Attachment #399290 for bug #543826

View | Details | Raw Unified | Return to bug 543826 | Differences between
Collapse All | Expand All




AUX gentoo.config-1.0.1 4784 SHA256 26d1b360f094dd4e1acf47c3e830b52343c0f778dcd8f2c5b6c213b7e5192d13 SHA512 605e86cc68bbce5405b359098cc0a5abdc071a36462ca868d2fce57cabd928536fbcb0f5dea7318c96b3f9fca39b8c303601fff4442a8e68d7f99254180980e7 WHIRLPOOL eb7540c99ad4bbc60a3decd30e9d7d3816bb7cdd948c9c76950b278acec34a4737f1afaf543e9e524ea0cef8ae26008c065bef44129673e40ccaec9509052575
AUX openssl-1.0.0a-ldflags.patch 1095 SHA256 2489ffbae4af11e1642d54992c404ca81b0c2a9c169032281f4f7778d945836f SHA512 d5a3f90ca0e9755940da525b8daba5b5d09b2b251863e9ca4f2b3b0a5db461e0aa25b2ae7a7d36d13a92ff64f2a37d4809b70aff9672c0f43398369bc7099979 WHIRLPOOL b7c2fbc833be856388110f2ac891976903e7c5dd4030249bcd79f915ae94fa93bff955ff3eaaf4a4bab306a09512bd861099c2738f5af7027174b79d023f7261
AUX openssl-1.0.0d-windres.patch 2912 SHA256 e5dbfd6af69bc3f69b51787cf1f6245207be9824dfffbdd9b4e278772ed8ab32 SHA512 d7a0238edea29aac7d20dca0778c67f8ae4dc0da190e5277e1b3519ae536f2c44533ac5dc1cbcd138bc4277ad669b13fca316bd962f26e2cb387f2ad3fd0111b WHIRLPOOL d62156820e55898d0a0393473c6ad8e49c5aa7bb9d3fc7043795de7102c3003d5f8b874c751e03cf832e306ac290790e871e1318bb830b3558a43e09be5b45b4
AUX openssl-1.0.0h-pkg-config.patch 1363 SHA256 dbbcc175f02e5edced01a13dd1e7d35dc4322c0970f78a7fd781a6c0766886af SHA512 c2f7a68c96098bd742235a40f27d6b1e5a0ebece53ca32dd0be74b85210479064efa1d5dc76e457b786067185768492fab2ed53762a22c511c2a2e3d43ed137b WHIRLPOOL 7f795dbed2124d8d2d126886d106675662f09b8e79c70fa2af3298486fdb75b7f1285dc17a53daf985bd4af1e58c36e13e49f46d18af860f0dabad1b3898c3b0
AUX openssl-1.0.1-parallel-build.patch 10614 SHA256 f3aa674880ffa53a891d3f9054a1ff162c4461b3ec160a365990275907636259 SHA512 439015b3b007adfbab047a1e3e12a9700030779a593bba1a30e9554c7c02eb1cffe9acb089546954e87163847cf86b13130abf9646eb5d00a2ff725b534f84d5 WHIRLPOOL 673f6f045765effb9ded607bf8116a81e7bfeee78ba0e8a34892081c272239a2b75fbb14f4c48b61d93593fac8e1b1e8bef7223f4cc64e8443e19c8f337ab6bc
AUX openssl-1.0.1-x32.patch 3273 SHA256 a4f05b8757e225a05a9c5a3ea485159066760d878c9ee54c4eaf61760e33c6cf SHA512 6bed57fe2fbe2d0ced1279b53804d94426a679d5d6b80ad7d0ed18523a7fda397e02038032c08cdd4e6034f9ff6e82cad365ff2a724d49d91467cf2b77f47752 WHIRLPOOL 1366632e7dc1c6e54efc5b9791bf24833d20e7a61ca29aa38d31b5b9629febf926a29742e370b7cd6767c810c0a1676100ca9169f0d836dfd19ff0b2c29e49c1
AUX openssl-1.0.1c-force-termios.patch 1849 SHA256 3c5a65f2961e5fd0031b0fabe0021f8531e901a5c8674c03d2b03157a184998b SHA512 6f938fc0778040104bd7d9fdf08e1200f25337089fdb0c2df935b6f5144849be550c66a9a83699bbec5b32304de5fea2ded325505412e2e4d3439dd49ed05db9 WHIRLPOOL 44f080f5f2ba75421495865486fbacc92a1d1b32100f1c4b384430957179b49ed0e91472832db12758504c87ffca2455a03db9d56da61532f5baffdefd94b390
AUX openssl-1.0.1e-ipv6.patch 18596 SHA256 430d15f2f62c2d7b9bbb968d3c1d3cea51c97d549e01683fd6befb20e2b60946 SHA512 15bfcafc8c173d2875954a43db19d15956619528a0fc356b6d36877f7434321071cf707d950767491261adc1e6403e56b3e014e3d0ffb6cef563daca00a128bd WHIRLPOOL d1dd63d00b166efb1ca9e5d8da931a47e571f5784e3b47780355553b4d0cf656885375e3fe7fc1554b6c5eb749371efeb370c7462e4fcc52c0dd85c6e2318ad8
AUX openssl-1.0.1e-perl-5.18.patch 8211 SHA256 0d2263de7cd1e814cf7583a738d7c439dadb6f195793a29356186b336edc5a98 SHA512 4b56cae218af916c5d7f1006f0a17e34eebc6ee9fb08789db0b18b7e0d6ca7ea0b297efdc712f8951b4db55d15dffea33faa939d2daa42db6be61670e43f0412 WHIRLPOOL 78ced5c41dba502f93f92322516ac8774ff73ce236c7cf793f7e502822c8b0c288f2ed4360d89d2ff2bfaf969f6bd0cc12b28151eda0217197c60bf6a561d8cf
AUX openssl-1.0.1e-s_client-verify.patch 592 SHA256 6f540fce663eefbe68cee16ad7d8d561d6c898eeb4180c2f4a4caa7e43c6d0c9 SHA512 117b1017e1259667078d3ccdcd9fd46357c6f85cf2702794f49c612b37acdc044fe88f871dbe46fcad9ed4cd8aaaaee800dddb5286203322802efd7549a43b68 WHIRLPOOL 70a4cc36b1dcb24d7e9bcef016684fb2394977f7f20aa332ebd0aa15e3f4c16c74563d2fc0ba8d70669f6cc9a13bf8a30cdb28ebafe2d102cd2859a4e32c38d7
AUX openssl-1.0.1e-tls-ver-crash.patch 1203 SHA256 4868de1b15bea5cc695ffd22ae414b03aaa6bdd5b99313654043e29d4d0c9f76 SHA512 b87457ae5c0f2b605b47a683eb16ab2f3432873765b401a49d0ad300e3f96fa817fc5a85c6fd2c65143d355322911d6da2bdf576d0c212715d6c6b3c662e96d2 WHIRLPOOL e728ce3f2c7325469629ea0ef5a3c02860df9264a46218bdf553ad8eec56c5d4bf3fd6c63e0b67ff5734d503e4c3182f29f16ce80198b272eacca11177f48e5c
AUX openssl-1.0.1f-perl-5.18.patch 7820 SHA256 e45c6856ef35b16e150282afa59432e783943e6aee62394f8a0e79ccd469fd84 SHA512 2fcda9f76968e8a193892170b2acc06b246c5a04bda2c501fa223231af0e4b2a38afd1adaf83cce4afd4210cdfd9cae8251aeb9510f24bcb50e7aeaa9fa09364 WHIRLPOOL 38768056d2bc4cd719c88038d201f765420a7d47b5dbd73b6d86347e59b4a1fc62f5f27d6c576fb73184fcfe26917446753d871db22aeac2a205f0bd18d2bbc3
AUX openssl-1.0.1f-revert-alpha-perl-generation.patch 3102 SHA256 6e502275b32ac0eca80f28448ae1bb88506f9135258f420fd857ea0b9b485778 SHA512 c80439da3d268e70fd492d0ca73c0a17ddb088b9330610794a338d1921ee13dad9caca4c81ca103b82a7541c8712f77e51f352ec1b1b02789d9aed291acb0cdc WHIRLPOOL cb760366c8759b1c78c5307134bb48c4fc12b1556276c2ef55455ea54725d20cb433ade966a7453f512d2feb5ae89a9798078ab535e4605366633a8e003c7ac6
AUX openssl-1.0.1h-ipv6.patch 17788 SHA256 7adeeb88cc544f8b210efbe2baff48fccf5029b582dff7010ae70e0e1f097d7b SHA512 0f0990d4294abcb5f3e51c84080883046a054c710b57a23f99b3323727d5e9aeb5ddeb6b6c2565b4be364f7c21419c90ce5288154e404cd663678f87e0d1c259 WHIRLPOOL cfe7a2e141a4a6252ffcfe215b16dd1082bc14a757dad7eb01bb9819de41ef0ee51a4b2dbf110c27b52e483341c337bf4d1f77f4f9f3172d2fee9e348c30af7e
AUX openssl-1.0.1l-CVE-2015-0286.patch 10790 SHA256 3d234f4b7bd79b7de1a6fe2f42016531732c81dcb73af45edc5b280858d32cb8 SHA512 432a9e556df26e3f0059f53556dbc088cfe7e30e2c38354e7a7879bb4db204330702ab8050b9b31b3ef48badb8f0abdbf047445b71aa0c4c96f5aeb0bf16f9df WHIRLPOOL c4834efebdca3bee769819fee40099f2d83f4282db98a96da853164dae2639adaef18fe3caf87801f52e53b47752a99fd693aab66239e30344b714119c4c1c7a
DIST openssl-1.0.1i.tar.gz 4422117 SHA256 3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7 SHA512 6cbcdcec8568236e8f20f0461f93df8a193a0ad88102ff548443e6ec87e2a7f649e314beee1e6bafda693934b4fb142244b61d14bf736828dda09e277b941d93 WHIRLPOOL 4baefe8a203243d08c2ca4dc9e1019a539135604a8ddfb09b9a7f2711108ad6ebd45eef1cfa09331f19fe57defbe7e1390f9ac2de086437a484c5819cabb5a4a
DIST openssl-1.0.1j.tar.gz 4432964 SHA256 1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3 SHA512 a786bb99b68d88c1de79d3c5372767f091ebeefb5abc1d4883253fd3ab5a86af53389f5ff36fdd8faa27c5fb78be8bbff406392c373358697da80d250eadebb8 WHIRLPOOL 467aa3b02d04837e3281670401985e492d15b561c03b97246e3c8e61b0d3b1927332e3a226de4ed5bd02265a04fb31ce84c3501f4af9685633d00a9b43c56978
DIST openssl-1.0.1k.tar.gz 4434910 SHA256 8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c SHA512 8b000fbd1bf919d9913a314f99aedd48a69f6caa4ccf43237889e73e08cbe0d82bfc27e9c7c4cade09fc459f91d6c4a831a9b3fc8bca0344fb864eadd7d1e8e8 WHIRLPOOL 5236a966d610c971e473cfc30e5412a72eef116fd259ada9c50da08bcd4ca967f80bb19babf530b4e5b9f1f24e9275e00391eb2e12a26d4544f593e2b4ba20b8
DIST openssl-1.0.1l.tar.gz 4429979 SHA256 b2cf4d48fe5d49f240c61c9e624193a6f232b5ed0baf010681e725963c40d1d4 SHA512 27fe42f33815a3aafff75f2b9a5604c328fe5945c5cecaca74e5d2c2a1e066d64ddcc1fdb14b54fc7523cc730ab8a57d7d56b2879c289e86673f91fee0cca65e WHIRLPOOL 79f5698585c68ba647fcdfc4b342a43d06d69230658ca1bc265dd10d8da939c3e27b9a4125bd2adfbf50002b1dddef18be086dfc23a5050e69fb77350131909f
DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1
EBUILD openssl-1.0.1i-r99.ebuild 8253 SHA256 dc8968fd4bf6b3b411830b7595a930da7b1d650bb16f19df3230f88ab1da049d SHA512 11df471e90ca2cbd39da411a491c9aa2e0afcd92fbcaa544ba2becda4a9fdb898cfafe416ec1c33e056c1c33c0e391bced26cf54874aa416a28a760fbeec5c9f WHIRLPOOL 6894250255bd7795c265c2a068b34ac46afb7204bef11e92bb69b227ee7d91a0bfdd2a8761746aeaa8cd1c61d00ec6f248c2ae49491122ac7b3cc163190b9cea
EBUILD openssl-1.0.1j-r99.ebuild 8702 SHA256 fecb57c49f7204e493712133b2d66b7683191fc538b4a49ec99d034682593d1b SHA512 5ed7256e544f1cc7097c3aa35b9b7e0a61a4afc565e876ee56fbd7d286f9f04184d31095431cd4cc109dee4c09dadfc360bed3ba5ce8c442170ffc079e22d9a1 WHIRLPOOL cae51be227c1dab31cbd339d58d23ad6e301d58171f564f9b1f8c20f4170103023bf636888f05cd23b579fcece5b7f9c6354962bdf50bdfd57d410b3c9d9675f
EBUILD openssl-1.0.1k-r99.ebuild 8702 SHA256 344303432380e2f0ea53ee64ca1a6cb8dfd2fbbddad419c26173f032a9d912e5 SHA512 3b8905b5f864ce18ac6241be4187ce0a2f9db465b3b09a42ce301307f3c82a65339308019a27c0541a383a3f03f3d38962aa909800d9ae2859b6e37fcdc5a3fc WHIRLPOOL 1ceb2f34f0f1f95ac27f36765e02b7797063a74333944e29a607639bf4aeed1bc3557ff50a73714fb87e689abbce0a226ddcf5c2352fc94f081815923e69fcc2
EBUILD openssl-1.0.1l-r99.ebuild 8936 SHA256 799412294dae22e173d59877717badb63ed427f7ca60bc1c15eb48faf7c509c4 SHA512 a32610227322954a2cf18cb1e0ce6e3bc957a90fd1111ee68ed3c6a550ff4b7a25bc52f8db91b943dd38f93e91eab9257fc888c47c3a04faf28db0921c0082ea WHIRLPOOL e0edfe12ad42a37b341bfbeb84b23ac6d5e07c8e44d9570c45d38c1cdc0cc16cef309354578b0ca29763710efee34acf00ad430c86849436721adb6ba7858147
MISC metadata.xml 537 SHA256 dfb61bab6de1d7e943f92be14ed54fb9275d568a11d6ba29e395f23f547603ee SHA512 0417c438c7f9586c7bbe7694707fec94f2ecf6fb59e36bc87d707fab0b24346a6c9fac5e58c69302e767cd8a7e50a508cdb2430b2cdf8fcc88921286e09756e1 WHIRLPOOL 0f21bab1258c7ee675c27cb7d78a90985437dc8d001a232661657549cebd9f2f26802686435bdd3a1346c5a0ff14bfffa740d6ded2288dc211ad0183f5b3f686




--- openssl-1.0.1l/crypto/asn1/a_type.c
+++ openssl-1.0.1l/crypto/asn1/a_type.c
@@ -124,6 +124,9 @@
 	case V_ASN1_OBJECT:
 		result = OBJ_cmp(a->value.object, b->value.object);
 		break;
+	case V_ASN1_BOOLEAN:
+		result = a->value.boolean - b->value.boolean;
+		break;
 	case V_ASN1_NULL:
 		result = 0;	/* They do not have content. */
 		break;
--- openssl-1.0.1l/crypto/asn1/tasn_dec.c
+++ openssl-1.0.1l/crypto/asn1/tasn_dec.c
@@ -130,11 +130,17 @@
 	{
 	ASN1_TLC c;
 	ASN1_VALUE *ptmpval = NULL;
-	if (!pval)
-		pval = &ptmpval;
 	asn1_tlc_clear_nc(&c);
-	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
-		return *pval;
+	if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
+	    ptmpval = *pval;
+	if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
+	    if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
+		if (*pval)
+		    ASN1_item_free(*pval, it);
+		*pval = ptmpval;
+	    }
+	    return ptmpval;
+	}
 	return NULL;
 	}
 
@@ -311,9 +317,16 @@
 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 				goto auxerr;
 
-		/* Allocate structure */
-		if (!*pval && !ASN1_item_ex_new(pval, it))
-			{
+		if (*pval) {
+		    /* Free up and zero CHOICE value if initialised */
+		    i = asn1_get_choice_selector(pval, it);
+		    if ((i >= 0) && (i < it->tcount)) {
+			tt = it->templates + i;
+			pchptr = asn1_get_field_ptr(pval, tt);
+			ASN1_template_free(pchptr, tt);
+			asn1_set_choice_selector(pval, -1, it);
+		    }
+		} else if (!ASN1_item_ex_new(pval, it)) {
 			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
 						ERR_R_NESTED_ASN1_ERROR);
 			goto err;
@@ -407,6 +420,17 @@
 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 				goto auxerr;
 
+		/* Free up and zero any ADB found */
+		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+		    if (tt->flags & ASN1_TFLG_ADB_MASK) {
+			const ASN1_TEMPLATE *seqtt;
+			ASN1_VALUE **pseqval;
+			seqtt = asn1_do_adb(pval, tt, 1);
+			pseqval = asn1_get_field_ptr(pval, seqtt);
+			ASN1_template_free(pseqval, seqtt);
+		    }
+		}
+
 		/* Get each field entry */
 		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
 			{
--- openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
+++ openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
@@ -272,6 +272,25 @@
 	PKCS7_RECIP_INFO *ri=NULL;
 	ASN1_OCTET_STRING *os=NULL;
 
+    if (p7 == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+	return NULL;
+    }
+    /*
+     * The content field in the PKCS7 ContentInfo is optional, but that really
+     * only applies to inner content (precisely, detached signatures).
+     *
+     * When reading content, missing outer content is therefore treated as an
+     * error.
+     *
+     * When creating content, PKCS7_content_new() must be called before
+     * calling this method, so a NULL p7->d is always an error.
+     */
+    if (p7->d.ptr == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+	return NULL;
+    }
+
 	i=OBJ_obj2nid(p7->type);
 	p7->state=PKCS7_S_HEADER;
 
@@ -433,6 +452,16 @@
        unsigned char *ek = NULL, *tkey = NULL;
        int eklen = 0, tkeylen = 0;
 
+    if (p7 == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+	return NULL;
+    }
+    
+    if (p7->d.ptr == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+	return NULL;
+    }
+
 	i=OBJ_obj2nid(p7->type);
 	p7->state=PKCS7_S_HEADER;
 
@@ -752,6 +781,16 @@
 	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
 	ASN1_OCTET_STRING *os=NULL;
 
+    if (p7 == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+	return 0;
+    }
+
+    if (p7->d.ptr == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+	return 0;
+    }
+
 	EVP_MD_CTX_init(&ctx_tmp);
 	i=OBJ_obj2nid(p7->type);
 	p7->state=PKCS7_S_HEADER;
@@ -796,6 +835,7 @@
 		/* If detached data then the content is excluded */
 		if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
 			M_ASN1_OCTET_STRING_free(os);
+			os = NULL;
 			p7->d.sign->contents->d.data = NULL;
 		}
 		break;
@@ -806,6 +846,7 @@
 		if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
 			{
 			M_ASN1_OCTET_STRING_free(os);
+			os = NULL;
 			p7->d.digest->contents->d.data = NULL;
 			}
 		break;
@@ -878,24 +919,31 @@
 		M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
 		}
 
-	if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
-		{
+	if (!PKCS7_is_detached(p7)) {
+	    /*
+	     * NOTE(emilia): I think we only reach os == NULL here because detached
+	     * digested data support is broken.
+	     */
+	    if (os == NULL)
+		goto err;
+	    if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
 		char *cont;
 		long contlen;
-		btmp=BIO_find_type(bio,BIO_TYPE_MEM);
-		if (btmp == NULL)
-			{
-			PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-			goto err;
-			}
+		btmp = BIO_find_type(bio, BIO_TYPE_MEM);
+		if (btmp == NULL) {
+		    PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+		    goto err;
+		}
 		contlen = BIO_get_mem_data(btmp, &cont);
-		/* Mark the BIO read only then we can use its copy of the data
+		/*
+		 * Mark the BIO read only then we can use its copy of the data
 		 * instead of making an extra copy.
 		 */
 		BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
 		BIO_set_mem_eof_return(btmp, 0);
 		ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
-		}
+	    }
+	}
 	ret=1;
 err:
 	EVP_MD_CTX_cleanup(&ctx_tmp);
@@ -971,6 +1019,16 @@
 	STACK_OF(X509) *cert;
 	X509 *x509;
 
+    if (p7 == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+	return 0;
+    }
+
+    if (p7->d.ptr == NULL) {
+	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+	return 0;
+    }
+
 	if (PKCS7_type_is_signed(p7))
 		{
 		cert=p7->d.sign->cert;
--- openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
+++ openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
@@ -71,6 +71,7 @@
 
 	switch (cmd)
 		{
+	/* NOTE(emilia): does not support detached digested data. */
 	case PKCS7_OP_SET_DETACHED_SIGNATURE:
 		if (nid == NID_pkcs7_signed)
 			{
@@ -459,6 +460,8 @@
 
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
 	{
+	if (p7 == NULL || p7->d.ptr == NULL)
+		return NULL;
 	if (PKCS7_type_is_signed(p7))
 		{
 		return(p7->d.sign->signer_info);
--- openssl-1.0.1l/doc/crypto/d2i_X509.pod
+++ openssl-1.0.1l/doc/crypto/d2i_X509.pod
@@ -199,6 +199,12 @@
 persist if they are not present in the new one. As a result the use
 of this "reuse" behaviour is strongly discouraged.
 
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
+set to the value of the newly decoded structure. As a result B<*px>
+B<must not> be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+
 i2d_X509() will not return an error in many versions of OpenSSL,
 if mandatory fields are not initialized due to a programming error
 then the encoded structure may contain invalid data or omit the
@@ -210,7 +216,9 @@
 
 d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
 or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. 
+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
+with a valid X509 structure being passed in via B<px> then the object is not
+modified in the event of error.
 
 i2d_X509() returns the number of bytes successfully encoded or a negative
 value if an error occurs. The error code can be obtained by
--- openssl-1.0.1l/ssl/s2_lib.c
+++ openssl-1.0.1l/ssl/s2_lib.c
@@ -488,7 +488,7 @@
 
 		OPENSSL_assert(s->session->master_key_length >= 0
 		    && s->session->master_key_length
-		    < (int)sizeof(s->session->master_key));
+		    <= (int)sizeof(s->session->master_key));
 		EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
 		EVP_DigestUpdate(&ctx,&c,1);
 		c++;
--- openssl-1.0.1l/ssl/s2_srvr.c
+++ openssl-1.0.1l/ssl/s2_srvr.c
@@ -454,10 +454,6 @@
 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
 		return(-1);
 		}
-	i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
-		&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
-		(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
-
 	is_export=SSL_C_IS_EXPORT(s->session->cipher);
 	
 	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
@@ -475,21 +471,59 @@
 	else
 		ek=5;
 
+	/*
+	 * The format of the CLIENT-MASTER-KEY message is
+	 * 1 byte message type
+	 * 3 bytes cipher
+	 * 2-byte clear key length (stored in s->s2->tmp.clear)
+	 * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+	 * 2-byte key args length (IV etc)
+	 * clear key
+	 * encrypted key
+	 * key args
+	 *
+	 * If the cipher is an export cipher, then the encrypted key bytes
+	 * are a fixed portion of the total key (5 or 8 bytes). The size of
+	 * this portion is in |ek|. If the cipher is not an export cipher,
+	 * then the entire key material is encrypted (i.e., clear key length
+	 * must be zero).
+	 */
+	if ((!is_export && s->s2->tmp.clear != 0) ||
+	    (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
+	    ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+	    return -1;
+	}
+	/*
+	 * The encrypted blob must decrypt to the encrypted portion of the key.
+	 * Decryption can't be expanding, so if we don't have enough encrypted
+	 * bytes to fit the key in the buffer, stop now.
+	 */
+	if ((is_export && s->s2->tmp.enc < ek) ||
+	    (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
+	    ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+	    return -1;
+	}
+
+	i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+				    &(p[s->s2->tmp.clear]),
+				    &(p[s->s2->tmp.clear]),
+				    (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+				    RSA_PKCS1_PADDING);
+
 	/* bad decrypt */
 #if 1
 	/* If a bad decrypt, continue with protocol but with a
 	 * random master secret (Bleichenbacher attack) */
-	if ((i < 0) ||
-		((!is_export && (i != EVP_CIPHER_key_length(c)))
-		|| (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
-			(unsigned int)EVP_CIPHER_key_length(c))))))
-		{
+	if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+			|| (is_export && i != ek))) {
 		ERR_clear_error();
 		if (is_export)
 			i=ek;
 		else
 			i=EVP_CIPHER_key_length(c);
-		if (RAND_pseudo_bytes(p,i) <= 0)
+		if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
 			return 0;
 		}
 #else
@@ -513,7 +547,8 @@
 		}
 #endif
 
-	if (is_export) i+=s->s2->tmp.clear;
+	if (is_export)
+		i = EVP_CIPHER_key_length(c);
 
 	if (i > SSL_MAX_MASTER_KEY_LENGTH)
 		{




# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-1.0.1l-r1.ebuild,v 1.5 2015/03/19 18:03:39 vapier Exp $

EAPI="4"

inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal

REV="1.7"
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
HOMEPAGE="http://www.openssl.org/"
SRC_URI="mirror://openssl/source/${P}.tar.gz
	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"

LICENSE="openssl"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
RESTRICT="!bindist? ( bindist )"

# The blocks are temporary just to make sure people upgrade to a
# version that lack runtime version checking.  We'll drop them in
# the future.
RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
	abi_x86_32? (
		!<=app-emulation/emul-linux-x86-baselibs-20140406-r3
		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
	)
	!<net-misc/openssh-5.9_p1-r4
	!<net-libs/neon-0.29.6-r1"
DEPEND="${RDEPEND}
	sys-apps/diffutils
	>=dev-lang/perl-5
	test? ( sys-devel/bc )"
PDEPEND="app-misc/ca-certificates"

src_unpack() {
	unpack ${P}.tar.gz
	SSL_CNF_DIR="/etc/ssl"
	sed \
		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
		> "${WORKDIR}"/c_rehash || die #416717
}

MULTILIB_WRAPPED_HEADERS=(
	usr/include/openssl/opensslconf.h
)

src_prepare() {
	# Make sure we only ever touch Makefile.org and avoid patching a file
	# that gets blown away anyways by the Configure script in src_configure
	rm -f Makefile

	if ! use vanilla ; then
		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
		epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
		epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch
		epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch
		epatch "${FILESDIR}"/${PN}-1.0.1h-ipv6.patch
		epatch "${FILESDIR}"/${PN}-1.0.1e-s_client-verify.patch #472584
		epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
		epatch "${FILESDIR}"/${PN}-1.0.1l-CVE-2015-0286.patch #543552
		epatch "${FILESDIR}"/${PN}-1.0.1c-force-termios.patch
		epatch_user #332661
	fi

	# disable fips in the build
	# make sure the man pages are suffixed #302165
	# don't bother building man pages if they're disabled
	sed -i \
		-e '/DIRS/s: fips : :g' \
		-e '/^MANSUFFIX/s:=.*:=ssl:' \
		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
		-e $(has noman FEATURES \
			&& echo '/^install:/s:install_docs::' \
			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
		Makefile.org \
		|| die
	# show the actual commands in the log
	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared

	# since we're forcing $(CC) as makedep anyway, just fix
	# the conditional as always-on
	# helps clang (#417795), and versioned gcc (#499818)
	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die

	# quiet out unknown driver argument warnings since openssl
	# doesn't have well-split CFLAGS and we're making it even worse
	# and 'make depend' uses -Werror for added fun (#417795 again)
	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments

	# allow openssl to be cross-compiled
	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
	chmod a+rx gentoo.config

	append-flags -fno-strict-aliasing
	append-flags $(test-flags-CC -Wa,--noexecstack)

	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
	# The config script does stupid stuff to prompt the user.  Kill it.
	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
	./config --test-sanity || die "I AM NOT SANE"

	multilib_copy_sources
}

multilib_src_configure() {
	unset APPS #197996
	unset SCRIPTS #312551
	unset CROSS_COMPILE #311473

	tc-export CC AR RANLIB RC

	# Clean out patent-or-otherwise-encumbered code
	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5

	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
	echoit() { echo "$@" ; "$@" ; }

	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")

	# See if our toolchain supports __uint128_t.  If so, it's 64bit
	# friendly and can use the nicely optimized code paths. #460790
	local ec_nistp_64_gcc_128
	# Disable it for now though #469976
	#if ! use bindist ; then
	#	echo "__uint128_t i;" > "${T}"/128.c
	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
	#	fi
	#fi

	local sslout=$(./gentoo.config)
	einfo "Use configuration ${sslout:-(openssl knows best)}"
	local config="Configure"
	[[ -z ${sslout} ]] && config="config"

	echoit \
	./${config} \
		${sslout} \
		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
		enable-camellia \
		$(use_ssl !bindist ec) \
		${ec_nistp_64_gcc_128} \
		enable-idea \
		enable-mdc2 \
		$(use_ssl !bindist rc5) \
		enable-tlsext \
		$(use_ssl gmp gmp -lgmp) \
		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
		$(use_ssl rfc3779) \
		$(use_ssl tls-heartbeat heartbeats) \
		$(use_ssl zlib) \
		--prefix="${EPREFIX}"/usr \
		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
		--libdir=$(get_libdir) \
		shared threads \
		|| die

	# Clean out hardcoded flags that openssl uses
	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
		-e 's:^CFLAG=::' \
		-e 's:-fomit-frame-pointer ::g' \
		-e 's:-O[0-9] ::g' \
		-e 's:-march=[-a-z0-9]* ::g' \
		-e 's:-mcpu=[-a-z0-9]* ::g' \
		-e 's:-m[a-z0-9]* ::g' \
	)
	sed -i \
		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
		Makefile || die
}

multilib_src_compile() {
	# depend is needed to use $confopts; it also doesn't matter
	# that it's -j1 as the code itself serializes subdirs
	emake -j1 depend
	emake all
	# rehash is needed to prep the certs/ dir; do this
	# separately to avoid parallel build issues.
	emake rehash
}

multilib_src_test() {
	emake -j1 test
}

multilib_src_install() {
	emake INSTALL_PREFIX="${D}" install
}

multilib_src_install_all() {
	dobin "${WORKDIR}"/c_rehash #333117
	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
	dohtml -r doc/*
	use rfc3779 && dodoc engines/ccgost/README.gost

	# This is crappy in that the static archives are still built even
	# when USE=static-libs.  But this is due to a failing in the openssl
	# build system: the static archives are built as PIC all the time.
	# Only way around this would be to manually configure+compile openssl
	# twice; once with shared lib support enabled and once without.
	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a

	# create the certs directory
	dodir ${SSL_CNF_DIR}/certs
	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}

	# Namespace openssl programs to prevent conflicts with other man pages
	cd "${ED}"/usr/share/man
	local m d s
	for m in $(find . -type f | xargs grep -L '#include') ; do
		d=${m%/*} ; d=${d#./} ; m=${m##*/}
		[[ ${m} == openssl.1* ]] && continue
		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
		mv ${d}/{,ssl-}${m}
		# fix up references to renamed man pages
		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
		ln -s ssl-${m} ${d}/openssl-${m}
		# locate any symlinks that point to this man page ... we assume
		# that any broken links are due to the above renaming
		for s in $(find -L ${d} -type l) ; do
			s=${s##*/}
			rm -f ${d}/${s}
			ln -s ssl-${m} ${d}/ssl-${s}
			ln -s ssl-${s} ${d}/openssl-${s}
		done
	done
	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("

	dodir /etc/sandbox.d #254521
	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

	diropts -m0700
	keepdir ${SSL_CNF_DIR}/private
}

pkg_preinst() {
	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
}

pkg_postinst() {
	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
	eend $?

	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
}

Return to bug 543826

Lines 1-22 Link Here

(-)a/dev-libs/openssl/Manifest (-7 / +10 lines)
1	AUX gentoo.config-1.0.1 4784 SHA256 26d1b360f094dd4e1acf47c3e830b52343c0f778dcd8f2c5b6c213b7e5192d13 SHA512 605e86cc68bbce5405b359098cc0a5abdc071a36462ca868d2fce57cabd928536fbcb0f5dea7318c96b3f9fca39b8c303601fff4442a8e68d7f99254180980e7 WHIRLPOOL eb7540c99ad4bbc60a3decd30e9d7d3816bb7cdd948c9c76950b278acec34a4737f1afaf543e9e524ea0cef8ae26008c065bef44129673e40ccaec9509052575	1	AUX gentoo.config-1.0.1 4784 SHA256 26d1b360f094dd4e1acf47c3e830b52343c0f778dcd8f2c5b6c213b7e5192d13 SHA512 605e86cc68bbce5405b359098cc0a5abdc071a36462ca868d2fce57cabd928536fbcb0f5dea7318c96b3f9fca39b8c303601fff4442a8e68d7f99254180980e7 WHIRLPOOL eb7540c99ad4bbc60a3decd30e9d7d3816bb7cdd948c9c76950b278acec34a4737f1afaf543e9e524ea0cef8ae26008c065bef44129673e40ccaec9509052575
2	AUX openssl-1.0.0a-ldflags.patch 891 SHA256 f04cef1b912681393236f9631792cd404783586c2fd8e0f011ace6236cc6dc4a SHA512 8ced9f22e413f81ff0563793bd6b765912af16671a0d10bff0c518c44bced0177dbcd6536359ff5b6bd5d49fa5032de47c719198444254d4814e4b21301f606c WHIRLPOOL f9b2641b8df926ff5d9d5cf5a7737f5cb4a3a2be2225911ebebd944f13219acfac07d496eec9a8e91af3f50ac1275dc7b0652354e8e958a0d3f6708e641f8970	2	AUX openssl-1.0.0a-ldflags.patch 1095 SHA256 2489ffbae4af11e1642d54992c404ca81b0c2a9c169032281f4f7778d945836f SHA512 d5a3f90ca0e9755940da525b8daba5b5d09b2b251863e9ca4f2b3b0a5db461e0aa25b2ae7a7d36d13a92ff64f2a37d4809b70aff9672c0f43398369bc7099979 WHIRLPOOL b7c2fbc833be856388110f2ac891976903e7c5dd4030249bcd79f915ae94fa93bff955ff3eaaf4a4bab306a09512bd861099c2738f5af7027174b79d023f7261
3	AUX openssl-1.0.0d-windres.patch 2890 SHA256 27664cfab4852f1a301c4020375eba029c8a1728d58829c831a36d3aa2fbe9f4 SHA512 32187d0a04c85118cc763ff1fe8c4635622294fe629b920c47e16408aa720fee2bcc42f97120f6750b59996878e0a3d249143d728a5b5775ec3a022f81bc230a WHIRLPOOL d5979143f7e637b0072f7d5f214d80f5cc0e53f54358781d7f10c0cdb15c2b52813e12d2aa07dde2b40e7a88fcb26d1d619443a8012530d90789609cf5ac4083	3	AUX openssl-1.0.0d-windres.patch 2912 SHA256 e5dbfd6af69bc3f69b51787cf1f6245207be9824dfffbdd9b4e278772ed8ab32 SHA512 d7a0238edea29aac7d20dca0778c67f8ae4dc0da190e5277e1b3519ae536f2c44533ac5dc1cbcd138bc4277ad669b13fca316bd962f26e2cb387f2ad3fd0111b WHIRLPOOL d62156820e55898d0a0393473c6ad8e49c5aa7bb9d3fc7043795de7102c3003d5f8b874c751e03cf832e306ac290790e871e1318bb830b3558a43e09be5b45b4
4	AUX openssl-1.0.0h-pkg-config.patch 1289 SHA256 542dea12747b1cb667707250e3eb3803cbdd396bd0d8e836e48a8018417dc1b8 SHA512 4d1f66dc8615cdf7c96719c8cc909c7d908089e91b0cfe2dd08ae7a332c525b5384e2eb8eb3922e89cbc035167f581eaa606ba826fca6253f16f89f66a9ef225 WHIRLPOOL cdd63a06205b0237ddef1f56df2accf29e5f43f886aed01f95711b49a3af07d87afd0953cb3c12c7e97d4a3392f7c691257dcb7ad3e97cc6fbf1cf399a8a6394	4	AUX openssl-1.0.0h-pkg-config.patch 1363 SHA256 dbbcc175f02e5edced01a13dd1e7d35dc4322c0970f78a7fd781a6c0766886af SHA512 c2f7a68c96098bd742235a40f27d6b1e5a0ebece53ca32dd0be74b85210479064efa1d5dc76e457b786067185768492fab2ed53762a22c511c2a2e3d43ed137b WHIRLPOOL 7f795dbed2124d8d2d126886d106675662f09b8e79c70fa2af3298486fdb75b7f1285dc17a53daf985bd4af1e58c36e13e49f46d18af860f0dabad1b3898c3b0
5	AUX openssl-1.0.1-parallel-build.patch 9918 SHA256 bd56e5fe1b6fe594ab93f34d25fef0b7372633bad8532f81da998f3e6655d221 SHA512 7255b3315133e415631b2ecadc8f5c50a705b9db507c46efded0190363ce9eb31ffbfe01c500669c060878e5202f858b1d2475c64948426fbf70820b4c798ba1 WHIRLPOOL 8a8c71c3806db85d6c6b355717cb4aa1e421fa1777aa7dcd7ee817ac1e552d4b671cdd7cceef9aee1a7dc1b305eb722b1ba0219832c7a6c1b808a0c49212df05	5	AUX openssl-1.0.1-parallel-build.patch 10614 SHA256 f3aa674880ffa53a891d3f9054a1ff162c4461b3ec160a365990275907636259 SHA512 439015b3b007adfbab047a1e3e12a9700030779a593bba1a30e9554c7c02eb1cffe9acb089546954e87163847cf86b13130abf9646eb5d00a2ff725b534f84d5 WHIRLPOOL 673f6f045765effb9ded607bf8116a81e7bfeee78ba0e8a34892081c272239a2b75fbb14f4c48b61d93593fac8e1b1e8bef7223f4cc64e8443e19c8f337ab6bc
6	AUX openssl-1.0.1-x32.patch 3273 SHA256 a4f05b8757e225a05a9c5a3ea485159066760d878c9ee54c4eaf61760e33c6cf SHA512 6bed57fe2fbe2d0ced1279b53804d94426a679d5d6b80ad7d0ed18523a7fda397e02038032c08cdd4e6034f9ff6e82cad365ff2a724d49d91467cf2b77f47752 WHIRLPOOL 1366632e7dc1c6e54efc5b9791bf24833d20e7a61ca29aa38d31b5b9629febf926a29742e370b7cd6767c810c0a1676100ca9169f0d836dfd19ff0b2c29e49c1	6	AUX openssl-1.0.1-x32.patch 3273 SHA256 a4f05b8757e225a05a9c5a3ea485159066760d878c9ee54c4eaf61760e33c6cf SHA512 6bed57fe2fbe2d0ced1279b53804d94426a679d5d6b80ad7d0ed18523a7fda397e02038032c08cdd4e6034f9ff6e82cad365ff2a724d49d91467cf2b77f47752 WHIRLPOOL 1366632e7dc1c6e54efc5b9791bf24833d20e7a61ca29aa38d31b5b9629febf926a29742e370b7cd6767c810c0a1676100ca9169f0d836dfd19ff0b2c29e49c1
7	AUX openssl-1.0.1c-force-termios.patch 1849 SHA256 3c5a65f2961e5fd0031b0fabe0021f8531e901a5c8674c03d2b03157a184998b SHA512 6f938fc0778040104bd7d9fdf08e1200f25337089fdb0c2df935b6f5144849be550c66a9a83699bbec5b32304de5fea2ded325505412e2e4d3439dd49ed05db9 WHIRLPOOL 44f080f5f2ba75421495865486fbacc92a1d1b32100f1c4b384430957179b49ed0e91472832db12758504c87ffca2455a03db9d56da61532f5baffdefd94b390	7	AUX openssl-1.0.1c-force-termios.patch 1849 SHA256 3c5a65f2961e5fd0031b0fabe0021f8531e901a5c8674c03d2b03157a184998b SHA512 6f938fc0778040104bd7d9fdf08e1200f25337089fdb0c2df935b6f5144849be550c66a9a83699bbec5b32304de5fea2ded325505412e2e4d3439dd49ed05db9 WHIRLPOOL 44f080f5f2ba75421495865486fbacc92a1d1b32100f1c4b384430957179b49ed0e91472832db12758504c87ffca2455a03db9d56da61532f5baffdefd94b390
8	AUX openssl-1.0.1e-ipv6.patch 18596 SHA256 430d15f2f62c2d7b9bbb968d3c1d3cea51c97d549e01683fd6befb20e2b60946 SHA512 15bfcafc8c173d2875954a43db19d15956619528a0fc356b6d36877f7434321071cf707d950767491261adc1e6403e56b3e014e3d0ffb6cef563daca00a128bd WHIRLPOOL d1dd63d00b166efb1ca9e5d8da931a47e571f5784e3b47780355553b4d0cf656885375e3fe7fc1554b6c5eb749371efeb370c7462e4fcc52c0dd85c6e2318ad8	8	AUX openssl-1.0.1e-ipv6.patch 18596 SHA256 430d15f2f62c2d7b9bbb968d3c1d3cea51c97d549e01683fd6befb20e2b60946 SHA512 15bfcafc8c173d2875954a43db19d15956619528a0fc356b6d36877f7434321071cf707d950767491261adc1e6403e56b3e014e3d0ffb6cef563daca00a128bd WHIRLPOOL d1dd63d00b166efb1ca9e5d8da931a47e571f5784e3b47780355553b4d0cf656885375e3fe7fc1554b6c5eb749371efeb370c7462e4fcc52c0dd85c6e2318ad8
9	AUX openssl-1.0.1e-perl-5.18.patch 8211 SHA256 0d2263de7cd1e814cf7583a738d7c439dadb6f195793a29356186b336edc5a98 SHA512 4b56cae218af916c5d7f1006f0a17e34eebc6ee9fb08789db0b18b7e0d6ca7ea0b297efdc712f8951b4db55d15dffea33faa939d2daa42db6be61670e43f0412 WHIRLPOOL 78ced5c41dba502f93f92322516ac8774ff73ce236c7cf793f7e502822c8b0c288f2ed4360d89d2ff2bfaf969f6bd0cc12b28151eda0217197c60bf6a561d8cf	9	AUX openssl-1.0.1e-perl-5.18.patch 8211 SHA256 0d2263de7cd1e814cf7583a738d7c439dadb6f195793a29356186b336edc5a98 SHA512 4b56cae218af916c5d7f1006f0a17e34eebc6ee9fb08789db0b18b7e0d6ca7ea0b297efdc712f8951b4db55d15dffea33faa939d2daa42db6be61670e43f0412 WHIRLPOOL 78ced5c41dba502f93f92322516ac8774ff73ce236c7cf793f7e502822c8b0c288f2ed4360d89d2ff2bfaf969f6bd0cc12b28151eda0217197c60bf6a561d8cf
10	AUX openssl-1.0.1e-s_client-verify.patch 585 SHA256 e5a7093d80a52f741a40aa6dbf85dd46dbbaa466b5093a13f0b1dffc0cd73a24 SHA512 d6d308016d6c6449703f5edcebd97c77a96bb47b2adfe7beade078055b4fe743f0b19e39cb23326678b7b908798e45557931e4b46751ba88a7f4233c3ad833bd WHIRLPOOL 0a4c8f489ab9a964f3ad753078cafdbdcd329a428acb47bf90f4500436873052a4bc5e24634f657272683c030bcf263ce28a6938d91c0c965ddb2c7207167911	10	AUX openssl-1.0.1e-s_client-verify.patch 592 SHA256 6f540fce663eefbe68cee16ad7d8d561d6c898eeb4180c2f4a4caa7e43c6d0c9 SHA512 117b1017e1259667078d3ccdcd9fd46357c6f85cf2702794f49c612b37acdc044fe88f871dbe46fcad9ed4cd8aaaaee800dddb5286203322802efd7549a43b68 WHIRLPOOL 70a4cc36b1dcb24d7e9bcef016684fb2394977f7f20aa332ebd0aa15e3f4c16c74563d2fc0ba8d70669f6cc9a13bf8a30cdb28ebafe2d102cd2859a4e32c38d7
11	AUX openssl-1.0.1e-tls-ver-crash.patch 1203 SHA256 4868de1b15bea5cc695ffd22ae414b03aaa6bdd5b99313654043e29d4d0c9f76 SHA512 b87457ae5c0f2b605b47a683eb16ab2f3432873765b401a49d0ad300e3f96fa817fc5a85c6fd2c65143d355322911d6da2bdf576d0c212715d6c6b3c662e96d2 WHIRLPOOL e728ce3f2c7325469629ea0ef5a3c02860df9264a46218bdf553ad8eec56c5d4bf3fd6c63e0b67ff5734d503e4c3182f29f16ce80198b272eacca11177f48e5c	11	AUX openssl-1.0.1e-tls-ver-crash.patch 1203 SHA256 4868de1b15bea5cc695ffd22ae414b03aaa6bdd5b99313654043e29d4d0c9f76 SHA512 b87457ae5c0f2b605b47a683eb16ab2f3432873765b401a49d0ad300e3f96fa817fc5a85c6fd2c65143d355322911d6da2bdf576d0c212715d6c6b3c662e96d2 WHIRLPOOL e728ce3f2c7325469629ea0ef5a3c02860df9264a46218bdf553ad8eec56c5d4bf3fd6c63e0b67ff5734d503e4c3182f29f16ce80198b272eacca11177f48e5c
12	AUX openssl-1.0.1f-perl-5.18.patch 7820 SHA256 e45c6856ef35b16e150282afa59432e783943e6aee62394f8a0e79ccd469fd84 SHA512 2fcda9f76968e8a193892170b2acc06b246c5a04bda2c501fa223231af0e4b2a38afd1adaf83cce4afd4210cdfd9cae8251aeb9510f24bcb50e7aeaa9fa09364 WHIRLPOOL 38768056d2bc4cd719c88038d201f765420a7d47b5dbd73b6d86347e59b4a1fc62f5f27d6c576fb73184fcfe26917446753d871db22aeac2a205f0bd18d2bbc3	12	AUX openssl-1.0.1f-perl-5.18.patch 7820 SHA256 e45c6856ef35b16e150282afa59432e783943e6aee62394f8a0e79ccd469fd84 SHA512 2fcda9f76968e8a193892170b2acc06b246c5a04bda2c501fa223231af0e4b2a38afd1adaf83cce4afd4210cdfd9cae8251aeb9510f24bcb50e7aeaa9fa09364 WHIRLPOOL 38768056d2bc4cd719c88038d201f765420a7d47b5dbd73b6d86347e59b4a1fc62f5f27d6c576fb73184fcfe26917446753d871db22aeac2a205f0bd18d2bbc3
13	AUX openssl-1.0.1f-revert-alpha-perl-generation.patch 3029 SHA256 3b4b3e40f70330219a139d8562ed5ebc171c5e7ebf1ab2b29e295ccf435fb6eb SHA512 77f45b12211cb790ae362bed9417590f87a1749d6300dde408f00590ed86e7b05d05909f0a2356e5c64711319d2f8759ad452eaccc0f64c7578916b31462251f WHIRLPOOL a2140b00e69b2dc74d290db0c2d12d3d5e5ca7452710c3f3b2fdde8a06aa0f398212bd263d9a37cfea3df407aa1d26a996b852183955ca5eb4e8c061ca8cb68c	13	AUX openssl-1.0.1f-revert-alpha-perl-generation.patch 3102 SHA256 6e502275b32ac0eca80f28448ae1bb88506f9135258f420fd857ea0b9b485778 SHA512 c80439da3d268e70fd492d0ca73c0a17ddb088b9330610794a338d1921ee13dad9caca4c81ca103b82a7541c8712f77e51f352ec1b1b02789d9aed291acb0cdc WHIRLPOOL cb760366c8759b1c78c5307134bb48c4fc12b1556276c2ef55455ea54725d20cb433ade966a7453f512d2feb5ae89a9798078ab535e4605366633a8e003c7ac6
14	AUX openssl-1.0.1h-ipv6.patch 18675 SHA256 4ccbabad8c6b3e6710d54beb56322cddb79a55222198466843bb101fb4b4e4c6 SHA512 fc54a6e1afc4c395b0318bc264a31fa5e26add1106c61650aa9d2027a783d5d2390d223bae858149bc460e00114008577d30c6f45fccf43fbf9ab1019bcb7d25 WHIRLPOOL 539e101f8d5f53f266793880ea0cf197f246fbccdea22b802a51cf8f85ed2a3a172525c5c8796f3b457f3a0b84654db633a0df9d297c02491da40055036f9594	14	AUX openssl-1.0.1h-ipv6.patch 17788 SHA256 7adeeb88cc544f8b210efbe2baff48fccf5029b582dff7010ae70e0e1f097d7b SHA512 0f0990d4294abcb5f3e51c84080883046a054c710b57a23f99b3323727d5e9aeb5ddeb6b6c2565b4be364f7c21419c90ce5288154e404cd663678f87e0d1c259 WHIRLPOOL cfe7a2e141a4a6252ffcfe215b16dd1082bc14a757dad7eb01bb9819de41ef0ee51a4b2dbf110c27b52e483341c337bf4d1f77f4f9f3172d2fee9e348c30af7e
		15	AUX openssl-1.0.1l-CVE-2015-0286.patch 10790 SHA256 3d234f4b7bd79b7de1a6fe2f42016531732c81dcb73af45edc5b280858d32cb8 SHA512 432a9e556df26e3f0059f53556dbc088cfe7e30e2c38354e7a7879bb4db204330702ab8050b9b31b3ef48badb8f0abdbf047445b71aa0c4c96f5aeb0bf16f9df WHIRLPOOL c4834efebdca3bee769819fee40099f2d83f4282db98a96da853164dae2639adaef18fe3caf87801f52e53b47752a99fd693aab66239e30344b714119c4c1c7a
15	DIST openssl-1.0.1i.tar.gz 4422117 SHA256 3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7 SHA512 6cbcdcec8568236e8f20f0461f93df8a193a0ad88102ff548443e6ec87e2a7f649e314beee1e6bafda693934b4fb142244b61d14bf736828dda09e277b941d93 WHIRLPOOL 4baefe8a203243d08c2ca4dc9e1019a539135604a8ddfb09b9a7f2711108ad6ebd45eef1cfa09331f19fe57defbe7e1390f9ac2de086437a484c5819cabb5a4a	16	DIST openssl-1.0.1i.tar.gz 4422117 SHA256 3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7 SHA512 6cbcdcec8568236e8f20f0461f93df8a193a0ad88102ff548443e6ec87e2a7f649e314beee1e6bafda693934b4fb142244b61d14bf736828dda09e277b941d93 WHIRLPOOL 4baefe8a203243d08c2ca4dc9e1019a539135604a8ddfb09b9a7f2711108ad6ebd45eef1cfa09331f19fe57defbe7e1390f9ac2de086437a484c5819cabb5a4a
16	DIST openssl-1.0.1j.tar.gz 4432964 SHA256 1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3 SHA512 a786bb99b68d88c1de79d3c5372767f091ebeefb5abc1d4883253fd3ab5a86af53389f5ff36fdd8faa27c5fb78be8bbff406392c373358697da80d250eadebb8 WHIRLPOOL 467aa3b02d04837e3281670401985e492d15b561c03b97246e3c8e61b0d3b1927332e3a226de4ed5bd02265a04fb31ce84c3501f4af9685633d00a9b43c56978	17	DIST openssl-1.0.1j.tar.gz 4432964 SHA256 1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3 SHA512 a786bb99b68d88c1de79d3c5372767f091ebeefb5abc1d4883253fd3ab5a86af53389f5ff36fdd8faa27c5fb78be8bbff406392c373358697da80d250eadebb8 WHIRLPOOL 467aa3b02d04837e3281670401985e492d15b561c03b97246e3c8e61b0d3b1927332e3a226de4ed5bd02265a04fb31ce84c3501f4af9685633d00a9b43c56978
17	DIST openssl-1.0.1k.tar.gz 4434910 SHA256 8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c SHA512 8b000fbd1bf919d9913a314f99aedd48a69f6caa4ccf43237889e73e08cbe0d82bfc27e9c7c4cade09fc459f91d6c4a831a9b3fc8bca0344fb864eadd7d1e8e8 WHIRLPOOL 5236a966d610c971e473cfc30e5412a72eef116fd259ada9c50da08bcd4ca967f80bb19babf530b4e5b9f1f24e9275e00391eb2e12a26d4544f593e2b4ba20b8	18	DIST openssl-1.0.1k.tar.gz 4434910 SHA256 8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c SHA512 8b000fbd1bf919d9913a314f99aedd48a69f6caa4ccf43237889e73e08cbe0d82bfc27e9c7c4cade09fc459f91d6c4a831a9b3fc8bca0344fb864eadd7d1e8e8 WHIRLPOOL 5236a966d610c971e473cfc30e5412a72eef116fd259ada9c50da08bcd4ca967f80bb19babf530b4e5b9f1f24e9275e00391eb2e12a26d4544f593e2b4ba20b8
		19	DIST openssl-1.0.1l.tar.gz 4429979 SHA256 b2cf4d48fe5d49f240c61c9e624193a6f232b5ed0baf010681e725963c40d1d4 SHA512 27fe42f33815a3aafff75f2b9a5604c328fe5945c5cecaca74e5d2c2a1e066d64ddcc1fdb14b54fc7523cc730ab8a57d7d56b2879c289e86673f91fee0cca65e WHIRLPOOL 79f5698585c68ba647fcdfc4b342a43d06d69230658ca1bc265dd10d8da939c3e27b9a4125bd2adfbf50002b1dddef18be086dfc23a5050e69fb77350131909f
18	DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1	20	DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1
19	EBUILD openssl-1.0.1i-r99.ebuild 8253 SHA256 dc8968fd4bf6b3b411830b7595a930da7b1d650bb16f19df3230f88ab1da049d SHA512 11df471e90ca2cbd39da411a491c9aa2e0afcd92fbcaa544ba2becda4a9fdb898cfafe416ec1c33e056c1c33c0e391bced26cf54874aa416a28a760fbeec5c9f WHIRLPOOL 6894250255bd7795c265c2a068b34ac46afb7204bef11e92bb69b227ee7d91a0bfdd2a8761746aeaa8cd1c61d00ec6f248c2ae49491122ac7b3cc163190b9cea	21	EBUILD openssl-1.0.1i-r99.ebuild 8253 SHA256 dc8968fd4bf6b3b411830b7595a930da7b1d650bb16f19df3230f88ab1da049d SHA512 11df471e90ca2cbd39da411a491c9aa2e0afcd92fbcaa544ba2becda4a9fdb898cfafe416ec1c33e056c1c33c0e391bced26cf54874aa416a28a760fbeec5c9f WHIRLPOOL 6894250255bd7795c265c2a068b34ac46afb7204bef11e92bb69b227ee7d91a0bfdd2a8761746aeaa8cd1c61d00ec6f248c2ae49491122ac7b3cc163190b9cea
20	EBUILD openssl-1.0.1j-r99.ebuild 8702 SHA256 fecb57c49f7204e493712133b2d66b7683191fc538b4a49ec99d034682593d1b SHA512 5ed7256e544f1cc7097c3aa35b9b7e0a61a4afc565e876ee56fbd7d286f9f04184d31095431cd4cc109dee4c09dadfc360bed3ba5ce8c442170ffc079e22d9a1 WHIRLPOOL cae51be227c1dab31cbd339d58d23ad6e301d58171f564f9b1f8c20f4170103023bf636888f05cd23b579fcece5b7f9c6354962bdf50bdfd57d410b3c9d9675f	22	EBUILD openssl-1.0.1j-r99.ebuild 8702 SHA256 fecb57c49f7204e493712133b2d66b7683191fc538b4a49ec99d034682593d1b SHA512 5ed7256e544f1cc7097c3aa35b9b7e0a61a4afc565e876ee56fbd7d286f9f04184d31095431cd4cc109dee4c09dadfc360bed3ba5ce8c442170ffc079e22d9a1 WHIRLPOOL cae51be227c1dab31cbd339d58d23ad6e301d58171f564f9b1f8c20f4170103023bf636888f05cd23b579fcece5b7f9c6354962bdf50bdfd57d410b3c9d9675f
21	EBUILD openssl-1.0.1k-r99.ebuild 8702 SHA256 344303432380e2f0ea53ee64ca1a6cb8dfd2fbbddad419c26173f032a9d912e5 SHA512 3b8905b5f864ce18ac6241be4187ce0a2f9db465b3b09a42ce301307f3c82a65339308019a27c0541a383a3f03f3d38962aa909800d9ae2859b6e37fcdc5a3fc WHIRLPOOL 1ceb2f34f0f1f95ac27f36765e02b7797063a74333944e29a607639bf4aeed1bc3557ff50a73714fb87e689abbce0a226ddcf5c2352fc94f081815923e69fcc2	23	EBUILD openssl-1.0.1k-r99.ebuild 8702 SHA256 344303432380e2f0ea53ee64ca1a6cb8dfd2fbbddad419c26173f032a9d912e5 SHA512 3b8905b5f864ce18ac6241be4187ce0a2f9db465b3b09a42ce301307f3c82a65339308019a27c0541a383a3f03f3d38962aa909800d9ae2859b6e37fcdc5a3fc WHIRLPOOL 1ceb2f34f0f1f95ac27f36765e02b7797063a74333944e29a607639bf4aeed1bc3557ff50a73714fb87e689abbce0a226ddcf5c2352fc94f081815923e69fcc2
		24	EBUILD openssl-1.0.1l-r99.ebuild 8936 SHA256 799412294dae22e173d59877717badb63ed427f7ca60bc1c15eb48faf7c509c4 SHA512 a32610227322954a2cf18cb1e0ce6e3bc957a90fd1111ee68ed3c6a550ff4b7a25bc52f8db91b943dd38f93e91eab9257fc888c47c3a04faf28db0921c0082ea WHIRLPOOL e0edfe12ad42a37b341bfbeb84b23ac6d5e07c8e44d9570c45d38c1cdc0cc16cef309354578b0ca29763710efee34acf00ad430c86849436721adb6ba7858147
22	MISC metadata.xml 537 SHA256 dfb61bab6de1d7e943f92be14ed54fb9275d568a11d6ba29e395f23f547603ee SHA512 0417c438c7f9586c7bbe7694707fec94f2ecf6fb59e36bc87d707fab0b24346a6c9fac5e58c69302e767cd8a7e50a508cdb2430b2cdf8fcc88921286e09756e1 WHIRLPOOL 0f21bab1258c7ee675c27cb7d78a90985437dc8d001a232661657549cebd9f2f26802686435bdd3a1346c5a0ff14bfffa740d6ded2288dc211ad0183f5b3f686	25	MISC metadata.xml 537 SHA256 dfb61bab6de1d7e943f92be14ed54fb9275d568a11d6ba29e395f23f547603ee SHA512 0417c438c7f9586c7bbe7694707fec94f2ecf6fb59e36bc87d707fab0b24346a6c9fac5e58c69302e767cd8a7e50a508cdb2430b2cdf8fcc88921286e09756e1 WHIRLPOOL 0f21bab1258c7ee675c27cb7d78a90985437dc8d001a232661657549cebd9f2f26802686435bdd3a1346c5a0ff14bfffa740d6ded2288dc211ad0183f5b3f686

Line 0 Link Here

(-)a/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch (+356 lines)
		1	--- openssl-1.0.1l/crypto/asn1/a_type.c
		2	+++ openssl-1.0.1l/crypto/asn1/a_type.c
		3	@@ -124,6 +124,9 @@
		4	case V_ASN1_OBJECT:
		5	result = OBJ_cmp(a->value.object, b->value.object);
		6	break;
		7	+ case V_ASN1_BOOLEAN:
		8	+ result = a->value.boolean - b->value.boolean;
		9	+ break;
		10	case V_ASN1_NULL:
		11	result = 0; /* They do not have content. */
		12	break;
		13	--- openssl-1.0.1l/crypto/asn1/tasn_dec.c
		14	+++ openssl-1.0.1l/crypto/asn1/tasn_dec.c
		15	@@ -130,11 +130,17 @@
		16	{
		17	ASN1_TLC c;
		18	ASN1_VALUE *ptmpval = NULL;
		19	- if (!pval)
		20	- pval = &ptmpval;
		21	asn1_tlc_clear_nc(&c);
		22	- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
		23	- return *pval;
		24	+ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
		25	+ ptmpval = *pval;
		26	+ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
		27	+ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
		28	+ if (*pval)
		29	+ ASN1_item_free(*pval, it);
		30	+ *pval = ptmpval;
		31	+ }
		32	+ return ptmpval;
		33	+ }
		34	return NULL;
		35	}
		36
		37	@@ -311,9 +317,16 @@
		38	if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
		39	goto auxerr;
		40
		41	- /* Allocate structure */
		42	- if (!*pval && !ASN1_item_ex_new(pval, it))
		43	- {
		44	+ if (*pval) {
		45	+ /* Free up and zero CHOICE value if initialised */
		46	+ i = asn1_get_choice_selector(pval, it);
		47	+ if ((i >= 0) && (i < it->tcount)) {
		48	+ tt = it->templates + i;
		49	+ pchptr = asn1_get_field_ptr(pval, tt);
		50	+ ASN1_template_free(pchptr, tt);
		51	+ asn1_set_choice_selector(pval, -1, it);
		52	+ }
		53	+ } else if (!ASN1_item_ex_new(pval, it)) {
		54	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
		55	ERR_R_NESTED_ASN1_ERROR);
		56	goto err;
		57	@@ -407,6 +420,17 @@
		58	if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
		59	goto auxerr;
		60
		61	+ /* Free up and zero any ADB found */
		62	+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
		63	+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
		64	+ const ASN1_TEMPLATE *seqtt;
65	+ ASN1_VALUE **pseqval;
66	+ seqtt = asn1_do_adb(pval, tt, 1);
67	+ pseqval = asn1_get_field_ptr(pval, seqtt);
68	+ ASN1_template_free(pseqval, seqtt);
69	+ }
70	+ }
71	+
72	/* Get each field entry */
73	for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
74	{
75	--- openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
76	+++ openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
77	@@ -272,6 +272,25 @@
78	PKCS7_RECIP_INFO *ri=NULL;
79	ASN1_OCTET_STRING *os=NULL;
80
81	+ if (p7 == NULL) {
82	+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
83	+ return NULL;
84	+ }
85	+ /*
86	+ * The content field in the PKCS7 ContentInfo is optional, but that really
87	+ * only applies to inner content (precisely, detached signatures).
88	+ *
89	+ * When reading content, missing outer content is therefore treated as an
90	+ * error.
91	+ *
92	+ * When creating content, PKCS7_content_new() must be called before
93	+ * calling this method, so a NULL p7->d is always an error.
94	+ */
95	+ if (p7->d.ptr == NULL) {
96	+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
97	+ return NULL;
98	+ }
99	+
100	i=OBJ_obj2nid(p7->type);
101	p7->state=PKCS7_S_HEADER;
102
103	@@ -433,6 +452,16 @@
104	unsigned char ek = NULL, tkey = NULL;
105	int eklen = 0, tkeylen = 0;
106
107	+ if (p7 == NULL) {
108	+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
109	+ return NULL;
110	+ }
111	+
112	+ if (p7->d.ptr == NULL) {
113	+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
114	+ return NULL;
115	+ }
116	+
117	i=OBJ_obj2nid(p7->type);
118	p7->state=PKCS7_S_HEADER;
119
120	@@ -752,6 +781,16 @@
121	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
122	ASN1_OCTET_STRING *os=NULL;
123
124	+ if (p7 == NULL) {
125	+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
126	+ return 0;
127	+ }
128	+
129	+ if (p7->d.ptr == NULL) {
130	+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
131	+ return 0;
132	+ }
133	+
134	EVP_MD_CTX_init(&ctx_tmp);
135	i=OBJ_obj2nid(p7->type);
136	p7->state=PKCS7_S_HEADER;
137	@@ -796,6 +835,7 @@
138	/* If detached data then the content is excluded */
139	if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
140	M_ASN1_OCTET_STRING_free(os);
141	+ os = NULL;
142	p7->d.sign->contents->d.data = NULL;
143	}
144	break;
145	@@ -806,6 +846,7 @@
146	if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
147	{
148	M_ASN1_OCTET_STRING_free(os);
149	+ os = NULL;
150	p7->d.digest->contents->d.data = NULL;
151	}
152	break;
153	@@ -878,24 +919,31 @@
154	M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
155	}
156
157	- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
158	- {
159	+ if (!PKCS7_is_detached(p7)) {
160	+ /*
161	+ * NOTE(emilia): I think we only reach os == NULL here because detached
162	+ * digested data support is broken.
163	+ */
164	+ if (os == NULL)
165	+ goto err;
166	+ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
167	char *cont;
168	long contlen;
169	- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
170	- if (btmp == NULL)
171	- {
172	- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
173	- goto err;
174	- }
175	+ btmp = BIO_find_type(bio, BIO_TYPE_MEM);
176	+ if (btmp == NULL) {
177	+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
178	+ goto err;
179	+ }
180	contlen = BIO_get_mem_data(btmp, &cont);
181	- /* Mark the BIO read only then we can use its copy of the data
182	+ /*
183	+ * Mark the BIO read only then we can use its copy of the data
184	* instead of making an extra copy.
185	*/
186	BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
187	BIO_set_mem_eof_return(btmp, 0);
188	ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
189	- }
190	+ }
191	+ }
192	ret=1;
193	err:
194	EVP_MD_CTX_cleanup(&ctx_tmp);
195	@@ -971,6 +1019,16 @@
196	STACK_OF(X509) *cert;
197	X509 *x509;
198
199	+ if (p7 == NULL) {
200	+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
201	+ return 0;
202	+ }
203	+
204	+ if (p7->d.ptr == NULL) {
205	+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
206	+ return 0;
207	+ }
208	+
209	if (PKCS7_type_is_signed(p7))
210	{
211	cert=p7->d.sign->cert;
212	--- openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
213	+++ openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
214	@@ -71,6 +71,7 @@
215
216	switch (cmd)
217	{
218	+ /* NOTE(emilia): does not support detached digested data. */
219	case PKCS7_OP_SET_DETACHED_SIGNATURE:
220	if (nid == NID_pkcs7_signed)
221	{
222	@@ -459,6 +460,8 @@
223
224	STACK_OF(PKCS7_SIGNER_INFO) PKCS7_get_signer_info(PKCS7 p7)
225	{
226	+ if (p7 == NULL \|\| p7->d.ptr == NULL)
227	+ return NULL;
228	if (PKCS7_type_is_signed(p7))
229	{
230	return(p7->d.sign->signer_info);
231	--- openssl-1.0.1l/doc/crypto/d2i_X509.pod
232	+++ openssl-1.0.1l/doc/crypto/d2i_X509.pod
233	@@ -199,6 +199,12 @@
234	persist if they are not present in the new one. As a result the use
235	of this "reuse" behaviour is strongly discouraged.
236
237	+Current versions of OpenSSL will not modify B<*px> if an error occurs.
238	+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
239	+set to the value of the newly decoded structure. As a result B<*px>
240	+B<must not> be allocated on the stack or an attempt will be made to
241	+free an invalid pointer.
242	+
243	i2d_X509() will not return an error in many versions of OpenSSL,
244	if mandatory fields are not initialized due to a programming error
245	then the encoded structure may contain invalid data or omit the
246	@@ -210,7 +216,9 @@
247
248	d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
249	or B<NULL> if an error occurs. The error code that can be obtained by
250	-L<ERR_get_error(3)\|ERR_get_error(3)>.
251	+L<ERR_get_error(3)\|ERR_get_error(3)>. If the "reuse" capability has been used
252	+with a valid X509 structure being passed in via B<px> then the object is not
253	+modified in the event of error.
254
255	i2d_X509() returns the number of bytes successfully encoded or a negative
256	value if an error occurs. The error code can be obtained by
257	--- openssl-1.0.1l/ssl/s2_lib.c
258	+++ openssl-1.0.1l/ssl/s2_lib.c
259	@@ -488,7 +488,7 @@
260
261	OPENSSL_assert(s->session->master_key_length >= 0
262	&& s->session->master_key_length
263	- < (int)sizeof(s->session->master_key));
264	+ <= (int)sizeof(s->session->master_key));
265	EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
266	EVP_DigestUpdate(&ctx,&c,1);
267	c++;
268	--- openssl-1.0.1l/ssl/s2_srvr.c
269	+++ openssl-1.0.1l/ssl/s2_srvr.c
270	@@ -454,10 +454,6 @@
271	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
272	return(-1);
273	}
274	- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
275	- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
276	- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
277	-
278	is_export=SSL_C_IS_EXPORT(s->session->cipher);
279
280	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
281	@@ -475,21 +471,59 @@
282	else
283	ek=5;
284
285	+ /*
286	+ * The format of the CLIENT-MASTER-KEY message is
287	+ * 1 byte message type
288	+ * 3 bytes cipher
289	+ * 2-byte clear key length (stored in s->s2->tmp.clear)
290	+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
291	+ * 2-byte key args length (IV etc)
292	+ * clear key
293	+ * encrypted key
294	+ * key args
295	+ *
296	+ * If the cipher is an export cipher, then the encrypted key bytes
297	+ * are a fixed portion of the total key (5 or 8 bytes). The size of
298	+ * this portion is in \|ek\|. If the cipher is not an export cipher,
299	+ * then the entire key material is encrypted (i.e., clear key length
300	+ * must be zero).
301	+ */
302	+ if ((!is_export && s->s2->tmp.clear != 0) \|\|
303	+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
304	+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
305	+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
306	+ return -1;
307	+ }
308	+ /*
309	+ * The encrypted blob must decrypt to the encrypted portion of the key.
310	+ * Decryption can't be expanding, so if we don't have enough encrypted
311	+ * bytes to fit the key in the buffer, stop now.
312	+ */
313	+ if ((is_export && s->s2->tmp.enc < ek) \|\|
314	+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
315	+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
316	+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
317	+ return -1;
318	+ }
319	+
320	+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
321	+ &(p[s->s2->tmp.clear]),
322	+ &(p[s->s2->tmp.clear]),
323	+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
324	+ RSA_PKCS1_PADDING);
325	+
326	/* bad decrypt */
327	#if 1
328	/* If a bad decrypt, continue with protocol but with a
329	* random master secret (Bleichenbacher attack) */
330	- if ((i < 0) \|\|
331	- ((!is_export && (i != EVP_CIPHER_key_length(c)))
332	- \|\| (is_export && ((i != ek) \|\| (s->s2->tmp.clear+(unsigned int)i !=
333	- (unsigned int)EVP_CIPHER_key_length(c))))))
334	- {
335	+ if ((i < 0) \|\| ((!is_export && i != EVP_CIPHER_key_length(c))
336	+ \|\| (is_export && i != ek))) {
337	ERR_clear_error();
338	if (is_export)
339	i=ek;
340	else
341	i=EVP_CIPHER_key_length(c);
342	- if (RAND_pseudo_bytes(p,i) <= 0)
343	+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
344	return 0;
345	}
346	#else
347	@@ -513,7 +547,8 @@
348	}
349	#endif
350
351	- if (is_export) i+=s->s2->tmp.clear;
352	+ if (is_export)
353	+ i = EVP_CIPHER_key_length(c);
354
355	if (i > SSL_MAX_MASTER_KEY_LENGTH)
356	{

Line 0 Link Here

(-)a/dev-libs/openssl/openssl-1.0.1l-r99.ebuild (-1 / +261 lines)
0	-	1	# Copyright 1999-2015 Gentoo Foundation
		2	# Distributed under the terms of the GNU General Public License v2
		3	# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-1.0.1l-r1.ebuild,v 1.5 2015/03/19 18:03:39 vapier Exp $
		4
		5	EAPI="4"
		6
		7	inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
		8
		9	REV="1.7"
		10	DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
		11	HOMEPAGE="http://www.openssl.org/"
		12	SRC_URI="mirror://openssl/source/${P}.tar.gz
		13	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
		14
		15	LICENSE="openssl"
		16	SLOT="0"
		17	KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
		18	IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
		19	RESTRICT="!bindist? ( bindist )"
		20
		21	# The blocks are temporary just to make sure people upgrade to a
		22	# version that lack runtime version checking. We'll drop them in
		23	# the future.
		24	RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
		25	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
		26	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
		27	abi_x86_32? (
		28	!<=app-emulation/emul-linux-x86-baselibs-20140406-r3
		29	!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
		30	)
		31	!<net-misc/openssh-5.9_p1-r4
		32	!<net-libs/neon-0.29.6-r1"
		33	DEPEND="${RDEPEND}
		34	sys-apps/diffutils
		35	>=dev-lang/perl-5
		36	test? ( sys-devel/bc )"
		37	PDEPEND="app-misc/ca-certificates"
		38
		39	src_unpack() {
		40	unpack ${P}.tar.gz
		41	SSL_CNF_DIR="/etc/ssl"
		42	sed \
		43	-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
		44	-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
		45	"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
		46	> "${WORKDIR}"/c_rehash \|\| die #416717
		47	}
		48
		49	MULTILIB_WRAPPED_HEADERS=(
		50	usr/include/openssl/opensslconf.h
		51	)
		52
		53	src_prepare() {
		54	# Make sure we only ever touch Makefile.org and avoid patching a file
		55	# that gets blown away anyways by the Configure script in src_configure
		56	rm -f Makefile
		57
		58	if ! use vanilla ; then
		59	epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
		60	epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
		61	epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
		62	epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch
		63	epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch
		64	epatch "${FILESDIR}"/${PN}-1.0.1h-ipv6.patch
		65	epatch "${FILESDIR}"/${PN}-1.0.1e-s_client-verify.patch #472584
66	epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086
67	epatch "${FILESDIR}"/${PN}-1.0.1l-CVE-2015-0286.patch #543552
68	epatch "${FILESDIR}"/${PN}-1.0.1c-force-termios.patch
69	epatch_user #332661
70	fi
71
72	# disable fips in the build
73	# make sure the man pages are suffixed #302165
74	# don't bother building man pages if they're disabled
75	sed -i \
76	-e '/DIRS/s: fips : :g' \
77	-e '/^MANSUFFIX/s:=.*:=ssl:' \
78	-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
79	-e $(has noman FEATURES \
80	&& echo '/^install:/s:install_docs::' \
81	\|\| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
82	Makefile.org \
83	\|\| die
84	# show the actual commands in the log
85	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
86
87	# since we're forcing $(CC) as makedep anyway, just fix
88	# the conditional as always-on
89	# helps clang (#417795), and versioned gcc (#499818)
90	sed -i 's/expr.MAKEDEPEND.;/true;/' util/domd \|\| die
91
92	# quiet out unknown driver argument warnings since openssl
93	# doesn't have well-split CFLAGS and we're making it even worse
94	# and 'make depend' uses -Werror for added fun (#417795 again)
95	[[ ${CC} == clang ]] && append-flags -Qunused-arguments
96
97	# allow openssl to be cross-compiled
98	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config \|\| die
99	chmod a+rx gentoo.config
100
101	append-flags -fno-strict-aliasing
102	append-flags $(test-flags-CC -Wa,--noexecstack)
103
104	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
105	# The config script does stupid stuff to prompt the user. Kill it.
106	sed -i '/stty -icanon min 0 time 50; read waste/d' config \|\| die
107	./config --test-sanity \|\| die "I AM NOT SANE"
108
109	multilib_copy_sources
110	}
111
112	multilib_src_configure() {
113	unset APPS #197996
114	unset SCRIPTS #312551
115	unset CROSS_COMPILE #311473
116
117	tc-export CC AR RANLIB RC
118
119	# Clean out patent-or-otherwise-encumbered code
120	# Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
121	# IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
122	# EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
123	# MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
124	# RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5
125
126	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
127	echoit() { echo "$@" ; "$@" ; }
128
129	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" \|\| echo "Heimdal")
130
131	# See if our toolchain supports __uint128_t. If so, it's 64bit
132	# friendly and can use the nicely optimized code paths. #460790
133	local ec_nistp_64_gcc_128
134	# Disable it for now though #469976
135	#if ! use bindist ; then
136	# echo "__uint128_t i;" > "${T}"/128.c
137	# if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
138	# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
139	# fi
140	#fi
141
142	local sslout=$(./gentoo.config)
143	einfo "Use configuration ${sslout:-(openssl knows best)}"
144	local config="Configure"
145	[[ -z ${sslout} ]] && config="config"
146
147	echoit \
148	./${config} \
149	${sslout} \
150	$(use cpu_flags_x86_sse2 \|\| echo "no-sse2") \
151	enable-camellia \
152	$(use_ssl !bindist ec) \
153	${ec_nistp_64_gcc_128} \
154	enable-idea \
155	enable-mdc2 \
156	$(use_ssl !bindist rc5) \
157	enable-tlsext \
158	$(use_ssl gmp gmp -lgmp) \
159	$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
160	$(use_ssl rfc3779) \
161	$(use_ssl tls-heartbeat heartbeats) \
162	$(use_ssl zlib) \
163	--prefix="${EPREFIX}"/usr \
164	--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
165	--libdir=$(get_libdir) \
166	shared threads \
167	\|\| die
168
169	# Clean out hardcoded flags that openssl uses
170	local CFLAG=$(grep ^CFLAG= Makefile \| LC_ALL=C sed \
171	-e 's:^CFLAG=::' \
172	-e 's:-fomit-frame-pointer ::g' \
173	-e 's:-O[0-9] ::g' \
174	-e 's:-march=[-a-z0-9]* ::g' \
175	-e 's:-mcpu=[-a-z0-9]* ::g' \
176	-e 's:-m[a-z0-9]* ::g' \
177	)
178	sed -i \
179	-e "/^CFLAG/s\|=.*\|=${CFLAG} ${CFLAGS}\|" \
180	-e "/^SHARED_LDFLAGS=/s\|$\| ${LDFLAGS}\|" \
181	Makefile \|\| die
182	}
183
184	multilib_src_compile() {
185	# depend is needed to use $confopts; it also doesn't matter
186	# that it's -j1 as the code itself serializes subdirs
187	emake -j1 depend
188	emake all
189	# rehash is needed to prep the certs/ dir; do this
190	# separately to avoid parallel build issues.
191	emake rehash
192	}
193
194	multilib_src_test() {
195	emake -j1 test
196	}
197
198	multilib_src_install() {
199	emake INSTALL_PREFIX="${D}" install
200	}
201
202	multilib_src_install_all() {
203	dobin "${WORKDIR}"/c_rehash #333117
204	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
205	dohtml -r doc/*
206	use rfc3779 && dodoc engines/ccgost/README.gost
207
208	# This is crappy in that the static archives are still built even
209	# when USE=static-libs. But this is due to a failing in the openssl
210	# build system: the static archives are built as PIC all the time.
211	# Only way around this would be to manually configure+compile openssl
212	# twice; once with shared lib support enabled and once without.
213	use static-libs \|\| rm -f "${ED}"/usr/lib/lib.a
214
215	# create the certs directory
216	dodir ${SSL_CNF_DIR}/certs
217	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ \|\| die
218	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
219
220	# Namespace openssl programs to prevent conflicts with other man pages
221	cd "${ED}"/usr/share/man
222	local m d s
223	for m in $(find . -type f \| xargs grep -L '#include') ; do
224	d=${m%/} ; d=${d#./} ; m=${m##/}
225	[[ ${m} == openssl.1* ]] && continue
226	[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
227	mv ${d}/{,ssl-}${m}
228	# fix up references to renamed man pages
229	sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
230	ln -s ssl-${m} ${d}/openssl-${m}
231	# locate any symlinks that point to this man page ... we assume
232	# that any broken links are due to the above renaming
233	for s in $(find -L ${d} -type l) ; do
234	s=${s##*/}
235	rm -f ${d}/${s}
236	ln -s ssl-${m} ${d}/ssl-${s}
237	ln -s ssl-${s} ${d}/openssl-${s}
238	done
239	done
240	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
241
242	dodir /etc/sandbox.d #254521
243	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
244
245	diropts -m0700
246	keepdir ${SSL_CNF_DIR}/private
247	}
248
249	pkg_preinst() {
250	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
251	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
252	}
253
254	pkg_postinst() {
255	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
256	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
257	eend $?
258
259	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
260	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
261	}