diff options
| author |   Mike Frysinger <vapier@gentoo.org> | 2009-11-21 03:09:54 +0000 |
|---|---|---|
| committer | Mike Frysinger <vapier@gentoo.org> | 2009-11-21 03:09:54 +0000 |
| commit | 4c60d87717872f20eeb7e96c615860c2a84009df (patch) | |
| tree | af89fbb5496c0cc60644f3a7138afa631a20b35c /dev-libs/openssl | |
| parent | Version bump. (diff) | |
| download | gentoo-2-4c60d87717872f20eeb7e96c615860c2a84009df.tar.gz gentoo-2-4c60d87717872f20eeb7e96c615860c2a84009df.tar.bz2 gentoo-2-4c60d87717872f20eeb7e96c615860c2a84009df.zip | |
Add fixes from upstream but not in the 0.9.8l release.
(Portage version: 2.2_rc49/cvs/Linux x86_64)
Diffstat (limited to 'dev-libs/openssl')
| -rw-r--r-- | dev-libs/openssl/ChangeLog | 10 | ||||
| -rw-r--r-- | dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch | 59 | ||||
| -rw-r--r-- | dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch | 34 | ||||
| -rw-r--r-- | dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch | 167 | ||||
| -rw-r--r-- | dev-libs/openssl/openssl-0.9.8l-r1.ebuild | 182 |
5 files changed, 451 insertions, 1 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog index 708ee71619e0..4a3d1488b90d 100644 --- a/dev-libs/openssl/ChangeLog +++ b/dev-libs/openssl/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for dev-libs/openssl # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.300 2009/11/08 20:38:28 nixnut Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.301 2009/11/21 03:09:54 vapier Exp $ + +*openssl-0.9.8l-r1 (21 Nov 2009) + + 21 Nov 2009; Mike Frysinger <vapier@gentoo.org> +openssl-0.9.8l-r1.ebuild, + +files/openssl-0.9.8l-CVE-2009-1387.patch, + +files/openssl-0.9.8l-CVE-2009-2409.patch, + +files/openssl-0.9.8l-dtls-compat.patch: + Add fixes from upstream but not in the 0.9.8l release. 08 Nov 2009; nixnut <nixnut@gentoo.org> openssl-0.9.8l.ebuild: ppc stable #292022 diff --git a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch new file mode 100644 index 000000000000..a9e5ea054f5c --- /dev/null +++ b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch @@ -0,0 +1,59 @@ +http://bugs.gentoo.org/270305 + +fix from upstream + +Index: ssl/d1_both.c +=================================================================== +RCS file: /usr/local/src/openssl/CVSROOT/openssl/ssl/d1_both.c,v +retrieving revision 1.4.2.7 +retrieving revision 1.4.2.8 +diff -u -p -r1.4.2.7 -r1.4.2.8 +--- ssl/d1_both.c 17 Oct 2007 21:17:49 -0000 1.4.2.7 ++++ ssl/d1_both.c 2 Apr 2009 22:12:13 -0000 1.4.2.8 +@@ -575,30 +575,31 @@ dtls1_process_out_of_seq_message(SSL *s, + } + } + +- frag = dtls1_hm_fragment_new(frag_len); +- if ( frag == NULL) +- goto err; ++ if (frag_len) ++ { ++ frag = dtls1_hm_fragment_new(frag_len); ++ if ( frag == NULL) ++ goto err; + +- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); ++ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + +- if (frag_len) +- { +- /* read the body of the fragment (header has already been read */ ++ /* read the body of the fragment (header has already been read) */ + i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, + frag->fragment,frag_len,0); + if (i<=0 || (unsigned long)i!=frag_len) + goto err; +- } + +- pq_64bit_init(&seq64); +- pq_64bit_assign_word(&seq64, msg_hdr->seq); ++ pq_64bit_init(&seq64); ++ pq_64bit_assign_word(&seq64, msg_hdr->seq); + +- item = pitem_new(seq64, frag); +- pq_64bit_free(&seq64); +- if ( item == NULL) +- goto err; ++ item = pitem_new(seq64, frag); ++ pq_64bit_free(&seq64); ++ if ( item == NULL) ++ goto err; ++ ++ pqueue_insert(s->d1->buffered_messages, item); ++ } + +- pqueue_insert(s->d1->buffered_messages, item); + return DTLS1_HM_FRAGMENT_RETRY; + + err: diff --git a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch new file mode 100644 index 000000000000..ad4bf3dac9fa --- /dev/null +++ b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch @@ -0,0 +1,34 @@ +http://bugs.gentoo.org/280591 + +fix from upstream + +Index: openssl/crypto/evp/c_alld.c +RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v +rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null +--- c_alld.c 2005/04/30 21:51:40 1.7 ++++ c_alld.c 2009/07/08 08:33:26 1.7.2.1 +@@ -64,9 +64,6 @@ + + void OpenSSL_add_all_digests(void) + { +-#ifndef OPENSSL_NO_MD2 +- EVP_add_digest(EVP_md2()); +-#endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); + #endif +Index: openssl/ssl/ssl_algs.c +RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v +rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null +--- ssl_algs.c 2007/04/23 23:50:21 1.12.2.3 ++++ ssl_algs.c 2009/07/08 08:33:27 1.12.2.4 +@@ -92,9 +92,6 @@ + EVP_add_cipher(EVP_seed_cbc()); + #endif + +-#ifndef OPENSSL_NO_MD2 +- EVP_add_digest(EVP_md2()); +-#endif + #ifndef OPENSSL_NO_MD5 + EVP_add_digest(EVP_md5()); + EVP_add_digest_alias(SN_md5,"ssl2-md5"); diff --git a/dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch b/dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch new file mode 100644 index 000000000000..4d30c9b47d6f --- /dev/null +++ b/dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch @@ -0,0 +1,167 @@ +http://bugs.gentoo.org/280370 + +fix from upstream + +Index: openssl/ssl/d1_clnt.c +RCS File: /v/openssl/cvs/openssl/ssl/d1_clnt.c,v +rcsdiff -q -kk '-r1.3.2.15' '-r1.3.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_clnt.c,v' 2>/dev/null +--- d1_clnt.c 2009/04/14 15:20:47 1.3.2.15 ++++ d1_clnt.c 2009/04/19 18:08:11 1.3.2.16 +@@ -130,7 +130,7 @@ + + static SSL_METHOD *dtls1_get_client_method(int ver) + { +- if (ver == DTLS1_VERSION) ++ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) + return(DTLSv1_client_method()); + else + return(NULL); +@@ -181,7 +181,8 @@ + s->server=0; + if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); + +- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) ++ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) && ++ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) + { + SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); + ret = -1; +Index: openssl/ssl/d1_lib.c +RCS File: /v/openssl/cvs/openssl/ssl/d1_lib.c,v +rcsdiff -q -kk '-r1.1.2.7' '-r1.1.2.8' -u '/v/openssl/cvs/openssl/ssl/d1_lib.c,v' 2>/dev/null +--- d1_lib.c 2009/04/02 22:34:59 1.1.2.7 ++++ d1_lib.c 2009/04/19 18:08:11 1.1.2.8 +@@ -198,7 +198,10 @@ + void dtls1_clear(SSL *s) + { + ssl3_clear(s); +- s->version=DTLS1_VERSION; ++ if (s->options & SSL_OP_CISCO_ANYCONNECT) ++ s->version=DTLS1_BAD_VER; ++ else ++ s->version=DTLS1_VERSION; + } + + /* +Index: openssl/ssl/d1_pkt.c +RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v +rcsdiff -q -kk '-r1.4.2.15' '-r1.4.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null +--- d1_pkt.c 2009/04/02 22:34:59 1.4.2.15 ++++ d1_pkt.c 2009/04/19 18:08:12 1.4.2.16 +@@ -1024,15 +1024,17 @@ + if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) + { + struct ccs_header_st ccs_hdr; ++ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; + + dtls1_get_ccs_header(rr->data, &ccs_hdr); + + /* 'Change Cipher Spec' is just a single byte, so we know + * exactly what the record payload has to look like */ + /* XDTLS: check that epoch is consistent */ +- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) || +- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || +- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) ++ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER) ++ ccs_hdr_len = 3; ++ ++ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) + { + i=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); +@@ -1358,7 +1360,7 @@ + #if 0 + /* 'create_empty_fragment' is true only when this function calls itself */ + if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done +- && SSL_version(s) != DTLS1_VERSION) ++ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) + { + /* countermeasure against known-IV weakness in CBC ciphersuites + * (see http://www.openssl.org/~bodo/tls-cbc.txt) +Index: openssl/ssl/s3_clnt.c +RCS File: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v +rcsdiff -q -kk '-r1.88.2.21' '-r1.88.2.22' -u '/v/openssl/cvs/openssl/ssl/s3_clnt.c,v' 2>/dev/null +--- s3_clnt.c 2009/02/14 21:50:14 1.88.2.21 ++++ s3_clnt.c 2009/04/19 18:08:12 1.88.2.22 +@@ -708,7 +708,7 @@ + + if (!ok) return((int)n); + +- if ( SSL_version(s) == DTLS1_VERSION) ++ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + { + if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) + { +Index: openssl/ssl/ssl.h +RCS File: /v/openssl/cvs/openssl/ssl/ssl.h,v +rcsdiff -q -kk '-r1.161.2.21' '-r1.161.2.22' -u '/v/openssl/cvs/openssl/ssl/ssl.h,v' 2>/dev/null +--- ssl.h 2008/08/13 19:44:44 1.161.2.21 ++++ ssl.h 2009/04/19 18:08:12 1.161.2.22 +@@ -510,6 +510,8 @@ + #define SSL_OP_COOKIE_EXCHANGE 0x00002000L + /* Don't use RFC4507 ticket extension */ + #define SSL_OP_NO_TICKET 0x00004000L ++/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */ ++#define SSL_OP_CISCO_ANYCONNECT 0x00008000L + + /* As server, disallow session resumption on renegotiation */ + #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L +Index: openssl/ssl/ssl_lib.c +RCS File: /v/openssl/cvs/openssl/ssl/ssl_lib.c,v +rcsdiff -q -kk '-r1.133.2.16' '-r1.133.2.17' -u '/v/openssl/cvs/openssl/ssl/ssl_lib.c,v' 2>/dev/null +--- ssl_lib.c 2009/02/23 16:02:47 1.133.2.16 ++++ ssl_lib.c 2009/04/19 18:08:12 1.133.2.17 +@@ -995,7 +995,8 @@ + s->max_cert_list=larg; + return(l); + case SSL_CTRL_SET_MTU: +- if (SSL_version(s) == DTLS1_VERSION) ++ if (SSL_version(s) == DTLS1_VERSION || ++ SSL_version(s) == DTLS1_BAD_VER) + { + s->d1->mtu = larg; + return larg; +Index: openssl/ssl/ssl_sess.c +RCS File: /v/openssl/cvs/openssl/ssl/ssl_sess.c,v +rcsdiff -q -kk '-r1.51.2.9' '-r1.51.2.10' -u '/v/openssl/cvs/openssl/ssl/ssl_sess.c,v' 2>/dev/null +--- ssl_sess.c 2008/06/04 18:35:27 1.51.2.9 ++++ ssl_sess.c 2009/04/19 18:08:12 1.51.2.10 +@@ -211,6 +211,11 @@ + ss->ssl_version=TLS1_VERSION; + ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; + } ++ else if (s->version == DTLS1_BAD_VER) ++ { ++ ss->ssl_version=DTLS1_BAD_VER; ++ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; ++ } + else if (s->version == DTLS1_VERSION) + { + ss->ssl_version=DTLS1_VERSION; +Index: openssl/ssl/t1_enc.c +RCS File: /v/openssl/cvs/openssl/ssl/t1_enc.c,v +rcsdiff -q -kk '-r1.35.2.8' '-r1.35.2.9' -u '/v/openssl/cvs/openssl/ssl/t1_enc.c,v' 2>/dev/null +--- t1_enc.c 2009/01/05 14:43:07 1.35.2.8 ++++ t1_enc.c 2009/04/19 18:08:12 1.35.2.9 +@@ -765,10 +765,10 @@ + HMAC_CTX_init(&hmac); + HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); + +- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER) ++ if (ssl->version == DTLS1_BAD_VER || ++ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)) + { + unsigned char dtlsseq[8],*p=dtlsseq; +- + s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); + memcpy (p,&seq[2],6); + +@@ -793,7 +793,7 @@ + {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } + #endif + +- if ( SSL_version(ssl) != DTLS1_VERSION) ++ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER) + { + for (i=7; i>=0; i--) + { diff --git a/dev-libs/openssl/openssl-0.9.8l-r1.ebuild b/dev-libs/openssl/openssl-0.9.8l-r1.ebuild new file mode 100644 index 000000000000..ab41d1a74852 --- /dev/null +++ b/dev-libs/openssl/openssl-0.9.8l-r1.ebuild @@ -0,0 +1,182 @@ +# Copyright 1999-2009 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8l-r1.ebuild,v 1.1 2009/11/21 03:09:54 vapier Exp $ + +inherit eutils flag-o-matic toolchain-funcs + +DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1" +HOMEPAGE="http://www.openssl.org/" +SRC_URI="mirror://openssl/source/${P}.tar.gz" + +LICENSE="openssl" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" +IUSE="bindist gmp kerberos sse2 test zlib" + +RDEPEND="gmp? ( dev-libs/gmp ) + zlib? ( sys-libs/zlib ) + kerberos? ( app-crypt/mit-krb5 )" +DEPEND="${RDEPEND} + sys-apps/diffutils + >=dev-lang/perl-5 + test? ( sys-devel/bc )" +PDEPEND="app-misc/ca-certificates" + +src_unpack() { + unpack ${A} + cd "${S}" + + epatch "${FILESDIR}"/${PN}-0.9.7e-gentoo.patch + epatch "${FILESDIR}"/${PN}-0.9.7-alpha-default-gcc.patch + #Forward port of the -b patch. Parallel make fails though. + epatch "${FILESDIR}"/${PN}-0.9.8j-parallel-build.patch + epatch "${FILESDIR}"/${PN}-0.9.8-make-engines-dir.patch + epatch "${FILESDIR}"/${PN}-0.9.8k-toolchain.patch + epatch "${FILESDIR}"/${PN}-0.9.8b-doc-updates.patch + epatch "${FILESDIR}"/${PN}-0.9.8-makedepend.patch #149583 + epatch "${FILESDIR}"/${PN}-0.9.8e-make.patch #146316 + #epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch + epatch "${FILESDIR}"/${PN}-0.9.8g-sslv3-no-tlsext.patch + #epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438 + epatch "${FILESDIR}"/${PN}-0.9.8l-CVE-2009-137{7,8,9}.patch #270305 + epatch "${FILESDIR}"/${P}-CVE-2009-1387.patch #270305 + epatch "${FILESDIR}"/${P}-CVE-2009-2409.patch #280591 + epatch "${FILESDIR}"/${P}-dtls-compat.patch #280370 + sed -i -e '/DIRS/ s/ fips / /g' Makefile{,.org} \ + || die "Removing fips from openssl failed." + + # allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed" + chmod a+rx gentoo.config + + # Don't build manpages if we don't want them + has noman FEATURES \ + && sed -i '/^install:/s:install_docs::' Makefile.org \ + || sed -i '/^MANDIR=/s:=.*:=/usr/share/man:' Makefile.org + + # Try to derice users and work around broken ass toolchains + if [[ $(gcc-major-version) == "3" ]] ; then + filter-flags -fprefetch-loop-arrays -freduce-all-givs -funroll-loops + [[ $(tc-arch) == "ppc64" ]] && replace-flags -O? -O + fi + [[ $(tc-arch) == ppc* ]] && append-flags -fno-strict-aliasing + append-flags -Wa,--noexecstack + + # using a library directory other than lib requires some magic + sed -i \ + -e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/$(get_libdir)+g" \ + -e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/$(get_libdir)+g" \ + Makefile.org engines/Makefile \ + || die "sed failed" + sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906 + sed -i '/^"debug-steve/d' Configure # 0.9.8k shipped broken + ./config --test-sanity || die "I AM NOT SANE" +} + +src_compile() { + unset APPS #197996 + + tc-export CC AR RANLIB + + # Clean out patent-or-otherwise-encumbered code + # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) + # IDEA: 5,214,703 25/05/2010 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm + # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography + # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 + # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5 + + use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; } + echoit() { echo "$@" ; "$@" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + local sslout=$(./gentoo.config) + einfo "Use configuration ${sslout:-(openssl knows best)}" + local config="Configure" + [[ -z ${sslout} ]] && config="config" + echoit \ + ./${config} \ + ${sslout} \ + $(use sse2 || echo "no-sse2") \ + enable-camellia \ + $(use_ssl !bindist ec) \ + $(use_ssl !bindist idea) \ + enable-mdc2 \ + $(use_ssl !bindist rc5) \ + enable-tlsext \ + $(use_ssl gmp) \ + $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ + $(use_ssl zlib) \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + shared threads \ + || die "Configure failed" + + # Clean out hardcoded flags that openssl uses + local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ + -e 's:^CFLAG=::' \ + -e 's:-fomit-frame-pointer ::g' \ + -e 's:-O[0-9] ::g' \ + -e 's:-march=[-a-z0-9]* ::g' \ + -e 's:-mcpu=[-a-z0-9]* ::g' \ + -e 's:-m[a-z0-9]* ::g' \ + ) + sed -i \ + -e "/^CFLAG/s:=.*:=${CFLAG} ${CFLAGS}:" \ + -e "/^SHARED_LDFLAGS=/s:$: ${LDFLAGS}:" \ + Makefile || die + + # depend is needed to use $confopts + # rehash is needed to prep the certs/ dir + emake -j1 depend || die "depend failed" + emake -j1 all rehash || die "make all failed" +} + +src_test() { + emake -j1 test || die "make test failed" +} + +src_install() { + emake -j1 INSTALL_PREFIX="${D}" install || die + dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el + dohtml -r doc/* + + # create the certs directory + dodir /etc/ssl/certs + cp -RP certs/* "${D}"/etc/ssl/certs/ || die "failed to install certs" + rm -r "${D}"/etc/ssl/certs/{demo,expired} + + # Namespace openssl programs to prevent conflicts with other man pages + cd "${D}"/usr/share/man + local m d s + for m in $(find . -type f | xargs grep -L '#include') ; do + d=${m%/*} ; d=${d#./} ; m=${m##*/} + [[ ${m} == openssl.1* ]] && continue + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" + mv ${d}/{,ssl-}${m} + ln -s ssl-${m} ${d}/openssl-${m} + # locate any symlinks that point to this man page ... we assume + # that any broken links are due to the above renaming + for s in $(find -L ${d} -type l) ; do + s=${s##*/} + rm -f ${d}/${s} + ln -s ssl-${m} ${d}/ssl-${s} + ln -s ssl-${s} ${d}/openssl-${s} + done + done + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" + + dodir /etc/sandbox.d #254521 + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${D}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir /etc/ssl/private +} + +pkg_preinst() { + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} +} + +pkg_postinst() { + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} +} |