dev-libs/openssl/openssl-1.0.2u.ebuild - third_party/overlays/chromiumos-overlay - Git at Google

 # Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 EAPI="5"

 inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal cros-sanitizers

 # openssl-1.0.2-patches-1.6 contain additional CVE patches
 # which got fixed with this release.
 # Please use 1.7 version number when rolling a new tarball!
 PATCH_SET="openssl-1.0.2-patches-1.5"
 MY_P=${P/_/-}
 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
 HOMEPAGE="https://www.openssl.org/"
 SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
 	!vanilla? (
 		mirror://gentoo/${PATCH_SET}.tar.xz
 		https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
 		https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
 		https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
 	)"

 LICENSE="openssl"
 SLOT="legacy"
 KEYWORDS="*"
 IUSE="+asm bindist cros_host gmp kerberos msan oldssl rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
 RESTRICT="!bindist? ( bindist )"

 RDEPEND=">=app-misc/c_rehash-1.7-r1
 	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
 	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
 	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
 	!<dev-libs/openssl-1.1.1g-r1:0
 	!<dev-libs/openssl-1.0.2t-r4:0"
 DEPEND="${RDEPEND}
 	>=dev-lang/perl-5
 	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
 	test? (
 		sys-apps/diffutils
 		sys-devel/bc
 	)"
 PDEPEND="app-misc/ca-certificates"

 # This does not copy the entire Fedora patchset, but JUST the parts that
 # are needed to make it safe to use EC with RESTRICT=bindist.
 # See openssl.spec for the matching numbering of SourceNNN, PatchNNN
 SOURCE1=hobble-openssl
 SOURCE12=ec_curve.c
 SOURCE13=ectest.c
 # These are ported instead
 #PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
 #PATCH37=openssl-1.1.0-ec-curves.patch
 FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
 FEDORA_GIT_BRANCH='f25'
 FEDORA_SRC_URI=()
 FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
 FEDORA_PATCH=( $PATCH1 $PATCH37 )
 for i in "${FEDORA_SOURCE[@]}" ; do
 	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
 done
 for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
 	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
 done
 SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"

 S="${WORKDIR}/${MY_P}"

 HEADER_TAINT="#ifdef CHROMEOS_OPENSSL_IS_BORINGSSL
 #error \"Do not mix OpenSSL and BoringSSL headers.\"
 #endif
 #define CHROMEOS_OPENSSL_IS_OPENSSL\n"

 MULTILIB_WRAPPED_HEADERS=(
 	usr/include/openssl/opensslconf.h
 )

 src_prepare() {
 	# Taint OpenSSL headers so they don't silently mix with BoringSSL.
 	find . -name "*.h" -exec awk -i inplace -v "taint=${HEADER_TAINT}" \
 		'NR == 1 {print taint} {print}' {} \;

 	if use bindist; then
 		# This just removes the prefix, and puts it into WORKDIR like the RPM.
 		for i in "${FEDORA_SOURCE[@]}" ; do
 			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
 		done
 		# .spec %prep
 		bash "${WORKDIR}"/"${SOURCE1}" || die
 		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
 		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1
 		for i in "${FEDORA_PATCH[@]}" ; do
 			epatch "${DISTDIR}"/"${i}"
 		done
 		epatch "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
 		# Also see the configure parts below:
 		# enable-ec \
 		# $(use_ssl !bindist ec2m) \
 		# $(use_ssl !bindist srp) \
 	fi

 	# keep this in sync with app-misc/c_rehash
 	SSL_CNF_DIR="/etc/ssl"

 	# Make sure we only ever touch Makefile.org and avoid patching a file
 	# that gets blown away anyways by the Configure script in src_configure
 	rm -f Makefile

 	if ! use vanilla ; then
 		epatch "${WORKDIR}"/patch/*.patch

 		# Chromium OS patches.
 		epatch "${FILESDIR}"/${PN}-1.0.2-blacklist-by-sha1.patch
 	fi

 	epatch_user

 	# Upstream asm syntax fixes from OpenSSL 1.1.1.
 	epatch "${FILESDIR}"/${PN}-1.0.2-asm.patch
 	epatch "${FILESDIR}"/${PN}-1.0.2-asm-armv4-mont.patch

 	# disable fips in the build
 	# make sure the man pages are suffixed #302165
 	# don't bother building man pages if they're disabled
 	sed -i \
 		-e '/DIRS/s: fips : :g' \
 		-e '/^MANSUFFIX/s:=.*:=ssl:' \
 		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
 		-e $(has noman FEATURES \
 			&& echo '/^install:/s:install_docs::' \
 			|| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
 		Makefile.org \
 		|| die
 	# show the actual commands in the log
 	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared

 	# since we're forcing $(CC) as makedep anyway, just fix
 	# the conditional as always-on
 	# helps clang (#417795), and versioned gcc (#499818)
 	# this breaks build with 1.0.2p, not sure if it is needed anymore
 	#sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die

 	# quiet out unknown driver argument warnings since openssl
 	# doesn't have well-split CFLAGS and we're making it even worse
 	# and 'make depend' uses -Werror for added fun (#417795 again)
 	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments

 	# allow openssl to be cross-compiled
 	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
 	chmod a+rx gentoo.config || die

 	append-flags -fno-strict-aliasing
 	append-flags $(test-flags-CC -Wa,--noexecstack)
 	append-cppflags -DOPENSSL_NO_BUF_FREELISTS

 	# Enable code coverage flags when requested
 	coverage-setup-env

 	# Add PURIFY=1 for msan builds, https://crbug.com/960520
 	use msan && append-cppflags "-DPURIFY=1"

 	sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
 	# The config script does stupid stuff to prompt the user.  Kill it.
 	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
 	./config --test-sanity || die "I AM NOT SANE"

 	multilib_copy_sources
 }

 multilib_src_configure() {
 	cros_optimize_package_for_speed

 	unset APPS #197996
 	unset SCRIPTS #312551
 	unset CROSS_COMPILE #311473

 	tc-export CC AR RANLIB RC

 	# Clean out patent-or-otherwise-encumbered code
 	# Camellia: Royalty Free            https://en.wikipedia.org/wiki/Camellia_(cipher)
 	# IDEA:     Expired                 https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
 	# EC:       ????????? ??/??/2015    https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
 	# MDC2:     Expired                 https://en.wikipedia.org/wiki/MDC-2
 	# RC5:      Expired                 https://en.wikipedia.org/wiki/RC5

 	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
 	echoit() { echo "$@" ; "$@" ; }

 	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")

 	# See if our toolchain supports __uint128_t.  If so, it's 64bit
 	# friendly and can use the nicely optimized code paths. #460790
 	local ec_nistp_64_gcc_128
 	# Disable it for now though #469976
 	#if ! use bindist ; then
 	#	echo "__uint128_t i;" > "${T}"/128.c
 	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
 	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
 	#	fi
 	#fi

 	# https://github.com/openssl/openssl/issues/2286
 	if use ia64 ; then
 		replace-flags -g3 -g2
 		replace-flags -ggdb3 -ggdb2
 	fi

 	local sslout=$(./gentoo.config)
 	einfo "Use configuration ${sslout:-(openssl knows best)}"
 	local config="Configure"
 	[[ -z ${sslout} ]] && config="config"

 	# Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
 	echoit \
 	./${config} \
 		${sslout} \
 		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
 		enable-camellia \
 		enable-ec \
 		$(use_ssl !bindist ec2m) \
 		$(use_ssl !bindist srp) \
 		${ec_nistp_64_gcc_128} \
 		enable-idea \
 		enable-mdc2 \
 		enable-rc5 \
 		enable-tlsext \
 		$(use_ssl asm) \
 		$(use_ssl gmp gmp -lgmp) \
 		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
 		$(use_ssl rfc3779) \
 		$(use_ssl sctp) \
 		$(use_ssl sslv2 ssl2) \
 		$(use_ssl sslv3 ssl3) \
 		$(use_ssl tls-heartbeat heartbeats) \
 		$(use_ssl zlib) \
 		--prefix="${EPREFIX%/}"/usr \
 		--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
 		--libdir=$(get_libdir) \
 		shared threads \
 		|| die

 	# Clean out hardcoded flags that openssl uses
 	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
 		-e 's:^CFLAG=::' \
 		-e 's:-fomit-frame-pointer ::g' \
 		-e 's:-O[0-9] ::g' \
 		-e 's:-march=[-a-z0-9]* ::g' \
 		-e 's:-mcpu=[-a-z0-9]* ::g' \
 		-e 's:-m[a-z0-9]* ::g' \
 	)
 	sed -i \
 		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
 		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
 		Makefile || die
 }

 multilib_src_compile() {
 	# depend is needed to use $confopts; it also doesn't matter
 	# that it's -j1 as the code itself serializes subdirs
 	emake -j1 V=1 depend
 	emake all

 	# rehash is needed to prep the certs/ dir; do this
 	# separately to avoid parallel build issues.
 	emake rehash
 }

 multilib_src_test() {
 	emake -j1 test
 }

 compat_only() {
 	! use oldssl
 }

 multilib_src_install() {
 	if compat_only; then
 		if use cros_host; then
 			# Only install the libraries so binaries that depend on
 			# them keep working. Once these binaries are rebuilt
 			# against the new version, we can drop this ebuild.
 			dolib.so libcrypto.so.1.0.0
 			dolib.so libssl.so.1.0.0
 		fi

 		return
 	fi

 	# We need to create $ED/usr on our own to avoid a race condition #665130
 	if [[ ! -d "${ED%/}/usr" ]]; then
 		# We can only create this directory once
 		mkdir "${ED%/}"/usr || die
 	fi

 	emake INSTALL_PREFIX="${D%/}" install
 }

 multilib_src_install_all() {
 	if compat_only; then
 		return
 	fi

 	# openssl installs perl version of c_rehash by default, but
 	# we provide a shell version via app-misc/c_rehash
 	rm "${ED%/}"/usr/bin/c_rehash || die

 	local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
 	einstalldocs

 	use rfc3779 && dodoc engines/ccgost/README.gost

 	# This is crappy in that the static archives are still built even
 	# when USE=static-libs.  But this is due to a failing in the openssl
 	# build system: the static archives are built as PIC all the time.
 	# Only way around this would be to manually configure+compile openssl
 	# twice; once with shared lib support enabled and once without.
 	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a

 	# create the certs directory
 	dodir ${SSL_CNF_DIR}/certs
 	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
 	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}

 	# Namespace openssl programs to prevent conflicts with other man pages
 	cd "${ED}"/usr/share/man
 	local m d s
 	for m in $(find . -type f | xargs grep -L '#include') ; do
 		d=${m%/*} ; d=${d#./} ; m=${m##*/}
 		[[ ${m} == openssl.1* ]] && continue
 		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
 		mv ${d}/{,ssl-}${m}
 		# fix up references to renamed man pages
 		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
 		ln -s ssl-${m} ${d}/openssl-${m}
 		# locate any symlinks that point to this man page ... we assume
 		# that any broken links are due to the above renaming
 		for s in $(find -L ${d} -type l) ; do
 			s=${s##*/}
 			rm -f ${d}/${s}
 			ln -s ssl-${m} ${d}/ssl-${s}
 			ln -s ssl-${s} ${d}/openssl-${s}
 		done
 	done
 	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("

 	dodir /etc/sandbox.d #254521
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

 	diropts -m0700
 	keepdir ${SSL_CNF_DIR}/private

 	insinto ${SSL_CNF_DIR}
 	doins "${FILESDIR}"/blacklist
 }

 pkg_postinst() {
 	if compat_only; then
 		return
 	fi

 	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
 	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
 	eend $?
 }
	# Copyright 1999-2019 Gentoo Authors
	# Distributed under the terms of the GNU General Public License v2

	EAPI="5"

	inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal cros-sanitizers

	# openssl-1.0.2-patches-1.6 contain additional CVE patches
	# which got fixed with this release.
	# Please use 1.7 version number when rolling a new tarball!
	PATCH_SET="openssl-1.0.2-patches-1.5"
	MY_P=${P/_/-}
	DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
	HOMEPAGE="https://www.openssl.org/"
	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
	!vanilla? (
	mirror://gentoo/${PATCH_SET}.tar.xz
	https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
	https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz
	)"

	LICENSE="openssl"
	SLOT="legacy"
	KEYWORDS="*"
	IUSE="+asm bindist cros_host gmp kerberos msan oldssl rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
	RESTRICT="!bindist? ( bindist )"

	RDEPEND=">=app-misc/c_rehash-1.7-r1
	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
	!<dev-libs/openssl-1.1.1g-r1:0
	!<dev-libs/openssl-1.0.2t-r4:0"
	DEPEND="${RDEPEND}
	>=dev-lang/perl-5
	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
	test? (
	sys-apps/diffutils
	sys-devel/bc
	)"
	PDEPEND="app-misc/ca-certificates"

	# This does not copy the entire Fedora patchset, but JUST the parts that
	# are needed to make it safe to use EC with RESTRICT=bindist.
	# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
	SOURCE1=hobble-openssl
	SOURCE12=ec_curve.c
	SOURCE13=ectest.c
	# These are ported instead
	#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
	#PATCH37=openssl-1.1.0-ec-curves.patch
	FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
	FEDORA_GIT_BRANCH='f25'
	FEDORA_SRC_URI=()
	FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
	FEDORA_PATCH=( $PATCH1 $PATCH37 )
	for i in "${FEDORA_SOURCE[@]}" ; do
	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
	done
	for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
	done
	SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"

	S="${WORKDIR}/${MY_P}"

	HEADER_TAINT="#ifdef CHROMEOS_OPENSSL_IS_BORINGSSL
	#error \"Do not mix OpenSSL and BoringSSL headers.\"
	#endif
	#define CHROMEOS_OPENSSL_IS_OPENSSL\n"

	MULTILIB_WRAPPED_HEADERS=(
	usr/include/openssl/opensslconf.h
	)

	src_prepare() {
	# Taint OpenSSL headers so they don't silently mix with BoringSSL.
	find . -name "*.h" -exec awk -i inplace -v "taint=${HEADER_TAINT}" \
	'NR == 1 {print taint} {print}' {} \;

	if use bindist; then
	# This just removes the prefix, and puts it into WORKDIR like the RPM.
	for i in "${FEDORA_SOURCE[@]}" ; do
	cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" \|\| die
	done
	# .spec %prep
	bash "${WORKDIR}"/"${SOURCE1}" \|\| die
	cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ \|\| die
	cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ \|\| die # Moves to test/ in OpenSSL-1.1
	for i in "${FEDORA_PATCH[@]}" ; do
	epatch "${DISTDIR}"/"${i}"
	done
	epatch "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch
	# Also see the configure parts below:
	# enable-ec \
	# $(use_ssl !bindist ec2m) \
	# $(use_ssl !bindist srp) \
	fi

	# keep this in sync with app-misc/c_rehash
	SSL_CNF_DIR="/etc/ssl"

	# Make sure we only ever touch Makefile.org and avoid patching a file
	# that gets blown away anyways by the Configure script in src_configure
	rm -f Makefile

	if ! use vanilla ; then
	epatch "${WORKDIR}"/patch/*.patch

	# Chromium OS patches.
	epatch "${FILESDIR}"/${PN}-1.0.2-blacklist-by-sha1.patch
	fi

	epatch_user

	# Upstream asm syntax fixes from OpenSSL 1.1.1.
	epatch "${FILESDIR}"/${PN}-1.0.2-asm.patch
	epatch "${FILESDIR}"/${PN}-1.0.2-asm-armv4-mont.patch

	# disable fips in the build
	# make sure the man pages are suffixed #302165
	# don't bother building man pages if they're disabled
	sed -i \
	-e '/DIRS/s: fips : :g' \
	-e '/^MANSUFFIX/s:=.*:=ssl:' \
	-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
	-e $(has noman FEATURES \
	&& echo '/^install:/s:install_docs::' \
	\|\| echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \
	Makefile.org \
	\|\| die
	# show the actual commands in the log
	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared

	# since we're forcing $(CC) as makedep anyway, just fix
	# the conditional as always-on
	# helps clang (#417795), and versioned gcc (#499818)
	# this breaks build with 1.0.2p, not sure if it is needed anymore
	#sed -i 's/expr.MAKEDEPEND.;/true;/' util/domd \|\| die

	# quiet out unknown driver argument warnings since openssl
	# doesn't have well-split CFLAGS and we're making it even worse
	# and 'make depend' uses -Werror for added fun (#417795 again)
	[[ ${CC} == clang ]] && append-flags -Qunused-arguments

	# allow openssl to be cross-compiled
	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config \|\| die
	chmod a+rx gentoo.config \|\| die

	append-flags -fno-strict-aliasing
	append-flags $(test-flags-CC -Wa,--noexecstack)
	append-cppflags -DOPENSSL_NO_BUF_FREELISTS

	# Enable code coverage flags when requested
	coverage-setup-env

	# Add PURIFY=1 for msan builds, https://crbug.com/960520
	use msan && append-cppflags "-DPURIFY=1"

	sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906
	# The config script does stupid stuff to prompt the user. Kill it.
	sed -i '/stty -icanon min 0 time 50; read waste/d' config \|\| die
	./config --test-sanity \|\| die "I AM NOT SANE"

	multilib_copy_sources
	}

	multilib_src_configure() {
	cros_optimize_package_for_speed

	unset APPS #197996
	unset SCRIPTS #312551
	unset CROSS_COMPILE #311473

	tc-export CC AR RANLIB RC

	# Clean out patent-or-otherwise-encumbered code
	# Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
	# IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
	# EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
	# MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
	# RC5: Expired https://en.wikipedia.org/wiki/RC5

	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
	echoit() { echo "$@" ; "$@" ; }

	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" \|\| echo "Heimdal")

	# See if our toolchain supports __uint128_t. If so, it's 64bit
	# friendly and can use the nicely optimized code paths. #460790
	local ec_nistp_64_gcc_128
	# Disable it for now though #469976
	#if ! use bindist ; then
	# echo "__uint128_t i;" > "${T}"/128.c
	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
	# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
	# fi
	#fi

	# https://github.com/openssl/openssl/issues/2286
	if use ia64 ; then
	replace-flags -g3 -g2
	replace-flags -ggdb3 -ggdb2
	fi

	local sslout=$(./gentoo.config)
	einfo "Use configuration ${sslout:-(openssl knows best)}"
	local config="Configure"
	[[ -z ${sslout} ]] && config="config"

	# Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
	echoit \
	./${config} \
	${sslout} \
	$(use cpu_flags_x86_sse2 \|\| echo "no-sse2") \
	enable-camellia \
	enable-ec \
	$(use_ssl !bindist ec2m) \
	$(use_ssl !bindist srp) \
	${ec_nistp_64_gcc_128} \
	enable-idea \
	enable-mdc2 \
	enable-rc5 \
	enable-tlsext \
	$(use_ssl asm) \
	$(use_ssl gmp gmp -lgmp) \
	$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
	$(use_ssl rfc3779) \
	$(use_ssl sctp) \
	$(use_ssl sslv2 ssl2) \
	$(use_ssl sslv3 ssl3) \
	$(use_ssl tls-heartbeat heartbeats) \
	$(use_ssl zlib) \
	--prefix="${EPREFIX%/}"/usr \
	--openssldir="${EPREFIX%/}"${SSL_CNF_DIR} \
	--libdir=$(get_libdir) \
	shared threads \
	\|\| die

	# Clean out hardcoded flags that openssl uses
	local CFLAG=$(grep ^CFLAG= Makefile \| LC_ALL=C sed \
	-e 's:^CFLAG=::' \
	-e 's:-fomit-frame-pointer ::g' \
	-e 's:-O[0-9] ::g' \
	-e 's:-march=[-a-z0-9]* ::g' \
	-e 's:-mcpu=[-a-z0-9]* ::g' \
	-e 's:-m[a-z0-9]* ::g' \
	)
	sed -i \
	-e "/^CFLAG/s\|=.*\|=${CFLAG} ${CFLAGS}\|" \
	-e "/^SHARED_LDFLAGS=/s\|$\| ${LDFLAGS}\|" \
	Makefile \|\| die
	}

	multilib_src_compile() {
	# depend is needed to use $confopts; it also doesn't matter
	# that it's -j1 as the code itself serializes subdirs
	emake -j1 V=1 depend
	emake all

	# rehash is needed to prep the certs/ dir; do this
	# separately to avoid parallel build issues.
	emake rehash
	}

	multilib_src_test() {
	emake -j1 test
	}

	compat_only() {
	! use oldssl
	}

	multilib_src_install() {
	if compat_only; then
	if use cros_host; then
	# Only install the libraries so binaries that depend on
	# them keep working. Once these binaries are rebuilt
	# against the new version, we can drop this ebuild.
	dolib.so libcrypto.so.1.0.0
	dolib.so libssl.so.1.0.0
	fi

	return
	fi

	# We need to create $ED/usr on our own to avoid a race condition #665130
	if [[ ! -d "${ED%/}/usr" ]]; then
	# We can only create this directory once
	mkdir "${ED%/}"/usr \|\| die
	fi

	emake INSTALL_PREFIX="${D%/}" install
	}

	multilib_src_install_all() {
	if compat_only; then
	return
	fi

	# openssl installs perl version of c_rehash by default, but
	# we provide a shell version via app-misc/c_rehash
	rm "${ED%/}"/usr/bin/c_rehash \|\| die

	local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
	einstalldocs

	use rfc3779 && dodoc engines/ccgost/README.gost

	# This is crappy in that the static archives are still built even
	# when USE=static-libs. But this is due to a failing in the openssl
	# build system: the static archives are built as PIC all the time.
	# Only way around this would be to manually configure+compile openssl
	# twice; once with shared lib support enabled and once without.
	use static-libs \|\| rm -f "${ED}"/usr/lib/lib.a

	# create the certs directory
	dodir ${SSL_CNF_DIR}/certs
	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ \|\| die
	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}

	# Namespace openssl programs to prevent conflicts with other man pages
	cd "${ED}"/usr/share/man
	local m d s
	for m in $(find . -type f \| xargs grep -L '#include') ; do
	d=${m%/} ; d=${d#./} ; m=${m##/}
	[[ ${m} == openssl.1* ]] && continue
	[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
	mv ${d}/{,ssl-}${m}
	# fix up references to renamed man pages
	sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
	ln -s ssl-${m} ${d}/openssl-${m}
	# locate any symlinks that point to this man page ... we assume
	# that any broken links are due to the above renaming
	for s in $(find -L ${d} -type l) ; do
	s=${s##*/}
	rm -f ${d}/${s}
	ln -s ssl-${m} ${d}/ssl-${s}
	ln -s ssl-${s} ${d}/openssl-${s}
	done
	done
	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("

	dodir /etc/sandbox.d #254521
	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

	diropts -m0700
	keepdir ${SSL_CNF_DIR}/private

	insinto ${SSL_CNF_DIR}
	doins "${FILESDIR}"/blacklist
	}

	pkg_postinst() {
	if compat_only; then
	return
	fi

	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
	eend $?
	}