE *node;
- 
-+    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
-+    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
-+        return NULL;
-+
-     node = OPENSSL_zalloc(sizeof(*node));
-     if (node == NULL) {
-         X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
-@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-     }
-     node->data = data;
-     node->parent = parent;
--    if (level) {
-+    if (level != NULL) {
-         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-             if (level->anyPolicy)
-                 goto node_error;
-@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
--    if (tree) {
-+    if (extra_data) {
-         if (tree->extra_data == NULL)
-             tree->extra_data = sk_X509_POLICY_DATA_new_null();
-         if (tree->extra_data == NULL){
-@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
-+    tree->node_count++;
-     if (parent)
-         parent->nchild++;
- 
-diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
-index 6e8322cbc5..6c7fd35405 100644
---- a/crypto/x509v3/pcy_tree.c
-+++ b/crypto/x509v3/pcy_tree.c
-@@ -13,6 +13,18 @@
- 
- #include "pcy_local.h"
- 
-+/*
-+ * If the maximum number of nodes in the policy tree isn't defined, set it to
-+ * a generous default of 1000 nodes.
-+ *
-+ * Defining this to be zero means unlimited policy tree growth which opens the
-+ * door on CVE-2023-0464.
-+ */
-+
-+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
-+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
-+#endif
-+
- /*
-  * Enable this to print out the complete policy tree at various point during
-  * evaluation.
-@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-         return X509_PCY_TREE_INTERNAL;
-     }
- 
-+    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
-+    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
-+
-     /*
-      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
-      *
-@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-     level = tree->levels;
-     if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
-         goto bad_tree;
--    if (level_add_node(level, data, NULL, tree) == NULL) {
-+    if (level_add_node(level, data, NULL, tree, 1) == NULL) {
-         policy_data_free(data);
-         goto bad_tree;
-     }
-@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-  * Return value: 1 on success, 0 otherwise
-  */
- static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
--                                    X509_POLICY_DATA *data)
-+                                    X509_POLICY_DATA *data,
-+                                    X509_POLICY_TREE *tree)
- {
-     X509_POLICY_LEVEL *last = curr - 1;
-     int i, matched = 0;
-@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
- 
-         if (policy_node_match(last, node, data->valid_policy)) {
--            if (level_add_node(curr, data, node, NULL) == NULL)
-+            if (level_add_node(curr, data, node, tree, 0) == NULL)
-                 return 0;
-             matched = 1;
-         }
-     }
-     if (!matched && last->anyPolicy) {
--        if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
-+        if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
-             return 0;
-     }
-     return 1;
-@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-  * Return value: 1 on success, 0 otherwise.
-  */
- static int tree_link_nodes(X509_POLICY_LEVEL *curr,
--                           const X509_POLICY_CACHE *cache)
-+                           const X509_POLICY_CACHE *cache,
-+                           X509_POLICY_TREE *tree)
- {
-     int i;
- 
-@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
- 
-         /* Look for matching nodes in previous level */
--        if (!tree_link_matching_nodes(curr, data))
-+        if (!tree_link_matching_nodes(curr, data, tree))
-             return 0;
-     }
-     return 1;
-@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
-     /* Curr may not have anyPolicy */
-     data->qualifier_set = cache->anyPolicy->qualifier_set;
-     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
--    if (level_add_node(curr, data, node, tree) == NULL) {
-+    if (level_add_node(curr, data, node, tree, 1) == NULL) {
-         policy_data_free(data);
-         return 0;
-     }
-@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
-     }
-     /* Finally add link to anyPolicy */
-     if (last->anyPolicy &&
--        level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
-+        level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
-         return 0;
-     return 1;
- }
-@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
-             extra->qualifier_set = anyPolicy->data->qualifier_set;
-             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
-                 | POLICY_DATA_FLAG_EXTRA_NODE;
--            node = level_add_node(NULL, extra, anyPolicy->parent, tree);
-+            node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
-         }
-         if (!tree->user_policies) {
-             tree->user_policies = sk_X509_POLICY_NODE_new_null();
-@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
- 
-     for (i = 1; i < tree->nlevel; i++, curr++) {
-         cache = policy_cache_set(curr->cert);
--        if (!tree_link_nodes(curr, cache))
-+        if (!tree_link_nodes(curr, cache, tree))
-             return X509_PCY_TREE_INTERNAL;
- 
-         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
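
Review bot: In level_add_node() (crypto/x509v3/pcy_node.c) tree is now dereferenced unconditionally, at the new tree->node_maximum check and at tree->node_count++, whereas the old code treated it as optional (if (tree)). Every caller touched by this patch passes a tree, but the function is declared in pcy_local.h and nothing enforces the new contract; document tree as required at the prototype or return NULL early when it is missing. The limit path also returns NULL without putting anything on the error queue, unlike the allocation failure just below it, which makes a rejected chain hard to diagnose.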

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch
deleted file mode 100644
index c332e0bd2c9f..000000000000
--- a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-commit b013765abfa80036dc779dd0e50602c57bb3bf95
-Author: Matt Caswell <matt@openssl.org>
-Date:   Tue Mar 7 16:52:55 2023 +0000
-
-    Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
-    
-    Even though we check the leaf cert to confirm it is valid, we
-    later ignored the invalid flag and did not notice that the leaf
-    cert was bad.
-    
-    Fixes: CVE-2023-0465
-    
-    Reviewed-by: Hugo Landau <hlandau@openssl.org>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/20588)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 925fbb5412..1dfe4f9f31 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
-     }
-     /* Invalid or inconsistent extensions */
-     if (ret == X509_PCY_TREE_INVALID) {
--        int i;
-+        int i, cbcalled = 0;
- 
-         /* Locate certificates with bad extensions and notify callback. */
--        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
-             X509 *x = sk_X509_value(ctx->chain, i);
- 
-             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
-                 continue;
-+            cbcalled = 1;
-             if (!verify_cb_cert(ctx, x, i,
-                                 X509_V_ERR_INVALID_POLICY_EXTENSION))
-                 return 0;
-         }
-+        if (!cbcalled) {
-+            /* Should not be able to get here */
-+            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
-+            return 0;
-+        }
-+        /* The callback ignored the error so we return success */
-         return 1;
-     }
-     if (ret == X509_PCY_TREE_FAILURE) {
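
Review bot: the new `if (!cbcalled)` branch in check_policy() returns 0 after `X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR)` without going through verify_cb_cert(), so in the lines shown this is the one failure path that reports no X509_V_ERR_* code for any certificate. The comment "Should not be able to get here" should state the invariant it relies on: X509_PCY_TREE_INVALID implies at least one certificate in ctx->chain carries EXFLAG_INVALID_POLICY, and the loop now starts at index 0 so the leaf is covered. It would also help to say why a hard failure is preferred here over the old fall-through to `return 1`.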

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch
deleted file mode 100644
index 9a59d2846a48..000000000000
--- a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-commit 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
-Author: Tomas Mraz <tomas@openssl.org>
-Date:   Tue Mar 21 16:15:47 2023 +0100
-
-    Fix documentation of X509_VERIFY_PARAM_add0_policy()
-    
-    The function was incorrectly documented as enabling policy checking.
-    
-    Fixes: CVE-2023-0466
-    
-    Reviewed-by: Matt Caswell <matt@openssl.org>
-    Reviewed-by: Paul Dale <pauli@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/20564)
-
-diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-index f6f304bf7b..aa292f9336 100644
---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-@@ -92,8 +92,9 @@ B<trust>.
- X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
- B<t>. Normally the current time is used.
- 
--X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
--by default) and adds B<policy> to the acceptable policy set.
-+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
-+Contrary to preexisting documentation of this function it does not enable
-+policy checking.
- 
- X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
- by default) and sets the acceptable policy set to B<policies>. Any existing
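
Review bot: the corrected paragraph for X509_VERIFY_PARAM_add0_policy() says what the function does not do but gives the reader no pointer to what does enable policy checking. The next paragraph already documents X509_VERIFY_PARAM_set1_policies() as enabling it, so a cross-reference in the new text ("use X509_VERIFY_PARAM_set1_policies() or set the policy-check flag explicitly") would stop callers from keeping code that adds a policy and assumes it is enforced. "Contrary to preexisting documentation" also reads as a changelog entry rather than reference text and fits better in the HISTORY section alone.
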
-@@ -377,6 +378,10 @@ and has no effect.
- 
- The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
- 
-+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
-+enabling policy checking however the implementation has never done this.
-+The documentation was changed to align with the implementation.
-+
- =head1 COPYRIGHT
- 
- Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
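
Review bot: the added HISTORY entry does not name the release in which the documentation changed, unlike the X509_VERIFY_PARAM_get_hostflags() line directly above it ("was added in OpenSSL 1.1.0i"). Adding the version lets readers of older man pages tell which text they have. The sentence also needs a comma or semicolon before "however".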

diff --git a/dev-libs/openssl/openssl-1.1.1t-r3.ebuild b/dev-libs/openssl/openssl-1.1.1t-r3.ebuild
deleted file mode 100644
index 36d0d673d156..000000000000
--- a/dev-libs/openssl/openssl-1.1.1t-r3.ebuild
+++ /dev/null
@@ -1,269 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
-
-MY_P=${P/_/-}
-DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
-	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-if [[ ${PV} != *_pre* ]] ; then
-	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-fi
-IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
-	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
-	>=dev-lang/perl-5
-	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
-	test? (
-		sys-apps/diffutils
-		sys-devel/bc
-		kernel_linux? ( sys-process/procps )
-	)
-	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
-PDEPEND="app-misc/ca-certificates"
-
-# force upgrade to prevent broken login, bug #696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
-	usr/include/openssl/opensslconf.h
-)
-
-PATCHES=(
-	# General patches which are suitable to always apply
-	# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
-	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
-	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
-	"${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
-	"${FILESDIR}"/openssl-1.1.1t-CVE-2023-0464.patch
-	"${FILESDIR}"/openssl-1.1.1t-CVE-2023-0465.patch
-	"${FILESDIR}"/openssl-1.1.1t-CVE-2023-0466.patch
-)
-
-pkg_setup() {
-	[[ ${MERGE_TYPE} == binary ]] && return
-
-	# must check in pkg_setup; sysctl doesn't work with userpriv!
-	if use test && use sctp; then
-		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
-		# if sctp.auth_enable is not enabled.
-		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
-		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
-			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
-		fi
-	fi
-}
-
-src_unpack() {
-	# Can delete this once test fix patch is dropped
-	if use verify-sig ; then
-		# Needed for downloaded patch (which is unsigned, which is fine)
-		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
-	fi
-
-	default
-}
-
-src_prepare() {
-	# Make sure we only ever touch Makefile.org and avoid patching a file
-	# that gets blown away anyways by the Configure script in src_configure
-	rm -f Makefile
-
-	if ! use vanilla ; then
-		PATCHES+=(
-			# Add patches which are Gentoo-specific customisations here
-		)
-	fi
-
-	default
-
-	if use test && use sctp && has network-sandbox ${FEATURES}; then
-		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
-		rm test/recipes/80-test_ssl_new.t || die
-	fi
-
-	# Test fails depending on kernel configuration, bug #699134
-	rm test/recipes/30-test_afalg.t || die
-
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-
-	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
-		# use GNU ld full option, not to confuse it on Solaris
-		sed -i \
-			-e 's/-Wl,-M,/-Wl,--version-script=/' \
-			-e 's/-Wl,-h,/-Wl,--soname=/' \
-			Configurations/10-main.conf || die
-	fi
-
-	# The config script does stupid stuff to prompt the user.  Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-}
-
-src_configure() {
-	# Keep this in sync with app-misc/c_rehash
-	SSL_CNF_DIR="/etc/ssl"
-
-	# Quiet out unknown driver argument warnings since openssl
-	# doesn't have well-split CFLAGS and we're making it even worse
-	# and 'make depend' uses -Werror for added fun (bug #417795 again)
-	tc-is-clang && append-flags -Qunused-arguments
-
-	# We really, really need to build OpenSSL w/ strict aliasing disabled.
-	# It's filled with violations and it *will* result in miscompiled
-	# code. This has been in the ebuild for > 10 years but even in 2022,
-	# it's still relevant:
-	# - https://github.com/llvm/llvm-project/issues/55255
-	# - https://github.com/openssl/openssl/issues/18225
-	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
-	# Don't remove the no strict aliasing bits below!
-	filter-flags -fstrict-aliasing
-	append-flags -fno-strict-aliasing
-	# The OpenSSL developers don't test with LTO right now, it leads to various
-	# warnings/errors (which may or may not be false positives), it's considered
-	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
-	filter-lto
-
-	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
-	append-flags $(test-flags-CC -Wa,--noexecstack)
-
-	# bug #197996
-	unset APPS
-	# bug #312551
-	unset SCRIPTS
-	# bug #311473
-	unset CROSS_COMPILE
-
-	tc-export AR CC CXX RANLIB RC
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
-	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
-	# See if our toolchain supports __uint128_t.  If so, it's 64bit
-	# friendly and can use the nicely optimized code paths, bug #460790.
-	#local ec_nistp_64_gcc_128
-	#
-	# Disable it for now though (bug #469976)
-	# Do NOT re-enable without substantial discussion first!
-	#
-	#echo "__uint128_t i;" > "${T}"/128.c
-	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
-	#	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
-	#fi
-
-	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
-	einfo "Use configuration ${sslout:-(openssl knows best)}"
-	local config=( perl "${S}/Configure" )
-	[[ -z ${sslout} ]] && config=( sh "${S}/config" -v )
-
-	# "disable-deprecated" option breaks too many consumers.
-	# Don't set it without thorough revdeps testing.
-	# Make sure user flags don't get added *yet* to avoid duplicated
-	# flags.
-	local myeconfargs=(
-		${sslout}
-
-		$(use cpu_flags_x86_sse2 || echo "no-sse2")
-		enable-camellia
-		enable-ec
-		enable-ec2m
-		enable-sm2
-		enable-srp
-		$(use elibc_musl && echo "no-async")
-		${ec_nistp_64_gcc_128}
-		enable-idea
-		enable-mdc2
-		enable-rc5
-		$(use_ssl sslv3 ssl3)
-		$(use_ssl sslv3 ssl3-method)
-		$(use_ssl asm)
-		$(use_ssl rfc3779)
-		$(use_ssl sctp)
-		$(use test || echo "no-tests")
-		$(use_ssl tls-compression zlib)
-		$(use_ssl tls-heartbeat heartbeats)
-		$(use_ssl weak-ssl-ciphers)
-
-		--prefix="${EPREFIX}"/usr
-		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
-		--libdir=$(get_libdir)
-
-		shared
-		threads
-	)
-
-	edo "${config[@]}" "${myeconfargs[@]}"
-}
-
-multilib_src_compile() {
-	emake all
-}
-
-multilib_src_test() {
-	emake -j1 test
-}
-
-multilib_src_install() {
-	emake DESTDIR="${D}" install_sw
-
-	if multilib_is_native_abi; then
-		emake DESTDIR="${D}" install_ssldirs
-		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} MANSUFFIX=ssl install_docs
-	fi
-
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs. But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	if ! use static-libs; then
-		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
-	fi
-}
-
-multilib_src_install_all() {
-	# openssl installs perl version of c_rehash by default, but
-	# we provide a shell version via app-misc/c_rehash
-	rm "${ED}"/usr/bin/c_rehash || die
-
-	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
-	# bug #254521
-	dodir /etc/sandbox.d
-	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
-	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
-	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
-	eend $?
-}
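
Review bot: the PATCHES array in this removed ebuild is the consumer of the openssl-1.1.1t-CVE-2023-0465.patch and openssl-1.1.1t-CVE-2023-0466.patch files deleted above, so the two removals belong together, but nothing in the visible diff shows that no other dev-libs/openssl ebuild still lists them. Grep the remaining 1.1.1 ebuilds for `openssl-1.1.1t-CVE-2023-` before merging, since a dangling `${FILESDIR}` entry only fails at build time. The other FILESDIR entries referenced here (`${PN}-1.1.0j-parallel_install_fix.patch`, `${PN}-1.1.1i-riscv32.patch`, `gentoo.config-1.0.4`) deserve the opposite check: if this was their last user they should be dropped in the same commit.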



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2023-07-19 15:06 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2023-07-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     e70b056198310f608b8faddfcb24a96f2dfab9e6
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 19 14:55:30 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jul 19 15:05:52 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e70b0561

dev-libs/openssl: patch CVE-2023-2975, CVE-2023-3446 for 3.0.9

Bug: https://bugs.gentoo.org/910556
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/openssl-3.0.9-CVE-2023-2975.patch        | 109 ++++++++
 .../files/openssl-3.0.9-CVE-2023-3446.patch        | 120 +++++++++
 dev-libs/openssl/openssl-3.0.9-r2.ebuild           | 290 +++++++++++++++++++++
 3 files changed, 519 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
new file mode 100644
index 000000000000..908e57251cb9
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
@@ -0,0 +1,109 @@
+https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598
+https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05
+
+From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 4 Jul 2023 17:30:35 +0200
+Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
+
+The AES-SIV mode allows for multiple associated data items
+authenticated separately with any of these being 0 length.
+
+The provided implementation ignores such empty associated data
+which is incorrect in regards to the RFC 5297 and is also
+a security issue because such empty associated data then become
+unauthenticated if an application expects to authenticate them.
+
+Fixes CVE-2023-2975
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
++++ b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
+     if (!ossl_prov_is_running())
+         return 0;
+ 
+-    if (inl == 0) {
+-        *outl = 0;
+-        return 1;
+-    }
++    /* Ignore just empty encryption/decryption call and not AAD. */
++    if (out != NULL) {
++        if (inl == 0) {
++            if (outl != NULL)
++                *outl = 0;
++            return 1;
++        }
+ 
+-    if (outsize < inl) {
+-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+-        return 0;
++        if (outsize < inl) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
++            return 0;
++        }
+     }
+ 
+     if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
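
Review bot: the new comment in siv_cipher(), "Ignore just empty encryption/decryption call and not AAD.", never says that `out == NULL` is what identifies an AAD call, which is the condition the whole fix rests on. Spell that out (for example "out == NULL means this call supplies associated data; a zero-length AAD item must still reach ctx->hw->cipher() so it is authenticated"). Note also that `outl` is only NULL-checked and written in the `inl == 0` branch; on the AAD path this hunk leaves `*outl` untouched before calling ctx->hw->cipher(), so it is worth confirming the code after the hunk sets it.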
+
+From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 4 Jul 2023 17:50:37 +0200
+Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
+--- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
++++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
+@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
+ Plaintext =  112233445566778899aabbccddee
+ Ciphertext = 40c02b9690c4dc04daef7f6afe5c
+ 
++Cipher = aes-128-siv
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++Tag = f1c5fdeac1f15a26779c1501f9fb7588
++Plaintext =  112233445566778899aabbccddee
++Ciphertext = 27e946c669088ab06da58c5c831c
++
++Cipher = aes-128-siv
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++AAD =
++Tag = d1022f5b3664e5a4dfaf90f85be6f28a
++Plaintext =  112233445566778899aabbccddee
++Ciphertext = b66cff6b8eca0b79f083b39a0901
++
+ Cipher = aes-128-siv
+ Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+ AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
+ Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+ Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
+ 
++Cipher = aes-128-siv
++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
++AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
++AAD =
++AAD = 09f911029d74e35bd84156c5635688c0
++Tag = 83ce6593a8fa67eb6fcd2819cedfc011
++Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
++Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
++
++Cipher = aes-128-siv
++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
++AAD =
++AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
++AAD = 09f911029d74e35bd84156c5635688c0
++Tag = 77dd4a44f5a6b41302121ee7f378de25
++Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
++Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
++
+ Cipher = aes-192-siv
+ Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
+ AAD = 101112131415161718191a1b1c1d1e1f2021222324252627
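
Review bot: the vectors added in this hunk place the empty `AAD =` entry in the middle and in the first position of a three-item list, but never last, and together with the previous hunk every new case is aes-128-siv only. A vector with the empty item as the final AAD entry would close the obvious gap, and one aes-192-siv or aes-256-siv case with an empty AAD would show the fix is not key-size specific.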

diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-3446.patch b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-3446.patch
new file mode 100644
index 000000000000..1a1be6a8af51
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-3446.patch
@@ -0,0 +1,120 @@
+https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb
+https://github.com/openssl/openssl/commit/8a62fd996cb1c22383ec75b4155d54dec4a1b0ee
+
+From 1fa20cf2f506113c761777127a38bce5068740eb Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 6 Jul 2023 16:36:35 +0100
+Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
+
+The DH_check() function checks numerous aspects of the key or parameters
+that have been supplied. Some of those checks use the supplied modulus
+value even if it is excessively large.
+
+There is already a maximum DH modulus size (10,000 bits) over which
+OpenSSL will not generate or derive keys. DH_check() will however still
+perform various tests for validity on such a large modulus. We introduce a
+new maximum (32,768) over which DH_check() will just fail.
+
+An application that calls DH_check() and supplies a key or parameters
+obtained from an untrusted source could be vulnerable to a Denial of
+Service attack.
+
+The function DH_check() is itself called by a number of other OpenSSL
+functions. An application calling any of those other functions may
+similarly be affected. The other functions affected by this are
+DH_check_ex() and EVP_PKEY_param_check().
+
+CVE-2023-3446
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21451)
+
+(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
+     if (nid != NID_undef)
+         return 1;
+ 
++    /* Don't do any checks at all with an excessively large modulus */
++    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++        return 0;
++    }
++
+     if (!DH_check_params(dh, ret))
+         return 0;
+ 
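
Review bot: the new early return in DH_check() signals the oversized modulus only through `ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE)` and `return 0`; no bit is set in `*ret` in this hunk, so a caller that builds its diagnostics from the flag word has nothing to report for this case. Either set a flag here or state in the DH_check() documentation that a 0 return can come with `*ret` unchanged. The check also sits after the `nid != NID_undef` early return, so a one-line comment on why named groups are exempt from the size limit would help.
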
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
+ #  include <openssl/dherr.h>
+ 
+ #  ifndef OPENSSL_DH_MAX_MODULUS_BITS
+-#   define OPENSSL_DH_MAX_MODULUS_BITS    10000
++#   define OPENSSL_DH_MAX_MODULUS_BITS        10000
++#  endif
++
++#  ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
++#   define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
+ #  endif
+ 
+ #  define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
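
Review bot: the new `OPENSSL_DH_CHECK_MAX_MODULUS_BITS` define has no comment saying how it differs from `OPENSSL_DH_MAX_MODULUS_BITS` directly above it; the split between 10000 (generate or derive keys) and 32768 (DH_check() refuses to run) is explained only in the commit message. A short comment on each macro would keep that distinction in the header, where someone overriding either value via the `#ifndef` guard will look.
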
+
+From 8a62fd996cb1c22383ec75b4155d54dec4a1b0ee Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 7 Jul 2023 14:39:48 +0100
+Subject: [PATCH] Add a test for CVE-2023-3446
+
+Confirm that the only errors DH_check() finds with DH parameters with an
+excessively long modulus is that the modulus is too large. We should not
+be performing time consuming checks using that modulus.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21451)
+
+(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
+--- a/test/dhtest.c
++++ b/test/dhtest.c
+@@ -73,7 +73,7 @@ static int dh_test(void)
+         goto err1;
+ 
+     /* check fails, because p is way too small */
+-    if (!DH_check(dh, &i))
++    if (!TEST_true(DH_check(dh, &i)))
+         goto err2;
+     i ^= DH_MODULUS_TOO_SMALL;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
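
Review bot: the unchanged comment "check fails, because p is way too small" now sits directly above `TEST_true(DH_check(dh, &i))`, which asserts that the call succeeds. Reword the comment to say that DH_check() returns success and reports DH_MODULUS_TOO_SMALL in `i`, which is what the following `i ^= DH_MODULUS_TOO_SMALL` line relies on.
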
+@@ -124,6 +124,17 @@ static int dh_test(void)
+     /* We'll have a stale error on the queue from the above test so clear it */
+     ERR_clear_error();
+ 
++    /* Modulus of size: dh check max modulus bits + 1 */
++    if (!TEST_true(BN_set_word(p, 1))
++            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
++        goto err3;
++
++    /*
++     * We expect no checks at all for an excessively large modulus
++     */
++    if (!TEST_false(DH_check(dh, &i)))
++        goto err3;
++
+     /*
+      * II) key generation
+      */
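
Review bot: the new test only asserts `TEST_false(DH_check(dh, &i))`, so any failure inside DH_check() would satisfy it, while the commit message says the only error found should be that the modulus is too large. Add an assertion on the queued reason, for example that `ERR_GET_REASON(ERR_peek_last_error())` equals `DH_R_MODULUS_TOO_LARGE`, and consider a second case with a modulus of exactly OPENSSL_DH_CHECK_MAX_MODULUS_BITS bits to pin the boundary, since the check in dh_check.c uses `>`.
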
+@@ -138,7 +149,7 @@ static int dh_test(void)
+         goto err3;
+ 
+     /* ... and check whether it is valid */
+-    if (!DH_check(a, &i))
++    if (!TEST_true(DH_check(a, &i)))
+         goto err3;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)

diff --git a/dev-libs/openssl/openssl-3.0.9-r2.ebuild b/dev-libs/openssl/openssl-3.0.9-r2.ebuild
new file mode 100644
index 000000000000..c1c56681758c
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.9-r2.ebuild
@@ -0,0 +1,290 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2023-2975.patch
+	"${FILESDIR}"/${P}-CVE-2023-3446.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308
+	append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install_sw
+	if use fips; then
+		emake DESTDIR="${D}" install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
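
Review bot: in pkg_preinst, a failing `openssl fipsinstall` is only reported through `eend $?`, and multilib_src_install has already removed `fipsmodule.cnf`, so with USE=fips the merge can complete with no fipsmodule.cnf at all. Use `eend $? || die` (or an explicit `|| die` on the fipsinstall call) so a broken FIPS module configuration stops the install instead of surfacing later at runtime. Smaller points in the same file: `local krb5=...` in multilib_src_configure is never used, src_unpack verifies `${P}.tar.gz` while SRC_URI fetches `${MY_P}.tar.gz`, and the src_unpack comments about a "downloaded patch" and the src_prepare comment about `Makefile.org` no longer match anything in this ebuild.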



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2024-03-31 16:48 Jakov Smolić
  0 siblings, 0 replies; 52+ messages in thread
From: Jakov Smolić @ 2024-03-31 16:48 UTC (permalink / raw
  To: gentoo-commits

commit:     64867ad1eb261d199c0e80a71b24d1a9d6769c39
Author:     Jakov Smolić <jsmolic <AT> gentoo <DOT> org>
AuthorDate: Sun Mar 24 17:47:21 2024 +0000
Commit:     Jakov Smolić <jsmolic <AT> gentoo <DOT> org>
CommitDate: Sun Mar 31 16:48:16 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64867ad1

dev-libs/openssl: Backport riscv patch to 3.2.1

Closes: https://bugs.gentoo.org/923956
Signed-off-by: Jakov Smolić <jsmolic <AT> gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/35901
Signed-off-by: Jakov Smolić <jsmolic <AT> gentoo.org>

 dev-libs/openssl/files/openssl-3.2.1-riscv.patch | 70 ++++++++++++++++++++++++
 dev-libs/openssl/openssl-3.2.1-r1.ebuild         |  2 +
 2 files changed, 72 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
new file mode 100644
index 000000000000..51256cf434e2
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
@@ -0,0 +1,70 @@
+# Bug: https://bugs.gentoo.org/923956
+# Upstream PR: https://github.com/openssl/openssl/pull/23752
+--- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c
++++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
+@@ -142,9 +142,9 @@ static const PROV_GCM_HW aes_gcm = {
+ # include "cipher_aes_gcm_hw_armv8.inc"
+ #elif defined(PPC_AES_GCM_CAPABLE) && defined(_ARCH_PPC64)
+ # include "cipher_aes_gcm_hw_ppc.inc"
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_aes_gcm_hw_rv64i.inc"
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ # include "cipher_aes_gcm_hw_rv32i.inc"
+ #else
+ const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
+--- a/providers/implementations/ciphers/cipher_aes_hw.c
++++ b/providers/implementations/ciphers/cipher_aes_hw.c
+@@ -142,9 +142,9 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_##mode(size_t keybits)           \
+ # include "cipher_aes_hw_t4.inc"
+ #elif defined(S390X_aes_128_CAPABLE)
+ # include "cipher_aes_hw_s390x.inc"
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_aes_hw_rv64i.inc"
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ # include "cipher_aes_hw_rv32i.inc"
+ #else
+ /* The generic case */
+--- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c
++++ b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
+@@ -104,7 +104,7 @@ static const PROV_CIPHER_HW aes_t4_ocb = {                                     \
+     if (SPARC_AES_CAPABLE)                                                     \
+         return &aes_t4_ocb;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ 
+ static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
+                                                      const unsigned char *key,
+@@ -126,7 +126,7 @@ static const PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = {                        \
+     if (RISCV_HAS_ZKND_AND_ZKNE())                                             \
+         return &aes_rv64i_zknd_zkne_ocb;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ 
+ static int cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
+                                                      const unsigned char *key,
+--- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
++++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
+@@ -159,7 +159,7 @@ static const PROV_CIPHER_HW aes_xts_t4 = {                                     \
+ if (SPARC_AES_CAPABLE)                                                         \
+     return &aes_xts_t4;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ 
+ static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
+                                                      const unsigned char *key,
+@@ -185,7 +185,7 @@ static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = {                        \
+ if (RISCV_HAS_ZKND_AND_ZKNE())                                                 \
+     return &aes_xts_rv64i_zknd_zkne;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ 
+ static int cipher_hw_aes_xts_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
+                                                      const unsigned char *key,
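
Review bot: The header of the new patch file records the Gentoo bug and the upstream PR but not the upstream commit id or whether the PR was merged, while the ebuild comment says to drop the patch on the next version bump; adding the merged commit hash to the header would let whoever does that bump confirm the fix is in the release before removing it. The same "defined(OPENSSL_CPUID_OBJ) &&" guard is added in cipher_aes_gcm_hw.c, cipher_aes_hw.c, cipher_aes_ocb_hw.c and cipher_aes_xts_hw.c; it is worth grepping the remaining cipher_aes_*_hw.c sources for a bare "defined(__riscv) && __riscv_xlen" test so that no mode still selects the RISC-V code when OPENSSL_CPUID_OBJ is undefined.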

diff --git a/dev-libs/openssl/openssl-3.2.1-r1.ebuild b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
index 24ae65f3321f..79bd29a1a54e 100644
--- a/dev-libs/openssl/openssl-3.2.1-r1.ebuild
+++ b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
@@ -58,6 +58,8 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${P}-p11-segfault.patch
+	# bug 923956 (drop on next version bump)
+	"${FILESDIR}"/${P}-riscv.patch
 )
 
 pkg_setup() {
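
Review bot: The patch is added to the existing openssl-3.2.1-r1.ebuild in place, with no new revision, and the commit message does not say why that is safe. If the patch only repairs a build failure, say so in the message; otherwise a revision bump is needed so that riscv systems that already installed -r1 rebuild with it. The inline comment carrying the bug number and the drop condition is good to have.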



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2024-04-02 17:54 Fabian Groffen
  0 siblings, 0 replies; 52+ messages in thread
From: Fabian Groffen @ 2024-04-02 17:54 UTC (permalink / raw
  To: gentoo-commits

commit:     0785cd27c30f5e045bda1b6dc6e517d3499a4e55
Author:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Tue Apr  2 17:52:42 2024 +0000
Commit:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Tue Apr  2 17:54:22 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0785cd27

dev-libs/openssl-3.2.1-r1: fix for Darwin

don't run append-atomic-flags with non-GNU-like linker
add guess for arm64-darwin

Signed-off-by: Fabian Groffen <grobian <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 2 ++
 dev-libs/openssl/openssl-3.2.1-r1.ebuild   | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index 5f205781ae3e..d32ce877a34a 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -32,6 +32,7 @@ if [[ $1 == "test" ]] ; then
 		"i686-apple-darwinX           |darwin-i386-cc" \
 		"i386-apple-darwinX           |darwin-i386-cc" \
 		"powerpc-apple-darwinX        |darwin-ppc-cc" \
+		"arm64-apple-darwinX          |darwin-arm64-cc" \
 		"i586-pc-winnt                |winnt-parity" \
 		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
 		"s390x-linux-gnu              |linux64-s390x" \
@@ -155,6 +156,7 @@ darwin)
 		powerpc)      machine=ppc-cc;;
 		i?86*)        machine=i386-cc;;
 		x86_64)       machine=x86_64-cc; system=${system}64;;
+		arm64)        machine=arm64-cc; system=${system}64;;
 	esac
 	;;
 hpux)
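
Review bot: The new arm64 arm in the darwin case sets machine=arm64-cc and also system=${system}64, exactly as the x86_64 arm above it does, which points to a result of darwin64-arm64-cc, but the test row added in the first hunk of this file expects darwin-arm64-cc for arm64-apple-darwinX. Run the script's self-test for that tuple and correct whichever side is wrong so that the expectation and the guess agree.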

diff --git a/dev-libs/openssl/openssl-3.2.1-r1.ebuild b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
index 79bd29a1a54e..ee2e112cd6f0 100644
--- a/dev-libs/openssl/openssl-3.2.1-r1.ebuild
+++ b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
@@ -148,8 +148,8 @@ src_configure() {
 
 	append-flags $(test-flags-CC -Wa,--noexecstack)
 
-	# bug #895308
-	append-atomic-flags
+	# bug #895308 -- check inserts GNU ld-compatible arguments
+	[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
 	# Configure doesn't respect LIBS
 	export LDLIBS="${LIBS}"
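
Review bot: The guard on append-atomic-flags tests ${CHOST} for *-darwin*, while the commit message gives the reason as a non-GNU-like linker; keying on the platform means any other target whose linker rejects GNU ld-style arguments still runs the check. If testing the linker itself is not practical here, extend the comment to say that Darwin is the only case handled and why, since "check inserts GNU ld-compatible arguments" on its own does not tell a reader that the call is being skipped.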
 



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2024-04-15  7:16 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2024-04-15  7:16 UTC (permalink / raw
  To: gentoo-commits

commit:     ccf71abfb2591dbf4b65f1db957596562234cb82
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 15 07:15:58 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Apr 15 07:16:11 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccf71abf

dev-libs/openssl: fix CVE-2024-2511 for 3.2.1

Bug: https://bugs.gentoo.org/930047
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/openssl-3.2.1-CVE-2024-2511.patch        | 137 +++++++++
 dev-libs/openssl/openssl-3.2.1-r2.ebuild           | 307 +++++++++++++++++++++
 2 files changed, 444 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
new file mode 100644
index 000000000000..d5b40447d745
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
@@ -0,0 +1,137 @@
+https://www.openssl.org/news/secadv/20240408.txt
+https://bugs.gentoo.org/930047
+https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
+https://github.com/openssl/openssl/commit/4d67109432646c113887b0aa8091fb0d1b3057e6
+
+From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Mar 2024 15:43:53 +0000
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24043)
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
+ 
+     /*
+      * If the session_id_length is 0, we are not supposed to cache it, and it
+-     * would be rather hard to do anyway :-)
++     * would be rather hard to do anyway :-). Also if the session has already
++     * been marked as not_resumable we should not cache it for later reuse.
+      */
+-    if (s->session->session_id_length == 0)
++    if (s->session->session_id_length == 0 || s->session->not_resumable)
+         return;
+ 
+     /*
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+     return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-    return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+     SSL_SESSION *dest;
+ 
+@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+     return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++    return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++    if (sess != NULL)
++        sess->not_resumable = 0;
++
++    return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+     if (len)
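
Review bot: ssl_session_dup() now clears not_resumable on every copy it returns, whatever the reason the source session was marked, while the public SSL_SESSION_dup() still goes through ssl_session_dup_intern() and keeps the flag. The new comment justifies the reset only for the case where another thread marked a shared session after it was resumed; it should state that every internal caller is in that situation, and SSL_SESSION_dup() should get a short comment saying the flag is deliberately preserved there, so the two entry points are not merged again by mistake.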
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
+      * so the following won't overwrite an ID that we're supposed
+      * to send back.
+      */
+-    if (s->session->not_resumable ||
+-        (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
+-         && !s->hit))
++    if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
++            && !s->hit)
+         s->session->session_id_length = 0;
+ 
+     if (usetls13) {
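
Review bot: With "s->session->not_resumable ||" removed from this condition, a session marked not_resumable keeps its session_id_length, and what keeps it out of reuse is now the new check in ssl_update_cache() and the one in lookup_sess_in_cache(); the comment above the condition is unchanged and does not mention this. Add a sentence there explaining that the length must not be zeroed for a session that may already be in the cache (the commit message says such an entry can then never be removed), so that nobody restores the old test.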
+
+From 4d67109432646c113887b0aa8091fb0d1b3057e6 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 15 Mar 2024 17:58:42 +0000
+Subject: [PATCH] Hardening around not_resumable sessions
+
+Make sure we can't inadvertently use a not_resumable session
+
+Related to CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24043)
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -519,6 +519,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
+                                              sess_id, sess_id_len, &copy);
+ 
+         if (ret != NULL) {
++            if (ret->not_resumable) {
++                /* If its not resumable then ignore this session */
++                if (!copy)
++                    SSL_SESSION_free(ret);
++                return NULL;
++            }
+             ssl_tsan_counter(s->session_ctx,
+                              &s->session_ctx->stats.sess_cb_hit);
+ 
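
Review bot: The early return for a not_resumable session sits before the sess_cb_hit counter, so a session handed back by the callback and then rejected here is not counted as a hit, and nothing in this hunk counts it anywhere else; decide whether that case should be visible in the statistics. The "if (!copy) SSL_SESSION_free(ret);" line also deserves a word on why the reference is dropped only when copy is 0, and the comment above it should read "If it's not resumable". More generally, the backport touches only ssl/ssl_lib.c, ssl/ssl_sess.c and ssl/statem/statem_srvr.c, so nothing in it exercises the cache-growth case as a regression test.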

diff --git a/dev-libs/openssl/openssl-3.2.1-r2.ebuild b/dev-libs/openssl/openssl-3.2.1-r2.ebuild
new file mode 100644
index 000000000000..31486ad9fabe
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.2.1-r2.ebuild
@@ -0,0 +1,307 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+	"
+
+	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	fi
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	!<net-misc/openssh-9.2_p1-r3
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-p11-segfault.patch
+	# bug 923956 (drop on next version bump)
+	"${FILESDIR}"/${P}-riscv.patch
+	"${FILESDIR}"/${P}-CVE-2024-2511.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308 -- check inserts GNU ld-compatible arguments
+	[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+	#
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	#
+	# -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+	# shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+	# controls running the tests.
+	emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
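
Review bot: src_unpack() is overridden only to call verify-sig_verify_detached on the tarball, and both of its comments refer to a downloaded test-fix patch, but SRC_URI in this ebuild lists only the tarball and its .asc; either drop the override or replace the comments with the real reason it is still needed. In multilib_src_configure() the local krb5 is assigned from has_version and never used in myeconfargs, so it can go. Smaller points: "rm -f Makefile" in src_prepare has no "|| die", and the comment in multilib_src_install should say the static archives are still built even with USE=-static-libs.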



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2024-04-15  8:17 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2024-04-15  8:17 UTC (permalink / raw
  To: gentoo-commits

commit:     0626b571d9c2a3f6774d5cf929e80b325e571a38
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 15 08:12:52 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Apr 15 08:16:46 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0626b571

dev-libs/openssl: backport libp11 segfault fix to 3.0.13 too

Bug: https://bugs.gentoo.org/916328
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/openssl-3.0.13-p11-segfault.patch        |  79 ++++++
 dev-libs/openssl/openssl-3.0.13-r2.ebuild          | 283 +++++++++++++++++++++
 2 files changed, 362 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch
new file mode 100644
index 000000000000..73b131ab7928
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch
@@ -0,0 +1,79 @@
+https://bugs.gentoo.org/916328
+https://github.com/opendnssec/SoftHSMv2/issues/729
+https://github.com/openssl/openssl/issues/22508
+https://github.com/openssl/openssl/commit/ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6
+
+From ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Fri, 15 Dec 2023 13:45:50 +0100
+Subject: [PATCH] Revert "Improved detection of engine-provided private
+ "classic" keys"
+
+This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
+
+The commit was wrong. With 3.x versions the engines must be themselves
+responsible for creating their EVP_PKEYs in a way that they are treated
+as legacy - either by using the respective set1 calls or by setting
+non-default EVP_PKEY_METHOD.
+
+The workaround has caused more problems than it solved.
+
+Fixes #22945
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23063)
+
+(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
+--- a/crypto/engine/eng_pkey.c
++++ b/crypto/engine/eng_pkey.c
+@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+         return NULL;
+     }
+-    /* We enforce check for legacy key */
+-    switch (EVP_PKEY_get_id(pkey)) {
+-    case EVP_PKEY_RSA:
+-        {
+-        RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+-        EVP_PKEY_set1_RSA(pkey, rsa);
+-        RSA_free(rsa);
+-        }
+-        break;
+-#  ifndef OPENSSL_NO_EC
+-    case EVP_PKEY_SM2:
+-    case EVP_PKEY_EC:
+-        {
+-        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+-        EVP_PKEY_set1_EC_KEY(pkey, ec);
+-        EC_KEY_free(ec);
+-        }
+-        break;
+-#  endif
+-#  ifndef OPENSSL_NO_DSA
+-    case EVP_PKEY_DSA:
+-        {
+-        DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+-        EVP_PKEY_set1_DSA(pkey, dsa);
+-        DSA_free(dsa);
+-        }
+-        break;
+-#endif
+-#  ifndef OPENSSL_NO_DH
+-    case EVP_PKEY_DH:
+-        {
+-        DH *dh = EVP_PKEY_get1_DH(pkey);
+-        EVP_PKEY_set1_DH(pkey, dh);
+-        DH_free(dh);
+-        }
+-        break;
+-#endif
+-    default:
+-        /*Do nothing */
+-        break;
+-    }
+-
+     return pkey;
+ }
+ 
+
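
Review bot: The revert removes the whole switch that re-set RSA, EC/SM2, DSA and DH keys returned by ENGINE_load_private_key(), and the commit message puts the responsibility for creating legacy keys on the engines themselves; for a backport into a stable 3.0.x ebuild that is a behaviour change for any engine that relied on the workaround. The patch header links the Gentoo bug and the upstream issues, but a line saying which engine setups were tested after the revert would make the risk easier to judge.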

diff --git a/dev-libs/openssl/openssl-3.0.13-r2.ebuild b/dev-libs/openssl/openssl-3.0.13-r2.ebuild
new file mode 100644
index 000000000000..3743359d3e0d
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.13-r2.ebuild
@@ -0,0 +1,283 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://www.openssl.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2024-2511.patch
+	"${FILESDIR}"/${P}-p11-segfault.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile || die
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308
+	append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
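Review bot: in pkg_preinst the result of `openssl fipsinstall` is only handed to `eend $?`, which reports the failure but does not abort the merge. Because multilib_src_install has already removed `fipsmodule.cnf`, a failed regeneration leaves a USE=fips install with no module configuration at all. Suggest closing the block with `eend $? || die "fipsinstall failed"` so the package is not merged in that state.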



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2024-07-28 17:02 Mike Gilbert
  0 siblings, 0 replies; 52+ messages in thread
From: Mike Gilbert @ 2024-07-28 17:02 UTC (permalink / raw
  To: gentoo-commits

commit:     06a2a7a940e40c6057924e633c1504fd3e0292c8
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 28 17:01:23 2024 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sun Jul 28 17:01:23 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06a2a7a9

dev-libs/openssl: fix Libs.private in libcrypto.pc

Closes: https://bugs.gentoo.org/936793
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 .../openssl/files/openssl-3.3.1-pkg-config.patch   | 31 ++++++++++++++++++++++
 ...penssl-3.3.1.ebuild => openssl-3.3.1-r1.ebuild} |  2 ++
 2 files changed, 33 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch b/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch
new file mode 100644
index 000000000000..b915b963509a
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch
@@ -0,0 +1,31 @@
+https://github.com/openssl/openssl/pull/25018
+https://bugs.gentoo.org/936793
+
+From b7bd618fb12728b4a85b9159af95ca40a817674d Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Sun, 28 Jul 2024 10:47:08 +0200
+Subject: [PATCH] fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and
+ Windows)
+
+Don't do comma separation on those platforms.
+
+Fixes #24986
+---
+ util/mkinstallvars.pl | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl
+index 5fadb708e1b77..e2b7d9d08321f 100644
+--- a/util/mkinstallvars.pl
++++ b/util/mkinstallvars.pl
+@@ -124,7 +124,9 @@ package OpenSSL::safe::installdata;
+ our \$VERSION                    = '$ENV{VERSION}';
+ our \@LDLIBS                     =
+     # Unix and Windows use space separation, VMS uses comma separation
+-    split(/ +| *, */, '$ENV{LDLIBS}');
++    \$^O eq 'VMS'
++    ? split(/ *, */, '$ENV{LDLIBS}')
++    : split(/ +/, '$ENV{LDLIBS}');
+ 
+ 1;
+ _____
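Review bot: on the non-VMS branch, `split(/ +/, '$ENV{LDLIBS}')` produces an empty first element when LDLIBS begins with a space, and it does not treat tabs as separators. Perl's `split(' ', ...)` form skips leading whitespace and splits on any whitespace run, which would keep a stray empty entry out of @LDLIBS and out of the Libs.private line this commit sets out to fix. That is a point for the upstream pull request referenced at the top of the file rather than for a local change.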

diff --git a/dev-libs/openssl/openssl-3.3.1.ebuild b/dev-libs/openssl/openssl-3.3.1-r1.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-3.3.1.ebuild
rename to dev-libs/openssl/openssl-3.3.1-r1.ebuild
index 18c0067df4fc..b91bebbeb911 100644
--- a/dev-libs/openssl/openssl-3.3.1.ebuild
+++ b/dev-libs/openssl/openssl-3.3.1-r1.ebuild
@@ -59,6 +59,8 @@ MULTILIB_WRAPPED_HEADERS=(
 PATCHES=(
 	# bug 936311, drop on next version bump
 	"${FILESDIR}"/${P}-riscv.patch
+	# https://bugs.gentoo.org/936793
+	"${FILESDIR}"/openssl-3.3.1-pkg-config.patch
 )
 
 pkg_setup() {
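Review bot: the new PATCHES entry hard-codes the version (`"${FILESDIR}"/openssl-3.3.1-pkg-config.patch`) while the entry directly above it uses `${P}`; writing it as `"${FILESDIR}"/${P}-pkg-config.patch` keeps the two consistent. The comment could also say whether this patch is to be dropped on the next version bump, as the riscv entry does.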



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2024-10-29  2:10 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2024-10-29  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     262bc64a0613918288342dda8ed6f2ee91b87cd7
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 29 01:45:59 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 29 02:09:22 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=262bc64a

dev-libs/openssl: fix CVE-2024-9143 for 3.0.15-r1

Bug: https://bugs.gentoo.org/941643
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/openssl-3.0.15-CVE-2024-9143.patch       | 193 ++++++++++++++
 dev-libs/openssl/openssl-3.0.15-r1.ebuild          | 287 +++++++++++++++++++++
 2 files changed, 480 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch
new file mode 100644
index 000000000000..252a24776ae8
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch
@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712
+
+From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
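Review bot: the rewritten comment above BN_GF2m_poly2arr() states one condition twice ("when `a` is not odd or the constant term is zero") and its last sentence ends in a comma right before the closing `*/`. Suggest "It is `0` when `a` is even, i.e. the constant term is zero" and a full stop after "CPU exhaustion attacks". It would also help callers if the comment said outright that a return value greater than `max` means the array was not terminated with -1.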
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
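Review bot: the new degree check `if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)` reads `p[0]` without looking at `max`, although the comment on the function says only up to `max` elements of the array are filled. A caller that passes `max == 0` to size the array would have an element read that the function was never given. Suggest adding `max > 0` to the condition, or deriving the degree from the bit length of `a` before the loop so the check does not depend on the output array.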
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
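Review bot: in ec2m_field_sanity() the result of `BN_CTX_new()` is passed straight to `BN_CTX_start(ctx)` with no NULL check, so an allocation failure is not turned into a clean test failure. Wrapping the allocation in `TEST_ptr()` and returning 0 when it fails would match how `b` is checked a few lines further down.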
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+

diff --git a/dev-libs/openssl/openssl-3.0.15-r1.ebuild b/dev-libs/openssl/openssl-3.0.15-r1.ebuild
new file mode 100644
index 000000000000..98d175f95d2e
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.15-r1.ebuild
@@ -0,0 +1,287 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+		verify-sig? (
+			https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+		)
+	"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile || die
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308
+	append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
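Review bot: in multilib_src_configure, `local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")` is assigned but never referenced anywhere else in this ebuild, and nothing in `myeconfargs` selects a Kerberos flavour. Suggest dropping the line from this new revision; it costs a `has_version` query per ABI and reads as if the build depended on which Kerberos implementation is installed.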



* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
@ 2024-10-29  2:10 Sam James
  0 siblings, 0 replies; 52+ messages in thread
From: Sam James @ 2024-10-29  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     6855692d8c265fa2c9c7216bb17d52eaa507ccb4
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 29 02:01:10 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 29 02:09:23 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6855692d

dev-libs/openssl: fix CVE-2024-9143 for 3.2.3-r1

Bug: https://bugs.gentoo.org/941643
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/openssl-3.2.3-CVE-2024-9143.patch        | 193 +++++++++++++
 dev-libs/openssl/openssl-3.2.3-r1.ebuild           | 306 +++++++++++++++++++++
 2 files changed, 499 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.2.3-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.2.3-CVE-2024-9143.patch
new file mode 100644
index 000000000000..e84b0f6c353e
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.3-CVE-2024-9143.patch
@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700
+
+From bc7e04d7c8d509fb78fc0e285aa948fb0da04700 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
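Review bot: `return k + 1;` changes what callers see: the result is now larger than `max` whenever the `-1` terminator did not fit, and `0` now also covers even and over-sized polynomials, yet this patch touches no call site. Please confirm that every caller in this branch treats both `0` and a result greater than its array size as failure before handing the array to BN_GF2m_mod_arr(); the commit message describes out of bounds reads and writes there when the precondition is not met.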
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
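Review bot: `ctx` from `BN_CTX_new()` goes straight into `BN_CTX_start()` and `BN_CTX_get()` without a NULL check; wrap the allocation, for example `if (!TEST_ptr(ctx = BN_CTX_new())) return 0;`, so an allocation failure is reported as a test failure. The degree case only sets bit `OPENSSL_ECC_MAX_FIELD_BITS + 1`, the smallest degree the new check rejects; if a suitable polynomial can be constructed, a companion case at exactly `OPENSSL_ECC_MAX_FIELD_BITS` that must not be rejected would pin the boundary from both sides.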
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+

diff --git a/dev-libs/openssl/openssl-3.2.3-r1.ebuild b/dev-libs/openssl/openssl-3.2.3-r1.ebuild
new file mode 100644
index 000000000000..9e0ddd974047
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.2.3-r1.ebuild
@@ -0,0 +1,306 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+		verify-sig? (
+			https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+		)
+	"
+
+	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	fi
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	!<net-misc/openssh-9.2_p1-r3
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308 -- check inserts GNU ld-compatible arguments
+	[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+	#
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	#
+	# -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+	# shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+	# controls running the tests.
+	emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
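Review bot: In `pkg_preinst`, a failed `openssl fipsinstall` is only reported through `eend $?`, while `multilib_src_install` has already removed `fipsmodule.cnf`, so a USE=fips merge can complete with no FIPS module configuration in place. Append `|| die` to the `fipsinstall` call or fail explicitly on a non-zero status. Smaller points: the `src_unpack` comments mention a downloaded test-fix patch, but `SRC_URI` lists only the tarball and its `.asc`, and `PATCHES` takes its one patch from `${FILESDIR}`; `local krb5` in `multilib_src_configure` is never used; the static-archive comment in `multilib_src_install` says "even when USE=static-libs" where the code below it handles the `! use static-libs` case.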

