new upstream version fixing CVE-2012-2110

2012-04-20 12:24:39 +02:00 · 2012-04-20 12:24:39 +02:00 · e8c18345a4
commit e8c18345a4
parent d46b44c249
8 changed files with 403 additions and 645 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,3 +8,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.1-beta2-usa.tar.xz
 /openssl-1.0.1-beta3-usa.tar.xz
 /openssl-1.0.1-usa.tar.xz
+/openssl-1.0.1a-usa.tar.xz
--- a/openssl-1.0.1-backport.patch
+++ b/openssl-1.0.1-backport.patch
@ -1,226 +0,0 @@
-diff -up openssl-1.0.1/apps/s_client.c.backport openssl-1.0.1/apps/s_client.c
--- openssl-1.0.1/apps/s_client.c.backport	2012-03-14 21:15:04.736897459 +0100
-+++ openssl-1.0.1/apps/s_client.c	2012-04-05 19:48:40.469998965 +0200
-@@ -622,13 +622,7 @@ int MAIN(int argc, char **argv)
- 	SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
- #endif
- 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
- 	meth=SSLv23_client_method();
-#elif !defined(OPENSSL_NO_SSL3)
-	meth=SSLv3_client_method();
-#elif !defined(OPENSSL_NO_SSL2)
-	meth=SSLv2_client_method();
-#endif
- 
- 	apps_startup();
- 	c_Pause=0;
-diff -up openssl-1.0.1/apps/s_server.c.backport openssl-1.0.1/apps/s_server.c
--- openssl-1.0.1/apps/s_server.c.backport	2012-03-14 21:15:04.690896516 +0100
-+++ openssl-1.0.1/apps/s_server.c	2012-04-05 19:48:40.474999072 +0200
-@@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[])
- 	char *srpuserseed = NULL;
- 	char *srp_verifier_file = NULL;
- #endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
- 	meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
-	meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
-	meth=SSLv2_server_method();
-#elif !defined(OPENSSL_NO_TLS1)
-	meth=TLSv1_server_method();
-#else
-  /*  #error no SSL version enabled */
-#endif
- 
- 	local_argc=argc;
- 	local_argv=argv;
-diff -up openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport openssl-1.0.1/crypto/aes/asm/aes-armv4.pl
--- openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport	2012-03-14 21:15:04.777898297 +0100
-+++ openssl-1.0.1/crypto/aes/asm/aes-armv4.pl	2012-04-05 19:51:35.555528155 +0200
-@@ -408,6 +408,7 @@ _armv4_AES_encrypt:
- .type   private_AES_set_encrypt_key,%function
- .align	5
- private_AES_set_encrypt_key:
-+_armv4_AES_set_encrypt_key:
- 	sub	r3,pc,#8		@ AES_set_encrypt_key
- 	teq	r0,#0
- 	moveq	r0,#-1
-@@ -425,7 +426,7 @@ private_AES_set_encrypt_key:
- 	bne	.Labrt
- 
- .Lok:	stmdb   sp!,{r4-r12,lr}
-	sub	$tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024	@ Te4
-+	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
- 
- 	mov	$rounds,r0		@ inp
- 	mov	lr,r1			@ bits
-@@ -685,7 +686,7 @@ private_AES_set_encrypt_key:
- .align	5
- private_AES_set_decrypt_key:
- 	str	lr,[sp,#-4]!            @ push lr
-	bl	private_AES_set_encrypt_key
-+	bl	_armv4_AES_set_encrypt_key
- 	teq	r0,#0
- 	ldrne	lr,[sp],#4              @ pop lr
- 	bne	.Labrt
-diff -up openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport openssl-1.0.1/crypto/aes/asm/aes-s390x.pl
--- openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport	2012-03-14 21:15:04.782898400 +0100
-+++ openssl-1.0.1/crypto/aes/asm/aes-s390x.pl	2012-04-05 19:50:41.290593267 +0200
-@@ -783,6 +783,7 @@ $code.=<<___;
- .type	private_AES_set_encrypt_key,\@function
- .align	16
- private_AES_set_encrypt_key:
-+_s390x_AES_set_encrypt_key:
- 	lghi	$t0,0
- 	cl${g}r	$inp,$t0
- 	je	.Lminus1
-@@ -1068,7 +1069,7 @@ $code.=<<___;
- private_AES_set_decrypt_key:
- 	st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
- 	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers!
-	bras	$ra,AES_set_encrypt_key
-+	bras	$ra,_s390x_AES_set_encrypt_key
- 	l${g}	$key,4*$SIZE_T($sp)
- 	l${g}	$ra,14*$SIZE_T($sp)
- 	ltgr	%r2,%r2
-diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport	2012-03-14 21:15:04.777898297 +0100
-+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl	2012-04-05 19:48:22.036603157 +0200
-@@ -263,7 +263,7 @@ _vpaes_decrypt_core:
- 	pshufb  %xmm2,  %xmm4	# 4 = sbou
- 	pxor	%xmm0,  %xmm4	# 4 = sb1u + k
- 	movdqa	0x70(%r10), %xmm0	# 0 : sbot
-	movdqa	.Lk_sr-.Lk_dsbd(%r11), %xmm2
-+	movdqa	-0x160(%r11), %xmm2	# .Lk_sr-.Lk_dsbd=-0x160
- 	pshufb  %xmm3,	%xmm0	# 0 = sb1t
- 	pxor	%xmm4,	%xmm0	# 0 = A
- 	pshufb	%xmm2,	%xmm0
-@@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt:
- ___
- ($len,$key)=($key,$len);
- $code.=<<___;
-+	sub	\$16,$len
-+	jc	.Lcbc_abort
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -887,7 +889,6 @@ ___
- $code.=<<___;
- 	movdqu	($ivp),%xmm6		# load IV
- 	sub	$inp,$out
-	sub	\$16,$len
- 	call	_vpaes_preheat
- 	cmp	\$0,${enc}d
- 	je	.Lcbc_dec_loop
-@@ -932,6 +933,7 @@ $code.=<<___ if ($win64);
- .Lcbc_epilogue:
- ___
- $code.=<<___;
-+.Lcbc_abort:
- 	ret
- .size	${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
- ___
-diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport	2012-03-14 21:15:04.775898257 +0100
-+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl	2012-04-05 19:48:22.036603157 +0200
-@@ -843,6 +843,8 @@ $k_dsbo=0x2c0;		# decryption sbox final
- 	&mov	($out,&wparam(1));		# out
- 	&mov	($round,&wparam(2));		# len
- 	&mov	($key,&wparam(3));		# key
-+	&sub	($round,16);
-+	&jc	(&label("cbc_abort"));
- 	&lea	($base,&DWP(-56,"esp"));
- 	&mov	($const,&wparam(4));		# ivp
- 	&and	($base,-16);
-@@ -853,7 +855,6 @@ $k_dsbo=0x2c0;		# decryption sbox final
- 	&mov	(&DWP(48,"esp"),$base);
- 
- 	&mov	(&DWP(0,"esp"),$out);		# save out
-	&sub	($round,16);
- 	&mov	(&DWP(4,"esp"),$key)		# save key
- 	&mov	(&DWP(8,"esp"),$const);		# save ivp
- 	&mov	($out,$round);			# $out works as $len
-@@ -896,6 +897,7 @@ $k_dsbo=0x2c0;		# decryption sbox final
- 	&mov	($base,&DWP(8,"esp"));		# restore ivp
- 	&mov	("esp",&DWP(48,"esp"));
- 	&movdqu	(&QWP(0,$base),"xmm1");		# write IV
-+&set_label("cbc_abort");
- &function_end("${PREFIX}_cbc_encrypt");
- 
- &asm_finish();
-diff -up openssl-1.0.1/crypto/evp/p5_crpt.c.backport openssl-1.0.1/crypto/evp/p5_crpt.c
--- openssl-1.0.1/crypto/evp/p5_crpt.c.backport	2011-06-03 22:52:57.000000000 +0200
-+++ openssl-1.0.1/crypto/evp/p5_crpt.c	2012-04-05 19:49:01.512450795 +0200
-@@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *c
- 	OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
- 	rv = 1;
- 	err:
-+	EVP_MD_CTX_cleanup(&ctx);
- 	return rv;
- }
-diff -up openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport openssl-1.0.1/crypto/pkcs7/pk7_doit.c
--- openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport	2012-03-12 17:27:50.000000000 +0100
-+++ openssl-1.0.1/crypto/pkcs7/pk7_doit.c	2012-04-05 19:49:40.591289911 +0200
-@@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- 	STACK_OF(X509_ALGOR) *md_sk=NULL;
- 	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
- 	PKCS7_RECIP_INFO *ri=NULL;
-+       unsigned char *ek = NULL, *tkey = NULL;
-+       int eklen = 0, tkeylen = 0;
- 
- 	i=OBJ_obj2nid(p7->type);
- 	p7->state=PKCS7_S_HEADER;
-@@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- 		int max;
- 		X509_OBJECT ret;
- #endif
-		unsigned char *ek = NULL, *tkey = NULL;
-		int eklen, tkeylen;
- 
- 		if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
- 			{
-@@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- 			{
- 			OPENSSL_cleanse(ek,eklen);
- 			OPENSSL_free(ek);
-+                       ek = NULL;
- 			}
- 		if (tkey)
- 			{
- 			OPENSSL_cleanse(tkey,tkeylen);
- 			OPENSSL_free(tkey);
-+                       tkey = NULL;
- 			}
- 
- 		if (out == NULL)
-@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- 	if (0)
- 		{
- err:
-+               if (ek)
-+                       {
-+                       OPENSSL_cleanse(ek,eklen);
-+                       OPENSSL_free(ek);
-+                       }
-+               if (tkey)
-+                       {
-+                       OPENSSL_cleanse(tkey,tkeylen);
-+                       OPENSSL_free(tkey);
-+                       }
- 		if (out != NULL) BIO_free_all(out);
- 		if (btmp != NULL) BIO_free_all(btmp);
- 		if (etmp != NULL) BIO_free_all(etmp);
-diff -up openssl-1.0.1/ssl/d1_srvr.c.backport openssl-1.0.1/ssl/d1_srvr.c
--- openssl-1.0.1/ssl/d1_srvr.c.backport	2012-03-06 14:24:16.000000000 +0100
-+++ openssl-1.0.1/ssl/d1_srvr.c	2012-04-05 19:47:36.812632091 +0200
-@@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s)
- 		p=s->s3->server_random;
- 		Time=(unsigned long)time(NULL);			/* Time */
- 		l2n(Time,p);
-		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
-+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
- 		/* Do the message type and length last */
- 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
- 
--- a/openssl-1.0.1-beta3-s390xbuild.patch
+++ b/openssl-1.0.1-beta3-s390xbuild.patch
@ -1,26 +0,0 @@
-diff -up openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl.s390xbuild openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl
--- openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl.s390xbuild	2012-02-29 17:40:30.000000000 +0100
-+++ openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl	2012-02-29 20:03:39.642182906 +0100
-@@ -171,10 +171,10 @@ $ikey="%r7";
- $iinp="%r8";
- 
- $code.=<<___;
-.globl	RC4_set_key
-.type	RC4_set_key,\@function
-+.globl	private_RC4_set_key
-+.type	private_RC4_set_key,\@function
- .align	64
-RC4_set_key:
-+private_RC4_set_key:
- 	stm${g}	%r6,%r8,6*$SIZE_T($sp)
- 	lhi	$cnt,256
- 	la	$idx,0(%r0)
-@@ -210,7 +210,7 @@ RC4_set_key:
- .Ldone:
- 	lm${g}	%r6,%r8,6*$SIZE_T($sp)
- 	br	$rp
-.size	RC4_set_key,.-RC4_set_key
-+.size	private_RC4_set_key,.-private_RC4_set_key
- 
- ___
- }
--- a/openssl-1.0.0-beta4-algo-doc.patch
+++ b/openssl-1.0.0-beta4-algo-doc.patch
@ -1,28 +1,7 @@
-diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc	2009-10-16 17:29:34.000000000 +0200
-+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod	2009-11-12 14:13:21.000000000 +0100
-@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
- EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
- EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
- EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
-+EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224,
-+EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
- EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
- EVP digest routines
- 
-@@ -51,6 +52,10 @@ EVP digest routines
-  const EVP_MD *EVP_md5(void);
-  const EVP_MD *EVP_sha(void);
-  const EVP_MD *EVP_sha1(void);
-+ const EVP_MD *EVP_sha224(void);
-+ const EVP_MD *EVP_sha256(void);
-+ const EVP_MD *EVP_sha384(void);
-+ const EVP_MD *EVP_sha512(void);
-  const EVP_MD *EVP_dss(void);
-  const EVP_MD *EVP_dss1(void);
-  const EVP_MD *EVP_mdc2(void);
-@@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
+diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc	2012-04-11 00:28:22.000000000 +0200
+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod	2012-04-20 09:14:01.865167011 +0200
+@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
 
 EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
 B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
@ -31,22 +10,7 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
 If B<impl> is NULL then the default implementation of digest B<type> is used.
 
 EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-@@ -127,9 +132,11 @@ with this digest. For example EVP_sha1()
- return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
- algorithms may not be retained in future versions of OpenSSL.
- 
-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
-return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
-algorithms respectively. The associated signature algorithm is RSA in each case.
-+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
-+EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160()
-+return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384,
-+SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated
-+signature algorithm is RSA in each case.
- 
- EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
- algorithms but using DSS (DSA) for the signature algorithm. Note: there is 
-@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
+@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
 EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
 size in bytes.
 
@ -56,10 +20,10 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
 EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
 corresponding EVP_MD structures.
 
-diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
-+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod	2009-11-12 14:11:03.000000000 +0100
-@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher 
+diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod	2012-04-20 09:10:59.114736465 +0200
+@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
  int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
  int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
 
--- a/openssl-1.0.1a-backport.patch
+++ b/openssl-1.0.1a-backport.patch
@ -0,0 +1,41 @@
+diff -up openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c
+--- openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport	2012-04-18 19:51:33.000000000 +0200
+++ openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c	2012-04-20 09:20:29.411861130 +0200
+@@ -121,6 +121,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
+ 		md5_off = MD5_CBLOCK-key->md.num,
+ 		blocks;
+ 	unsigned int l;
+	extern unsigned int OPENSSL_ia32cap_P[];
+ #endif
+ 	size_t	plen = key->payload_length;
+ 
+@@ -132,7 +133,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
+ 		/* cipher has to "fall behind" */
+ 		if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
+ 
+-		if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK)) {
+		if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) &&
+		    (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
+ 			MD5_Update(&key->md,in,md5_off);
+ 			RC4(&key->ks,rc4_off,in,out);
+ 
+@@ -172,7 +174,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
+ 		if (md5_off>rc4_off)	rc4_off += 2*MD5_CBLOCK;
+ 		else			rc4_off += MD5_CBLOCK;
+ 
+-		if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK)) {
+		if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) &&
+		    (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
+ 			RC4(&key->ks,rc4_off,in,out);
+ 			MD5_Update(&key->md,out,md5_off);
+ 
+@@ -289,8 +292,6 @@ static EVP_CIPHER r4_hmac_md5_cipher=
+ 
+ const EVP_CIPHER *EVP_rc4_hmac_md5(void)
+ 	{
+-	extern unsigned int OPENSSL_ia32cap_P[];
+-	/* RC4_CHAR flag ------------vvvvv */
+-	return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher);
+	return(&r4_hmac_md5_cipher);
+ 	}
+ #endif
--- a/openssl-1.0.1-beta3-fips.patch
+++ b/openssl-1.0.1-beta3-fips.patch
--- a/openssl.spec
+++ b/openssl.spec
@ -20,8 +20,8 @@

 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.1
-Release: 3%{?dist}
+Version: 1.0.1a
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -43,7 +43,6 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch
 Patch7: openssl-1.0.0-timezone.patch
 # Bug fixes
 Patch23: openssl-1.0.0-beta4-default-paths.patch
-Patch24: openssl-1.0.1-beta3-s390xbuild.patch
 # Functionality changes
 Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
@ -51,10 +50,10 @@ Patch35: openssl-0.9.8j-version-add-engines.patch
 Patch36: openssl-1.0.0e-doc-noeof.patch
 Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
 Patch39: openssl-1.0.1-beta2-ipv6-apps.patch
-Patch40: openssl-1.0.1-beta3-fips.patch
+Patch40: openssl-1.0.1a-fips.patch
 Patch45: openssl-0.9.8j-env-nozlib.patch
 Patch47: openssl-1.0.0-beta5-readme-warning.patch
-Patch49: openssl-1.0.0-beta4-algo-doc.patch
+Patch49: openssl-1.0.1a-algo-doc.patch
 Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
 Patch51: openssl-1.0.1-version.patch
 Patch56: openssl-1.0.0c-rsa-x931.patch
@ -65,7 +64,7 @@ Patch65: openssl-1.0.0e-chil-fixes.patch
 Patch66: openssl-1.0.1-pkgconfig-krb5.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.1-beta2-padlock64.patch
-Patch82: openssl-1.0.1-backport.patch
+Patch82: openssl-1.0.1a-backport.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -142,7 +141,6 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch7 -p1 -b .timezone

 %patch23 -p1 -b .default-paths
-%patch24 -p1 -b .s390xbuild

 %patch33 -p1 -b .ca-dir
 %patch34 -p1 -b .x509
@ -165,6 +163,7 @@ from other formats to the formats used by the OpenSSL toolkit.

 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .backport
+
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`

@ -419,6 +418,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig

 %changelog
+* Fri Apr 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1a-1
+- new upstream version fixing CVE-2012-2110
+
 * Wed Apr 11 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-3
 - add Kerberos 5 libraries to pkgconfig for static linking (#807050)

--- a/2
+++ b/2
@ -1 +1 @@
-7df6ebc8dfe463b7af7ce4c4b86341e2  openssl-1.0.1-usa.tar.xz
+21a3b8bee1fdb7e60ca2e4aa50529f81  openssl-1.0.1a-usa.tar.xz