summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'dev-libs/openssl')
-rw-r--r--dev-libs/openssl/ChangeLog10
-rw-r--r--dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch59
-rw-r--r--dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch34
-rw-r--r--dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch167
-rw-r--r--dev-libs/openssl/openssl-0.9.8l-r1.ebuild182
5 files changed, 451 insertions, 1 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog
index 708ee71619e0..4a3d1488b90d 100644
--- a/dev-libs/openssl/ChangeLog
+++ b/dev-libs/openssl/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for dev-libs/openssl
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.300 2009/11/08 20:38:28 nixnut Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.301 2009/11/21 03:09:54 vapier Exp $
+
+*openssl-0.9.8l-r1 (21 Nov 2009)
+
+ 21 Nov 2009; Mike Frysinger <vapier@gentoo.org> +openssl-0.9.8l-r1.ebuild,
+ +files/openssl-0.9.8l-CVE-2009-1387.patch,
+ +files/openssl-0.9.8l-CVE-2009-2409.patch,
+ +files/openssl-0.9.8l-dtls-compat.patch:
+ Add fixes from upstream but not in the 0.9.8l release.
08 Nov 2009; nixnut <nixnut@gentoo.org> openssl-0.9.8l.ebuild:
ppc stable #292022
diff --git a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch
new file mode 100644
index 000000000000..a9e5ea054f5c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1387.patch
@@ -0,0 +1,59 @@
+http://bugs.gentoo.org/270305
+
+fix from upstream
+
+Index: ssl/d1_both.c
+===================================================================
+RCS file: /usr/local/src/openssl/CVSROOT/openssl/ssl/d1_both.c,v
+retrieving revision 1.4.2.7
+retrieving revision 1.4.2.8
+diff -u -p -r1.4.2.7 -r1.4.2.8
+--- ssl/d1_both.c 17 Oct 2007 21:17:49 -0000 1.4.2.7
++++ ssl/d1_both.c 2 Apr 2009 22:12:13 -0000 1.4.2.8
+@@ -575,30 +575,31 @@ dtls1_process_out_of_seq_message(SSL *s,
+ }
+ }
+
+- frag = dtls1_hm_fragment_new(frag_len);
+- if ( frag == NULL)
+- goto err;
++ if (frag_len)
++ {
++ frag = dtls1_hm_fragment_new(frag_len);
++ if ( frag == NULL)
++ goto err;
+
+- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
++ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+
+- if (frag_len)
+- {
+- /* read the body of the fragment (header has already been read */
++ /* read the body of the fragment (header has already been read) */
+ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+ frag->fragment,frag_len,0);
+ if (i<=0 || (unsigned long)i!=frag_len)
+ goto err;
+- }
+
+- pq_64bit_init(&seq64);
+- pq_64bit_assign_word(&seq64, msg_hdr->seq);
++ pq_64bit_init(&seq64);
++ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+
+- item = pitem_new(seq64, frag);
+- pq_64bit_free(&seq64);
+- if ( item == NULL)
+- goto err;
++ item = pitem_new(seq64, frag);
++ pq_64bit_free(&seq64);
++ if ( item == NULL)
++ goto err;
++
++ pqueue_insert(s->d1->buffered_messages, item);
++ }
+
+- pqueue_insert(s->d1->buffered_messages, item);
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
diff --git a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch
new file mode 100644
index 000000000000..ad4bf3dac9fa
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch
@@ -0,0 +1,34 @@
+http://bugs.gentoo.org/280591
+
+fix from upstream
+
+Index: openssl/crypto/evp/c_alld.c
+RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v
+rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null
+--- c_alld.c 2005/04/30 21:51:40 1.7
++++ c_alld.c 2009/07/08 08:33:26 1.7.2.1
+@@ -64,9 +64,6 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
+-#ifndef OPENSSL_NO_MD2
+- EVP_add_digest(EVP_md2());
+-#endif
+ #ifndef OPENSSL_NO_MD4
+ EVP_add_digest(EVP_md4());
+ #endif
+Index: openssl/ssl/ssl_algs.c
+RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v
+rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null
+--- ssl_algs.c 2007/04/23 23:50:21 1.12.2.3
++++ ssl_algs.c 2009/07/08 08:33:27 1.12.2.4
+@@ -92,9 +92,6 @@
+ EVP_add_cipher(EVP_seed_cbc());
+ #endif
+
+-#ifndef OPENSSL_NO_MD2
+- EVP_add_digest(EVP_md2());
+-#endif
+ #ifndef OPENSSL_NO_MD5
+ EVP_add_digest(EVP_md5());
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
diff --git a/dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch b/dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch
new file mode 100644
index 000000000000..4d30c9b47d6f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8l-dtls-compat.patch
@@ -0,0 +1,167 @@
+http://bugs.gentoo.org/280370
+
+fix from upstream
+
+Index: openssl/ssl/d1_clnt.c
+RCS File: /v/openssl/cvs/openssl/ssl/d1_clnt.c,v
+rcsdiff -q -kk '-r1.3.2.15' '-r1.3.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_clnt.c,v' 2>/dev/null
+--- d1_clnt.c 2009/04/14 15:20:47 1.3.2.15
++++ d1_clnt.c 2009/04/19 18:08:11 1.3.2.16
+@@ -130,7 +130,7 @@
+
+ static SSL_METHOD *dtls1_get_client_method(int ver)
+ {
+- if (ver == DTLS1_VERSION)
++ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
+ return(DTLSv1_client_method());
+ else
+ return(NULL);
+@@ -181,7 +181,8 @@
+ s->server=0;
+ if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
++ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
++ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
+ {
+ SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
+ ret = -1;
+Index: openssl/ssl/d1_lib.c
+RCS File: /v/openssl/cvs/openssl/ssl/d1_lib.c,v
+rcsdiff -q -kk '-r1.1.2.7' '-r1.1.2.8' -u '/v/openssl/cvs/openssl/ssl/d1_lib.c,v' 2>/dev/null
+--- d1_lib.c 2009/04/02 22:34:59 1.1.2.7
++++ d1_lib.c 2009/04/19 18:08:11 1.1.2.8
+@@ -198,7 +198,10 @@
+ void dtls1_clear(SSL *s)
+ {
+ ssl3_clear(s);
+- s->version=DTLS1_VERSION;
++ if (s->options & SSL_OP_CISCO_ANYCONNECT)
++ s->version=DTLS1_BAD_VER;
++ else
++ s->version=DTLS1_VERSION;
+ }
+
+ /*
+Index: openssl/ssl/d1_pkt.c
+RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
+rcsdiff -q -kk '-r1.4.2.15' '-r1.4.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
+--- d1_pkt.c 2009/04/02 22:34:59 1.4.2.15
++++ d1_pkt.c 2009/04/19 18:08:12 1.4.2.16
+@@ -1024,15 +1024,17 @@
+ if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+ {
+ struct ccs_header_st ccs_hdr;
++ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
+
+ dtls1_get_ccs_header(rr->data, &ccs_hdr);
+
+ /* 'Change Cipher Spec' is just a single byte, so we know
+ * exactly what the record payload has to look like */
+ /* XDTLS: check that epoch is consistent */
+- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
+- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
+- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
++ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
++ ccs_hdr_len = 3;
++
++ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
+ {
+ i=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+@@ -1358,7 +1360,7 @@
+ #if 0
+ /* 'create_empty_fragment' is true only when this function calls itself */
+ if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
+- && SSL_version(s) != DTLS1_VERSION)
++ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
+ {
+ /* countermeasure against known-IV weakness in CBC ciphersuites
+ * (see http://www.openssl.org/~bodo/tls-cbc.txt)
+Index: openssl/ssl/s3_clnt.c
+RCS File: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v
+rcsdiff -q -kk '-r1.88.2.21' '-r1.88.2.22' -u '/v/openssl/cvs/openssl/ssl/s3_clnt.c,v' 2>/dev/null
+--- s3_clnt.c 2009/02/14 21:50:14 1.88.2.21
++++ s3_clnt.c 2009/04/19 18:08:12 1.88.2.22
+@@ -708,7 +708,7 @@
+
+ if (!ok) return((int)n);
+
+- if ( SSL_version(s) == DTLS1_VERSION)
++ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+ {
+ if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
+ {
+Index: openssl/ssl/ssl.h
+RCS File: /v/openssl/cvs/openssl/ssl/ssl.h,v
+rcsdiff -q -kk '-r1.161.2.21' '-r1.161.2.22' -u '/v/openssl/cvs/openssl/ssl/ssl.h,v' 2>/dev/null
+--- ssl.h 2008/08/13 19:44:44 1.161.2.21
++++ ssl.h 2009/04/19 18:08:12 1.161.2.22
+@@ -510,6 +510,8 @@
+ #define SSL_OP_COOKIE_EXCHANGE 0x00002000L
+ /* Don't use RFC4507 ticket extension */
+ #define SSL_OP_NO_TICKET 0x00004000L
++/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
++#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
+
+ /* As server, disallow session resumption on renegotiation */
+ #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
+Index: openssl/ssl/ssl_lib.c
+RCS File: /v/openssl/cvs/openssl/ssl/ssl_lib.c,v
+rcsdiff -q -kk '-r1.133.2.16' '-r1.133.2.17' -u '/v/openssl/cvs/openssl/ssl/ssl_lib.c,v' 2>/dev/null
+--- ssl_lib.c 2009/02/23 16:02:47 1.133.2.16
++++ ssl_lib.c 2009/04/19 18:08:12 1.133.2.17
+@@ -995,7 +995,8 @@
+ s->max_cert_list=larg;
+ return(l);
+ case SSL_CTRL_SET_MTU:
+- if (SSL_version(s) == DTLS1_VERSION)
++ if (SSL_version(s) == DTLS1_VERSION ||
++ SSL_version(s) == DTLS1_BAD_VER)
+ {
+ s->d1->mtu = larg;
+ return larg;
+Index: openssl/ssl/ssl_sess.c
+RCS File: /v/openssl/cvs/openssl/ssl/ssl_sess.c,v
+rcsdiff -q -kk '-r1.51.2.9' '-r1.51.2.10' -u '/v/openssl/cvs/openssl/ssl/ssl_sess.c,v' 2>/dev/null
+--- ssl_sess.c 2008/06/04 18:35:27 1.51.2.9
++++ ssl_sess.c 2009/04/19 18:08:12 1.51.2.10
+@@ -211,6 +211,11 @@
+ ss->ssl_version=TLS1_VERSION;
+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+ }
++ else if (s->version == DTLS1_BAD_VER)
++ {
++ ss->ssl_version=DTLS1_BAD_VER;
++ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
++ }
+ else if (s->version == DTLS1_VERSION)
+ {
+ ss->ssl_version=DTLS1_VERSION;
+Index: openssl/ssl/t1_enc.c
+RCS File: /v/openssl/cvs/openssl/ssl/t1_enc.c,v
+rcsdiff -q -kk '-r1.35.2.8' '-r1.35.2.9' -u '/v/openssl/cvs/openssl/ssl/t1_enc.c,v' 2>/dev/null
+--- t1_enc.c 2009/01/05 14:43:07 1.35.2.8
++++ t1_enc.c 2009/04/19 18:08:12 1.35.2.9
+@@ -765,10 +765,10 @@
+ HMAC_CTX_init(&hmac);
+ HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
+
+- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
++ if (ssl->version == DTLS1_BAD_VER ||
++ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
+ {
+ unsigned char dtlsseq[8],*p=dtlsseq;
+-
+ s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
+ memcpy (p,&seq[2],6);
+
+@@ -793,7 +793,7 @@
+ {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
+ #endif
+
+- if ( SSL_version(ssl) != DTLS1_VERSION)
++ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
+ {
+ for (i=7; i>=0; i--)
+ {
diff --git a/dev-libs/openssl/openssl-0.9.8l-r1.ebuild b/dev-libs/openssl/openssl-0.9.8l-r1.ebuild
new file mode 100644
index 000000000000..ab41d1a74852
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8l-r1.ebuild
@@ -0,0 +1,182 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8l-r1.ebuild,v 1.1 2009/11/21 03:09:54 vapier Exp $
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist gmp kerberos sse2 test zlib"
+
+RDEPEND="gmp? ( dev-libs/gmp )
+ zlib? ( sys-libs/zlib )
+ kerberos? ( app-crypt/mit-krb5 )"
+DEPEND="${RDEPEND}
+ sys-apps/diffutils
+ >=dev-lang/perl-5
+ test? ( sys-devel/bc )"
+PDEPEND="app-misc/ca-certificates"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-0.9.7e-gentoo.patch
+ epatch "${FILESDIR}"/${PN}-0.9.7-alpha-default-gcc.patch
+ #Forward port of the -b patch. Parallel make fails though.
+ epatch "${FILESDIR}"/${PN}-0.9.8j-parallel-build.patch
+ epatch "${FILESDIR}"/${PN}-0.9.8-make-engines-dir.patch
+ epatch "${FILESDIR}"/${PN}-0.9.8k-toolchain.patch
+ epatch "${FILESDIR}"/${PN}-0.9.8b-doc-updates.patch
+ epatch "${FILESDIR}"/${PN}-0.9.8-makedepend.patch #149583
+ epatch "${FILESDIR}"/${PN}-0.9.8e-make.patch #146316
+ #epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+ epatch "${FILESDIR}"/${PN}-0.9.8g-sslv3-no-tlsext.patch
+ #epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
+ epatch "${FILESDIR}"/${PN}-0.9.8l-CVE-2009-137{7,8,9}.patch #270305
+ epatch "${FILESDIR}"/${P}-CVE-2009-1387.patch #270305
+ epatch "${FILESDIR}"/${P}-CVE-2009-2409.patch #280591
+ epatch "${FILESDIR}"/${P}-dtls-compat.patch #280370
+ sed -i -e '/DIRS/ s/ fips / /g' Makefile{,.org} \
+ || die "Removing fips from openssl failed."
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
+ chmod a+rx gentoo.config
+
+ # Don't build manpages if we don't want them
+ has noman FEATURES \
+ && sed -i '/^install:/s:install_docs::' Makefile.org \
+ || sed -i '/^MANDIR=/s:=.*:=/usr/share/man:' Makefile.org
+
+ # Try to derice users and work around broken ass toolchains
+ if [[ $(gcc-major-version) == "3" ]] ; then
+ filter-flags -fprefetch-loop-arrays -freduce-all-givs -funroll-loops
+ [[ $(tc-arch) == "ppc64" ]] && replace-flags -O? -O
+ fi
+ [[ $(tc-arch) == ppc* ]] && append-flags -fno-strict-aliasing
+ append-flags -Wa,--noexecstack
+
+ # using a library directory other than lib requires some magic
+ sed -i \
+ -e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/$(get_libdir)+g" \
+ -e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/$(get_libdir)+g" \
+ Makefile.org engines/Makefile \
+ || die "sed failed"
+ sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
+ sed -i '/^"debug-steve/d' Configure # 0.9.8k shipped broken
+ ./config --test-sanity || die "I AM NOT SANE"
+}
+
+src_compile() {
+ unset APPS #197996
+
+ tc-export CC AR RANLIB
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: 5,214,703 25/05/2010 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ $(use_ssl !bindist idea) \
+ enable-mdc2 \
+ $(use_ssl !bindist rc5) \
+ enable-tlsext \
+ $(use_ssl gmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl zlib) \
+ --prefix=/usr \
+ --openssldir=/etc/ssl \
+ shared threads \
+ || die "Configure failed"
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^CFLAG/s:=.*:=${CFLAG} ${CFLAGS}:" \
+ -e "/^SHARED_LDFLAGS=/s:$: ${LDFLAGS}:" \
+ Makefile || die
+
+ # depend is needed to use $confopts
+ # rehash is needed to prep the certs/ dir
+ emake -j1 depend || die "depend failed"
+ emake -j1 all rehash || die "make all failed"
+}
+
+src_test() {
+ emake -j1 test || die "make test failed"
+}
+
+src_install() {
+ emake -j1 INSTALL_PREFIX="${D}" install || die
+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+ dohtml -r doc/*
+
+ # create the certs directory
+ dodir /etc/ssl/certs
+ cp -RP certs/* "${D}"/etc/ssl/certs/ || die "failed to install certs"
+ rm -r "${D}"/etc/ssl/certs/{demo,expired}
+
+ # Namespace openssl programs to prevent conflicts with other man pages
+ cd "${D}"/usr/share/man
+ local m d s
+ for m in $(find . -type f | xargs grep -L '#include') ; do
+ d=${m%/*} ; d=${d#./} ; m=${m##*/}
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+ mv ${d}/{,ssl-}${m}
+ ln -s ssl-${m} ${d}/openssl-${m}
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L ${d} -type l) ; do
+ s=${s##*/}
+ rm -f ${d}/${s}
+ ln -s ssl-${m} ${d}/ssl-${s}
+ ln -s ssl-${s} ${d}/openssl-${s}
+ done
+ done
+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+ dodir /etc/sandbox.d #254521
+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${D}"/etc/sandbox.d/10openssl
+
+ diropts -m0700
+ keepdir /etc/ssl/private
+}
+
+pkg_preinst() {
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7}
+}
+
+pkg_postinst() {
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7}
+}