Security bump (bug #543552)

(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC)
author: Lars Wendler <polynomial-c@gentoo.org> 2015-03-19 15:10:56 +0000
committer: Lars Wendler <polynomial-c@gentoo.org> 2015-03-19 15:10:56 +0000
commit: 5515b8f31809e49acb12bd306db6e01509982711 (patch)
tree: 5ccbb6e313c6424bd735db1ef972572869bdeffb /dev-libs/openssl
parent: Fix tcl/tk slotting; bump EAPI=5; fix for format-security (diff)
download: gentoo-2-5515b8f31809e49acb12bd306db6e01509982711.tar.gz
gentoo-2-5515b8f31809e49acb12bd306db6e01509982711.tar.bz2
gentoo-2-5515b8f31809e49acb12bd306db6e01509982711.zip
3 files changed, 493 insertions, 1 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog
index 9241a6d632be..f091aeb603f6 100644
--- a/dev-libs/openssl/ChangeLog
+++ b/dev-libs/openssl/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for dev-libs/openssl
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.632 2015/03/19 14:28:24 polynomial-c Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.633 2015/03/19 15:10:56 polynomial-c Exp $
+
+*openssl-0.9.8z_p5-r1 (19 Mar 2015)
+
+  19 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+  +openssl-0.9.8z_p5-r1.ebuild, +files/openssl-0.9.8ze-CVE-2015-0286.patch:
+  Security bump (bug #543552).
 
 *openssl-1.0.2-r3 (19 Mar 2015)
 *openssl-1.0.1l-r1 (19 Mar 2015)
diff --git a/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch b/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch
new file mode 100644
index 000000000000..facb77d203a1
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch
@@ -0,0 +1,326 @@
+--- openssl-0.9.8ze/crypto/asn1/a_type.c
++++ openssl-0.9.8ze/crypto/asn1/a_type.c
+@@ -121,6 +121,9 @@
+ 	case V_ASN1_OBJECT:
+ 		result = OBJ_cmp(a->value.object, b->value.object);
+ 		break;
++	case V_ASN1_BOOLEAN:
++		result = a->value.boolean - b->value.boolean;
++		break;
+ 	case V_ASN1_NULL:
+ 		result = 0;	/* They do not have content. */
+ 		break;
+--- openssl-0.9.8ze/crypto/asn1/tasn_dec.c
++++ openssl-0.9.8ze/crypto/asn1/tasn_dec.c
+@@ -128,11 +128,17 @@
+ 	{
+ 	ASN1_TLC c;
+ 	ASN1_VALUE *ptmpval = NULL;
+-	if (!pval)
+-		pval = &ptmpval;
+ 	c.valid = 0;
+-	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+-		return *pval;
++	if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
++	    ptmpval = *pval;
++	if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
++	    if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
++		if (*pval)
++		    ASN1_item_free(*pval, it);
++		*pval = ptmpval;
++	    }
++	    return ptmpval;
++	}
+ 	return NULL;
+ 	}
+ 
+@@ -309,9 +315,16 @@
+ 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+ 				goto auxerr;
+ 
+-		/* Allocate structure */
+-		if (!*pval && !ASN1_item_ex_new(pval, it))
+-			{
++		if (*pval) {
++		    /* Free up and zero CHOICE value if initialised */
++		    i = asn1_get_choice_selector(pval, it);
++		    if ((i >= 0) && (i < it->tcount)) {
++			tt = it->templates + i;
++			pchptr = asn1_get_field_ptr(pval, tt);
++			ASN1_template_free(pchptr, tt);
++			asn1_set_choice_selector(pval, -1, it);
++		    }
++		} else if (!ASN1_item_ex_new(pval, it)) {
+ 			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+ 						ERR_R_NESTED_ASN1_ERROR);
+ 			goto err;
+@@ -405,6 +418,17 @@
+ 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+ 				goto auxerr;
+ 
++		/* Free up and zero any ADB found */
++		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
++		    if (tt->flags & ASN1_TFLG_ADB_MASK) {
++			const ASN1_TEMPLATE *seqtt;
++			ASN1_VALUE **pseqval;
++			seqtt = asn1_do_adb(pval, tt, 1);
++			pseqval = asn1_get_field_ptr(pval, seqtt);
++			ASN1_template_free(pseqval, seqtt);
++		    }
++		}
++
+ 		/* Get each field entry */
+ 		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+ 			{
+--- openssl-0.9.8ze/crypto/pkcs7/pk7_doit.c
++++ openssl-0.9.8ze/crypto/pkcs7/pk7_doit.c
+@@ -151,6 +151,25 @@
+ 	EVP_PKEY *pkey;
+ 	ASN1_OCTET_STRING *os=NULL;
+ 
++    if (p7 == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
++	return NULL;
++    }
++    /*
++     * The content field in the PKCS7 ContentInfo is optional, but that really
++     * only applies to inner content (precisely, detached signatures).
++     *
++     * When reading content, missing outer content is therefore treated as an
++     * error.
++     *
++     * When creating content, PKCS7_content_new() must be called before
++     * calling this method, so a NULL p7->d is always an error.
++     */
++    if (p7->d.ptr == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
++	return NULL;
++    }
++
+ 	i=OBJ_obj2nid(p7->type);
+ 	p7->state=PKCS7_S_HEADER;
+ 
+@@ -344,6 +363,16 @@
+ 	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
+ 	PKCS7_RECIP_INFO *ri=NULL;
+ 
++    if (p7 == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
++	return NULL;
++    }
++    
++    if (p7->d.ptr == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
++	return NULL;
++    }
++
+ 	i=OBJ_obj2nid(p7->type);
+ 	p7->state=PKCS7_S_HEADER;
+ 
+@@ -637,6 +666,16 @@
+ 	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
+ 	ASN1_OCTET_STRING *os=NULL;
+ 
++    if (p7 == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
++	return 0;
++    }
++
++    if (p7->d.ptr == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
++	return 0;
++    }
++
+ 	EVP_MD_CTX_init(&ctx_tmp);
+ 	i=OBJ_obj2nid(p7->type);
+ 	p7->state=PKCS7_S_HEADER;
+@@ -668,6 +707,7 @@
+ 		/* If detached data then the content is excluded */
+ 		if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
+ 			M_ASN1_OCTET_STRING_free(os);
++			os = NULL;
+ 			p7->d.sign->contents->d.data = NULL;
+ 		}
+ 		break;
+@@ -678,6 +718,7 @@
+ 		if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
+ 			{
+ 			M_ASN1_OCTET_STRING_free(os);
++			os = NULL;
+ 			p7->d.digest->contents->d.data = NULL;
+ 			}
+ 		break;
+@@ -815,6 +856,11 @@
+ 
+ 	if (!PKCS7_is_detached(p7))
+ 		{
++		/*
++		 * NOTE(emilia): I think we only reach os == NULL here because detached
++		 */
++		if (os == NULL)
++		    goto err;
+ 		btmp=BIO_find_type(bio,BIO_TYPE_MEM);
+ 		if (btmp == NULL)
+ 			{
+@@ -849,6 +895,16 @@
+ 	STACK_OF(X509) *cert;
+ 	X509 *x509;
+ 
++    if (p7 == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
++	return 0;
++    }
++
++    if (p7->d.ptr == NULL) {
++	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
++	return 0;
++    }
++
+ 	if (PKCS7_type_is_signed(p7))
+ 		{
+ 		cert=p7->d.sign->cert;
+--- openssl-0.9.8ze/crypto/pkcs7/pk7_lib.c
++++ openssl-0.9.8ze/crypto/pkcs7/pk7_lib.c
+@@ -70,6 +70,7 @@
+ 
+ 	switch (cmd)
+ 		{
++	/* NOTE(emilia): does not support detached digested data. */
+ 	case PKCS7_OP_SET_DETACHED_SIGNATURE:
+ 		if (nid == NID_pkcs7_signed)
+ 			{
+@@ -473,6 +474,8 @@
+ 
+ STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
+ 	{
++	if (p7 == NULL || p7->d.ptr == NULL)
++		return NULL;
+ 	if (PKCS7_type_is_signed(p7))
+ 		{
+ 		return(p7->d.sign->signer_info);
+--- openssl-0.9.8ze/doc/crypto/d2i_X509.pod
++++ openssl-0.9.8ze/doc/crypto/d2i_X509.pod
+@@ -199,6 +199,12 @@
+ persist if they are not present in the new one. As a result the use
+ of this "reuse" behaviour is strongly discouraged.
+ 
++Current versions of OpenSSL will not modify B<*px> if an error occurs.
++If parsing succeeds then B<*px> is freed (if it is not NULL) and then
++set to the value of the newly decoded structure. As a result B<*px>
++B<must not> be allocated on the stack or an attempt will be made to
++free an invalid pointer.
++
+ i2d_X509() will not return an error in many versions of OpenSSL,
+ if mandatory fields are not initialized due to a programming error
+ then the encoded structure may contain invalid data or omit the
+@@ -210,7 +216,9 @@
+ 
+ d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
+ or B<NULL> if an error occurs. The error code that can be obtained by
+-L<ERR_get_error(3)|ERR_get_error(3)>. 
++L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
++with a valid X509 structure being passed in via B<px> then the object is not
++modified in the event of error.
+ 
+ i2d_X509() returns the number of bytes successfully encoded or a negative
+ value if an error occurs. The error code can be obtained by
+--- openssl-0.9.8ze/ssl/s2_lib.c
++++ openssl-0.9.8ze/ssl/s2_lib.c
+@@ -410,7 +410,7 @@
+ 
+ 		OPENSSL_assert(s->session->master_key_length >= 0
+ 		    && s->session->master_key_length
+-		    < (int)sizeof(s->session->master_key));
++		    <= (int)sizeof(s->session->master_key));
+ 		EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
+ 		EVP_DigestUpdate(&ctx,&c,1);
+ 		c++;
+--- openssl-0.9.8ze/ssl/s2_srvr.c
++++ openssl-0.9.8ze/ssl/s2_srvr.c
+@@ -446,10 +446,6 @@
+ 		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
+ 		return(-1);
+ 		}
+-	i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
+-		&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
+-		(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
+-
+ 	is_export=SSL_C_IS_EXPORT(s->session->cipher);
+ 	
+ 	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
+@@ -467,21 +463,59 @@
+ 	else
+ 		ek=5;
+ 
++	/*
++	 * The format of the CLIENT-MASTER-KEY message is
++	 * 1 byte message type
++	 * 3 bytes cipher
++	 * 2-byte clear key length (stored in s->s2->tmp.clear)
++	 * 2-byte encrypted key length (stored in s->s2->tmp.enc)
++	 * 2-byte key args length (IV etc)
++	 * clear key
++	 * encrypted key
++	 * key args
++	 *
++	 * If the cipher is an export cipher, then the encrypted key bytes
++	 * are a fixed portion of the total key (5 or 8 bytes). The size of
++	 * this portion is in |ek|. If the cipher is not an export cipher,
++	 * then the entire key material is encrypted (i.e., clear key length
++	 * must be zero).
++	 */
++	if ((!is_export && s->s2->tmp.clear != 0) ||
++	    (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
++	    ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
++	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
++	    return -1;
++	}
++	/*
++	 * The encrypted blob must decrypt to the encrypted portion of the key.
++	 * Decryption can't be expanding, so if we don't have enough encrypted
++	 * bytes to fit the key in the buffer, stop now.
++	 */
++	if ((is_export && s->s2->tmp.enc < ek) ||
++	    (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
++	    ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
++	    SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
++	    return -1;
++	}
++
++	i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
++				    &(p[s->s2->tmp.clear]),
++				    &(p[s->s2->tmp.clear]),
++				    (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
++				    RSA_PKCS1_PADDING);
++
+ 	/* bad decrypt */
+ #if 1
+ 	/* If a bad decrypt, continue with protocol but with a
+ 	 * random master secret (Bleichenbacher attack) */
+-	if ((i < 0) ||
+-		((!is_export && (i != EVP_CIPHER_key_length(c)))
+-		|| (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
+-			(unsigned int)EVP_CIPHER_key_length(c))))))
+-		{
++	if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
++			|| (is_export && i != ek))) {
+ 		ERR_clear_error();
+ 		if (is_export)
+ 			i=ek;
+ 		else
+ 			i=EVP_CIPHER_key_length(c);
+-		if (RAND_pseudo_bytes(p,i) <= 0)
++		if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
+ 			return 0;
+ 		}
+ #else
+@@ -505,7 +539,8 @@
+ 		}
+ #endif
+ 
+-	if (is_export) i+=s->s2->tmp.clear;
++	if (is_export)
++		i = EVP_CIPHER_key_length(c);
+ 
+ 	if (i > SSL_MAX_MASTER_KEY_LENGTH)
+ 		{
diff --git a/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild b/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild
new file mode 100644
index 000000000000..8c008c98dc00
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild
@@ -0,0 +1,160 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild,v 1.1 2015/03/19 15:10:56 polynomial-c Exp $
+
+# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+PLEVEL=$(echo "${PV##*_p}" | tr '[1-9]' '[a-i]')
+MY_PV=${PV/_p*/${PLEVEL}}
+MY_P=${PN}-${MY_PV}
+S="${WORKDIR}/${MY_P}"
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0.9.8"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
+
+RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+	kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r4
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)
+	!=dev-libs/openssl-0.9.8*:0"
+DEPEND="${RDEPEND}
+	sys-apps/diffutils
+	>=dev-lang/perl-5
+	test? ( sys-devel/bc )"
+
+# Do not install any docs
+DOCS=()
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
+	epatch "${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
+	epatch "${FILESDIR}"/${PN}-0.9.8ze-CVE-2015-0286.patch #543552
+
+	# disable fips in the build
+	# make sure the man pages are suffixed #302165
+	# don't bother building man pages if they're disabled
+	sed -i \
+		-e '/DIRS/s: fips : :g' \
+		-e '/^MANSUFFIX/s:=.*:=ssl:' \
+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+		-e $(has noman FEATURES \
+			&& echo '/^install:/s:install_docs::' \
+			|| echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
+		Makefile{,.org} \
+		|| die
+	# show the actual commands in the log
+	sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+	# update the enginedir path.
+	# punt broken config we don't care about as it fails sanity check.
+	sed -i \
+		-e '/^"debug-ben-debug-64"/d' \
+		-e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
+		Configure || die
+
+	# since we're forcing $(CC) as makedep anyway, just fix
+	# the conditional as always-on
+	# helps clang (#417795), and versioned gcc (#499818)
+	sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+	# quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (#417795 again)
+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
+	chmod a+rx gentoo.config
+
+	append-flags -fno-strict-aliasing
+	append-flags -Wa,--noexecstack
+
+	sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
+	sed -i '/^"debug-bodo/d' Configure # 0.9.8za shipped broken
+	./config --test-sanity || die "I AM NOT SANE"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	unset APPS #197996
+	unset SCRIPTS #312551
+
+	tc-export CC AR RANLIB
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		enable-idea \
+		enable-mdc2 \
+		$(use_ssl !bindist rc5) \
+		enable-tlsext \
+		$(use_ssl gmp gmp -lgmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl zlib) \
+		--prefix=/usr \
+		--openssldir=/etc/ssl \
+		shared threads \
+		|| die "Configure failed"
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^LIBDIR=/s|=.*|=$(get_libdir)|" \
+		-e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+		-e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+		Makefile || die
+}
+
+multilib_src_compile() {
+	# depend is needed to use $confopts
+	emake -j1 depend
+	emake -j1 build_libs
+}
+
+multilib_src_test() {
+	emake -j1 test
+}
+
+multilib_src_install() {
+	dolib.so lib{crypto,ssl}.so.0.9.8
+}
author	Lars Wendler <polynomial-c@gentoo.org>	2015-03-19 15:10:56 +0000
committer	Lars Wendler <polynomial-c@gentoo.org>	2015-03-19 15:10:56 +0000
commit	5515b8f31809e49acb12bd306db6e01509982711 (patch)
tree	5ccbb6e313c6424bd735db1ef972572869bdeffb /dev-libs/openssl
parent	Fix tcl/tk slotting; bump EAPI=5; fix for format-security (diff)
download	gentoo-2-5515b8f31809e49acb12bd306db6e01509982711.tar.gz gentoo-2-5515b8f31809e49acb12bd306db6e01509982711.tar.bz2 gentoo-2-5515b8f31809e49acb12bd306db6e01509982711.zip