summaryrefslogtreecommitdiff
path: root/patches/source/openssl
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2018-05-25 23:29:36 +0000
committerEric Hameleers <alien@slackware.com>2018-05-31 15:13:35 -0700
commit9097b9a1f29939d4996b0a685847517d02f7b5ad (patch)
treec74b091b97e2f7655593b7e011e8b37bcf1e8611 /patches/source/openssl
parent75a4a592e5ccda30715f93563d741b83e0dcf39e (diff)
downloadcurrent-9097b9a1f29939d4996b0a685847517d02f7b5ad.tar.gz
Fri May 25 23:29:36 UTC 201813.37
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.37.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/openssl')
-rw-r--r--patches/source/openssl/certwatch130
-rw-r--r--patches/source/openssl/doinst.sh-openssl21
-rw-r--r--patches/source/openssl/doinst.sh-openssl-solibs12
-rwxr-xr-xpatches/source/openssl/openssl.SlackBuild199
-rw-r--r--patches/source/openssl/openssl.no.weak.sslv2.ciphers.diff51
-rw-r--r--patches/source/openssl/openssl.no.weak.sslv3.ciphers.diff356
-rw-r--r--patches/source/openssl/openssl.optsx86.diff11
-rw-r--r--patches/source/openssl/openssl.soname.diff11
-rw-r--r--patches/source/openssl/slack-desc.openssl19
-rw-r--r--patches/source/openssl/slack-desc.openssl-solibs19
10 files changed, 829 insertions, 0 deletions
diff --git a/patches/source/openssl/certwatch b/patches/source/openssl/certwatch
new file mode 100644
index 00000000..d52dc3dc
--- /dev/null
+++ b/patches/source/openssl/certwatch
@@ -0,0 +1,130 @@
+#!/bin/sh
+#
+# Will check all certificates stored in $CERTDIR for their expiration date,
+# and will display (if optional "stdout" argument is given), or mail a warning
+# message to $MAILADDR (if script is executed without any parameter
+# - unattended mode suitable for cron execution) for each particular certificate
+# that is about to expire in time less to, or equal to $DAYS after this script
+# has been executed, or if it has already expired.
+# This stupid script (C) 2006,2007 Jan Rafaj
+
+########################## CONFIGURATION SECTION BEGIN #########################
+# Note: all settings are mandatory
+# Warning will be sent if a certificate expires in time <= days given here
+DAYS=7
+# E-mail address where to send warnings
+MAILADDR=root
+# Directory with certificates to check
+CERTDIR=/etc/ssl/certs
+# Directory where to keep state files if this script isnt executed with "stdout"
+STATEDIR=/var/run
+########################### CONFIGURATION SECTION END ##########################
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAY_IN_SECS=$((60*60*24))
+DATE_CURRENT=$(date '+%s')
+
+usage()
+{
+ echo "Usage: $0 [stdout]"
+ echo
+ echo "Detailed description and configuration is embedded within the script."
+ exit 0
+}
+
+message()
+{
+ cat << EOF
+ WARNING: certificate $certfile
+ is about to expire in time equal to or less than $DAYS days from now on,
+ or has already expired - it might be a good idea to obtain/create new one.
+
+EOF
+}
+
+message_mail()
+{
+ message
+ cat << EOF
+ NOTE: This message is being sent only once.
+
+ A lock-file
+ $STATEDIR/certwatch-mailwarning-sent-$certfilebase
+ has been created, which will prevent this script from mailing you again
+ upon its subsequent executions by crond. You dont need to care about it;
+ the file will be auto-deleted as soon as you'll prolong your certificate.
+EOF
+}
+
+unset stdout
+case $# in
+ 0) ;;
+ 1) if [ "$1" = "-h" -o "$1" == "--help" ]; then
+ usage
+ elif [ "$1" = "stdout" ]; then
+ stdout=1
+ else
+ usage
+ fi
+ ;;
+ *) usage ;;
+esac
+
+for dir in $STATEDIR $CERTDIR ; do
+ if [ ! -d $dir ]; then
+ echo "ERROR: directory $dir does not exist"
+ exit 1
+ fi
+done
+for binary in basename date find grep mail openssl touch ; do
+ if [ ! \( -x /usr/bin/$binary -o -x /bin/$binary \) ]; then
+ echo "ERROR: /usr/bin/$binary not found"
+ exit 1
+ fi
+done
+
+find $CERTDIR -type f -maxdepth 1 | while read certfile ; do
+ if [ "$certfile" != "/etc/ssl/certs/ca-certificates.crt" ]; then
+ certfilebase="$(basename "$certfile")"
+ inform=PEM
+ echo "$certfile" | grep -q -i '\.net$'
+ if [ $? -eq 0 ]; then
+ # This is based purely on filename extension, so may give false results.
+ # But lets assume noone uses NET format certs today, ok?
+ continue
+ fi
+ echo "$certfile" | grep -q -i '\.der$'
+ if [ $? -eq 0 -o "$(file "$certfile" | egrep '(ASCII|PEM)')" == "" ]; then
+ inform=DER
+ fi
+ # We wont use '-checkend' since it is not properly documented (as of
+ # OpenSSL 0.9.8e).
+ DATE_CERT_EXPIRES=$(openssl x509 -in "$certfile" -inform $inform -noout -enddate | sed 's/^notAfter=//')
+ DATE_CERT_EXPIRES=$(date -d"$DATE_CERT_EXPIRES" +%s)
+ if [ $(($DATE_CERT_EXPIRES - $DATE_CURRENT)) -le $(($DAYS * $DAY_IN_SECS)) ]
+ then
+ if [ $stdout ]; then
+ message
+ else
+ if [ ! -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
+ subject="$0: certificate $certfile expiration warning"
+ message_mail | mail -r "certwatch@$HOSTNAME" \
+ -s "$subject" \
+ $MAILADDR 2>/dev/null
+ # echo "Mail about expiring certificate $certfile sent to $MAILADDR."
+ # echo "If you need to send it again, please remove lock-file"
+ # echo "$STATEDIR/certwatch-mailwarning-sent-$certfilebase ."
+ # echo
+ fi
+ touch $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
+ fi
+ else
+ if [ ! $stdout ]; then
+ if [ -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
+ rm $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
+ fi
+ fi
+ fi
+ fi
+done
+
diff --git a/patches/source/openssl/doinst.sh-openssl b/patches/source/openssl/doinst.sh-openssl
new file mode 100644
index 00000000..c92e6076
--- /dev/null
+++ b/patches/source/openssl/doinst.sh-openssl
@@ -0,0 +1,21 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+# If there is a known buggy certwatch script with no local
+# modifications, just replace it:
+if [ "$(md5sum etc/cron.daily/certwatch 2> /dev/null)" = "32556321806f1850d56cb2ef8384b7a1 etc/cron.daily/certwatch" ]; then
+ cat etc/cron.daily/certwatch.new > etc/cron.daily/certwatch
+ touch -r etc/cron.daily/certwatch.new etc/cron.daily/certwatch
+fi
+
+config etc/ssl/openssl.cnf.new
+config etc/cron.daily/certwatch.new
diff --git a/patches/source/openssl/doinst.sh-openssl-solibs b/patches/source/openssl/doinst.sh-openssl-solibs
new file mode 100644
index 00000000..ed4fdfac
--- /dev/null
+++ b/patches/source/openssl/doinst.sh-openssl-solibs
@@ -0,0 +1,12 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+config etc/ssl/openssl.cnf.new
diff --git a/patches/source/openssl/openssl.SlackBuild b/patches/source/openssl/openssl.SlackBuild
new file mode 100755
index 00000000..871b4307
--- /dev/null
+++ b/patches/source/openssl/openssl.SlackBuild
@@ -0,0 +1,199 @@
+#!/bin/sh
+
+# Copyright 2000 BSDi, Inc. Concord, CA, USA
+# Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA
+# Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2016 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# Set initial variables:
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+
+VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-2_slack13.37}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+PKG1=$TMP/package-openssl
+PKG2=$TMP/package-ossllibs
+NAME1=openssl-$VERSION-$ARCH-$BUILD
+NAME2=openssl-solibs-$VERSION-$ARCH-$BUILD
+
+NUMJOBS=${NUMJOBS:--j6}
+
+# So that ls has the right field counts for parsing...
+export LC_ALL=C
+
+cd $TMP
+rm -rf $PKG1 $PKG2 openssl-$VERSION
+tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1
+cd openssl-$VERSION
+
+# Use .so.0, not .so.0.9.8:
+zcat $CWD/openssl.soname.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1
+if [ "$ARCH" = "i486" ]; then
+ # Build with -march=i486 -mtune=i686:
+ zcat $CWD/openssl.optsx86.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ LIBDIRSUFFIX="64"
+fi
+
+# Mitigate DROWN:
+zcat $CWD/openssl.no.weak.sslv2.ciphers.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/openssl.no.weak.sslv3.ciphers.diff.gz | patch -p1 --verbose || exit 1
+
+# OpenSSL has a (nasty?) habit of bumping the internal version number with
+# every release. This wouldn't be so bad, but some applications are so
+# paranoid that they won't run against a different OpenSSL version than
+# what they were compiled against, whether or not the ABI has changed.
+#
+# So, we will use the OPENSSL_VERSION_NUMBER from openssl-0.9.8o unless ABI
+# breakage forces it to change. Yes, we're finally using this old trick. :)
+sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x009080efL (0.9.8o) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x009080efL/g" crypto/opensslv.h || exit 1
+
+chown -R root:root .
+mkdir -p $PKG1/usr/doc/openssl-$VERSION
+cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \
+ LICENSE NEWS README README.ENGINE doc $PKG1/usr/doc/openssl-$VERSION
+find $PKG1/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \;
+find $PKG1/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \;
+
+# If there's a CHANGES file, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r CHANGES ]; then
+ DOCSDIR=$(echo $PKG1/usr/doc/*-$VERSION)
+ cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES
+ touch -r CHANGES $DOCSDIR/CHANGES
+fi
+
+# These are the known patent issues with OpenSSL:
+# name # expires
+# MDC-2: 4,908,861 2007-03-13, included. :-)
+# IDEA: 5,214,703 2010-05-25, not included.
+# RC5: 5,724,428 2015-03-03, not included.
+
+./config \
+ --prefix=/usr \
+ --openssldir=/etc/ssl \
+ no-idea \
+ no-rc5 \
+ no-sse2 \
+ shared
+
+make $NUMJOBS depend || make depend || exit 1
+
+make $NUMJOBS || make || exit 1
+
+make install INSTALL_PREFIX=$PKG1 || exit 1
+
+# Use proper libdir:
+( cd $PKG1/usr; mv lib lib${LIBDIRSUFFIX} )
+
+# Make the .so.? library symlinks:
+( cd $PKG1/usr/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.* )
+
+# Move libraries, as they might be needed by programs that bring a network
+# mounted /usr online:
+
+mkdir $PKG1/lib${LIBDIRSUFFIX}
+( cd $PKG1/usr/lib${LIBDIRSUFFIX}
+ for file in lib*.so.?.* ; do
+ mv $file ../../lib${LIBDIRSUFFIX}
+ ln -sf ../../lib${LIBDIRSUFFIX}/$file .
+ done
+ cp -a lib*.so.? ../../lib${LIBDIRSUFFIX}
+)
+
+# Add a cron script to warn root if a certificate is going to expire soon:
+mkdir -p $PKG1/etc/cron.daily
+zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new
+chmod 755 $PKG1/etc/cron.daily/certwatch.new
+
+mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new
+
+( cd $PKG1
+ find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+ find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+)
+
+mv $PKG1/etc/ssl/man $PKG1/usr
+( cd $PKG1/usr/man/man1 ; mv passwd.1 ssl_passwd.1 )
+( cd $PKG1/usr/man/man3 ; mv rand.3 ssl_rand.3 )
+( cd $PKG1/usr/man/man3 ; mv err.3 ssl_err.3 )
+# Compress and symlink the man pages:
+if [ -d $PKG1/usr/man ]; then
+ ( cd $PKG1/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.?
+ )
+ done
+ )
+fi
+
+cd $PKG1
+chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig
+sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc
+mkdir -p install
+zcat $CWD/doinst.sh-openssl.gz > install/doinst.sh
+cat $CWD/slack-desc.openssl > install/slack-desc
+/sbin/makepkg -l y -c n $TMP/${NAME1}.txz
+
+# Make runtime package:
+mkdir -p $PKG2/lib${LIBDIRSUFFIX}
+( cd lib${LIBDIRSUFFIX} ; cp -a lib*.so.* $PKG2/lib${LIBDIRSUFFIX} )
+( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l * )
+mkdir -p $PKG2/etc
+( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . )
+mkdir -p $PKG2/usr/doc/openssl-$VERSION
+( cd $TMP/openssl-$VERSION
+ cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \
+ LICENSE NEWS README README.ENGINE $PKG2/usr/doc/openssl-$VERSION
+)
+
+# If there's a CHANGES file, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r CHANGES ]; then
+ DOCSDIR=$(echo $PKG2/usr/doc/*-$VERSION)
+ cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES
+ touch -r CHANGES $DOCSDIR/CHANGES
+fi
+
+find $PKG2/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \;
+find $PKG2/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \;
+cd $PKG2
+mkdir -p install
+zcat $CWD/doinst.sh-openssl-solibs.gz > install/doinst.sh
+cat $CWD/slack-desc.openssl-solibs > install/slack-desc
+/sbin/makepkg -l y -c n $TMP/${NAME2}.txz
diff --git a/patches/source/openssl/openssl.no.weak.sslv2.ciphers.diff b/patches/source/openssl/openssl.no.weak.sslv2.ciphers.diff
new file mode 100644
index 00000000..a7075ba4
--- /dev/null
+++ b/patches/source/openssl/openssl.no.weak.sslv2.ciphers.diff
@@ -0,0 +1,51 @@
+diff -u -r --new-file openssl-0.9.8zh.orig/ssl/s2_lib.c openssl-0.9.8zh/ssl/s2_lib.c
+--- openssl-0.9.8zh.orig/ssl/s2_lib.c 2015-12-03 08:59:08.000000000 -0600
++++ openssl-0.9.8zh/ssl/s2_lib.c 2016-03-01 18:29:20.998111828 -0600
+@@ -97,6 +97,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# if 0
+ /* RC4_128_EXPORT40_WITH_MD5 */
+ {
+ 1,
+@@ -110,6 +111,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* RC2_128_CBC_WITH_MD5 */
+ {
+ 1,
+@@ -123,6 +125,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# if 0
+ /* RC2_128_CBC_EXPORT40_WITH_MD5 */
+ {
+ 1,
+@@ -136,6 +139,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* IDEA_128_CBC_WITH_MD5 */
+ # ifndef OPENSSL_NO_IDEA
+ {
+@@ -151,6 +155,7 @@
+ SSL_ALL_STRENGTHS,
+ },
+ # endif
++# if 0
+ /* DES_64_CBC_WITH_MD5 */
+ {
+ 1,
+@@ -164,6 +169,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* DES_192_EDE3_CBC_WITH_MD5 */
+ {
+ 1,
diff --git a/patches/source/openssl/openssl.no.weak.sslv3.ciphers.diff b/patches/source/openssl/openssl.no.weak.sslv3.ciphers.diff
new file mode 100644
index 00000000..17326a56
--- /dev/null
+++ b/patches/source/openssl/openssl.no.weak.sslv3.ciphers.diff
@@ -0,0 +1,356 @@
+diff -u -r --new-file openssl-0.9.8zh.orig/ssl/s3_lib.c openssl-0.9.8zh/ssl/s3_lib.c
+--- openssl-0.9.8zh.orig/ssl/s3_lib.c 2015-12-03 08:59:08.000000000 -0600
++++ openssl-0.9.8zh/ssl/s3_lib.c 2016-03-01 18:42:26.295095103 -0600
+@@ -166,6 +166,7 @@
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 03 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_RSA_RC4_40_MD5,
+@@ -178,6 +179,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 04 */
+ {
+ 1,
+@@ -205,6 +207,7 @@
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 06 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_RSA_RC2_40_MD5,
+@@ -217,6 +220,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 07 */
+ #ifndef OPENSSL_NO_IDEA
+ {
+@@ -233,6 +237,7 @@
+ },
+ #endif
+ /* Cipher 08 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_RSA_DES_40_CBC_SHA,
+@@ -245,7 +250,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 09 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_RSA_DES_64_CBC_SHA,
+@@ -258,6 +265,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 0A */
+ {
+ 1,
+@@ -273,6 +281,7 @@
+ },
+ /* The DH ciphers */
+ /* Cipher 0B */
++# if 0
+ {
+ 0,
+ SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
+@@ -285,7 +294,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 0C */
++# if 0
+ {
+ 0,
+ SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
+@@ -298,6 +309,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 0D */
+ {
+ 0,
+@@ -312,6 +324,7 @@
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 0E */
++# if 0
+ {
+ 0,
+ SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
+@@ -324,7 +337,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 0F */
++# if 0
+ {
+ 0,
+ SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
+@@ -337,6 +352,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 10 */
+ {
+ 0,
+@@ -353,6 +369,7 @@
+
+ /* The Ephemeral DH ciphers */
+ /* Cipher 11 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
+@@ -365,7 +382,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 12 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
+@@ -378,6 +397,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 13 */
+ {
+ 1,
+@@ -392,6 +412,7 @@
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 14 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
+@@ -404,7 +425,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 15 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
+@@ -417,6 +440,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 16 */
+ {
+ 1,
+@@ -431,6 +455,7 @@
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 17 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_ADH_RC4_40_MD5,
+@@ -443,6 +468,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 18 */
+ {
+ 1,
+@@ -457,6 +483,7 @@
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 19 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_ADH_DES_40_CBC_SHA,
+@@ -469,7 +496,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 1A */
++# if 0
+ {
+ 1,
+ SSL3_TXT_ADH_DES_64_CBC_SHA,
+@@ -482,6 +511,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 1B */
+ {
+ 1,
+@@ -543,6 +573,7 @@
+
+ #ifndef OPENSSL_NO_KRB5
+ /* The Kerberos ciphers */
++# if 0
+ /* Cipher 1E */
+ {
+ 1,
+@@ -556,6 +587,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+
+ /* Cipher 1F */
+ {
+@@ -600,6 +632,7 @@
+ },
+
+ /* Cipher 22 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_64_CBC_MD5,
+@@ -612,6 +645,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+
+ /* Cipher 23 */
+ {
+@@ -656,6 +690,7 @@
+ },
+
+ /* Cipher 26 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_40_CBC_SHA,
+@@ -668,8 +703,10 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+
+ /* Cipher 27 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_KRB5_RC2_40_CBC_SHA,
+@@ -682,8 +719,10 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+
+ /* Cipher 28 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_KRB5_RC4_40_SHA,
+@@ -696,8 +735,10 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+
+ /* Cipher 29 */
++# if 0
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_40_CBC_MD5,
+@@ -710,8 +751,10 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+
+ /* Cipher 2A */
++# if 0
+ {
+ 1,
+ SSL3_TXT_KRB5_RC2_40_CBC_MD5,
+@@ -724,8 +767,10 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+
+ /* Cipher 2B */
++# if 0
+ {
+ 1,
+ SSL3_TXT_KRB5_RC4_40_MD5,
+@@ -738,6 +783,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ #endif /* OPENSSL_NO_KRB5 */
+
+ /* New AES ciphersuites */
+@@ -1007,6 +1053,7 @@
+ },
+ # endif
+ /* Cipher 62 */
++# if 0
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+@@ -1019,7 +1066,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 63 */
++# if 0
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+@@ -1032,7 +1081,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 64 */
++# if 0
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
+@@ -1045,7 +1096,9 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 65 */
++# if 0
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+@@ -1058,6 +1111,7 @@
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++# endif
+ /* Cipher 66 */
+ {
+ 1,
diff --git a/patches/source/openssl/openssl.optsx86.diff b/patches/source/openssl/openssl.optsx86.diff
new file mode 100644
index 00000000..a1a289a2
--- /dev/null
+++ b/patches/source/openssl/openssl.optsx86.diff
@@ -0,0 +1,11 @@
+--- ./Configure.orig 2005-08-02 03:59:42.000000000 -0700
++++ ./Configure 2005-10-12 20:04:43.000000000 -0700
+@@ -317,7 +317,7 @@
+ "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -mtune=i686 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+ ####
+ "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/patches/source/openssl/openssl.soname.diff b/patches/source/openssl/openssl.soname.diff
new file mode 100644
index 00000000..f660e93b
--- /dev/null
+++ b/patches/source/openssl/openssl.soname.diff
@@ -0,0 +1,11 @@
+--- ./Makefile.shared.orig 2005-06-23 13:47:54.000000000 -0700
++++ ./Makefile.shared 2005-10-12 20:02:28.000000000 -0700
+@@ -151,7 +151,7 @@
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB.0"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+
diff --git a/patches/source/openssl/slack-desc.openssl b/patches/source/openssl/slack-desc.openssl
new file mode 100644
index 00000000..57227c04
--- /dev/null
+++ b/patches/source/openssl/slack-desc.openssl
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssl: openssl (Secure Sockets Layer toolkit)
+openssl:
+openssl: The OpenSSL certificate management tool and the shared libraries that
+openssl: provide various encryption and decryption algorithms and protocols.
+openssl:
+openssl: This product includes software developed by the OpenSSL Project for
+openssl: use in the OpenSSL Toolkit (http://www.openssl.org). This product
+openssl: includes cryptographic software written by Eric Young
+openssl: (eay@cryptsoft.com). This product includes software written by Tim
+openssl: Hudson (tjh@cryptsoft.com).
+openssl:
diff --git a/patches/source/openssl/slack-desc.openssl-solibs b/patches/source/openssl/slack-desc.openssl-solibs
new file mode 100644
index 00000000..f65bf12c
--- /dev/null
+++ b/patches/source/openssl/slack-desc.openssl-solibs
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssl-solibs: openssl-solibs (OpenSSL shared libraries)
+openssl-solibs:
+openssl-solibs: These shared libraries provide encryption routines required by
+openssl-solibs: programs such as openssh. They are also used by KDE's Konqueror web
+openssl-solibs: browser to provide secure web connections.
+openssl-solibs:
+openssl-solibs: This product includes software developed by the OpenSSL Project for
+openssl-solibs: use in the OpenSSL Toolkit (http://www.openssl.org). This product
+openssl-solibs: includes cryptographic software written by Eric Young
+openssl-solibs: (eay@cryptsoft.com). This product includes software written by Tim
+openssl-solibs: Hudson (tjh@cryptsoft.com).