Add fix for s_client verify #472584 by Fabio Coatti. Disable 128bit math logic for now #469976 by Jim Faulkner.

Package-Manager: portage-2.2.0/cvs/Linux x86_64
Manifest-Sign-Key: 0xFB7C4156

4 files changed, 281 insertions, 15 deletions

diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog
index da676b557141..d254cdb92fb6 100644
--- a/dev-libs/openssl/ChangeLog
+++ b/dev-libs/openssl/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for dev-libs/openssl
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.495 2013/10/15 01:53:27 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.496 2013/10/23 16:10:35 vapier Exp $
+
+*openssl-1.0.1e-r2 (23 Oct 2013)
+
+  23 Oct 2013; Mike Frysinger <vapier@gentoo.org>
+  +files/openssl-1.0.1e-s_client-verify.patch, +openssl-1.0.1e-r2.ebuild:
+  Add fix for s_client verify #472584 by Fabio Coatti.  Disable 128bit math
+  logic for now #469976 by Jim Faulkner.
 
   15 Oct 2013; Mike Frysinger <vapier@gentoo.org> openssl-1.0.1e-r1.ebuild:
   Disable 5 second delay in config when building for some targets.
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index e5837f7df8d8..afdc6fff35bd 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -24,6 +24,7 @@ AUX openssl-1.0.1d-s3-packet.patch 2577 SHA256 e5f420d6251284142c5263c0e018071f7
 AUX openssl-1.0.1e-bad-mac-aes-ni.patch 1220 SHA256 484fe928925965e98bb0fccc14d6a1e2469507e513a4257a1741e725e9fabf8d SHA512 0c3ad477cd4a8e61e6235eda23b5efbf15aef23f3a753f30c35ec170236d9d3a52d11736d25b9995dd60cf534382b9ad7bf36aa6a95aa9fbd12a3019176d04f2 WHIRLPOOL 1e40dd340dc06e1d13447a72dcc6e6acaaab3270b118e37699bccab05ac6f47d196239bdec6be24182e46d57f2f5e3f927e64bb7346e6d4aa19b28155c2918c6
 AUX openssl-1.0.1e-ipv6.patch 18596 SHA256 430d15f2f62c2d7b9bbb968d3c1d3cea51c97d549e01683fd6befb20e2b60946 SHA512 15bfcafc8c173d2875954a43db19d15956619528a0fc356b6d36877f7434321071cf707d950767491261adc1e6403e56b3e014e3d0ffb6cef563daca00a128bd WHIRLPOOL d1dd63d00b166efb1ca9e5d8da931a47e571f5784e3b47780355553b4d0cf656885375e3fe7fc1554b6c5eb749371efeb370c7462e4fcc52c0dd85c6e2318ad8
 AUX openssl-1.0.1e-perl-5.18.patch 8211 SHA256 0d2263de7cd1e814cf7583a738d7c439dadb6f195793a29356186b336edc5a98 SHA512 4b56cae218af916c5d7f1006f0a17e34eebc6ee9fb08789db0b18b7e0d6ca7ea0b297efdc712f8951b4db55d15dffea33faa939d2daa42db6be61670e43f0412 WHIRLPOOL 78ced5c41dba502f93f92322516ac8774ff73ce236c7cf793f7e502822c8b0c288f2ed4360d89d2ff2bfaf969f6bd0cc12b28151eda0217197c60bf6a561d8cf
+AUX openssl-1.0.1e-s_client-verify.patch 592 SHA256 6f540fce663eefbe68cee16ad7d8d561d6c898eeb4180c2f4a4caa7e43c6d0c9 SHA512 117b1017e1259667078d3ccdcd9fd46357c6f85cf2702794f49c612b37acdc044fe88f871dbe46fcad9ed4cd8aaaaee800dddb5286203322802efd7549a43b68 WHIRLPOOL 70a4cc36b1dcb24d7e9bcef016684fb2394977f7f20aa332ebd0aa15e3f4c16c74563d2fc0ba8d70669f6cc9a13bf8a30cdb28ebafe2d102cd2859a4e32c38d7
 DIST openssl-0.9.8u.tar.gz 3781776 SHA256 0548e4b9171a62dcbbe85e63d9b897a35de718e0fe19b3fe56002c8f5a3ba587 SHA512 5c5998a74b70fb0624086d22f2bc16b6114819deae13c777f93e1c3cf0c1efc6e7adad4a8b00a45c1a112596ac9ea07330356af02d86a82667bb216327cdde34 WHIRLPOOL c6059d0fa69fea76f645afaa0b9d40ea9c5cab310d1e522aaba5b7176dbe89136af74e70577e16e0926c824f646ee3c6902cdc0c87305fd7693a9e4b7e1f4585
 DIST openssl-0.9.8v.tar.gz 3782207 SHA256 701ac4dbd27b9237919b214b53bc0d08e5e1448f2d0fbe1c80479293d2379a65 SHA512 5e625c69b6176bbb4acd0c4b5751d694591156f672e79fecd72c2a7e782e27cb67f0bfe2aea662b2e81f2f4c71ce9805bb5b8da023b368f35952b052e04520f9 WHIRLPOOL 66ea39d7f67259bf17f614de17e76c4c01e910aece24a3f9b107c7f0119809c8b86e098e92639d7c94417e45bc80c670cc3838520743b5ccc632905d1140d66f
 DIST openssl-0.9.8w.tar.gz 3782900 SHA256 537411fe2cfe249a8a5b98b3f809a07ed5f913b94a216b3c510fd353318e4593 SHA512 3d93c96ec5550ae6936b353aa48081b9d8a4adfbd5a51d58b44916961e56fb9aedd30621a99ca3618aa3c6b3e15f30a10457d98629ef6ee0c6cb5518606981ca WHIRLPOOL 0ebc673d02489be248b62f800a99d714b7751702fcb7050f40c2231b318aeb3c868cdd48abc9dcecd018139c30b6e23764d0525bafde17097699e9767a3534dd
@@ -52,23 +53,24 @@ EBUILD openssl-1.0.1c.ebuild 7295 SHA256 da1088596931cd88539039a0015a5183eb185aa
 EBUILD openssl-1.0.1d-r1.ebuild 7434 SHA256 26fb761323ea41e4ee192ce86dd9903487f944dabd496127c41acbc7c897710c SHA512 06d5da0341b8a009c1117b9ad1868b38b46ed80c857654580543819ab1506e56be0d135baf284afbd520c22793e4ee637414df2f7b9f3f43507732010f8f8703 WHIRLPOOL b7d153979c4076ec228e3f922abda7cc4ad4bb35d9631b33718ec998ad5afd08ae749710885033687dc54337deae777cc0a5afa2cfa4880c9201d169e686adc1
 EBUILD openssl-1.0.1d.ebuild 7245 SHA256 7d8ce014bc036419385d2081d3fa7ec650f60a06adbfa4121edebd71266393e5 SHA512 9449a3265ce876b62ae1c0a44ad031d4db3ebaa805a3bb65abb55562a865519cab6c7808f3668b08f9c02abf59dad3307169e0cd648779910f7ed81ecc7e8553 WHIRLPOOL ec43e086e774d114d4caeb85e13a496070436cae8332db5a47f24a001f7fe0374afb2e74fbac3ab0dd264e6ab12ecbca1ed2d1faacb285959224657926c06b81
 EBUILD openssl-1.0.1e-r1.ebuild 8054 SHA256 81e9e19c822c08711498cbb78f70338837ee50b6887439d2f6b4638e6bcb5f06 SHA512 6d8e5c80439f7474977ef8c199da4aa6519498d173f8a60adb0b3879ad4a5503e71dd929da7cc51da3babab8c80fd765c70d8d6aa44fb26a7990174c88d3b004 WHIRLPOOL 9e2241dbe521ec4c31c6c3947beae11905d2b8d71c5c9f90e66b500721d0a71ad1680f4b367c483c20186099086b3e261e15819c5173c09a7a17dbac6a5702e6
+EBUILD openssl-1.0.1e-r2.ebuild 8170 SHA256 364b19958f6426e429159dc6de1b59b955f382ad3e85d01235b9835ecee229de SHA512 1fef3a928f7874d868acfe6568fc090b41a288ce05002674d8feefa009b6ff4ad58d9f2db57f3aa45469cabd8fa179375d11b20794f5a0ef85ea7f218a409e66 WHIRLPOOL 28955035911b5867d4daef173de080915a77eee055682e6ac18655e97afca77bdfcfaecdeab4ce02cf97320e6059067eb612f505243d30b79e4b82ae5cb0420c
 EBUILD openssl-1.0.1e.ebuild 7381 SHA256 a9553f47c918bf1ad707391e8de7ce27dd4c0ca82c0f9995db74e208d7ed9127 SHA512 0a68cff5641931682bd1b23ad02ee74b235eac2f0020206f223d0b0de5e86bb12ab4d684fee6692e85dbd050693aeb42095e89c3653a94e406c8e3a518262bc5 WHIRLPOOL 7eea97e122a721c76ae1b9d0ed523e332d5f100808856f2e2dd0bf4733069b4123dd79b8cafe4c905d88769aa61dbb0eb3b089d5b6c9ce0a81e614e5718d473c
-MISC ChangeLog 74635 SHA256 d9d9d53bdd6cab6b2219db9e156bc950ec2d8a286a25736a979bf24fae7405ea SHA512 8b065322e4df150062a411f45b96d4314217926bbacde60f4908fec87cb7d06998c70d7ff3b4515d4ce9abe893d70ba34ea9af2080becf22652c248e08219ba6 WHIRLPOOL 77b7f35442e8526777a3223bd9df4c6f8c6ddff747f804f7214cab19f7b580854796b0e41fd7be537676c5320fc4a62468320216f3247ef22d9c3cf0af51d996
+MISC ChangeLog 74911 SHA256 92c662c02f13e376ae55e4418348454882949fbfeee2c8aa7714614960f5c4f3 SHA512 521ebc0d75ca87065b10ac5a6f6544fc0c4be9d0a1cf8bfea3f2be457d6755931a05cb695bc0bea6c1ec59ca85303607d189f809766a2bc79d7baac97c217cc0 WHIRLPOOL 41f02f77420a2b6d8e2e69879e3d35ac904ff0d90c990852c015efa355aefcd2b20b8b029c2127ad745b465f6d8bf24553f605057d86e5eb10bc1264c59dac75
 MISC metadata.xml 537 SHA256 dfb61bab6de1d7e943f92be14ed54fb9275d568a11d6ba29e395f23f547603ee SHA512 0417c438c7f9586c7bbe7694707fec94f2ecf6fb59e36bc87d707fab0b24346a6c9fac5e58c69302e767cd8a7e50a508cdb2430b2cdf8fcc88921286e09756e1 WHIRLPOOL 0f21bab1258c7ee675c27cb7d78a90985437dc8d001a232661657549cebd9f2f26802686435bdd3a1346c5a0ff14bfffa740d6ded2288dc211ad0183f5b3f686
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.20 (GNU/Linux)
 
-iQIcBAEBCAAGBQJSXKAdAAoJELEHsLL7fEFW/x8P/1zbGLdU2DcJTnQeD9sSx1N3
-av07lhZf/I/vi8lv7M6MZaNGN0RFKuJVQnVfNEBslAH1ycglBYIDibJFi2T5pKmB
-MFdWHVXdzS6jdQ7PpDksNz9D0C6SiFFTXwKty/E2k2RdpY/4rn/I1U6LnrKv+Que
-shDOZUwdCa4f3YkU2fwqvnS/UhjjW4+BdnO2Nt8SwWOw/nS0Cs72wUSsaOCh30tA
-4GQiq/eaqr2XyVI+6HzgOi2AoO1crl+RQpug6VXeLCPnR1Xp0l23nFAZIbvl1Wz3
-P//utz/9oaPBat78zDHyMLScGIxw+4h6acWtNbJcGLhBVJ6l8h3YRvfrxoMIdiW8
-mDS65LEZ9bW9Q2XiAnuHmD2L+Hjs/0yT+38Jdlae0c/G0aUI9edW2f2sgftvaKft
-QOE1fZxYo7FgzSsrl+V487erRgEcaZ3IdOWDNWV2CP/LW2XcpNMNh5F7ehOfSlP6
-2GOVkp0yNfWykkIKzIViqr4NCPjdJEFmkybBZLrE6Ya1EjhwZHZANtHbS8++jwQ+
-10Lstys1sITq3PTpwXVykrzb1Ieaw3HPVpPoeuK2/ljkYgfTVHDQDluMeiSIYe8G
-v5XqM20BioCQynz+lLqzEN28f8T/49zyY0kBrrNUIbSfx3DTT09kUQ2vVEOVDzX9
-JTSFb2nyNzcPIuXJQVNv
-=KXuv
+iQIcBAEBCAAGBQJSZ/T/AAoJELEHsLL7fEFWP9IP/18yKT/K/asweK/UOgEkcVmG
+ubGxV2f6dQaSioc3/dkxnrl95YP4ATx94NEwGNoncQ9uW+s1VNwx/PYwlO7CKRyq
+ucdLwQtohWAVYuScYDI3JES91BUeE0jsCbYYzY3DDDz+IGPGlT/HEvv1ck6jHb/G
+hEBkPO/InqfSf4ZMgiGqXKrKTiSsFt51Ys7SMZ+S7YhcEg4Ge5aFjM6gskZFko1Q
+vQtfhOwvP4ytzy9P6XqBGQ8jycvchFUov4Dv/bYQFxpk56FCn0GBV1KFdf6HyKKe
+MMHB37ygjG1cSBPXtuX2YlaDuFNvawfF7rINmYSJUZgFqB6fSBEwRIZtP3jgepNV
+zQe3pcUWTj0qLDJlCb7YdiAxXpdJDgrgXwb21Zw7Lxm3KHk/FuVBVLJ8df+Gnc5j
+K0P7c6aMnzn1cLuHbTH9UKgztVNNuocjVSlOMvTvBfwVTnKBVRBI1NBO2I/P2qhz
+LV+hyUuSm8C/oNIralHyLirQLKoSItotTDHzU13h6MBjTz1E5VZhzE+MJoKH64bO
+E743DyfDoQlGD0ntfjkfnMxYb5YaGcdbFzK0T9q6To3mY/OnWcZWOmV5xJVTPaUD
+70KYGL9cvVariqNQpMUbU1ZnCUOdy2TE6Uf6mbd2IqYntBOYV9csiWqbPXIX7qyF
+2lPeGwSQKAk8NIl+kLaU
+=b15t
 -----END PGP SIGNATURE-----
diff --git a/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch b/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch
new file mode 100644
index 000000000000..03e4f59989cb
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch
@@ -0,0 +1,18 @@
+https://bugs.gentoo.org/472584
+http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest
+
+fix verification handling in s_client.  when loading paths, make sure
+we properly fallback to setting the default paths.
+
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -899,7 +899,7 @@
+ 	if (!set_cert_key_stuff(ctx,cert,key))
+ 		goto end;
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
++	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) &&
+ 		(!SSL_CTX_set_default_verify_paths(ctx)))
+ 		{
+ 		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+
diff --git a/dev-libs/openssl/openssl-1.0.1e-r2.ebuild b/dev-libs/openssl/openssl-1.0.1e-r2.ebuild
new file mode 100644
index 000000000000..108b1db0fab3
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.1e-r2.ebuild
@@ -0,0 +1,239 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-1.0.1e-r2.ebuild,v 1.1 2013/10/23 16:10:35 vapier Exp $
+
+EAPI="4"
+
+inherit eutils flag-o-matic toolchain-funcs multilib
+
+REV="1.7"
+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${P}.tar.gz
+	http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib"
+
+# Have the sub-libs in RDEPEND with [static-libs] since, logically,
+# our libssl.a depends on libz.a/etc... at runtime.
+LIB_DEPEND="gmp? ( dev-libs/gmp[static-libs(+)] )
+	zlib? ( sys-libs/zlib[static-libs(+)] )
+	kerberos? ( app-crypt/mit-krb5 )"
+# The blocks are temporary just to make sure people upgrade to a
+# version that lack runtime version checking.  We'll drop them in
+# the future.
+RDEPEND="static-libs? ( ${LIB_DEPEND} )
+	!static-libs? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	!<net-misc/openssh-5.9_p1-r4
+	!<net-libs/neon-0.29.6-r1"
+DEPEND="${RDEPEND}
+	sys-apps/diffutils
+	>=dev-lang/perl-5
+	test? ( sys-devel/bc )"
+PDEPEND="app-misc/ca-certificates"
+
+src_unpack() {
+	unpack ${P}.tar.gz
+	SSL_CNF_DIR="/etc/ssl"
+	sed \
+		-e "/^DIR=/s:=.*:=${EPREFIX}${SSL_CNF_DIR}:" \
+		-e "s:SSL_CMD=/usr:SSL_CMD=${EPREFIX}/usr:" \
+		"${DISTDIR}"/${PN}-c_rehash.sh.${REV} \
+		> "${WORKDIR}"/c_rehash || die #416717
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421
+		epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743
+		epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch
+		epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch
+		epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch
+		epatch "${FILESDIR}"/${PN}-1.0.1e-ipv6.patch
+		epatch "${FILESDIR}"/${P}-bad-mac-aes-ni.patch #463444
+		epatch "${FILESDIR}"/${PN}-1.0.1e-perl-5.18.patch #483820
+		epatch "${FILESDIR}"/${PN}-1.0.1e-s_client-verify.patch #472584
+		epatch_user #332661
+	fi
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
+		Makefile.org \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die
+	chmod a+rx gentoo.config
+
+	append-flags -fno-strict-aliasing
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
+	# The config script does stupid stuff to prompt the user.  Kill it.
+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
+	./config --test-sanity || die "I AM NOT SANE"
+}
+
+src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+	unset CROSS_COMPILE #311473
+
+	tc-export CC AR RANLIB RC
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths. #460790
+	local ec_nistp_64_gcc_128
+	# Disable it for now though #469976
+	#if ! use bindist ; then
+	#	echo "__uint128_t i;" > "${T}"/128.c
+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#	fi
+	#fi
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		${ec_nistp_64_gcc_128} \
+		enable-idea \
+		enable-mdc2 \
+		$(use_ssl !bindist rc5) \
+		enable-tlsext \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl rfc3779) \
+		$(use_ssl tls-heartbeat heartbeats) \
+		$(use_ssl zlib) \
+		--prefix="${EPREFIX}"/usr \
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
+		--libdir=$(get_libdir) \
+		shared threads \
+		|| die
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+src_compile() {
+	# depend is needed to use $confopts; it also doesn't matter
+	# that it's -j1 as the code itself serializes subdirs
+	emake -j1 depend
+	emake all
+	# rehash is needed to prep the certs/ dir; do this
+	# separately to avoid parallel build issues.
+	emake rehash
+}
+
+src_test() {
+	emake -j1 test
+}
+
+src_install() {
+	emake INSTALL_PREFIX="${D}" install
+	dobin "${WORKDIR}"/c_rehash #333117
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+	dohtml -r doc/*
+	use rfc3779 && dodoc engines/ccgost/README.gost
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
+
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${ED}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		# fix up references to renamed man pages
+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
+
+	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}