dev-libs/openssl: Add openssl-1.1.t back to source.

The SDK masks OpenSSL-3.0.x; therefore, not having a 1.1.1* version ebuild
will result in an SDK build failure.

BUG=b/273847775
TEST=presubmit
RELEASE_NOTE=None

Change-Id: I27dec7cf9bdcc63c95d11ab329de402820f0d93f
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/chromiumos-overlay/+/45247
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 8a76994..5b940c8 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,2 +1,4 @@
+DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e857728625d31ab3244881cafa91c099a817a09def7746bce4133585bfc90b769f43527e77a81ed13e60a8c2fb4d8d SHA512 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c
+DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
 DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
 DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6
diff --git a/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch b/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch
new file mode 100644
index 0000000..c6af44f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch
@@ -0,0 +1,22 @@
+https://github.com/openssl/openssl/issues/7679
+
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -77,8 +77,14 @@
+      # to. You're welcome.
+      sub dependmagic {
+          my $target = shift;
+-
+-         return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target";
++		  my $magic = <<"_____";
++$target: build_generated depend
++		 \$(MAKE) _$target
++_$target
++_____
++		 # Remove line ending
++		 $magic =~ s|\R$||;
++		 return $magic;
+      }
+      '';
+ -}
+
diff --git a/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch b/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch
new file mode 100644
index 0000000..9eb426e
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch
@@ -0,0 +1,60 @@
+99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Thu, 29 Aug 2019 13:56:21 -0700
+Subject: [PATCH] Add support for io_pgetevents_time64 syscall
+
+32-bit architectures that are y2038 safe don't include syscalls that use
+32-bit time_t. Instead these architectures have suffixed syscalls that
+always use a 64-bit time_t. In the case of the io_getevents syscall the
+syscall has been replaced with the io_pgetevents_time64 syscall instead.
+
+This patch changes the io_getevents() function to use the correct
+syscall based on the avaliable syscalls and the time_t size. We will
+only use the new 64-bit time_t syscall if the architecture is using a
+64-bit time_t. This is to avoid having to deal with 32/64-bit
+conversions and relying on a 64-bit timespec struct on 32-bit time_t
+platforms. As of Linux 5.3 there are no 32-bit time_t architectures
+without __NR_io_getevents. In the future if a 32-bit time_t architecture
+wants to use the 64-bit syscalls we can handle the conversion.
+
+This fixes build failures on 32-bit RISC-V.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9819)
+---
+ engines/e_afalg.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/engines/e_afalg.c b/engines/e_afalg.c
+index dacbe358cb..99516cb1bb 100644
+--- a/engines/e_afalg.c
++++ b/engines/e_afalg.c
+@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
+                                struct io_event *events,
+                                struct timespec *timeout)
+ {
++#if defined(__NR_io_getevents)
+     return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
++#elif defined(__NR_io_pgetevents_time64)
++    /* Let's only support the 64 suffix syscalls for 64-bit time_t.
++     * This simplifies the code for us as we don't need to use a 64-bit
++     * version of timespec with a 32-bit time_t and handle converting
++     * between 64-bit and 32-bit times and check for overflows.
++     */
++    if (sizeof(timeout->tv_sec) == 8)
++        return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
++    else {
++        errno = ENOSYS;
++        return -1;
++    }
++#else
++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
++#endif
+ }
+ 
+ static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
+-- 
+2.26.2
diff --git a/dev-libs/openssl/files/openssl-1.1.1j-blocklist.patch b/dev-libs/openssl/files/openssl-1.1.1j-blocklist.patch
new file mode 100644
index 0000000..2320b4c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1j-blocklist.patch
@@ -0,0 +1,358 @@
+From ef26f0407eed02a3b48775689c9ffe6c0aef5f10 Mon Sep 17 00:00:00 2001
+From: Mattias Nissler <mnissler@chromium.org>
+Date: Mon, 4 Nov 2019 20:47:18 +0100
+Subject: [PATCH] Support for blocklisting certificates for verification
+
+We can add certs to the blocklist by serial (with 'serial <n>') or by
+sha256sum with ('sha256 <n>').
+
+This is a forward-port of the original blocklisting patch for 1.0.2 by
+ellyjones@chromium.org. The code is somewhat problematic (for example
+it reads the blocklist file for each certificate it checks, only works
+for the internal verification code path we happen to use, doesn't have
+proper error handling), so ideally we'd find a better solution to do
+blocklisting moving forward. Alas, this is what we have right now.
+
+BUG=chromium:203154
+TEST=unit test,security_OpenSSLBlocklist
+TEST=FEATURES=test emerge openssl
+TEST=tast run <target> security.OpenSSLBlocklist
+---
+ crypto/x509/x509_vfy.c                        | 125 ++++++++++++++++++
+ test/recipes/90-test_blocklist.t              |  71 ++++++++++
+ .../90-test_blocklist_data/globalsign.pem     |  22 +++
+ .../recipes/90-test_blocklist_data/google.pem |  53 ++++++++
+ test/recipes/90-test_blocklist_data/gts.pem   |  25 ++++
+ 5 files changed, 296 insertions(+)
+ create mode 100644 test/recipes/90-test_blocklist.t
+ create mode 100644 test/recipes/90-test_blocklist_data/globalsign.pem
+ create mode 100644 test/recipes/90-test_blocklist_data/google.pem
+ create mode 100644 test/recipes/90-test_blocklist_data/gts.pem
+
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -250,6 +250,127 @@ static int verify_chain(X509_STORE_CTX *ctx)
+     return ok;
+ }
+ 
++/* A version of fgets() that returns the first sz - 1 characters of the next
++ * line from 'in'. The rest of the line is discarded. */
++static int gets_trunc(BIO *in, char *buf, int sz)
++{
++    char b;
++    int i = 0;
++
++    if (sz < 1)
++        return i;
++
++    while (BIO_read(in, &b, 1)) {
++        if (i < sz - 1)
++            buf[i++] = b;
++        if (!b || b == '\n')
++            break;
++    }
++
++    buf[i] = '\0';
++
++    return i;
++}
++
++/* Converts a byte string into a hex string, null-terminated. The 'out' buffer
++ * must be at least 2 * insize + 1 bytes long. */
++static void hexify(unsigned char *in, char *out, int insize)
++{
++    int i;
++    static const char hex[] = "0123456789abcdef";
++    for (i = 0; i < insize; i++) {
++        out[i * 2] = hex[in[i] >> 4];
++        out[i * 2 + 1] = hex[in[i] & 0xf];
++    }
++    out[i * 2] = '\0';
++}
++
++static int is_blocklisted(X509 *x)
++{
++    /* See http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
++     * "Certificate users MUST be able to handle serialNumber values up to
++     *  20 octets.  Conforming CAs MUST NOT use serialNumber values longer
++     *  than 20 octets."
++     */
++    static const int MAX_SERIAL = 20;
++    static const int MAX_BLOCKLIST_LINE = 1024;
++
++    unsigned char md[EVP_MAX_MD_SIZE];
++    char hexsha256[EVP_MAX_MD_SIZE * 2 + 1];
++    char hexsha1[EVP_MAX_MD_SIZE * 2 + 1];
++    char hexserial[MAX_SERIAL * 2 + 1];
++    const EVP_MD *sha256 = EVP_sha256();
++    const EVP_MD *sha1 = EVP_sha1();
++    unsigned int n;
++    char line[MAX_BLOCKLIST_LINE];
++    BIO *file;
++    int ret = 0;
++    ASN1_INTEGER *serial = NULL;
++    unsigned int serial_len;
++    const char *path = getenv("OPENSSL_BLOCKLIST_PATH");
++
++    if (!path)
++        path = OPENSSLDIR "/blocklist";
++
++    file = BIO_new_file(path, "r");
++    if (!file) {
++        ERR_clear_error();
++        return 0;
++    }
++
++    if (!X509_digest(x, sha256, md, &n))
++        goto out;
++    hexify(md, hexsha256, n);
++    if (!X509_digest(x, sha1, md, &n))
++        goto out;
++    hexify(md, hexsha1, n);
++    serial = X509_get_serialNumber(x);
++    serial_len = serial->length;
++    if (serial_len > sizeof(hexserial) / 2)
++        /* We only match the first MAX_SERIAL bytes of the serial. */
++        serial_len = sizeof(hexserial) / 2;
++    hexify(serial->data, hexserial, serial_len);
++
++    while (gets_trunc(file, line, sizeof(line))) {
++        char *p, *str = line;
++        char *cmd = strsep(&str, " ");
++        char *arg = strsep(&str, " ");
++        if (!cmd || !arg || cmd[0] == '#')
++            continue;
++        if ((p = strchr(arg, '\n')))
++            *p = '\0';
++        if (!strcmp(cmd, "sha256") && !strcmp(arg, hexsha256)) {
++            ret = 1;
++            goto out;
++        }
++        if (!strcmp(cmd, "sha1") && !strcmp(arg, hexsha1)) {
++            ret = 1;
++            goto out;
++        }
++        if (!strcmp(cmd, "serial") && !strcmp(arg, hexserial)) {
++            ret = 1;
++            goto out;
++        }
++    }
++
++out:
++    BIO_free(file);
++    return ret;
++}
++
++static int check_blocklist(X509_STORE_CTX *ctx)
++{
++    int i;
++    X509 *x;
++
++    for (i = 0; i < ctx->num_untrusted; i++) {
++        x = sk_X509_value(ctx->chain, i);
++        if (is_blocklisted(x))
++            return 0;
++    }
++    return 1;
++}
++
+ int X509_verify_cert(X509_STORE_CTX *ctx)
+ {
+     SSL_DANE *dane = ctx->dane;
+@@ -3193,6 +3314,10 @@ static int build_chain(X509_STORE_CTX *ctx)
+             trust = check_trust(ctx, num);
+     }
+ 
++    if (!check_blocklist(ctx)) {
++        trust = X509_TRUST_REJECTED;
++    }
++
+     switch (trust) {
+     case X509_TRUST_TRUSTED:
+         return 1;
+--- /dev/null
++++ b/test/recipes/90-test_blocklist.t
+@@ -0,0 +1,71 @@
++#! /usr/bin/env perl
++# Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the OpenSSL license (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++use strict;
++use warnings;
++
++use File::Spec::Functions qw/catfile curdir/;
++use OpenSSL::Test;
++use OpenSSL::Test::Utils;
++use OpenSSL::Test qw/:DEFAULT with data_file/;
++
++setup("test_blocklist");
++
++# Fix time to 2019-11-01 for predictable validity.
++my @check_time=("-attime", "1572562800");
++
++sub test_blocklist {
++    my $desc = shift;
++    my $blocklist = shift;
++    my $expected_exit = shift;
++
++    # Use a blocklist file in the test-runs directory.
++    my $blocklist_file = catfile(curdir(), "blocklist");
++    $ENV{OPENSSL_BLOCKLIST_PATH} = $blocklist_file;
++
++    open(my $blocklist_fh, ">", $blocklist_file);
++    print $blocklist_fh $blocklist;
++    close $blocklist_fh;
++
++    with({ exit_checker => sub { return shift == $expected_exit; } },
++         sub { ok(run(app(["openssl", "verify", @check_time,
++                           "-CAfile", data_file("globalsign.pem"),
++                           "-untrusted", data_file("gts.pem"),
++                           data_file("google.pem")])),
++                  $desc);
++         });
++
++    unlink $blocklist_file;
++}
++
++plan tests => 3;
++
++subtest "=== Blocklist: Successful chain verification ===" => sub {
++    plan tests => 2;
++
++    test_blocklist("no blocklist", "", 0);
++
++    my $h = "60f1da1ee6967650f8e3f0d017effd9864d439367ee6839c999e668bd2b08131";
++    test_blocklist("non-matching sha256", "sha256 " + $h, 0);
++};
++
++subtest "=== Blocklist: Intermediate ===" => sub {
++    plan tests => 3;
++
++    test_blocklist("serial", "serial 01e3b49aa18d8aa981256950b8", 2);
++    test_blocklist("sha1", "sha1 dfe2070c79e7ff36a925ffa327ffe3deecf8f9c2", 2);
++    test_blocklist("sha256", "sha256 95c074e35902a14abd9d19afb6e7f80e669ff8e2363270539d963613f04aaa21", 2);
++};
++
++subtest "=== Blocklist: Leaf ===" => sub {
++    plan tests => 3;
++
++    test_blocklist("serial", "serial eaab738ecc290675020000000047d911", 2);
++    test_blocklist("sha1", "sha1 0fd9151c4d4a317b647e87713bd7226b8b4fcbda", 2);
++    test_blocklist("sha256", "sha256 49905184c9d70d7c850709f5bfa3f7c966dbe391e8e5d8aea1c11be942dcf0bb", 2);
++};
+--- /dev/null
++++ b/test/recipes/90-test_blocklist_data/globalsign.pem
+@@ -0,0 +1,22 @@
++-----BEGIN CERTIFICATE-----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==
++-----END CERTIFICATE-----
+--- /dev/null
++++ b/test/recipes/90-test_blocklist_data/google.pem
+@@ -0,0 +1,53 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
++
+--- /dev/null
++++ b/test/recipes/90-test_blocklist_data/gts.pem
+@@ -0,0 +1,25 @@
++-----BEGIN CERTIFICATE-----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==
++-----END CERTIFICATE-----
+-- 
+2.21.0
+
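Review bot: In `gets_trunc()` the loop condition `while (BIO_read(in, &b, 1))` treats a negative return as success, so a read error on the blocklist file keeps the loop running on a stale `b` and may never terminate; test for exactly one byte read, `while (BIO_read(in, &b, 1) == 1)`. `is_blocklisted()` also fails open: an unreadable file or a failed `X509_digest()` yields 0, and the path comes from plain `getenv("OPENSSL_BLOCKLIST_PATH")`, so the environment of the verifying process decides whether the blocklist is consulted at all; OpenSSL's internal `ossl_safe_getenv("OPENSSL_BLOCKLIST_PATH")` would at least ignore the variable in setuid/setgid processes. Entries are compared with `strcmp()` against lowercase hex, so an uppercase or CRLF-terminated entry silently never matches, which deserves a comment next to the parsing loop. In the new test recipe, `"sha256 " + $h` is numeric addition in Perl, so the "non-matching sha256" case does not write the intended line; it should be `"sha256 " . $h`.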
diff --git a/dev-libs/openssl/files/openssl-1.1.1j-chromium-compatibility.patch b/dev-libs/openssl/files/openssl-1.1.1j-chromium-compatibility.patch
new file mode 100644
index 0000000..964f644
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1j-chromium-compatibility.patch
@@ -0,0 +1,143 @@
+From c6ceceef9a8de3609c2894c30d2df701170e2022 Mon Sep 17 00:00:00 2001
+From: Mattias Nissler <mnissler@chromium.org>
+Date: Mon, 3 Feb 2020 12:18:28 +0100
+Subject: [PATCH] CHROMIUM: compatiblity patches for OpenSSL migration
+
+This adds adjustments to the code to help smoothen migration to
+OpenSSL 1.1.1. Specifically:
+
+ * If OPENSSL_CHROMIUM_SKIP_TRUSTED_PURPOSE_CHECK is set in the
+   environment, don't fail if the certificate chain validation finds
+   an inadequate certificate purpose for a trusted certificate in a
+   chain. This restores previous OpenSSL behavior.
+ * If OPENSSL_CHROMIUM_GENERATE_METRICS is set in the environment, generate
+   metric reports for the condition described above. This will help
+   quantify the situation in the field in preparation to drop the
+   compatibility patches eventually.
+
+BUG=chromium:1041803
+TEST=network_8021xWiredAuthentication passes, metrics get emitted.
+---
+ crypto/x509/x509_vfy.c | 92 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -11,6 +11,11 @@
+ #include <time.h>
+ #include <errno.h>
+ #include <limits.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <ctype.h>
++#include <sys/types.h>
++#include <sys/wait.h>
+ 
+ #include "internal/ctype.h"
+ #include "internal/cryptlib.h"
+@@ -505,6 +508,88 @@ static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
+     return sk;
+ }
+ 
++/*
++ * Get the process' comm string. Technically this isn't thread safe, but in
++ * practice it is exceedingly unlikely that we run into race conditions here,
++ * and the worst case is that we'll expose a partial comm string, which isn't
++ * the end of the world.
++ */
++static const char* chromium_get_proc_comm() {
++    static char comm[16] = "";  /* TASK_COMM_LEN + null terminator */
++
++    if (!*comm) {
++        char* p = NULL;
++
++        int rlen = 0;
++        BIO* file = BIO_new_file("/proc/self/comm", "r");
++        if (file) {
++            rlen = BIO_read(file, comm, sizeof(comm));
++            BIO_free(file);
++        }
++
++        if (rlen > 0) {
++            /* Last char in comm is '\n', strip it. */
++            comm[rlen - 1] = '\0';
++            for (p = comm; *p; ++p) {
++                if (isalnum(*p)) {
++                    *p = tolower(*p);
++                } else {
++                    *p = '_';
++                }
++            }
++        } else {
++            strncpy(comm, "UNKNOWN", sizeof(comm) - 1);
++        }
++    }
++
++    return comm;
++}
++
++/*
++ * Generate a UMA metric sample. Instead of dealing with the complications of
++ * linking to the Chromium metrics infrastructure, this just spawns
++ * metrics_client in a child process to record the sample.  Note that doing so
++ * requires fork() and exec() to work; specifically, the underlying clone() and
++ * execve() syscalls must not be filtered by seccomp, so only do this if
++ * instructed by an environment variable.
++ */
++static void chromium_maybe_generate_metric_sample(const char* name, int sample,
++                                                  int max)
++{
++    if (getenv("OPENSSL_CHROMIUM_GENERATE_METRICS") == NULL) {
++        return;
++    }
++
++    /* Prepare strings before fork() to avoid potential locking issues. */
++    char metric_name[256] = "";
++    snprintf(metric_name, sizeof(metric_name) - 1, "%s.%s", name,
++             chromium_get_proc_comm());
++    char sample_str[16] = "";
++    snprintf(sample_str, sizeof(sample_str) - 1, "%d", sample);
++    char max_str[16] = "";
++    snprintf(max_str, sizeof(max_str) - 1, "%d", max);
++
++    pid_t child_pid = fork();
++    if (child_pid < 0) {
++        return;
++    }
++
++    if (child_pid > 0) {
++        /* Reap the child to avoid leaving around zombies. */
++        waitpid(child_pid, NULL, 0);
++        return;
++    }
++
++    /* Child process, launch metrics_client. */
++    char* const argv[] = { "metrics_client", metric_name, sample_str, "0",
++        max_str, max_str, NULL };
++    char* const envp[] = { NULL };
++    execve("/usr/bin/metrics_client", argv, envp);
++
++    /* Make sure to always terminate even if execve fails. */
++    abort();
++}
++
+ /*
+  * Check EE or CA certificate purpose.  For trusted certificates explicit local
+  * auxiliary trust can be used to override EKU-restrictions.
+@@ -553,6 +638,13 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
+         break;
+     }
+ 
++    if (depth >= ctx->num_untrusted &&
++        getenv("OPENSSL_CHROMIUM_SKIP_TRUSTED_PURPOSE_CHECK") != NULL) {
++        chromium_maybe_generate_metric_sample(
++            "Platform.OpenSSL.SkipTrustedPurposeCheck", 1, 2);
++        return 1;
++    }
++
+     return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
+ }
+ 
+-- 
+2.24.1
+
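Review bot: The check added to `check_purpose()` reads `OPENSSL_CHROMIUM_SKIP_TRUSTED_PURPOSE_CHECK` with plain `getenv()`, so any process whose environment carries that variable accepts trusted certificates with an inadequate purpose, setuid/setgid processes included. OpenSSL's internal `ossl_safe_getenv()` would limit the override to non-privileged contexts, and the same applies to `OPENSSL_CHROMIUM_GENERATE_METRICS`, which gates a `fork()`/`execve()` from inside the library. In `chromium_maybe_generate_metric_sample()` the child calls `abort()` when `execve()` fails, which raises SIGABRT in a forked copy of the host process and can leave a core dump or crash report; `_exit(127);` is the usual choice there. `isalnum(*p)` and `tolower(*p)` in `chromium_get_proc_comm()` receive a plain `char`, which is undefined for negative values, so cast with `(unsigned char)*p`. The body of `check_purpose()` starts outside the hunk.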
diff --git a/dev-libs/openssl/openssl-1.1.1t-r1.ebuild b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
new file mode 120000
index 0000000..76f2966
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
@@ -0,0 +1 @@
+openssl-1.1.1t.ebuild
\ No newline at end of file
diff --git a/dev-libs/openssl/openssl-1.1.1t.ebuild b/dev-libs/openssl/openssl-1.1.1t.ebuild
new file mode 100644
index 0000000..2f8de9d
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1t.ebuild
@@ -0,0 +1,305 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit flag-o-matic toolchain-funcs multilib-minimal verify-sig
+
+MY_P=${P/_/-}
+
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="https://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+	verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssl.org.asc
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+[[ "${PV}" = *_pre* ]] || \
+KEYWORDS="*"
+IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig bindist"
+RESTRICT="!test? ( test )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		sys-devel/bc
+		kernel_linux? ( sys-process/procps )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-openssl )"
+PDEPEND="app-misc/ca-certificates"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
+	"${FILESDIR}"/${PN}-1.1.1j-blocklist.patch
+	"${FILESDIR}"/${PN}-1.1.1j-chromium-compatibility.patch
+)
+
+S="${WORKDIR}/${MY_P}"
+
+# force upgrade to prevent broken login, bug 696950
+RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
+
+MULTILIB_WRAPPED_HEADERS=(
+	usr/include/openssl/opensslconf.h
+)
+
+pkg_setup() {
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl don't work with userpriv!
+	if use test && use sctp; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_prepare() {
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	chmod a+rx gentoo.config || die
+
+	# keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
+			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
+		fi
+	fi
+
+	eapply_user #332661
+
+	if use test && use sctp && has network-sandbox ${FEATURES}; then
+		ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
+		rm test/recipes/80-test_ssl_new.t || die
+		eend $?
+	fi
+
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	# Make DOCDIR Gentoo compliant
+	sed -i \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
+		Configurations/unix-Makefile.tmpl \
+		|| die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+
+	# Prefixify Configure shebang (#141906)
+	sed \
+		-e "1s,/usr/bin/env,${EPREFIX}&," \
+		-i Configure || die
+	# Remove test target when FEATURES=test isn't set
+	if ! use test ; then
+		sed \
+			-e '/^$config{dirs}/s@ "test",@@' \
+			-i Configure || die
+	fi
+
+	if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
+		# use GNU ld full option, not to confuse it on Solaris
+		sed -i \
+			-e 's/-Wl,-M,/-Wl,--version-script=/' \
+			-e 's/-Wl,-h,/-Wl,--soname=/' \
+			Configurations/10-main.conf || die
+
+		# fix building on Solaris 10
+		# https://github.com/openssl/openssl/issues/6333
+		sed -i \
+			-e 's/-lsocket -lnsl -ldl/-lsocket -lnsl -ldl -lrt/' \
+			Configurations/10-main.conf || die
+	fi
+
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	cros_optimize_package_for_speed
+
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	# echo "__uint128_t i;" > "${T}"/128.c
+	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	# 	ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	# fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	# "disable-deprecated" option breaks too many consumers.
+	# Don't set it without thorough revdeps testing.
+	# Make sure user flags don't get added *yet* to avoid duplicated
+	# flags.
+	CFLAGS= LDFLAGS= echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		enable-ec \
+		enable-ec2m \
+		enable-sm2 \
+		enable-srp \
+		$(use elibc_musl && echo "no-async") \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		enable-rc5 \
+		$(use_ssl sslv3 ssl3) \
+		$(use_ssl sslv3 ssl3-method) \
+		$(use_ssl asm) \
+		$(use_ssl rfc3779) \
+		$(use_ssl sctp) \
+		$(use_ssl tls-compression zlib) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAGS=::' \
+		-e 's:\(^\| \)-fomit-frame-pointer::g' \
+		-e 's:\(^\| \)-O[^ ]*::g' \
+		-e 's:\(^\| \)-march=[^ ]*::g' \
+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
+		-e 's:\(^\| \)-m[^ ]*::g' \
+		-e 's:^ *::' \
+		-e 's: *$::' \
+		-e 's: \+: :g' \
+		-e 's:\\:\\\\:g'
+	)
+
+	# Now insert clean default flags with user flags
+	sed -i \
+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	# We need to create $ED/usr on our own to avoid a race condition #665130
+	if [[ ! -d "${ED}/usr" ]]; then
+		# We can only create this directory once
+		mkdir "${ED}"/usr || die
+	fi
+
+	emake DESTDIR="${D}" install
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
+
+	# create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man || die
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			# We don't want to "|| die" here
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+
+	insinto /etc/ssl
+	doins "${FILESDIR}"/openssl.cnf.compat
+	doins "${FILESDIR}"/blocklist
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+}
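Review bot: With `USE=vanilla`, `src_prepare()` skips `eapply "${PATCHES[@]}"`, which drops the blocklist patch, yet `multilib_src_install_all()` still runs `doins "${FILESDIR}"/blocklist`; the result is a libcrypto that ships a blocklist file it never consults. Either make that visible, e.g. `use vanilla && ewarn "USE=vanilla: certificate blocklist patch is not applied"`, or apply the blocklist patch regardless of the flag. `insinto /etc/ssl` also hard-codes the directory the rest of the ebuild takes from `SSL_CNF_DIR`; `insinto "${SSL_CNF_DIR}"` keeps the installed blocklist under the `--openssldir` that the patched code falls back to. `blocklist`, `openssl.cnf.compat` and `gentoo.config-1.0.2` are not added by this commit, so they presumably already exist under `files/`, which is worth confirming.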