- update to new upstream version, no soname bump needed

- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used so the compatibility with unfixed clients is not broken. The protocol extension is also not final.
2009-11-12 21:15:24 +00:00 · 2009-11-12 21:15:24 +00:00 · 27847ae318
commit 27847ae318
parent a650e4abcb
26 changed files with 833 additions and 2701 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1 @@
-openssl-1.0.0-beta3-usa.tar.bz2
+openssl-1.0.0-beta4-usa.tar.bz2
--- a/openssl-0.9.8b-aliasing-bug.patch
+++ b/openssl-0.9.8b-aliasing-bug.patch
@ -1,24 +0,0 @@
 This patch fixes a violation of the C aliasing rules that can cause
 miscompilation with some compiler versions.
 --- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig	2006-10-30 18:21:35.000000000 +0100
 +++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c	2006-10-30 18:21:37.000000000 +0100
@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 	{
 	void *ptr;
 -	DSO_FUNC_TYPE sym, *tsym = &sym;
 +	DSO_FUNC_TYPE sym;
 	if((dso == NULL) || (symname == NULL))
 		{
@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
 		return(NULL);
 		}
 -	*(void **)(tsym) = dlsym(ptr, symname);
 +	sym = dlsym(ptr, symname);
 	if(sym == NULL)
 		{
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
--- a/openssl-0.9.8j-ca-dir.patch
+++ b/openssl-0.9.8j-ca-dir.patch
@ -1,36 +0,0 @@
 diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
 --- openssl-0.9.8j/apps/openssl.cnf.ca-dir	2009-01-13 23:20:10.000000000 +0100
 +++ openssl-0.9.8j/apps/openssl.cnf	2009-01-13 23:20:10.000000000 +0100
@@ -34,7 +34,7 @@ default_ca	= CA_default		# The default c
 ####################################################################
 [ CA_default ]
 -dir		= ./demoCA		# Where everything is kept
 +dir		= /etc/pki/CA		# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
 --- openssl-0.9.8j/apps/CA.sh.ca-dir	2005-07-04 23:44:22.000000000 +0200
 +++ openssl-0.9.8j/apps/CA.sh	2009-01-13 23:20:10.000000000 +0100
@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
 VERIFY="$OPENSSL verify"
 X509="$OPENSSL x509"
 -CATOP=./demoCA
 +CATOP=/etc/pki/CA
 CAKEY=./cakey.pem
 CAREQ=./careq.pem
 CACERT=./cacert.pem
 diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
 --- openssl-0.9.8j/apps/CA.pl.in.ca-dir	2006-04-28 02:28:51.000000000 +0200
 +++ openssl-0.9.8j/apps/CA.pl.in	2009-01-13 23:20:10.000000000 +0100
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
 $X509="$openssl x509";
 $PKCS12="$openssl pkcs12";
 -$CATOP="./demoCA";
 +$CATOP="/etc/pki/CA";
 $CAKEY="cakey.pem";
 $CAREQ="careq.pem";
 $CACERT="cacert.pem";
--- a/openssl-1.0.0-beta3-camellia-rounds.patch
+++ b/openssl-1.0.0-beta3-camellia-rounds.patch
@ -1,12 +0,0 @@
 diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl
 --- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds	2009-09-15 12:09:08.000000000 +0200
 +++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl	2009-09-15 12:09:48.000000000 +0200
@@ -656,7 +656,7 @@ Camellia_cbc_encrypt:
 	mov	%rsi,$out		# out argument
 	mov	%r8,%rbx		# ivp argument
 	mov	%rcx,$key		# key argument
 -	mov	272(%rcx),$keyend	# grandRounds
 +	mov	272(%rcx),${keyend}d	# grandRounds
 	mov	%r8,$_ivp
 	mov	%rbp,$_rsp
--- a/openssl-1.0.0-beta3-const.patch
+++ b/openssl-1.0.0-beta3-const.patch
@ -1,36 +0,0 @@
 diff -up openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod
 --- openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const	2009-02-14 22:49:37.000000000 +0100
 +++ openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod	2009-08-22 16:15:32.000000000 +0200
@@ -11,7 +11,7 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits
  const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
  int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
  char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
 - char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
 + char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
 =head1 DESCRIPTION
 diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.const openssl-1.0.0-beta3/ssl/ssl_ciph.c
 --- openssl-1.0.0-beta3/ssl/ssl_ciph.c.const	2009-08-22 15:56:12.000000000 +0200
 +++ openssl-1.0.0-beta3/ssl/ssl_ciph.c	2009-08-22 15:56:12.000000000 +0200
@@ -1458,7 +1458,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
 	return(cipherstack);
 	}
 -char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 +char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	{
 	int is_export,pkl,kl;
 	const char *ver,*exp_str;
 diff -up openssl-1.0.0-beta3/ssl/ssl.h.const openssl-1.0.0-beta3/ssl/ssl.h
 --- openssl-1.0.0-beta3/ssl/ssl.h.const	2009-08-22 15:56:11.000000000 +0200
 +++ openssl-1.0.0-beta3/ssl/ssl.h	2009-08-22 15:56:12.000000000 +0200
@@ -1638,7 +1638,7 @@ long SSL_get_default_timeout(const SSL *
 int SSL_library_init(void );
 -char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
 +char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size);
 STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
 SSL *SSL_dup(SSL *ssl);
--- a/openssl-1.0.0-beta3-curl.patch
+++ b/openssl-1.0.0-beta3-curl.patch
@ -1,27 +0,0 @@
 diff -up openssl-1.0.0-beta3/apps/tsget.curl openssl-1.0.0-beta3/apps/tsget
 --- openssl-1.0.0-beta3/apps/tsget.curl	2006-02-13 00:11:21.000000000 +0100
 +++ openssl-1.0.0-beta3/apps/tsget	2009-08-21 15:37:24.000000000 +0200
@@ -7,7 +7,7 @@ use strict;
 use IO::Handle;
 use Getopt::Std;
 use File::Basename;
 -use WWW::Curl::easy;
 +use WWW::Curl::Easy;
 use vars qw(%options);
@@ -37,7 +37,7 @@ sub create_curl {
     my $url = shift;
     # Create Curl object.
 -    my $curl = WWW::Curl::easy::new();
 +    my $curl = WWW::Curl::Easy::new();
     # Error-handling related options.
     $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
@@ -192,4 +192,4 @@ REQUEST: foreach (@ARGV) {
     STDERR->printflush(", $output written.\n") if $options{v};
 }
 $curl->cleanup();
 -WWW::Curl::easy::global_cleanup();
 +WWW::Curl::Easy::global_cleanup();
--- a/openssl-1.0.0-beta3-dss1.patch
+++ b/openssl-1.0.0-beta3-dss1.patch
@ -1,11 +0,0 @@
 diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c.dss1 openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c
 --- openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c.dss1	2008-11-05 19:38:56.000000000 +0100
 +++ openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c	2009-08-31 12:53:47.000000000 +0200
@@ -186,6 +186,7 @@ static int pkey_dsa_ctrl(EVP_PKEY_CTX *c
 		case EVP_PKEY_CTRL_MD:
 		if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1   &&
 +		    EVP_MD_type((const EVP_MD *)p2) != NID_dsa    &&
 		    EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
 		    EVP_MD_type((const EVP_MD *)p2) != NID_sha256)
 			{
--- a/openssl-1.0.0-beta3-dtls1-fix.patch
+++ b/openssl-1.0.0-beta3-dtls1-fix.patch
@ -1,28 +0,0 @@
 Index: openssl/ssl/d1_clnt.c
 RCS File: /v/openssl/cvs/openssl/ssl/d1_clnt.c,v
 rcsdiff -q -kk '-r1.16.2.10' '-r1.16.2.11' -u '/v/openssl/cvs/openssl/ssl/d1_clnt.c,v' 2>/dev/null
 --- openssl/ssl/d1_clnt.c 2009/07/15 11:32:57 1.16.2.10
 +++ openssl/ssl/d1_clnt.c 2009/07/24 11:52:32 1.16.2.11
@@ -223,6 +223,8 @@
 			s->init_num=0;
 			/* mark client_random uninitialized */
 			memset(s->s3->client_random,0,sizeof(s->s3->client_random));
 +			s->d1->send_cookie = 0;
 +			s->hit = 0;
 			break;
 		case SSL3_ST_CW_CLNT_HELLO_A:
 Index: openssl/ssl/d1_pkt.c
 RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
 rcsdiff -q -kk '-r1.27.2.13' '-r1.27.2.14' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
 --- openssl/ssl/d1_pkt.c 2009/07/13 11:44:04 1.27.2.13
 +++ openssl/ssl/d1_pkt.c 2009/07/24 11:52:32 1.27.2.14
@@ -775,7 +775,7 @@
 	/* Check for timeout */
 	if (dtls1_is_timer_expired(s))
 		{
 -		if (dtls1_read_failed(s, -1) > 0);
 +		if (dtls1_read_failed(s, -1) > 0)
 			goto start;
 		}
--- a/openssl-1.0.0-beta3-enginesdir.patch
+++ b/openssl-1.0.0-beta3-enginesdir.patch
@ -1,52 +0,0 @@
 diff -up openssl-1.0.0-beta3/Configure.enginesdir openssl-1.0.0-beta3/Configure
 --- openssl-1.0.0-beta3/Configure.enginesdir	2009-08-10 19:46:32.000000000 +0200
 +++ openssl-1.0.0-beta3/Configure	2009-08-10 19:46:32.000000000 +0200
@@ -616,6 +616,7 @@ my $idx_multilib = $idx++;
 my $prefix="";
 my $openssldir="";
 +my $enginesdir="";
 my $exe_ext="";
 my $install_prefix="";
 my $cross_compile_prefix="";
@@ -820,6 +821,10 @@ PROCESS_ARGS:
 				{
 				$openssldir=$1;
 				}
 +			elsif (/^--enginesdir=(.*)$/)
 +				{
 +				$enginesdir=$1;
 +				}
 			elsif (/^--install.prefix=(.*)$/)
 				{
 				$install_prefix=$1;
@@ -1037,7 +1042,7 @@ chop $prefix if $prefix =~ /.\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
 $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 -
 +$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
 print "IsMK1MF=$IsMK1MF\n";
@@ -1645,7 +1650,7 @@ while (<IN>)
 		# $foo is to become "$prefix/lib$multilib/engines";
 		# as Makefile.org and engines/Makefile are adapted for
 		# $multilib suffix.
 -		my $foo = "$prefix/lib/engines";
 +		my $foo = "$enginesdir";
 		$foo =~ s/\\/\\\\/g;
 		print OUT "#define ENGINESDIR \"$foo\"\n";
 		}
 diff -up openssl-1.0.0-beta3/engines/Makefile.enginesdir openssl-1.0.0-beta3/engines/Makefile
 --- openssl-1.0.0-beta3/engines/Makefile.enginesdir	2009-06-14 04:37:22.000000000 +0200
 +++ openssl-1.0.0-beta3/engines/Makefile	2009-08-10 19:46:48.000000000 +0200
@@ -123,7 +123,7 @@ install:
 				sfx=".so"; \
 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
 			  fi; \
 -			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
 +			  chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx ); \
 		done; \
 	fi
--- a/openssl-1.0.0-beta3-fipsmode.patch
+++ b/openssl-1.0.0-beta3-fipsmode.patch
@ -222,7 +222,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cbc());
 	EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -115,6 +121,38 @@ int SSL_library_init(void)
+@@ -115,6 +121,40 @@ int SSL_library_init(void)
 	EVP_add_digest(EVP_sha());
 	EVP_add_digest(EVP_dss());
 #endif
@ -241,6 +241,8 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
 +#ifndef OPENSSL_NO_MD5
 +	/* needed even in the FIPS mode for TLS MAC */
 +	EVP_add_digest(EVP_md5());
 +	EVP_add_digest_alias(SN_md5,"ssl2-md5");
 +	EVP_add_digest_alias(SN_md5,"ssl3-md5");
 +#endif
 +#ifndef OPENSSL_NO_SHA
 +	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
--- a/openssl-1.0.0-beta3-krb5.patch
+++ b/openssl-1.0.0-beta3-krb5.patch
@ -1,12 +0,0 @@
 diff -up openssl-1.0.0-beta3/Makefile.org.krb5 openssl-1.0.0-beta3/Makefile.org
 --- openssl-1.0.0-beta3/Makefile.org.krb5	2009-04-23 18:12:09.000000000 +0200
 +++ openssl-1.0.0-beta3/Makefile.org	2009-08-04 23:01:16.000000000 +0200
@@ -299,7 +299,7 @@ build-shared: do_$(SHLIB_TARGET) link-sh
 do_$(SHLIB_TARGET):
 	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
 -		if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 +		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
--- a/openssl-1.0.0-beta3-namingblk.patch
+++ b/openssl-1.0.0-beta3-namingblk.patch
@ -1,253 +0,0 @@
 Index: openssl/crypto/asn1/a_set.c
 RCS File: /v/openssl/cvs/openssl/crypto/asn1/a_set.c,v
 rcsdiff -q -kk '-r1.20' '-r1.20.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/a_set.c,v' 2>/dev/null
 --- openssl/crypto/asn1/a_set.c 2009/01/01 18:30:50 1.20
 +++ openssl/crypto/asn1/a_set.c 2009/07/27 21:21:25 1.20.2.1
@@ -85,7 +85,7 @@
     }
 /* int is_set:  if TRUE, then sort the contents (i.e. it isn't a SEQUENCE)    */
 -int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
 +int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
 		 i2d_of_void *i2d, int ex_tag, int ex_class,
 		 int is_set)
 	{
@@ -97,8 +97,8 @@
         int totSize;
 	if (a == NULL) return(0);
 -	for (i=sk_BLOCK_num(a)-1; i>=0; i--)
 -		ret+=i2d(sk_BLOCK_value(a,i),NULL);
 +	for (i=sk_OPENSSL_BLOCK_num(a)-1; i>=0; i--)
 +		ret+=i2d(sk_OPENSSL_BLOCK_value(a,i),NULL);
 	r=ASN1_object_size(1,ret,ex_tag);
 	if (pp == NULL) return(r);
@@ -109,10 +109,10 @@
 	/* And then again by Ben */
 	/* And again by Steve */
 -	if(!is_set || (sk_BLOCK_num(a) < 2))
 +	if(!is_set || (sk_OPENSSL_BLOCK_num(a) < 2))
 		{
 -		for (i=0; i<sk_BLOCK_num(a); i++)
 -                	i2d(sk_BLOCK_value(a,i),&p);
 +		for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
 +                	i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
 		*pp=p;
 		return(r);
@@ -120,17 +120,17 @@
         pStart  = p; /* Catch the beg of Setblobs*/
 		/* In this array we will store the SET blobs */
 -		rgSetBlob = OPENSSL_malloc(sk_BLOCK_num(a) * sizeof(MYBLOB));
 +		rgSetBlob = OPENSSL_malloc(sk_OPENSSL_BLOCK_num(a) * sizeof(MYBLOB));
 		if (rgSetBlob == NULL)
 			{
 			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
 			return(0);
 			}
 -        for (i=0; i<sk_BLOCK_num(a); i++)
 +        for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
 	        {
                 rgSetBlob[i].pbData = p;  /* catch each set encode blob */
 -                i2d(sk_BLOCK_value(a,i),&p);
 +                i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
                 rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
 SetBlob
 */
@@ -140,7 +140,7 @@
  /* Now we have to sort the blobs. I am using a simple algo.
     *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
 -        qsort( rgSetBlob, sk_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
 +        qsort( rgSetBlob, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
 		if (!(pTempMem = OPENSSL_malloc(totSize)))
 			{
 			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
@@ -149,7 +149,7 @@
 /* Copy to temp mem */
         p = pTempMem;
 -        for(i=0; i<sk_BLOCK_num(a); ++i)
 +        for(i=0; i<sk_OPENSSL_BLOCK_num(a); ++i)
 		{
                 memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
                 p += rgSetBlob[i].cbData;
@@ -163,17 +163,18 @@
         return(r);
         }
 -STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
 +STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
 +			      const unsigned char **pp,
 			      long length, d2i_of_void *d2i,
 -			      void (*free_func)(BLOCK), int ex_tag,
 +			      void (*free_func)(OPENSSL_BLOCK), int ex_tag,
 			      int ex_class)
 	{
 	ASN1_const_CTX c;
 -	STACK_OF(BLOCK) *ret=NULL;
 +	STACK_OF(OPENSSL_BLOCK) *ret=NULL;
 	if ((a == NULL) || ((*a) == NULL))
 		{
 -		if ((ret=sk_BLOCK_new_null()) == NULL)
 +		if ((ret=sk_OPENSSL_BLOCK_new_null()) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
 			goto err;
@@ -221,7 +222,7 @@
 			asn1_add_error(*pp,(int)(c.p- *pp));
 			goto err;
 			}
 -		if (!sk_BLOCK_push(ret,s)) goto err;
 +		if (!sk_OPENSSL_BLOCK_push(ret,s)) goto err;
 		}
 	if (a != NULL) (*a)=ret;
 	*pp=c.p;
@@ -230,9 +231,9 @@
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		{
 		if (free_func != NULL)
 -			sk_BLOCK_pop_free(ret,free_func);
 +			sk_OPENSSL_BLOCK_pop_free(ret,free_func);
 		else
 -			sk_BLOCK_free(ret);
 +			sk_OPENSSL_BLOCK_free(ret);
 		}
 	return(NULL);
 	}
 Index: openssl/crypto/asn1/asn1.h
 RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn1.h,v
 rcsdiff -q -kk '-r1.166.2.3' '-r1.166.2.4' -u '/v/openssl/cvs/openssl/crypto/asn1/asn1.h,v' 2>/dev/null
 --- openssl/crypto/asn1/asn1.h 2009/07/24 11:15:55 1.166.2.3
 +++ openssl/crypto/asn1/asn1.h 2009/07/27 21:21:25 1.166.2.4
@@ -887,12 +887,13 @@
 ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
 int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
 -int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
 +int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
 		 i2d_of_void *i2d, int ex_tag, int ex_class,
 		 int is_set);
 -STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
 +STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
 +			      const unsigned char **pp,
 			      long length, d2i_of_void *d2i,
 -			      void (*free_func)(BLOCK), int ex_tag,
 +			      void (*free_func)(OPENSSL_BLOCK), int ex_tag,
 			      int ex_class);
 #ifndef OPENSSL_NO_BIO
@@ -1045,9 +1046,9 @@
 int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
 	unsigned char *data, int max_len);
 -STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
 -				 d2i_of_void *d2i, void (*free_func)(BLOCK));
 -unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
 +STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
 +				 d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK));
 +unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
 			     unsigned char **buf, int *len );
 void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i);
 void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
 Index: openssl/crypto/asn1/asn_pack.c
 RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v
 rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v' 2>/dev/null
 --- openssl/crypto/asn1/asn_pack.c 2008/11/12 03:57:49 1.19
 +++ openssl/crypto/asn1/asn_pack.c 2009/07/27 21:21:25 1.19.2.1
@@ -66,10 +66,10 @@
 /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
 -STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
 -				 d2i_of_void *d2i, void (*free_func)(BLOCK))
 +STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
 +			 d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK))
 {
 -    STACK_OF(BLOCK) *sk;
 +    STACK_OF(OPENSSL_BLOCK) *sk;
     const unsigned char *pbuf;
     pbuf =  buf;
     if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
@@ -82,7 +82,7 @@
  * OPENSSL_malloc'ed buffer
  */
 -unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
 +unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
 			     unsigned char **buf, int *len)
 {
 	int safelen;
 Index: openssl/crypto/stack/safestack.h
 RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v
 rcsdiff -q -kk '-r1.72.2.4' '-r1.72.2.5' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null
 --- openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4
 +++ openssl/crypto/stack/safestack.h 2009/07/27 21:21:25 1.72.2.5
@@ -128,8 +128,8 @@
  * nul-terminated. These should also be distinguished from "normal"
  * stacks. */
 -typedef void *BLOCK;
 -DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 +typedef void *OPENSSL_BLOCK;
 +DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 /* SKM_sk_... stack macros are internal to safestack.h:
  * never use them directly, use sk_<type>_... instead */
@@ -2055,29 +2055,29 @@
 #define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
 -#define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
 -#define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null())
 -#define sk_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
 -#define sk_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
 -#define sk_BLOCK_value(st, i) ((BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(BLOCK), st), i))
 -#define sk_BLOCK_num(st) SKM_sk_num(BLOCK, st)
 -#define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func))
 -#define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i)
 -#define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st)
 -#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val))
 -#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st))
 -#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
 -#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
 -#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i))
 -#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr))
 -#define sk_BLOCK_set_cmp_func(st, cmp)  \
 +#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
 +#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
 +#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
 +#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
 +#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i))
 +#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
 +#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
 +#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i)
 +#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
 +#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val))
 +#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
 +#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
 +#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
 +#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
 +#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr))
 +#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp)  \
 	((int (*)(const void * const *,const void * const *)) \
 -	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
 -#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st)
 -#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st))
 -#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st))
 -#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st))
 -#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st))
 +	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
 +#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
 +#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
 +#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st))
 +#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
 +#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
 #define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
--- a/openssl-1.0.0-beta3-namingstr.patch
+++ b/openssl-1.0.0-beta3-namingstr.patch
--- a/openssl-1.0.0-beta3-ssl-free.patch
+++ b/openssl-1.0.0-beta3-ssl-free.patch
@ -1,31 +0,0 @@
 diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free openssl-1.0.0-beta3/ssl/ssl_lib.c
 --- openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free	2009-10-08 20:44:26.000000000 +0200
 +++ openssl-1.0.0-beta3/ssl/ssl_lib.c	2009-10-16 11:56:53.000000000 +0200
@@ -556,7 +556,6 @@ void SSL_free(SSL *s)
 	if (s->cert != NULL) ssl_cert_free(s->cert);
 	/* Free up if allocated */
 -	if (s->ctx) SSL_CTX_free(s->ctx);
 #ifndef OPENSSL_NO_TLSEXT
 	if (s->tlsext_hostname)
 		OPENSSL_free(s->tlsext_hostname);
@@ -580,6 +579,8 @@ void SSL_free(SSL *s)
 	if (s->method != NULL) s->method->ssl_free(s);
 +	if (s->ctx) SSL_CTX_free(s->ctx);
 +
 #ifndef	OPENSSL_NO_KRB5
 	if (s->kssl_ctx != NULL)
 		kssl_ctx_free(s->kssl_ctx);
 diff -up openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear openssl-1.0.0-beta3/ssl/s3_lib.c
 --- openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear	2009-05-28 20:10:47.000000000 +0200
 +++ openssl-1.0.0-beta3/ssl/s3_lib.c	2009-10-16 09:50:24.000000000 +0200
@@ -2211,6 +2211,7 @@ void ssl3_clear(SSL *s)
  	wlen = s->s3->wbuf.len;
 	if (s->s3->handshake_buffer) {
 		BIO_free(s->s3->handshake_buffer);
 +		s->s3->handshake_buffer = NULL;
 	}
 	if (s->s3->handshake_dgst) {
 		ssl3_free_digest_list(s);
--- a/openssl-1.0.0-beta3-ssl-session.patch
+++ b/openssl-1.0.0-beta3-ssl-session.patch
@ -1,27 +0,0 @@
 Index: openssl/ssl/ssl_asn1.c
 RCS File: /v/openssl/cvs/openssl/ssl/ssl_asn1.c,v
 rcsdiff -q -kk '-r1.36.2.2' '-r1.36.2.3' -u '/v/openssl/cvs/openssl/ssl/ssl_asn1.c,v' 2>/dev/null
 --- openssl/ssl/ssl_asn1.c 2009/08/05 15:29:14 1.36.2.2
 +++ openssl/ssl/ssl_asn1.c 2009/09/02 13:20:22 1.36.2.3
@@ -413,8 +413,8 @@
 		}
 	else
 		{
 -		SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
 -		return(NULL);
 +		c.error=SSL_R_UNKNOWN_SSL_VERSION;
 +		goto err;
 		}
 	ret->cipher=NULL;
@@ -505,8 +505,8 @@
 	    {
 	    if (os.length > SSL_MAX_SID_CTX_LENGTH)
 		{
 -		ret->sid_ctx_length=os.length;
 -		SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
 +		c.error=SSL_R_BAD_LENGTH;
 +		goto err;
 		}
 	    else
 		{
--- a/openssl-1.0.0-beta4-algo-doc.patch
+++ b/openssl-1.0.0-beta4-algo-doc.patch
@ -1,6 +1,6 @@
-diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
--- openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc	2004-05-20 23:39:50.000000000 +0200
+--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc	2009-10-16 17:29:34.000000000 +0200
-+++ openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod	2009-06-30 12:04:47.000000000 +0200
+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod	2009-11-12 14:13:21.000000000 +0100
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
 EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
 EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
@ -45,8 +45,8 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
 +signature algorithm is RSA in each case.
 EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
- algorithms but using DSS (DSA) for the signature algorithm.
+ algorithms but using DSS (DSA) for the signature algorithm. Note: there is 
-@@ -156,7 +163,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
+@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
 EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
 size in bytes.
@ -56,9 +56,9 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
 EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
 corresponding EVP_MD structures.
-diff -up openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
--- openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
+--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
-+++ openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod	2009-06-30 12:04:47.000000000 +0200
+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod	2009-11-12 14:11:03.000000000 +0100
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher 
  int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
  int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
--- a/openssl-1.0.0-beta4-binutils.patch
+++ b/openssl-1.0.0-beta4-binutils.patch
@ -0,0 +1,56 @@
 diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl
 --- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils	2009-11-12 15:17:29.000000000 +0100
 +++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl	2009-11-12 17:26:08.000000000 +0100
@@ -19,6 +19,7 @@ my $code;
 sub round1_step
 {
     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
 +    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
     $code .= " mov	0*4(%rsi),	%r10d		/* (NEXT STEP) X[0] */\n" if ($pos == -1);
     $code .= " mov	%edx,		%r11d		/* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
     $code .= <<EOF;
@@ -43,6 +44,7 @@ EOF
 sub round2_step
 {
     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
 +    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
     $code .= " mov	1*4(%rsi),	%r10d		/* (NEXT STEP) X[1] */\n" if ($pos == -1);
     $code .= " mov	%edx,		%r11d		/* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
     $code .= " mov	%edx,		%r12d		/* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
@@ -69,6 +71,7 @@ EOF
 sub round3_step
 {
     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
 +    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
     $code .= " mov	5*4(%rsi),	%r10d		/* (NEXT STEP) X[5] */\n" if ($pos == -1);
     $code .= " mov	%ecx,		%r11d		/* (NEXT STEP) y' = %ecx */\n" if ($pos == -1);
     $code .= <<EOF;
@@ -91,6 +94,7 @@ EOF
 sub round4_step
 {
     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
 +    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
     $code .= " mov	0*4(%rsi),	%r10d		/* (NEXT STEP) X[0] */\n" if ($pos == -1);
     $code .= " mov	\$0xffffffff,	%r11d\n" if ($pos == -1);
     $code .= " xor	%edx,		%r11d		/* (NEXT STEP) not z' = not %edx*/\n"
 diff -up openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl
 --- openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils	2009-11-12 15:17:29.000000000 +0100
 +++ openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl	2009-11-12 17:24:18.000000000 +0100
@@ -150,7 +150,7 @@ ___
 sub BODY_20_39 {
 my ($i,$a,$b,$c,$d,$e,$f)=@_;
 my $j=$i+1;
 -my $K=($i<40)?0x6ed9eba1:0xca62c1d6;
 +my $K=($i<40)?0x6ed9eba1:-0x359d3e2a;
 $code.=<<___ if ($i<79);
 	lea	$K($xi,$e),$f
 	mov	`4*($j%16)`(%rsp),$xi
@@ -187,7 +187,7 @@ sub BODY_40_59 {
 my ($i,$a,$b,$c,$d,$e,$f)=@_;
 my $j=$i+1;
 $code.=<<___;
 -	lea	0x8f1bbcdc($xi,$e),$f
 +	lea	-0x70e44324($xi,$e),$f
 	mov	`4*($j%16)`(%rsp),$xi
 	mov	$b,$t0
 	mov	$b,$t1
--- a/openssl-1.0.0-beta4-ca-dir.patch
+++ b/openssl-1.0.0-beta4-ca-dir.patch
@ -0,0 +1,36 @@
 diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
 --- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir	2006-04-28 02:30:49.000000000 +0200
 +++ openssl-1.0.0-beta4/apps/CA.pl.in	2009-11-12 12:33:13.000000000 +0100
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
 $X509="$openssl x509";
 $PKCS12="$openssl pkcs12";
 -$CATOP="./demoCA";
 +$CATOP="/etc/pki/CA";
 $CAKEY="cakey.pem";
 $CAREQ="careq.pem";
 $CACERT="cacert.pem";
 diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
 --- openssl-1.0.0-beta4/apps/CA.sh.ca-dir	2009-10-15 19:27:47.000000000 +0200
 +++ openssl-1.0.0-beta4/apps/CA.sh	2009-11-12 12:35:14.000000000 +0100
@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
 X509="$OPENSSL x509"
 PKCS12="openssl pkcs12"
 -if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
 +if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
 CAKEY=./cakey.pem
 CAREQ=./careq.pem
 CACERT=./cacert.pem
 diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
 --- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir	2009-11-12 12:33:13.000000000 +0100
 +++ openssl-1.0.0-beta4/apps/openssl.cnf	2009-11-12 12:33:13.000000000 +0100
@@ -39,7 +39,7 @@ default_ca	= CA_default		# The default c
 ####################################################################
 [ CA_default ]
 -dir		= ./demoCA		# Where everything is kept
 +dir		= /etc/pki/CA		# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
--- a/openssl-1.0.0-beta4-default-paths.patch
+++ b/openssl-1.0.0-beta4-default-paths.patch
@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c
+diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
--- openssl-1.0.0-beta3/apps/s_client.c.default-paths	2009-06-30 18:10:24.000000000 +0200
+--- openssl-1.0.0-beta4/apps/s_client.c.default-paths	2009-08-12 15:21:26.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_client.c	2009-08-05 18:17:52.000000000 +0200
+++ openssl-1.0.0-beta4/apps/s_client.c	2009-11-12 12:26:32.000000000 +0100
-@@ -888,12 +888,13 @@ bad:
+@@ -889,12 +889,13 @@ bad:
 	if (!set_cert_key_stuff(ctx,cert,key))
 		goto end;
@ -19,10 +19,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/a
 		}
 #ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c
+diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
--- openssl-1.0.0-beta3/apps/s_server.c.default-paths	2009-06-30 18:10:24.000000000 +0200
+--- openssl-1.0.0-beta4/apps/s_server.c.default-paths	2009-10-28 18:49:37.000000000 +0100
-+++ openssl-1.0.0-beta3/apps/s_server.c	2009-08-05 18:18:40.000000000 +0200
+++ openssl-1.0.0-beta4/apps/s_server.c	2009-11-12 12:31:23.000000000 +0100
-@@ -1403,12 +1403,13 @@ bad:
+@@ -1408,12 +1408,13 @@ bad:
 		}
 #endif
@ -40,9 +40,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
 		}
 	if (vpm)
 		SSL_CTX_set1_param(ctx, vpm);
-@@ -1457,8 +1458,11 @@ bad:
+@@ -1465,8 +1466,11 @@ bad:
- 
+ 		else
- 		SSL_CTX_sess_set_cache_size(ctx2,128);
+ 			SSL_CTX_sess_set_cache_size(ctx2,128);
 -		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
 -			(!SSL_CTX_set_default_verify_paths(ctx2)))
@ -54,9 +54,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
 			{
 			ERR_print_errors(bio_err);
 			}
-diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c
+diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
--- openssl-1.0.0-beta3/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
+--- openssl-1.0.0-beta4/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_time.c	2009-08-05 18:00:35.000000000 +0200
+++ openssl-1.0.0-beta4/apps/s_time.c	2009-11-12 12:26:32.000000000 +0100
@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
 	SSL_load_error_strings();
--- a/openssl-1.0.0-beta4-dtls1-abi.patch
+++ b/openssl-1.0.0-beta4-dtls1-abi.patch
@ -0,0 +1,25 @@
 Adding struct member is ABI breaker however as the structure is always allocated by
 the library calls we just move it to the end and it should be reasonably safe.
 diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
 --- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi	2009-11-12 14:34:37.000000000 +0100
 +++ openssl-1.0.0-beta4/ssl/dtls1.h	2009-11-12 14:47:57.000000000 +0100
@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
 	 */
 	record_pqueue buffered_app_data;
 -	/* Is set when listening for new connections with dtls1_listen() */
 -	unsigned int listen;
 -
 	unsigned int mtu; /* max DTLS packet size */
 	struct hm_header_st w_msg_hdr;
@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
 	unsigned int retransmitting;
 	unsigned int change_cipher_spec_ok;
 +	/* Is set when listening for new connections with dtls1_listen() */
 +	unsigned int listen;
 +
 	} DTLS1_STATE;
 typedef struct dtls1_record_data_st
--- a/openssl-1.0.0-beta4-enginesdir.patch
+++ b/openssl-1.0.0-beta4-enginesdir.patch
@ -0,0 +1,52 @@
 diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
 --- openssl-1.0.0-beta4/Configure.enginesdir	2009-11-12 12:17:59.000000000 +0100
 +++ openssl-1.0.0-beta4/Configure	2009-11-12 12:19:45.000000000 +0100
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
 my $prefix="";
 my $libdir="";
 my $openssldir="";
 +my $enginesdir="";
 my $exe_ext="";
 my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
 my $cross_compile_prefix="";
@@ -833,6 +834,10 @@ PROCESS_ARGS:
 				{
 				$openssldir=$1;
 				}
 +			elsif (/^--enginesdir=(.*)$/)
 +				{
 +				$enginesdir=$1;
 +				}
 			elsif (/^--install.prefix=(.*)$/)
 				{
 				$install_prefix=$1;
@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
 $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 -
 +$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
 print "IsMK1MF=$IsMK1MF\n";
@@ -1676,7 +1681,7 @@ while (<IN>)
 		# $foo is to become "$prefix/lib$multilib/engines";
 		# as Makefile.org and engines/Makefile are adapted for
 		# $multilib suffix.
 -		my $foo = "$prefix/lib/engines";
 +		my $foo = "$enginesdir";
 		$foo =~ s/\\/\\\\/g;
 		print OUT "#define ENGINESDIR \"$foo\"\n";
 		}
 diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile
 --- openssl-1.0.0-beta4/engines/Makefile.enginesdir	2009-11-10 02:52:52.000000000 +0100
 +++ openssl-1.0.0-beta4/engines/Makefile	2009-11-12 12:23:06.000000000 +0100
@@ -124,7 +124,7 @@ install:
 				sfx=".so"; \
 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
 			  fi; \
 -			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
 +			  chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
 		done; \
 	fi
--- a/openssl-1.0.0-beta4-fips.patch
+++ b/openssl-1.0.0-beta4-fips.patch
--- a/openssl-1.0.0-beta4-redhat.patch
+++ b/openssl-1.0.0-beta4-redhat.patch
@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
+diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
--- openssl-1.0.0-beta3/Configure.redhat	2009-07-08 10:50:52.000000000 +0200
+--- openssl-1.0.0-beta4/Configure.redhat	2009-11-09 15:11:13.000000000 +0100
-+++ openssl-1.0.0-beta3/Configure	2009-08-04 22:46:59.000000000 +0200
+++ openssl-1.0.0-beta4/Configure	2009-11-12 12:15:27.000000000 +0100
-@@ -331,32 +331,32 @@ my %table=(
+@@ -336,32 +336,32 @@ my %table=(
 ####
 # *-generic* is endian-neutral target, but ./config is free to
 # throw in -D[BL]_ENDIAN, whichever appropriate...
@ -27,9 +27,9 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
 +"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 -"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 +"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 #### SPARC Linux setups
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
@ -46,7 +46,7 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
 # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -370,8 +370,8 @@ my %table=(
+@@ -375,8 +375,8 @@ my %table=(
 #
 #					<appro@fy.chalmers.se>
 #
--- a/openssl-1.0.0-beta4-reneg.patch
+++ b/openssl-1.0.0-beta4-reneg.patch
@ -0,0 +1,237 @@
 diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c
 --- openssl-1.0.0-beta4/apps/s_cb.c.reneg	2009-10-15 20:48:47.000000000 +0200
 +++ openssl-1.0.0-beta4/apps/s_cb.c	2009-11-12 15:02:30.000000000 +0100
@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
 		extname = "server ticket";
 		break;
 +		case TLSEXT_TYPE_renegotiate:
 +		extname = "renegotiate";
 +		break;
 +
 #ifdef TLSEXT_TYPE_opaque_prf_input
 		case TLSEXT_TYPE_opaque_prf_input:
 		extname = "opaque PRF input";
 diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c
 --- openssl-1.0.0-beta4/apps/s_client.c.reneg	2009-11-12 14:57:48.000000000 +0100
 +++ openssl-1.0.0-beta4/apps/s_client.c	2009-11-12 15:01:48.000000000 +0100
@@ -343,6 +343,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -status           - request certificate status from server\n");
 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
 #endif
 +	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
 	}
 #ifndef OPENSSL_NO_TLSEXT
@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv)
 #endif
 		else if (strcmp(*argv,"-serverpref") == 0)
 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
 +		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
 +			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
 		else if	(strcmp(*argv,"-cipher") == 0)
 			{
 			if (--argc < 1) goto bad;
 diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c
 --- openssl-1.0.0-beta4/apps/s_server.c.reneg	2009-11-12 14:57:48.000000000 +0100
 +++ openssl-1.0.0-beta4/apps/s_server.c	2009-11-12 15:01:48.000000000 +0100
@@ -491,6 +491,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
 	BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
 	BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
 +	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
 #endif
 	}
@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[])
 			verify_return_error = 1;
 		else if	(strcmp(*argv,"-serverpref") == 0)
 			{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
 +		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
 +			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
 		else if	(strcmp(*argv,"-cipher") == 0)
 			{
 			if (--argc < 1) goto bad;
 diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h
 --- openssl-1.0.0-beta4/ssl/tls1.h.reneg	2009-11-12 14:57:47.000000000 +0100
 +++ openssl-1.0.0-beta4/ssl/tls1.h	2009-11-12 15:02:30.000000000 +0100
@@ -201,6 +201,9 @@ extern "C" {
 # define TLSEXT_TYPE_opaque_prf_input		?? */
 #endif
 +/* Temporary extension type */
 +#define TLSEXT_TYPE_renegotiate                 0xff01
 +
 /* NameType value from RFC 3546 */
 #define TLSEXT_NAMETYPE_host_name 0
 /* status request value from RFC 3546 */
 diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c
 --- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg	2009-11-08 15:36:32.000000000 +0100
 +++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-12 15:02:30.000000000 +0100
@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex
 		ret+=size_str;
 		}
 +        /* Add the renegotiation option: TODOEKR switch */
 +        {
 +          int el;
 +          
 +          if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
 +              {
 +              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 +              return NULL;
 +              }
 +
 +          if((limit - p - 4 - el) < 0) return NULL;
 +          
 +          s2n(TLSEXT_TYPE_renegotiate,ret);
 +          s2n(el,ret);
 +
 +          if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
 +              {
 +              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 +              return NULL;
 +              }
 +
 +          ret += el;
 +        }
 +
 #ifndef OPENSSL_NO_EC
 	if (s->tlsext_ecpointformatlist != NULL)
 		{
@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex
 		s2n(TLSEXT_TYPE_server_name,ret);
 		s2n(0,ret);
 		}
 +
 +        if(s->s3->send_connection_binding)
 +        {
 +          int el;
 +          
 +          if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
 +              {
 +              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 +              return NULL;
 +              }
 +
 +          if((limit - p - 4 - el) < 0) return NULL;
 +          
 +          s2n(TLSEXT_TYPE_renegotiate,ret);
 +          s2n(el,ret);
 +
 +          if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
 +              {
 +              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 +              return NULL;
 +              }
 +
 +          ret += el;
 +        }
 +
 #ifndef OPENSSL_NO_EC
 	if (s->tlsext_ecpointformatlist != NULL)
 		{
@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 	unsigned short size;
 	unsigned short len;
 	unsigned char *data = *p;
 +	int renegotiate_seen = 0;
 +
 	s->servername_done = 0;
 	s->tlsext_status_type = -1;
 +	s->s3->send_connection_binding = 0;
 	if (data >= (d+n-2))
 +		{
 +		if (s->new_session
 +			&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 +			{
 +			/* We should always see one extension: the renegotiate extension */
 +			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 +			return 0;
 +			}
 		return 1;
 +		}
 	n2s(data,len);
 	if (data > (d+n-len)) 
@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 				return 0;
 				}
 			}
 +		else if (type == TLSEXT_TYPE_renegotiate)
 +			{
 +			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
 +				return 0;
 +			renegotiate_seen = 1;
 +			}
 		else if (type == TLSEXT_TYPE_status_request
 						&& s->ctx->tlsext_status_cb)
 			{
@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 		/* session ticket processed earlier */
 		data+=size;
 		}
 +  
 + 	if (s->new_session && !renegotiate_seen
 + 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 + 		{
 + 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 + 		return 0;
 + 		}
 + 
 	*p = data;
 	return 1;
@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 	unsigned short size;
 	unsigned short len;  
 	unsigned char *data = *p;
 -
 	int tlsext_servername = 0;
 +	int renegotiate_seen = 0;
 	if (data >= (d+n-2))
 +		{
 +		/* Because the client does not see any renegotiation during an
 +		   attack, we must enforce this on all server hellos, even the
 +		   first */
 +		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 +			{
 +			/* We should always see one extension: the renegotiate extension */
 +			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 +			return 0;
 +			}
 		return 1;
 +		}
 	n2s(data,len);
@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 			/* Set flag to expect CertificateStatus message */
 			s->tlsext_status_expected = 1;
 			}
 -
 +		else if (type == TLSEXT_TYPE_renegotiate)
 +			{
 +			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
 +				return 0;
 +			renegotiate_seen = 1;
 +			}
 		data+=size;		
 		}
@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 		return 0;
 		}
 +	if (!renegotiate_seen
 +		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 +		{
 +		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 +		return 0;
 +		}
 +
 	if (!s->hit && tlsext_servername == 1)
 		{
  		if (s->tlsext_hostname)
--- a/openssl.spec
+++ b/openssl.spec
@ -11,7 +11,7 @@
 # 1.0.0 soversion = 10
 %define soversion 10
-%define beta beta3
+%define beta beta4
 # Number of threads to spawn when testing some threading fixes.
 %define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 0.10.%{beta}%{?dist}
+Release: 0.11.%{beta}%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-%{beta}-usa.tar.bz2
@ -35,41 +35,33 @@ Source9: opensslconf-new.h
 Source10: opensslconf-new-warning.h
 Source11: README.FIPS
 # Build changes
-Patch0: openssl-1.0.0-beta3-redhat.patch
+Patch0: openssl-1.0.0-beta4-redhat.patch
 Patch1: openssl-1.0.0-beta3-defaults.patch
 Patch2: openssl-1.0.0-beta3-krb5.patch
 Patch3: openssl-1.0.0-beta3-soversion.patch
-Patch4: openssl-1.0.0-beta3-enginesdir.patch
+Patch4: openssl-1.0.0-beta4-enginesdir.patch
 Patch5: openssl-0.9.8a-no-rpath.patch
 Patch6: openssl-0.9.8b-test-use-localhost.patch
 # Bug fixes
-Patch21: openssl-0.9.8b-aliasing-bug.patch
+Patch23: openssl-1.0.0-beta4-default-paths.patch
-Patch23: openssl-1.0.0-beta3-default-paths.patch
+Patch24: openssl-1.0.0-beta4-binutils.patch
 # Functionality changes
 Patch32: openssl-0.9.8g-ia64.patch
-Patch33: openssl-0.9.8j-ca-dir.patch
+Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
 Patch35: openssl-0.9.8j-version-add-engines.patch
 Patch38: openssl-1.0.0-beta3-cipher-change.patch
 Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
-Patch40: openssl-1.0.0-beta3-fips.patch
+Patch40: openssl-1.0.0-beta4-fips.patch
 Patch41: openssl-1.0.0-beta3-fipscheck.patch
 Patch43: openssl-1.0.0-beta3-fipsmode.patch
 Patch44: openssl-1.0.0-beta3-fipsrng.patch
 Patch45: openssl-0.9.8j-env-nozlib.patch
 Patch47: openssl-0.9.8j-readme-warning.patch
 Patch48: openssl-0.9.8j-bad-mime.patch
-Patch49: openssl-0.9.8k-algo-doc.patch
+Patch49: openssl-1.0.0-beta4-algo-doc.patch
-Patch50: openssl-1.0.0-beta3-curl.patch
+Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
 Patch51: openssl-1.0.0-beta3-const.patch
 Patch52: openssl-1.0.0-beta3-dss1.patch
 # Backported fixes including security fixes
-Patch60: openssl-1.0.0-beta3-namingstr.patch
+Patch60: openssl-1.0.0-beta4-reneg.patch
 Patch61: openssl-1.0.0-beta3-namingblk.patch
 Patch62: openssl-1.0.0-beta3-camellia-rounds.patch
 Patch63: openssl-1.0.0-beta3-dtls1-fix.patch
 Patch64: openssl-1.0.0-beta3-ssl-session.patch
 Patch65: openssl-1.0.0-beta3-ssl-free.patch
 License: OpenSSL
 Group: System Environment/Libraries
@ -124,15 +116,13 @@ from other formats to the formats used by the OpenSSL toolkit.
 %{SOURCE1} > /dev/null
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .defaults
 # Fix link line for libssl (bug #111154).
 %patch2 -p1 -b .krb5
 %patch3 -p1 -b .soversion
 %patch4 -p1 -b .enginesdir
 %patch5 -p1 -b .no-rpath
 %patch6 -p1 -b .use-localhost
 %patch21 -p1 -b .aliasing-bug
 %patch23 -p1 -b .default-paths
 %patch24 -p1 -b .binutils
 %patch32 -p1 -b .ia64
 %patch33 -p1 -b .ca-dir
@ -148,15 +138,9 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch47 -p1 -b .warning
 %patch48 -p1 -b .bad-mime
 %patch49 -p1 -b .algo-doc
-%patch50 -p1 -b .curl
+%patch50 -p1 -b .dtls1-abi
-%patch51 -p1 -b .const
+
-%patch52 -p1 -b .dss1
+%patch60 -p1 -b .reneg
 %patch60 -p1 -b .namingstr
 %patch61 -p1 -b .namingblk
 %patch62 -p1 -b .cmll-rounds
 %patch63 -p1 -b .dtls1-fix
 %patch64 -p1 -b .ssl-session
 %patch65 -p1 -b .ssl-free
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@ -405,6 +389,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 %changelog
 * Thu Nov 12 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.11.beta4
 - update to new upstream version, no soname bump needed 
 - fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
  so the compatibility with unfixed clients is not broken. The
  protocol extension is also not final.
 * Fri Oct 16 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.10.beta3
 - fix use of freed memory if SSL_CTX_free() is called before
  SSL_free() (#521342)
--- a/2
+++ b/2
@ -1 +1 @@
-9926dcf78e797a12d8e3ffd7a018824b  openssl-1.0.0-beta3-usa.tar.bz2
+1fc0e41c230d0698f834413dfba864ad  openssl-1.0.0-beta4-usa.tar.bz2
`@ -1 +1 @@`
	`openssl-1.0.0-beta3-usa.tar.bz2`	`openssl-1.0.0-beta4-usa.tar.bz2`
`@ -1 +1 @@`
	`9926dcf78e797a12d8e3ffd7a018824b openssl-1.0.0-beta3-usa.tar.bz2`	`1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2`