From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
Date: Tue, 26 Feb 2019 15:31:52
Message-Id: 1551195101.a1ced0de770abbc643d994378b9cd11a41605902.polynomial-c@gentoo
1 commit: a1ced0de770abbc643d994378b9cd11a41605902
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Tue Feb 26 15:12:11 2019 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Tue Feb 26 15:31:41 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1ced0de
7
8 dev-libs/openssl: Removed old.
9
10 Package-Manager: Portage-2.3.62, Repoman-2.3.12
11 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
12
13 dev-libs/openssl/Manifest | 4 -
14 ...-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch | 27 --
15 ...ix-cert-with-rsa-instead-of-rsaEncryption.patch | 97 -----
16 ...ix-some-SSL_export_keying_material-issues.patch | 420 ---------------------
17 ...a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch | 26 --
18 ...ure-build_SYS_str_reasons_preserves_errno.patch | 68 ----
19 .../openssl-1.1.1a-preserve-errno-on-dlopen.patch | 51 ---
20 ...-system-error-number-in-a-few-more-places.patch | 57 ---
21 ...t-reduce-stack-usage-in-tls13_hkdf_expand.patch | 56 ---
22 dev-libs/openssl/openssl-1.0.2q-r200.ebuild | 248 ------------
23 dev-libs/openssl/openssl-1.1.1a-r1.ebuild | 299 ---------------
24 dev-libs/openssl/openssl-1.1.1a.ebuild | 288 --------------
25 12 files changed, 1641 deletions(-)
26
27 diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
28 index 3f3dd41c6a0..dd125204215 100644
29 --- a/dev-libs/openssl/Manifest
30 +++ b/dev-libs/openssl/Manifest
31 @@ -15,10 +15,6 @@ DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BL
32 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
33 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
34 DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1
35 -DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199 SHA512 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34
36 -DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
37 -DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
38 -DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
39 DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8 SHA512 b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d
40 DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
41 DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
42
43 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
44 deleted file mode 100644
45 index 8014be130ab..00000000000
46 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
47 +++ /dev/null
48 @@ -1,27 +0,0 @@
49 -From 3be71a31a1dda204bb95462a92cf7f247e64b939 Mon Sep 17 00:00:00 2001
50 -From: Bernd Edlinger <bernd.edlinger@×××××××.de>
51 -Date: Sun, 16 Dec 2018 12:43:59 +0100
52 -Subject: [PATCH] Fix a minor nit in the hkdflabel size
53 -
54 -Reviewed-by: Paul Dale <paul.dale@××××××.com>
55 -Reviewed-by: Matt Caswell <matt@×××××××.org>
56 -(Merged from https://github.com/openssl/openssl/pull/7913)
57 -
58 -(cherry picked from commit 0b4233f5a4a181a6dcb7c511cd2663e500e659a4)
59 ----
60 - ssl/tls13_enc.c | 2 +-
61 - 1 file changed, 1 insertion(+), 1 deletion(-)
62 -
63 -diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
64 -index c3021d18aa9..e36b7d3a066 100644
65 ---- a/ssl/tls13_enc.c
66 -+++ b/ssl/tls13_enc.c
67 -@@ -41,7 +41,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
68 - * + bytes for the hash itself
69 - */
70 - unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
71 -- + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
72 -+ + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
73 - + 1 + EVP_MAX_MD_SIZE];
74 - WPACKET pkt;
75 -
76
77 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
78 deleted file mode 100644
79 index 8f249e22a1d..00000000000
80 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch
81 +++ /dev/null
82 @@ -1,97 +0,0 @@
83 -From c25ae0fff78cb3cb784ef79167329d5cd55b62de Mon Sep 17 00:00:00 2001
84 -From: Bernd Edlinger <bernd.edlinger@×××××××.de>
85 -Date: Thu, 27 Dec 2018 22:18:21 +0100
86 -Subject: [PATCH] Fix cert with rsa instead of rsaEncryption as public key
87 - algorithm
88 -
89 -Reviewed-by: Kurt Roeckx <kurt@××××××.be>
90 -(Merged from https://github.com/openssl/openssl/pull/7962)
91 -
92 -(cherry picked from commit 1f483a69bce11c940309edc437eee6e32294d5f2)
93 ----
94 - crypto/rsa/rsa_ameth.c | 9 ++++++---
95 - test/certs/root-cert-rsa2.pem | 18 ++++++++++++++++++
96 - test/recipes/25-test_verify.t | 4 +++-
97 - 3 files changed, 27 insertions(+), 4 deletions(-)
98 - create mode 100644 test/certs/root-cert-rsa2.pem
99 -
100 -diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
101 -index a6595aec054..75debb3e0a9 100644
102 ---- a/crypto/rsa/rsa_ameth.c
103 -+++ b/crypto/rsa/rsa_ameth.c
104 -@@ -34,7 +34,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey,
105 -
106 - *pstr = NULL;
107 - /* If RSA it's just NULL type */
108 -- if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
109 -+ if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
110 - *pstrtype = V_ASN1_NULL;
111 - return 1;
112 - }
113 -@@ -58,7 +58,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
114 - int algptype;
115 -
116 - X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
117 -- if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
118 -+ if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
119 - return 1;
120 - if (algptype == V_ASN1_UNDEF)
121 - return 1;
122 -@@ -109,7 +109,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
123 - RSA_free(rsa);
124 - return 0;
125 - }
126 -- EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
127 -+ if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
128 -+ RSA_free(rsa);
129 -+ return 0;
130 -+ }
131 - return 1;
132 - }
133 -
134 -diff --git a/test/certs/root-cert-rsa2.pem b/test/certs/root-cert-rsa2.pem
135 -new file mode 100644
136 -index 00000000000..b817fdf3e5d
137 ---- /dev/null
138 -+++ b/test/certs/root-cert-rsa2.pem
139 -@@ -0,0 +1,18 @@
140 -+-----BEGIN CERTIFICATE-----
141 -+MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
142 -+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
143 -+DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP
144 -+Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk
145 -+7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX
146 -+OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq
147 -+alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN
148 -+biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+
149 -+ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G
150 -+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
151 -+KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt
152 -+NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv
153 -+8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm
154 -+mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx
155 -+PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb
156 -+7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI=
157 -+-----END CERTIFICATE-----
158 -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
159 -index 6c3deab7c67..b80a1cde3ed 100644
160 ---- a/test/recipes/25-test_verify.t
161 -+++ b/test/recipes/25-test_verify.t
162 -@@ -27,7 +27,7 @@ sub verify {
163 - run(app([@args]));
164 - }
165 -
166 --plan tests => 134;
167 -+plan tests => 135;
168 -
169 - # Canonical success
170 - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
171 -@@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"]
172 - "Not too many names and constraints to check (2)");
173 - ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),
174 - "Not too many names and constraints to check (3)");
175 -+ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
176 -+ "Public Key Algorithm rsa instead of rsaEncryption");
177 -
178 - SKIP: {
179 - skip "Ed25519 is not supported by this OpenSSL build", 1
180
181 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
182 deleted file mode 100644
183 index 2db64d83e45..00000000000
184 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch
185 +++ /dev/null
186 @@ -1,420 +0,0 @@
187 -From 0fb2815b873304d145ed00283454fc9f3bd35e6b Mon Sep 17 00:00:00 2001
188 -From: Matt Caswell <matt@×××××××.org>
189 -Date: Tue, 4 Dec 2018 08:37:04 +0000
190 -Subject: [PATCH] Fix some SSL_export_keying_material() issues
191 -
192 -Fix some issues in tls13_hkdf_expand() which impact the above function
193 -for TLSv1.3. In particular test that we can use the maximum label length
194 -in TLSv1.3.
195 -
196 -Reviewed-by: Tim Hudson <tjh@×××××××.org>
197 -(Merged from https://github.com/openssl/openssl/pull/7755)
198 ----
199 - doc/man3/SSL_export_keying_material.pod | 3 +-
200 - ssl/ssl_locl.h | 2 +-
201 - ssl/statem/extensions.c | 2 +-
202 - ssl/statem/statem_clnt.c | 2 +-
203 - ssl/statem/statem_srvr.c | 2 +-
204 - ssl/tls13_enc.c | 73 +++++++++++++++++--------
205 - test/sslapitest.c | 48 ++++++++++++----
206 - test/tls13secretstest.c | 2 +-
207 - 8 files changed, 92 insertions(+), 42 deletions(-)
208 -
209 -diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod
210 -index abebf911fc3..4c81a60ffbb 100644
211 ---- a/doc/man3/SSL_export_keying_material.pod
212 -+++ b/doc/man3/SSL_export_keying_material.pod
213 -@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from
214 - the IANA Exporter Label Registry
215 - (L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
216 - Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
217 --to be used without registration.
218 -+to be used without registration. TLSv1.3 imposes a maximum label length of
219 -+249 bytes.
220 -
221 - Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
222 - above. Attempting to use it in SSLv3 will result in an error.
223 -diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
224 -index 70e5a1740f9..307131de93a 100644
225 ---- a/ssl/ssl_locl.h
226 -+++ b/ssl/ssl_locl.h
227 -@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
228 - const unsigned char *secret,
229 - const unsigned char *label, size_t labellen,
230 - const unsigned char *data, size_t datalen,
231 -- unsigned char *out, size_t outlen);
232 -+ unsigned char *out, size_t outlen, int fatal);
233 - __owur int tls13_derive_key(SSL *s, const EVP_MD *md,
234 - const unsigned char *secret, unsigned char *key,
235 - size_t keylen);
236 -diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
237 -index 63e61c6184a..716d6d23e08 100644
238 ---- a/ssl/statem/extensions.c
239 -+++ b/ssl/statem/extensions.c
240 -@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
241 -
242 - /* Generate the binder key */
243 - if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
244 -- hashsize, binderkey, hashsize)) {
245 -+ hashsize, binderkey, hashsize, 1)) {
246 - /* SSLfatal() already called */
247 - goto err;
248 - }
249 -diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
250 -index 5a8f1163dfa..a0e495d8e83 100644
251 ---- a/ssl/statem/statem_clnt.c
252 -+++ b/ssl/statem/statem_clnt.c
253 -@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
254 - PACKET_data(&nonce),
255 - PACKET_remaining(&nonce),
256 - s->session->master_key,
257 -- hashlen)) {
258 -+ hashlen, 1)) {
259 - /* SSLfatal() already called */
260 - goto err;
261 - }
262 -diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
263 -index e7c11c4bea4..a8e862ced55 100644
264 ---- a/ssl/statem/statem_srvr.c
265 -+++ b/ssl/statem/statem_srvr.c
266 -@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
267 - tick_nonce,
268 - TICKET_NONCE_SIZE,
269 - s->session->master_key,
270 -- hashlen)) {
271 -+ hashlen, 1)) {
272 - /* SSLfatal() already called */
273 - goto err;
274 - }
275 -diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
276 -index f7ab0fa4704..c3021d18aa9 100644
277 ---- a/ssl/tls13_enc.c
278 -+++ b/ssl/tls13_enc.c
279 -@@ -13,7 +13,7 @@
280 - #include <openssl/evp.h>
281 - #include <openssl/kdf.h>
282 -
283 --#define TLS13_MAX_LABEL_LEN 246
284 -+#define TLS13_MAX_LABEL_LEN 249
285 -
286 - /* Always filled with zeros */
287 - static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
288 -@@ -22,30 +22,47 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
289 - * Given a |secret|; a |label| of length |labellen|; and |data| of length
290 - * |datalen| (e.g. typically a hash of the handshake messages), derive a new
291 - * secret |outlen| bytes long and store it in the location pointed to be |out|.
292 -- * The |data| value may be zero length. Returns 1 on success 0 on failure.
293 -+ * The |data| value may be zero length. Any errors will be treated as fatal if
294 -+ * |fatal| is set. Returns 1 on success 0 on failure.
295 - */
296 - int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
297 - const unsigned char *label, size_t labellen,
298 - const unsigned char *data, size_t datalen,
299 -- unsigned char *out, size_t outlen)
300 -+ unsigned char *out, size_t outlen, int fatal)
301 - {
302 -- const unsigned char label_prefix[] = "tls13 ";
303 -+ static const unsigned char label_prefix[] = "tls13 ";
304 - EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
305 - int ret;
306 - size_t hkdflabellen;
307 - size_t hashlen;
308 - /*
309 -- * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
310 -- * prefix and label + bytes for the label itself + bytes for the hash
311 -+ * 2 bytes for length of derived secret + 1 byte for length of combined
312 -+ * prefix and label + bytes for the label itself + 1 byte length of hash
313 -+ * + bytes for the hash itself
314 - */
315 - unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
316 - + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
317 -- + EVP_MAX_MD_SIZE];
318 -+ + 1 + EVP_MAX_MD_SIZE];
319 - WPACKET pkt;
320 -
321 - if (pctx == NULL)
322 - return 0;
323 -
324 -+ if (labellen > TLS13_MAX_LABEL_LEN) {
325 -+ if (fatal) {
326 -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
327 -+ ERR_R_INTERNAL_ERROR);
328 -+ } else {
329 -+ /*
330 -+ * Probably we have been called from SSL_export_keying_material(),
331 -+ * or SSL_export_keying_material_early().
332 -+ */
333 -+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
334 -+ }
335 -+ EVP_PKEY_CTX_free(pctx);
336 -+ return 0;
337 -+ }
338 -+
339 - hashlen = EVP_MD_size(md);
340 -
341 - if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
342 -@@ -59,8 +76,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
343 - || !WPACKET_finish(&pkt)) {
344 - EVP_PKEY_CTX_free(pctx);
345 - WPACKET_cleanup(&pkt);
346 -- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
347 -- ERR_R_INTERNAL_ERROR);
348 -+ if (fatal)
349 -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
350 -+ ERR_R_INTERNAL_ERROR);
351 -+ else
352 -+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
353 - return 0;
354 - }
355 -
356 -@@ -74,9 +94,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
357 -
358 - EVP_PKEY_CTX_free(pctx);
359 -
360 -- if (ret != 0)
361 -- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
362 -- ERR_R_INTERNAL_ERROR);
363 -+ if (ret != 0) {
364 -+ if (fatal)
365 -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
366 -+ ERR_R_INTERNAL_ERROR);
367 -+ else
368 -+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
369 -+ }
370 -
371 - return ret == 0;
372 - }
373 -@@ -91,7 +115,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
374 - static const unsigned char keylabel[] = "key";
375 -
376 - return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
377 -- NULL, 0, key, keylen);
378 -+ NULL, 0, key, keylen, 1);
379 - }
380 -
381 - /*
382 -@@ -104,7 +128,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
383 - static const unsigned char ivlabel[] = "iv";
384 -
385 - return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
386 -- NULL, 0, iv, ivlen);
387 -+ NULL, 0, iv, ivlen, 1);
388 - }
389 -
390 - int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
391 -@@ -114,7 +138,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
392 - static const unsigned char finishedlabel[] = "finished";
393 -
394 - return tls13_hkdf_expand(s, md, secret, finishedlabel,
395 -- sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
396 -+ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
397 - }
398 -
399 - /*
400 -@@ -177,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
401 - if (!tls13_hkdf_expand(s, md, prevsecret,
402 - (unsigned char *)derived_secret_label,
403 - sizeof(derived_secret_label) - 1, hash, mdlen,
404 -- preextractsec, mdlen)) {
405 -+ preextractsec, mdlen, 1)) {
406 - /* SSLfatal() already called */
407 - EVP_PKEY_CTX_free(pctx);
408 - return 0;
409 -@@ -337,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
410 - hashlen = (size_t)hashleni;
411 -
412 - if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
413 -- secret, hashlen)) {
414 -+ secret, hashlen, 1)) {
415 - /* SSLfatal() already called */
416 - goto err;
417 - }
418 -@@ -517,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which)
419 - early_exporter_master_secret,
420 - sizeof(early_exporter_master_secret) - 1,
421 - hashval, hashlen,
422 -- s->early_exporter_master_secret, hashlen)) {
423 -+ s->early_exporter_master_secret, hashlen,
424 -+ 1)) {
425 - SSLfatal(s, SSL_AD_INTERNAL_ERROR,
426 - SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
427 - goto err;
428 -@@ -604,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which)
429 - resumption_master_secret,
430 - sizeof(resumption_master_secret) - 1,
431 - hashval, hashlen, s->resumption_master_secret,
432 -- hashlen)) {
433 -+ hashlen, 1)) {
434 - /* SSLfatal() already called */
435 - goto err;
436 - }
437 -@@ -624,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which)
438 - exporter_master_secret,
439 - sizeof(exporter_master_secret) - 1,
440 - hash, hashlen, s->exporter_master_secret,
441 -- hashlen)) {
442 -+ hashlen, 1)) {
443 - /* SSLfatal() already called */
444 - goto err;
445 - }
446 -@@ -738,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
447 - || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
448 - || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
449 - (const unsigned char *)label, llen,
450 -- data, datalen, exportsecret, hashsize)
451 -+ data, datalen, exportsecret, hashsize, 0)
452 - || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
453 - sizeof(exporterlabel) - 1, hash, hashsize,
454 -- out, olen))
455 -+ out, olen, 0))
456 - goto err;
457 -
458 - ret = 1;
459 -@@ -797,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
460 - || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
461 - || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
462 - (const unsigned char *)label, llen,
463 -- data, datalen, exportsecret, hashsize)
464 -+ data, datalen, exportsecret, hashsize, 0)
465 - || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
466 - sizeof(exporterlabel) - 1, hash, hashsize,
467 -- out, olen))
468 -+ out, olen, 0))
469 - goto err;
470 -
471 - ret = 1;
472 -diff --git a/test/sslapitest.c b/test/sslapitest.c
473 -index 108d57e4781..a4bbb4fead4 100644
474 ---- a/test/sslapitest.c
475 -+++ b/test/sslapitest.c
476 -@@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst)
477 - * no test vectors so all we do is test that both sides of the communication
478 - * produce the same results for different protocol versions.
479 - */
480 -+#define SMALL_LABEL_LEN 10
481 -+#define LONG_LABEL_LEN 249
482 - static int test_export_key_mat(int tst)
483 - {
484 - int testresult = 0;
485 - SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
486 - SSL *clientssl = NULL, *serverssl = NULL;
487 -- const char label[] = "test label";
488 -+ const char label[LONG_LABEL_LEN + 1] = "test label";
489 - const unsigned char context[] = "context";
490 - const unsigned char *emptycontext = NULL;
491 - unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
492 - unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
493 -+ size_t labellen;
494 - const int protocols[] = {
495 - TLS1_VERSION,
496 - TLS1_1_VERSION,
497 - TLS1_2_VERSION,
498 -+ TLS1_3_VERSION,
499 -+ TLS1_3_VERSION,
500 - TLS1_3_VERSION
501 - };
502 -
503 -@@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst)
504 - return 1;
505 - #endif
506 - #ifdef OPENSSL_NO_TLS1_3
507 -- if (tst == 3)
508 -+ if (tst >= 3)
509 - return 1;
510 - #endif
511 - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
512 -@@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst)
513 - SSL_ERROR_NONE)))
514 - goto end;
515 -
516 -+ if (tst == 5) {
517 -+ /*
518 -+ * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
519 -+ * go over that.
520 -+ */
521 -+ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
522 -+ sizeof(ckeymat1), label,
523 -+ LONG_LABEL_LEN + 1, context,
524 -+ sizeof(context) - 1, 1), 0))
525 -+ goto end;
526 -+
527 -+ testresult = 1;
528 -+ goto end;
529 -+ } else if (tst == 4) {
530 -+ labellen = LONG_LABEL_LEN;
531 -+ } else {
532 -+ labellen = SMALL_LABEL_LEN;
533 -+ }
534 -+
535 - if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
536 - sizeof(ckeymat1), label,
537 -- sizeof(label) - 1, context,
538 -+ labellen, context,
539 - sizeof(context) - 1, 1), 1)
540 - || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
541 - sizeof(ckeymat2), label,
542 -- sizeof(label) - 1,
543 -+ labellen,
544 - emptycontext,
545 - 0, 1), 1)
546 - || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
547 - sizeof(ckeymat3), label,
548 -- sizeof(label) - 1,
549 -+ labellen,
550 - NULL, 0, 0), 1)
551 - || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
552 - sizeof(skeymat1), label,
553 -- sizeof(label) - 1,
554 -+ labellen,
555 - context,
556 - sizeof(context) -1, 1),
557 - 1)
558 - || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
559 - sizeof(skeymat2), label,
560 -- sizeof(label) - 1,
561 -+ labellen,
562 - emptycontext,
563 - 0, 1), 1)
564 - || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
565 - sizeof(skeymat3), label,
566 -- sizeof(label) - 1,
567 -+ labellen,
568 - NULL, 0, 0), 1)
569 - /*
570 - * Check that both sides created the same key material with the
571 -@@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst)
572 - * Check that an empty context and no context produce different results in
573 - * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
574 - */
575 -- if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
576 -+ if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
577 - sizeof(ckeymat3)))
578 -- || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
579 -- sizeof(ckeymat3))))
580 -+ || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
581 -+ sizeof(ckeymat3))))
582 - goto end;
583 -
584 - testresult = 1;
585 -@@ -5909,7 +5933,7 @@ int setup_tests(void)
586 - ADD_ALL_TESTS(test_custom_exts, 3);
587 - #endif
588 - ADD_ALL_TESTS(test_serverinfo, 8);
589 -- ADD_ALL_TESTS(test_export_key_mat, 4);
590 -+ ADD_ALL_TESTS(test_export_key_mat, 6);
591 - #ifndef OPENSSL_NO_TLS1_3
592 - ADD_ALL_TESTS(test_export_key_mat_early, 3);
593 - #endif
594 -diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
595 -index 319df17bab0..de318df02b4 100644
596 ---- a/test/tls13secretstest.c
597 -+++ b/test/tls13secretstest.c
598 -@@ -226,7 +226,7 @@ static int test_secret(SSL *s, unsigned char *prk,
599 - }
600 -
601 - if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
602 -- gensecret, hashsize)) {
603 -+ gensecret, hashsize, 1)) {
604 - TEST_error("Secret generation failed");
605 - return 0;
606 - }
607
608 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
609 deleted file mode 100644
610 index c2f8bb638b3..00000000000
611 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
612 +++ /dev/null
613 @@ -1,26 +0,0 @@
614 -From 3ccccb91ae1c07a4310778b3d7ba74ff4ff787f0 Mon Sep 17 00:00:00 2001
615 -From: Paul Yang <yang.yang@××××××××××××.com>
616 -Date: Wed, 21 Nov 2018 13:16:27 +0800
617 -Subject: [PATCH] Fix wrong return value in ssl3_ctx_ctrl
618 -
619 -This fixes issue #7677
620 -
621 -Reviewed-by: Matt Caswell <matt@×××××××.org>
622 -(Merged from https://github.com/openssl/openssl/pull/7678)
623 ----
624 - ssl/s3_lib.c | 2 +-
625 - 1 file changed, 1 insertion(+), 1 deletion(-)
626 -
627 -diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
628 -index 866ca4dfa9b..99ae48199c2 100644
629 ---- a/ssl/s3_lib.c
630 -+++ b/ssl/s3_lib.c
631 -@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
632 - EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
633 - SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
634 - EVP_PKEY_free(pkdh);
635 -- return 1;
636 -+ return 0;
637 - }
638 - EVP_PKEY_free(ctx->cert->dh_tmp);
639 - ctx->cert->dh_tmp = pkdh;
640
641 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch b/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
642 deleted file mode 100644
643 index cfa84c73a5b..00000000000
644 --- a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch
645 +++ /dev/null
646 @@ -1,68 +0,0 @@
647 -From 99992ad22019e752c7b103a45f860a48b6bc0972 Mon Sep 17 00:00:00 2001
648 -From: Matt Caswell <matt@×××××××.org>
649 -Date: Wed, 21 Nov 2018 11:44:42 +0000
650 -Subject: [PATCH] Make sure build_SYS_str_reasons() preserves errno
651 -
652 -This function can end up being called during ERR_get_error() if we are
653 -initialising. ERR_get_error() must preserve errno since it gets called via
654 -SSL_get_error(). If that function returns SSL_ERROR_SYSCALL then you are
655 -supposed to inspect errno.
656 -
657 -Reviewed-by: Richard Levitte <levitte@×××××××.org>
658 -(Merged from https://github.com/openssl/openssl/pull/7680)
659 -
660 -(cherry picked from commit 71b1ceffc4c795f5db21861dd1016fbe23a53a53)
661 ----
662 -
663 -diff --git a/crypto/err/err.c b/crypto/err/err.c
664 -index 03cbd73..2eeeab2 100644
665 ---- a/crypto/err/err.c
666 -+++ b/crypto/err/err.c
667 -@@ -19,6 +19,7 @@
668 - #include <openssl/bio.h>
669 - #include <openssl/opensslconf.h>
670 - #include "internal/thread_once.h"
671 -+#include "e_os.h"
672 -
673 - static int err_load_strings(const ERR_STRING_DATA *str);
674 -
675 -@@ -201,6 +202,7 @@ static void build_SYS_str_reasons(void)
676 - static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
677 - static int init = 1;
678 - int i;
679 -+ int saveerrno = get_last_sys_error();
680 -
681 - CRYPTO_THREAD_write_lock(err_string_lock);
682 - if (!init) {
683 -@@ -229,6 +231,8 @@ static void build_SYS_str_reasons(void)
684 - init = 0;
685 -
686 - CRYPTO_THREAD_unlock(err_string_lock);
687 -+ /* openssl_strerror_r could change errno, but we want to preserve it */
688 -+ set_sys_error(saveerrno);
689 - err_load_strings(SYS_str_reasons);
690 - }
691 - #endif
692 -diff --git a/e_os.h b/e_os.h
693 -index 5340593..8e6efa9 100644
694 ---- a/e_os.h
695 -+++ b/e_os.h
696 -@@ -49,6 +49,7 @@
697 -
698 - # define get_last_sys_error() errno
699 - # define clear_sys_error() errno=0
700 -+# define set_sys_error(e) errno=(e)
701 -
702 - /********************************************************************
703 - The Microsoft section
704 -@@ -66,8 +67,10 @@
705 - # ifdef WIN32
706 - # undef get_last_sys_error
707 - # undef clear_sys_error
708 -+# undef set_sys_error
709 - # define get_last_sys_error() GetLastError()
710 - # define clear_sys_error() SetLastError(0)
711 -+# define set_sys_error(e) SetLastError(e)
712 - # if !defined(WINNT)
713 - # define WIN_CONSOLE_BUG
714 - # endif
715
716 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
717 deleted file mode 100644
718 index ed8f2dd96be..00000000000
719 --- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch
720 +++ /dev/null
721 @@ -1,51 +0,0 @@
722 -From ef97becf522fc4e2e9d98e6ae7bcb26651883d9a Mon Sep 17 00:00:00 2001
723 -From: Matt Caswell <matt@×××××××.org>
724 -Date: Wed, 21 Nov 2018 11:57:04 +0000
725 -Subject: [PATCH] Preserve errno on dlopen
726 -
727 -For the same reasons as in the previous commit we must preserve errno
728 -across dlopen calls. Some implementations (e.g. solaris) do not preserve
729 -errno even on a successful dlopen call.
730 -
731 -Fixes #6953
732 -
733 -Reviewed-by: Richard Levitte <levitte@×××××××.org>
734 -(Merged from https://github.com/openssl/openssl/pull/7680)
735 -
736 -(cherry picked from commit 3cb4e7dc1cf92022f62b9bbdd59695885a1265ff)
737 ----
738 - crypto/dso/dso_dlfcn.c | 7 +++++++
739 - 1 file changed, 7 insertions(+)
740 -
741 -diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
742 -index ad8899c289a..4240f5f5e30 100644
743 ---- a/crypto/dso/dso_dlfcn.c
744 -+++ b/crypto/dso/dso_dlfcn.c
745 -@@ -17,6 +17,7 @@
746 - #endif
747 -
748 - #include "dso_locl.h"
749 -+#include "e_os.h"
750 -
751 - #ifdef DSO_DLFCN
752 -
753 -@@ -99,6 +100,7 @@ static int dlfcn_load(DSO *dso)
754 - /* See applicable comments in dso_dl.c */
755 - char *filename = DSO_convert_filename(dso, NULL);
756 - int flags = DLOPEN_FLAG;
757 -+ int saveerrno = get_last_sys_error();
758 -
759 - if (filename == NULL) {
760 - DSOerr(DSO_F_DLFCN_LOAD, DSO_R_NO_FILENAME);
761 -@@ -118,6 +120,11 @@ static int dlfcn_load(DSO *dso)
762 - ERR_add_error_data(4, "filename(", filename, "): ", dlerror());
763 - goto err;
764 - }
765 -+ /*
766 -+ * Some dlopen() implementations (e.g. solaris) do no preserve errno, even
767 -+ * on a successful call.
768 -+ */
769 -+ set_sys_error(saveerrno);
770 - if (!sk_void_push(dso->meth_data, (char *)ptr)) {
771 - DSOerr(DSO_F_DLFCN_LOAD, DSO_R_STACK_ERROR);
772 - goto err;
773
774 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
775 deleted file mode 100644
776 index 84c43a3c3e0..00000000000
777 --- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch
778 +++ /dev/null
779 @@ -1,57 +0,0 @@
780 -From 145419423e1a74ae54cdbd3aed8bb15cbd53c7cc Mon Sep 17 00:00:00 2001
781 -From: Richard Levitte <levitte@×××××××.org>
782 -Date: Fri, 14 Dec 2018 19:33:55 +0100
783 -Subject: [PATCH] ERR: preserve system error number in a few more places
784 -
785 -It turns out that intialization may change the error number, so we
786 -need to preserve the system error number in functions where
787 -initialization is called for.
788 -These are ERR_get_state() and err_shelve_state()
789 -
790 -Fixes #7897
791 -
792 -Reviewed-by: Matt Caswell <matt@×××××××.org>
793 -(Merged from https://github.com/openssl/openssl/pull/7902)
794 -
795 -(cherry picked from commit 91c5473035aaf2c0d86e4039c2a29a5b70541905)
796 ----
797 - crypto/err/err.c | 5 +++++
798 - 1 file changed, 5 insertions(+)
799 -
800 -diff --git a/crypto/err/err.c b/crypto/err/err.c
801 -index 5cfb02d821b..aef2543d60b 100644
802 ---- a/crypto/err/err.c
803 -+++ b/crypto/err/err.c
804 -@@ -697,6 +697,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init)
805 - ERR_STATE *ERR_get_state(void)
806 - {
807 - ERR_STATE *state;
808 -+ int saveerrno = get_last_sys_error();
809 -
810 - if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
811 - return NULL;
812 -@@ -728,6 +729,7 @@ ERR_STATE *ERR_get_state(void)
813 - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
814 - }
815 -
816 -+ set_sys_error(saveerrno);
817 - return state;
818 - }
819 -
820 -@@ -737,6 +739,8 @@ ERR_STATE *ERR_get_state(void)
821 - */
822 - int err_shelve_state(void **state)
823 - {
824 -+ int saveerrno = get_last_sys_error();
825 -+
826 - if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
827 - return 0;
828 -
829 -@@ -747,6 +751,7 @@ int err_shelve_state(void **state)
830 - if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
831 - return 0;
832 -
833 -+ set_sys_error(saveerrno);
834 - return 1;
835 - }
836 -
837
838 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch b/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
839 deleted file mode 100644
840 index 5ea4fb97bfc..00000000000
841 --- a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
842 +++ /dev/null
843 @@ -1,56 +0,0 @@
844 -From ed371b8cbac0d0349667558c061c1ae380cf75eb Mon Sep 17 00:00:00 2001
845 -From: Matt Caswell <matt@×××××××.org>
846 -Date: Mon, 3 Dec 2018 18:14:57 +0000
847 -Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand"
848 -
849 -This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d.
850 -
851 -SSL_export_keying_material() may use longer label lengths.
852 -
853 -Fixes #7712
854 -
855 -Reviewed-by: Tim Hudson <tjh@×××××××.org>
856 -(Merged from https://github.com/openssl/openssl/pull/7755)
857 ----
858 - ssl/tls13_enc.c | 16 ++++------------
859 - 1 file changed, 4 insertions(+), 12 deletions(-)
860 -
861 -diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
862 -index b6825d20c2d..f7ab0fa4704 100644
863 ---- a/ssl/tls13_enc.c
864 -+++ b/ssl/tls13_enc.c
865 -@@ -13,14 +13,7 @@
866 - #include <openssl/evp.h>
867 - #include <openssl/kdf.h>
868 -
869 --/*
870 -- * RFC 8446, 7.1 Key Schedule, says:
871 -- * Note: With common hash functions, any label longer than 12 characters
872 -- * requires an additional iteration of the hash function to compute.
873 -- * The labels in this specification have all been chosen to fit within
874 -- * this limit.
875 -- */
876 --#define TLS13_MAX_LABEL_LEN 12
877 -+#define TLS13_MAX_LABEL_LEN 246
878 -
879 - /* Always filled with zeros */
880 - static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
881 -@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
882 - const unsigned char *data, size_t datalen,
883 - unsigned char *out, size_t outlen)
884 - {
885 -- static const unsigned char label_prefix[] = "tls13 ";
886 -+ const unsigned char label_prefix[] = "tls13 ";
887 - EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
888 - int ret;
889 - size_t hkdflabellen;
890 - size_t hashlen;
891 - /*
892 -- * 2 bytes for length of derived secret + 1 byte for length of combined
893 -- * prefix and label + bytes for the label itself + 1 byte length of hash
894 -- * + bytes for the hash itself
895 -+ * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
896 -+ * prefix and label + bytes for the label itself + bytes for the hash
897 - */
898 - unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
899 - + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
900
901 diff --git a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild b/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
902 deleted file mode 100644
903 index 44b9547d141..00000000000
904 --- a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild
905 +++ /dev/null
906 @@ -1,248 +0,0 @@
907 -# Copyright 1999-2019 Gentoo Authors
908 -# Distributed under the terms of the GNU General Public License v2
909 -
910 -EAPI="6"
911 -
912 -inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
913 -
914 -# openssl-1.0.2-patches-1.6 contain additional CVE patches
915 -# which got fixed with this release.
916 -# Please use 1.7 version number when rolling a new tarball!
917 -PATCH_SET="openssl-1.0.2-patches-1.5"
918 -MY_P=${P/_/-}
919 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
920 -HOMEPAGE="https://www.openssl.org/"
921 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
922 - !vanilla? (
923 - mirror://gentoo/${PATCH_SET}.tar.xz
924 - https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
925 - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
926 - https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
927 - )"
928 -
929 -LICENSE="openssl"
930 -SLOT="1.0.0"
931 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
932 -IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
933 -RESTRICT="!bindist? ( bindist )"
934 -
935 -RDEPEND=">=app-misc/c_rehash-1.7-r1
936 - gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
937 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
938 - kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
939 - !=dev-libs/openssl-1.0.2*:0"
940 -DEPEND="${RDEPEND}
941 - >=dev-lang/perl-5
942 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
943 - test? (
944 - sys-apps/diffutils
945 - sys-devel/bc
946 - )"
947 -
948 -RESTRICT="test"
949 -
950 -# Do not install any docs
951 -DOCS=()
952 -
953 -# This does not copy the entire Fedora patchset, but JUST the parts that
954 -# are needed to make it safe to use EC with RESTRICT=bindist.
955 -# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
956 -SOURCE1=hobble-openssl
957 -SOURCE12=ec_curve.c
958 -SOURCE13=ectest.c
959 -# These are ported instead
960 -#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
961 -#PATCH37=openssl-1.1.0-ec-curves.patch
962 -FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
963 -FEDORA_GIT_BRANCH='f25'
964 -FEDORA_SRC_URI=()
965 -FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
966 -FEDORA_PATCH=( $PATCH1 $PATCH37 )
967 -for i in "${FEDORA_SOURCE[@]}" ; do
968 - FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
969 -done
970 -for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
971 - FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
972 -done
973 -SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
974 -
975 -S="${WORKDIR}/${MY_P}"
976 -
977 -MULTILIB_WRAPPED_HEADERS=(
978 - usr/include/openssl/opensslconf.h
979 -)
980 -
981 -src_prepare() {
982 - if use bindist; then
983 - # This just removes the prefix, and puts it into WORKDIR like the RPM.
984 - for i in "${FEDORA_SOURCE[@]}" ; do
985 - cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
986 - done
987 - # .spec %prep
988 - bash "${WORKDIR}"/"${SOURCE1}" || die
989 - cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
990 - cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
991 - for i in "${FEDORA_PATCH[@]}" ; do
992 - eapply "${DISTDIR}"/"${i}"
993 - done
994 - eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
995 - # Also see the configure parts below:
996 - # enable-ec \
997 - # $(use_ssl !bindist ec2m) \
998 - # $(use_ssl !bindist srp) \
999 - fi
1000 -
1001 - # keep this in sync with app-misc/c_rehash
1002 - SSL_CNF_DIR="/etc/ssl"
1003 -
1004 - # Make sure we only ever touch Makefile.org and avoid patching a file
1005 - # that gets blown away anyways by the Configure script in src_configure
1006 - rm -f Makefile
1007 -
1008 - if ! use vanilla ; then
1009 - eapply "${WORKDIR}"/patch/*.patch
1010 - fi
1011 -
1012 - eapply_user
1013 -
1014 - # disable fips in the build
1015 - # make sure the man pages are suffixed #302165
1016 - # don't bother building man pages if they're disabled
1017 - sed -i \
1018 - -e '/DIRS/s: fips : :g' \
1019 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
1020 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
1021 - -e $(has noman FEATURES \
1022 - && echo '/^install:/s:install_docs::' \
1023 - || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
1024 - Makefile.org \
1025 - || die
1026 - # show the actual commands in the log
1027 - sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
1028 -
1029 - # since we're forcing $(CC) as makedep anyway, just fix
1030 - # the conditional as always-on
1031 - # helps clang (#417795), and versioned gcc (#499818)
1032 - # this breaks build with 1.0.2p, not sure if it is needed anymore
1033 - #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
1034 -
1035 - # quiet out unknown driver argument warnings since openssl
1036 - # doesn't have well-split CFLAGS and we're making it even worse
1037 - # and 'make depend' uses -Werror for added fun (#417795 again)
1038 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
1039 -
1040 - # allow openssl to be cross-compiled
1041 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
1042 - chmod a+rx gentoo.config || die
1043 -
1044 - append-flags -fno-strict-aliasing
1045 - append-flags $(test-flags-CC -Wa,--noexecstack)
1046 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
1047 -
1048 - sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
1049 - # The config script does stupid stuff to prompt the user. Kill it.
1050 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
1051 - ./config --test-sanity || die "I AM NOT SANE"
1052 -
1053 - multilib_copy_sources
1054 -}
1055 -
1056 -multilib_src_configure() {
1057 - unset APPS #197996
1058 - unset SCRIPTS #312551
1059 - unset CROSS_COMPILE #311473
1060 -
1061 - tc-export CC AR RANLIB RC
1062 -
1063 - # Clean out patent-or-otherwise-encumbered code
1064 - # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
1065 - # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
1066 - # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
1067 - # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
1068 - # RC5: Expired https://en.wikipedia.org/wiki/RC5
1069 -
1070 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
1071 - echoit() { echo "$@" ; "$@" ; }
1072 -
1073 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
1074 -
1075 - # See if our toolchain supports __uint128_t. If so, it's 64bit
1076 - # friendly and can use the nicely optimized code paths. #460790
1077 - local ec_nistp_64_gcc_128
1078 - # Disable it for now though #469976
1079 - #if ! use bindist ; then
1080 - # echo "__uint128_t i;" > "${T}"/128.c
1081 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
1082 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
1083 - # fi
1084 - #fi
1085 -
1086 - # https://github.com/openssl/openssl/issues/2286
1087 - if use ia64 ; then
1088 - replace-flags -g3 -g2
1089 - replace-flags -ggdb3 -ggdb2
1090 - fi
1091 -
1092 - local sslout=$(./gentoo.config)
1093 - einfo "Use configuration ${sslout:-(openssl knows best)}"
1094 - local config="Configure"
1095 - [[ -z ${sslout} ]] && config="config"
1096 -
1097 - # Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
1098 - echoit \
1099 - ./${config} \
1100 - ${sslout} \
1101 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
1102 - enable-camellia \
1103 - enable-ec \
1104 - $(use_ssl !bindist ec2m) \
1105 - $(use_ssl !bindist srp) \
1106 - ${ec_nistp_64_gcc_128} \
1107 - enable-idea \
1108 - enable-mdc2 \
1109 - enable-rc5 \
1110 - enable-tlsext \
1111 - $(use_ssl asm) \
1112 - $(use_ssl gmp gmp -lgmp) \
1113 - $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
1114 - $(use_ssl rfc3779) \
1115 - $(use_ssl sctp) \
1116 - $(use_ssl sslv2 ssl2) \
1117 - $(use_ssl sslv3 ssl3) \
1118 - $(use_ssl tls-heartbeat heartbeats) \
1119 - $(use_ssl zlib) \
1120 - --prefix="${EPREFIX%/}"/usr \
1121 - --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
1122 - --libdir=$(get_libdir) \
1123 - shared threads \
1124 - || die
1125 -
1126 - # Clean out hardcoded flags that openssl uses
1127 - local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
1128 - -e 's:^CFLAG=::' \
1129 - -e 's:-fomit-frame-pointer ::g' \
1130 - -e 's:-O[0-9] ::g' \
1131 - -e 's:-march=[-a-z0-9]* ::g' \
1132 - -e 's:-mcpu=[-a-z0-9]* ::g' \
1133 - -e 's:-m[a-z0-9]* ::g' \
1134 - )
1135 - sed -i \
1136 - -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
1137 - -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
1138 - Makefile || die
1139 -}
1140 -
1141 -multilib_src_compile() {
1142 - # depend is needed to use $confopts; it also doesn't matter
1143 - # that it's -j1 as the code itself serializes subdirs
1144 - emake -j1 V=1 depend
1145 - emake build_libs
1146 -}
1147 -
1148 -multilib_src_test() {
1149 - emake -j1 test
1150 -}
1151 -
1152 -multilib_src_install() {
1153 - dolib.so lib{crypto,ssl}.so.${SLOT}
1154 -}
1155
1156 diff --git a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild b/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
1157 deleted file mode 100644
1158 index 0ad3e058c0c..00000000000
1159 --- a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild
1160 +++ /dev/null
1161 @@ -1,299 +0,0 @@
1162 -# Copyright 1999-2019 Gentoo Authors
1163 -# Distributed under the terms of the GNU General Public License v2
1164 -
1165 -EAPI="6"
1166 -
1167 -inherit flag-o-matic toolchain-funcs multilib multilib-minimal
1168 -
1169 -MY_P=${P/_/-}
1170 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
1171 -HOMEPAGE="https://www.openssl.org/"
1172 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
1173 -
1174 -LICENSE="openssl"
1175 -SLOT="0/1.1" # .so version of libssl/libcrypto
1176 -[[ "${PV}" = *_pre* ]] || \
1177 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
1178 -IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
1179 -RESTRICT="!bindist? ( bindist )"
1180 -
1181 -RDEPEND=">=app-misc/c_rehash-1.7-r1
1182 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
1183 -DEPEND="${RDEPEND}
1184 - >=dev-lang/perl-5
1185 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
1186 - test? (
1187 - sys-apps/diffutils
1188 - sys-devel/bc
1189 - )"
1190 -PDEPEND="app-misc/ca-certificates"
1191 -
1192 -PATCHES=(
1193 - "${FILESDIR}"/${P}-make-sure-build_SYS_str_reasons_preserves_errno.patch
1194 - "${FILESDIR}"/${P}-preserve-errno-on-dlopen.patch
1195 - "${FILESDIR}"/${P}-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch
1196 - "${FILESDIR}"/${P}-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch
1197 - "${FILESDIR}"/${P}-fix-some-SSL_export_keying_material-issues.patch
1198 - "${FILESDIR}"/${P}-preserve-system-error-number-in-a-few-more-places.patch
1199 - "${FILESDIR}"/${P}-fix-a-minor-nit-in-hkdflabel-size.patch
1200 - "${FILESDIR}"/${P}-fix-cert-with-rsa-instead-of-rsaEncryption.patch
1201 -)
1202 -
1203 -# This does not copy the entire Fedora patchset, but JUST the parts that
1204 -# are needed to make it safe to use EC with RESTRICT=bindist.
1205 -# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
1206 -SOURCE1=hobble-openssl
1207 -SOURCE12=ec_curve.c
1208 -SOURCE13=ectest.c
1209 -PATCH37=openssl-1.1.1-ec-curves.patch
1210 -FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
1211 -FEDORA_GIT_BRANCH='f29'
1212 -FEDORA_SRC_URI=()
1213 -FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
1214 -FEDORA_PATCH=( ${PATCH37} )
1215 -for i in "${FEDORA_SOURCE[@]}" ; do
1216 - FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
1217 -done
1218 -for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
1219 - FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
1220 -done
1221 -SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
1222 -
1223 -S="${WORKDIR}/${MY_P}"
1224 -
1225 -MULTILIB_WRAPPED_HEADERS=(
1226 - usr/include/openssl/opensslconf.h
1227 -)
1228 -
1229 -src_prepare() {
1230 - if use bindist; then
1231 - # This just removes the prefix, and puts it into WORKDIR like the RPM.
1232 - for i in "${FEDORA_SOURCE[@]}" ; do
1233 - cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
1234 - done
1235 - # .spec %prep
1236 - bash "${WORKDIR}"/"${SOURCE1}" || die
1237 - cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
1238 - cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
1239 - for i in "${FEDORA_PATCH[@]}" ; do
1240 - eapply "${DISTDIR}"/"${i}"
1241 - done
1242 - # Also see the configure parts below:
1243 - # enable-ec \
1244 - # $(use_ssl !bindist ec2m) \
1245 -
1246 - fi
1247 -
1248 - # keep this in sync with app-misc/c_rehash
1249 - SSL_CNF_DIR="/etc/ssl"
1250 -
1251 - # Make sure we only ever touch Makefile.org and avoid patching a file
1252 - # that gets blown away anyways by the Configure script in src_configure
1253 - rm -f Makefile
1254 -
1255 - if ! use vanilla ; then
1256 - if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
1257 - [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
1258 - fi
1259 - fi
1260 -
1261 - eapply_user #332661
1262 -
1263 - # make sure the man pages are suffixed #302165
1264 - # don't bother building man pages if they're disabled
1265 - # Make DOCDIR Gentoo compliant
1266 - sed -i \
1267 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
1268 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
1269 - -e $(has noman FEATURES \
1270 - && echo '/^install:/s:install_docs::' \
1271 - || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
1272 - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
1273 - Configurations/unix-Makefile.tmpl \
1274 - || die
1275 -
1276 - # quiet out unknown driver argument warnings since openssl
1277 - # doesn't have well-split CFLAGS and we're making it even worse
1278 - # and 'make depend' uses -Werror for added fun (#417795 again)
1279 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
1280 -
1281 - # allow openssl to be cross-compiled
1282 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
1283 - chmod a+rx gentoo.config || die
1284 -
1285 - append-flags -fno-strict-aliasing
1286 - append-flags $(test-flags-CC -Wa,--noexecstack)
1287 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
1288 -
1289 - # Prefixify Configure shebang (#141906)
1290 - sed \
1291 - -e "1s,/usr/bin/env,${EPREFIX%/}&," \
1292 - -i Configure || die
1293 - # Remove test target when FEATURES=test isn't set
1294 - if ! use test ; then
1295 - sed \
1296 - -e '/^$config{dirs}/s@ "test",@@' \
1297 - -i Configure || die
1298 - fi
1299 - # The config script does stupid stuff to prompt the user. Kill it.
1300 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
1301 - ./config --test-sanity || die "I AM NOT SANE"
1302 -
1303 - multilib_copy_sources
1304 -}
1305 -
1306 -multilib_src_configure() {
1307 - unset APPS #197996
1308 - unset SCRIPTS #312551
1309 - unset CROSS_COMPILE #311473
1310 -
1311 - tc-export CC AR RANLIB RC
1312 -
1313 - # Clean out patent-or-otherwise-encumbered code
1314 - # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
1315 - # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
1316 - # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
1317 - # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
1318 - # RC5: Expired https://en.wikipedia.org/wiki/RC5
1319 -
1320 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
1321 - echoit() { echo "$@" ; "$@" ; }
1322 -
1323 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
1324 -
1325 - # See if our toolchain supports __uint128_t. If so, it's 64bit
1326 - # friendly and can use the nicely optimized code paths. #460790
1327 - local ec_nistp_64_gcc_128
1328 - # Disable it for now though #469976
1329 - #if ! use bindist ; then
1330 - # echo "__uint128_t i;" > "${T}"/128.c
1331 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
1332 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
1333 - # fi
1334 - #fi
1335 -
1336 - local sslout=$(./gentoo.config)
1337 - einfo "Use configuration ${sslout:-(openssl knows best)}"
1338 - local config="Configure"
1339 - [[ -z ${sslout} ]] && config="config"
1340 -
1341 - # Fedora hobbled-EC needs 'no-ec2m'
1342 - # 'srp' was restricted until early 2017 as well.
1343 - # "disable-deprecated" option breaks too many consumers.
1344 - # Don't set it without thorough revdeps testing.
1345 - echoit \
1346 - ./${config} \
1347 - ${sslout} \
1348 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
1349 - enable-camellia \
1350 - enable-ec \
1351 - $(use_ssl !bindist ec2m) \
1352 - enable-srp \
1353 - $(use elibc_musl && echo "no-async") \
1354 - ${ec_nistp_64_gcc_128} \
1355 - enable-idea \
1356 - enable-mdc2 \
1357 - enable-rc5 \
1358 - $(use_ssl sslv3 ssl3) \
1359 - $(use_ssl sslv3 ssl3-method) \
1360 - $(use_ssl asm) \
1361 - $(use_ssl rfc3779) \
1362 - $(use_ssl sctp) \
1363 - $(use_ssl tls-heartbeat heartbeats) \
1364 - $(use_ssl zlib) \
1365 - --prefix="${EPREFIX%/}"/usr \
1366 - --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
1367 - --libdir=$(get_libdir) \
1368 - shared threads \
1369 - || die
1370 -
1371 - # Clean out hardcoded flags that openssl uses
1372 - # Fix quoting for sed
1373 - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
1374 - -e 's:^CFLAGS=::' \
1375 - -e 's:-fomit-frame-pointer ::g' \
1376 - -e 's:-O[0-9] ::g' \
1377 - -e 's:-march=[-a-z0-9]* ::g' \
1378 - -e 's:-mcpu=[-a-z0-9]* ::g' \
1379 - -e 's:-m[a-z0-9]* ::g' \
1380 - -e 's:\\:\\\\:g' \
1381 - )
1382 - sed -i \
1383 - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
1384 - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
1385 - Makefile || die
1386 -}
1387 -
1388 -multilib_src_compile() {
1389 - # depend is needed to use $confopts; it also doesn't matter
1390 - # that it's -j1 as the code itself serializes subdirs
1391 - emake -j1 depend
1392 - emake all
1393 -}
1394 -
1395 -multilib_src_test() {
1396 - emake -j1 test
1397 -}
1398 -
1399 -multilib_src_install() {
1400 - # We need to create $ED/usr on our own to avoid a race condition #665130
1401 - if [[ ! -d "${ED%/}/usr" ]]; then
1402 - # We can only create this directory once
1403 - mkdir "${ED%/}"/usr || die
1404 - fi
1405 -
1406 - emake DESTDIR="${D%/}" install
1407 -}
1408 -
1409 -multilib_src_install_all() {
1410 - # openssl installs perl version of c_rehash by default, but
1411 - # we provide a shell version via app-misc/c_rehash
1412 - rm "${ED%/}"/usr/bin/c_rehash || die
1413 -
1414 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
1415 -
1416 - # This is crappy in that the static archives are still built even
1417 - # when USE=static-libs. But this is due to a failing in the openssl
1418 - # build system: the static archives are built as PIC all the time.
1419 - # Only way around this would be to manually configure+compile openssl
1420 - # twice; once with shared lib support enabled and once without.
1421 - use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
1422 -
1423 - # create the certs directory
1424 - keepdir ${SSL_CNF_DIR}/certs
1425 -
1426 - # Namespace openssl programs to prevent conflicts with other man pages
1427 - cd "${ED%/}"/usr/share/man || die
1428 - local m d s
1429 - for m in $(find . -type f | xargs grep -L '#include') ; do
1430 - d=${m%/*} ; d=${d#./} ; m=${m##*/}
1431 - [[ ${m} == openssl.1* ]] && continue
1432 - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
1433 - mv ${d}/{,ssl-}${m}
1434 - # fix up references to renamed man pages
1435 - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
1436 - ln -s ssl-${m} ${d}/openssl-${m}
1437 - # locate any symlinks that point to this man page ... we assume
1438 - # that any broken links are due to the above renaming
1439 - for s in $(find -L ${d} -type l) ; do
1440 - s=${s##*/}
1441 - rm -f ${d}/${s}
1442 - # We don't want to "|| die" here
1443 - ln -s ssl-${m} ${d}/ssl-${s}
1444 - ln -s ssl-${s} ${d}/openssl-${s}
1445 - done
1446 - done
1447 - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
1448 -
1449 - dodir /etc/sandbox.d #254521
1450 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
1451 -
1452 - diropts -m0700
1453 - keepdir ${SSL_CNF_DIR}/private
1454 -}
1455 -
1456 -pkg_postinst() {
1457 - ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
1458 - c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
1459 - eend $?
1460 -}
1461
1462 diff --git a/dev-libs/openssl/openssl-1.1.1a.ebuild b/dev-libs/openssl/openssl-1.1.1a.ebuild
1463 deleted file mode 100644
1464 index 5b5bb76c6b7..00000000000
1465 --- a/dev-libs/openssl/openssl-1.1.1a.ebuild
1466 +++ /dev/null
1467 @@ -1,288 +0,0 @@
1468 -# Copyright 1999-2018 Gentoo Authors
1469 -# Distributed under the terms of the GNU General Public License v2
1470 -
1471 -EAPI="6"
1472 -
1473 -inherit flag-o-matic toolchain-funcs multilib multilib-minimal
1474 -
1475 -MY_P=${P/_/-}
1476 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
1477 -HOMEPAGE="https://www.openssl.org/"
1478 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
1479 -
1480 -LICENSE="openssl"
1481 -SLOT="0/1.1" # .so version of libssl/libcrypto
1482 -[[ "${PV}" = *_pre* ]] || \
1483 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
1484 -IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
1485 -RESTRICT="!bindist? ( bindist )"
1486 -
1487 -RDEPEND=">=app-misc/c_rehash-1.7-r1
1488 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
1489 -DEPEND="${RDEPEND}
1490 - >=dev-lang/perl-5
1491 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
1492 - test? (
1493 - sys-apps/diffutils
1494 - sys-devel/bc
1495 - )"
1496 -PDEPEND="app-misc/ca-certificates"
1497 -
1498 -# This does not copy the entire Fedora patchset, but JUST the parts that
1499 -# are needed to make it safe to use EC with RESTRICT=bindist.
1500 -# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
1501 -SOURCE1=hobble-openssl
1502 -SOURCE12=ec_curve.c
1503 -SOURCE13=ectest.c
1504 -PATCH37=openssl-1.1.1-ec-curves.patch
1505 -FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
1506 -FEDORA_GIT_BRANCH='f29'
1507 -FEDORA_SRC_URI=()
1508 -FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} )
1509 -FEDORA_PATCH=( ${PATCH37} )
1510 -for i in "${FEDORA_SOURCE[@]}" ; do
1511 - FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
1512 -done
1513 -for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
1514 - FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
1515 -done
1516 -SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
1517 -
1518 -S="${WORKDIR}/${MY_P}"
1519 -
1520 -MULTILIB_WRAPPED_HEADERS=(
1521 - usr/include/openssl/opensslconf.h
1522 -)
1523 -
1524 -src_prepare() {
1525 - if use bindist; then
1526 - # This just removes the prefix, and puts it into WORKDIR like the RPM.
1527 - for i in "${FEDORA_SOURCE[@]}" ; do
1528 - cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
1529 - done
1530 - # .spec %prep
1531 - bash "${WORKDIR}"/"${SOURCE1}" || die
1532 - cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
1533 - cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
1534 - for i in "${FEDORA_PATCH[@]}" ; do
1535 - eapply "${DISTDIR}"/"${i}"
1536 - done
1537 - # Also see the configure parts below:
1538 - # enable-ec \
1539 - # $(use_ssl !bindist ec2m) \
1540 -
1541 - fi
1542 -
1543 - # keep this in sync with app-misc/c_rehash
1544 - SSL_CNF_DIR="/etc/ssl"
1545 -
1546 - # Make sure we only ever touch Makefile.org and avoid patching a file
1547 - # that gets blown away anyways by the Configure script in src_configure
1548 - rm -f Makefile
1549 -
1550 - if ! use vanilla ; then
1551 - if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
1552 - [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
1553 - fi
1554 - fi
1555 -
1556 - eapply_user #332661
1557 -
1558 - # make sure the man pages are suffixed #302165
1559 - # don't bother building man pages if they're disabled
1560 - # Make DOCDIR Gentoo compliant
1561 - sed -i \
1562 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
1563 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
1564 - -e $(has noman FEATURES \
1565 - && echo '/^install:/s:install_docs::' \
1566 - || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
1567 - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
1568 - Configurations/unix-Makefile.tmpl \
1569 - || die
1570 -
1571 - # quiet out unknown driver argument warnings since openssl
1572 - # doesn't have well-split CFLAGS and we're making it even worse
1573 - # and 'make depend' uses -Werror for added fun (#417795 again)
1574 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
1575 -
1576 - # allow openssl to be cross-compiled
1577 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
1578 - chmod a+rx gentoo.config || die
1579 -
1580 - append-flags -fno-strict-aliasing
1581 - append-flags $(test-flags-CC -Wa,--noexecstack)
1582 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
1583 -
1584 - # Prefixify Configure shebang (#141906)
1585 - sed \
1586 - -e "1s,/usr/bin/env,${EPREFIX%/}&," \
1587 - -i Configure || die
1588 - # Remove test target when FEATURES=test isn't set
1589 - if ! use test ; then
1590 - sed \
1591 - -e '/^$config{dirs}/s@ "test",@@' \
1592 - -i Configure || die
1593 - fi
1594 - # The config script does stupid stuff to prompt the user. Kill it.
1595 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
1596 - ./config --test-sanity || die "I AM NOT SANE"
1597 -
1598 - multilib_copy_sources
1599 -}
1600 -
1601 -multilib_src_configure() {
1602 - unset APPS #197996
1603 - unset SCRIPTS #312551
1604 - unset CROSS_COMPILE #311473
1605 -
1606 - tc-export CC AR RANLIB RC
1607 -
1608 - # Clean out patent-or-otherwise-encumbered code
1609 - # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
1610 - # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
1611 - # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
1612 - # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
1613 - # RC5: Expired https://en.wikipedia.org/wiki/RC5
1614 -
1615 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
1616 - echoit() { echo "$@" ; "$@" ; }
1617 -
1618 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
1619 -
1620 - # See if our toolchain supports __uint128_t. If so, it's 64bit
1621 - # friendly and can use the nicely optimized code paths. #460790
1622 - local ec_nistp_64_gcc_128
1623 - # Disable it for now though #469976
1624 - #if ! use bindist ; then
1625 - # echo "__uint128_t i;" > "${T}"/128.c
1626 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
1627 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
1628 - # fi
1629 - #fi
1630 -
1631 - local sslout=$(./gentoo.config)
1632 - einfo "Use configuration ${sslout:-(openssl knows best)}"
1633 - local config="Configure"
1634 - [[ -z ${sslout} ]] && config="config"
1635 -
1636 - # Fedora hobbled-EC needs 'no-ec2m'
1637 - # 'srp' was restricted until early 2017 as well.
1638 - # "disable-deprecated" option breaks too many consumers.
1639 - # Don't set it without thorough revdeps testing.
1640 - echoit \
1641 - ./${config} \
1642 - ${sslout} \
1643 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
1644 - enable-camellia \
1645 - enable-ec \
1646 - $(use_ssl !bindist ec2m) \
1647 - enable-srp \
1648 - $(use elibc_musl && echo "no-async") \
1649 - ${ec_nistp_64_gcc_128} \
1650 - enable-idea \
1651 - enable-mdc2 \
1652 - enable-rc5 \
1653 - $(use_ssl sslv3 ssl3) \
1654 - $(use_ssl sslv3 ssl3-method) \
1655 - $(use_ssl asm) \
1656 - $(use_ssl rfc3779) \
1657 - $(use_ssl sctp) \
1658 - $(use_ssl tls-heartbeat heartbeats) \
1659 - $(use_ssl zlib) \
1660 - --prefix="${EPREFIX%/}"/usr \
1661 - --openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
1662 - --libdir=$(get_libdir) \
1663 - shared threads \
1664 - || die
1665 -
1666 - # Clean out hardcoded flags that openssl uses
1667 - # Fix quoting for sed
1668 - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
1669 - -e 's:^CFLAGS=::' \
1670 - -e 's:-fomit-frame-pointer ::g' \
1671 - -e 's:-O[0-9] ::g' \
1672 - -e 's:-march=[-a-z0-9]* ::g' \
1673 - -e 's:-mcpu=[-a-z0-9]* ::g' \
1674 - -e 's:-m[a-z0-9]* ::g' \
1675 - -e 's:\\:\\\\:g' \
1676 - )
1677 - sed -i \
1678 - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
1679 - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
1680 - Makefile || die
1681 -}
1682 -
1683 -multilib_src_compile() {
1684 - # depend is needed to use $confopts; it also doesn't matter
1685 - # that it's -j1 as the code itself serializes subdirs
1686 - emake -j1 depend
1687 - emake all
1688 -}
1689 -
1690 -multilib_src_test() {
1691 - emake -j1 test
1692 -}
1693 -
1694 -multilib_src_install() {
1695 - # We need to create $ED/usr on our own to avoid a race condition #665130
1696 - if [[ ! -d "${ED%/}/usr" ]]; then
1697 - # We can only create this directory once
1698 - mkdir "${ED%/}"/usr || die
1699 - fi
1700 -
1701 - emake DESTDIR="${D%/}" install
1702 -}
1703 -
1704 -multilib_src_install_all() {
1705 - # openssl installs perl version of c_rehash by default, but
1706 - # we provide a shell version via app-misc/c_rehash
1707 - rm "${ED%/}"/usr/bin/c_rehash || die
1708 -
1709 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
1710 -
1711 - # This is crappy in that the static archives are still built even
1712 - # when USE=static-libs. But this is due to a failing in the openssl
1713 - # build system: the static archives are built as PIC all the time.
1714 - # Only way around this would be to manually configure+compile openssl
1715 - # twice; once with shared lib support enabled and once without.
1716 - use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a
1717 -
1718 - # create the certs directory
1719 - keepdir ${SSL_CNF_DIR}/certs
1720 -
1721 - # Namespace openssl programs to prevent conflicts with other man pages
1722 - cd "${ED%/}"/usr/share/man || die
1723 - local m d s
1724 - for m in $(find . -type f | xargs grep -L '#include') ; do
1725 - d=${m%/*} ; d=${d#./} ; m=${m##*/}
1726 - [[ ${m} == openssl.1* ]] && continue
1727 - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
1728 - mv ${d}/{,ssl-}${m}
1729 - # fix up references to renamed man pages
1730 - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
1731 - ln -s ssl-${m} ${d}/openssl-${m}
1732 - # locate any symlinks that point to this man page ... we assume
1733 - # that any broken links are due to the above renaming
1734 - for s in $(find -L ${d} -type l) ; do
1735 - s=${s##*/}
1736 - rm -f ${d}/${s}
1737 - # We don't want to "|| die" here
1738 - ln -s ssl-${m} ${d}/ssl-${s}
1739 - ln -s ssl-${s} ${d}/openssl-${s}
1740 - done
1741 - done
1742 - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
1743 -
1744 - dodir /etc/sandbox.d #254521
1745 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl
1746 -
1747 - diropts -m0700
1748 - keepdir ${SSL_CNF_DIR}/private
1749 -}
1750 -
1751 -pkg_postinst() {
1752 - ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
1753 - c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
1754 - eend $?
1755 -}