Initial import.

.cvsignore

@@ -0,0 +1 @@
+openssl-0.9.8j-usa.tar.bz2

Makefile.certificate

@@ -0,0 +1,74 @@
+UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
+SERIAL=0
+
+.PHONY: usage
+.SUFFIXES: .key .csr .crt .pem
+.PRECIOUS: %.key %.csr %.crt %.pem
+
+usage:
+	@echo "This makefile allows you to create:"
+	@echo "  o public/private key pairs"
+	@echo "  o SSL certificate signing requests (CSRs)"
+	@echo "  o self-signed SSL test certificates"
+	@echo
+	@echo "To create a key pair, run \"make SOMETHING.key\"."
+	@echo "To create a CSR, run \"make SOMETHING.csr\"."
+	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
+	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
+	@echo
+	@echo "To create a key for use with Apache, run \"make genkey\"."
+	@echo "To create a CSR for use with Apache, run \"make certreq\"."
+	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
+	@echo
+	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+	@echo
+	@echo Examples:
+	@echo "  make server.key"
+	@echo "  make server.csr"
+	@echo "  make server.crt"
+	@echo "  make stunnel.pem"
+	@echo "  make genkey"
+	@echo "  make certreq"
+	@echo "  make testcert"
+	@echo "  make server.crt SERIAL=1"
+	@echo "  make stunnel.pem SERIAL=2"
+	@echo "  make testcert SERIAL=3"
+
+%.pem:
+	umask 77 ; \
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+	cat $$PEM1 >  $@ ; \
+	echo ""    >> $@ ; \
+	cat $$PEM2 >> $@ ; \
+	$(RM) $$PEM1 $$PEM2
+
+%.key:
+	umask 77 ; \
+	/usr/bin/openssl genrsa -des3 1024 > $@
+
+%.csr: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
+
+%.crt: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
+
+TLSROOT=/etc/pki/tls
+KEY=$(TLSROOT)/private/localhost.key
+CSR=$(TLSROOT)/certs/localhost.csr
+CRT=$(TLSROOT)/certs/localhost.crt
+
+genkey: $(KEY)
+certreq: $(CSR)
+testcert: $(CRT)
+
+$(CSR): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
+
+$(CRT): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)

hobble-openssl

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Quit out if anything fails.
+set -e
+
+# Clean out patent-or-otherwise-encumbered code.
+# MDC-2: 4,908,861 13/03/2007
+# IDEA:  5,214,703 25/05/2010
+# RC5:   5,724,428 03/03/2015
+# EC:    ????????? ??/??/2015
+
+# Remove assembler portions of IDEA, MDC2, and RC5.
+(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv)
+
+# IDEA, MDC2, RC5, EC.
+for a in idea mdc2 rc5 ec ecdh ecdsa; do
+  for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
+	echo Destroying $c
+	> $c
+  done
+done
+
+for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do
+	echo Destroying $c
+	> $c
+done
+
+for h in `find crypto ssl apps test -name "*.h"` ; do
+	echo Removing IDEA, MDC2, RC5, and EC references from $h
+	cat $h | \
+	awk    'BEGIN {ech=1;} \
+		/^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \
+                /^#[ \t]*if/ {if(ech < 1) ech--;} \
+		{if(ech>0) {;print $0};} \
+		/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
+	mv $h.hobbled $h
+done
+
+# Make the makefiles happy.
+touch crypto/rc5/asm/rc5-586.pl

import.log

@@ -0,0 +1 @@
+mingw32-openssl-0_9_8j-2_fc11:HEAD:mingw32-openssl-0.9.8j-2.fc11.src.rpm:1234171576

make-dummy-cert

@@ -0,0 +1,28 @@
+#!/bin/sh
+umask 077
+
+answers() {
+	echo --
+	echo SomeState
+	echo SomeCity
+	echo SomeOrganization
+	echo SomeOrganizationalUnit
+	echo localhost.localdomain
+	echo root@localhost.localdomain
+}
+
+if [ $# -eq 0 ] ; then
+	echo $"Usage: `basename $0` filename [...]"
+	exit 0
+fi
+
+for target in $@ ; do
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
+	trap "rm -f $PEM1 $PEM2" SIGINT
+	answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+	cat $PEM1 >  ${target}
+	echo ""   >> ${target}
+	cat $PEM2 >> ${target}
+	rm -f $PEM1 $PEM2
+done

mingw32-openssl-0.9.8g-global.patch

@@ -0,0 +1,16 @@
+Fix global variable macros.
+
+ - RWMJ 2008-09-30
+
+diff -ur openssl-0.9.8g.orig/e_os2.h openssl-0.9.8g.mingw/e_os2.h
+--- openssl-0.9.8g.orig/e_os2.h	2005-12-18 18:57:07.000000000 +0000
++++ openssl-0.9.8g.mingw/e_os2.h	2008-09-30 14:27:53.000000000 +0100
+@@ -264,7 +264,7 @@
+ # define OPENSSL_IMPLEMENT_GLOBAL(type,name)			     \
+ 	extern type _hide_##name;				     \
+ 	type *_shadow_##name(void) { return &_hide_##name; }	     \
+-	static type _hide_##name
++	type _hide_##name
+ # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void)
+ # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name()))
+ #else

mingw32-openssl-0.9.8g-sfx.patch

@@ -0,0 +1,14 @@
+--- openssl-0.9.8g.orig/engines/Makefile	2006-02-04 01:49:34.000000000 +0000
++++ openssl-0.9.8g.mingw/engines/Makefile	2008-09-30 20:05:30.000000000 +0100
+@@ -91,7 +91,10 @@
+ 		set -e; \
+ 		for l in $(LIBNAMES); do \
+ 			( echo installing $$l; \
+-			  if [ "$(PLATFORM)" != "Cygwin" ]; then \
++			  if [ "$(PLATFORM)" = "mingw" ]; then \
++				sfx=dll; \
++				cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
++			  elif [ "$(PLATFORM)" != "Cygwin" ]; then \
+ 				case "$(CFLAGS)" in \
+ 				*DSO_DLFCN*)	sfx="so";;	\
+ 				*DSO_DL*)	sfx="sl";;	\

mingw32-openssl-0.9.8j-configure.patch

@@ -0,0 +1,16 @@
+The 'mingw' target to Configure has some problems with cross-compilation.
+
+ - RWMJ 2008-09-30
+
+diff -ur openssl-0.9.8g.orig/Configure openssl-0.9.8g.mingw/Configure
+--- openssl-0.9.8g.orig/Configure	2008-09-30 14:16:16.000000000 +0100
++++ openssl-0.9.8g.mingw/Configure	2008-09-30 14:59:34.000000000 +0100
+@@ -468,7 +468,7 @@
+ "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32",
+ 
+ # MinGW
+-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a",
++"mingw", "MINGW32_CC:-DL_ENDIAN -Wall MINGW32_CFLAGS -D_WIN32_WINNT=0x333 -DMK1MF_BUILD:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-shared:.dll.a:MINGW32_RANLIB",
+ 
+ # UWIN 
+ "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",

mingw32-openssl-0.9.8j-header-files.patch

@@ -0,0 +1,141 @@
+--- ./crypto/seed/seed_ecb.c.mingw-header-files	2007-04-24 01:50:10.000000000 +0200
++++ ./crypto/seed/seed_ecb.c	2009-02-02 18:28:55.000000000 +0100
+@@ -49,7 +49,7 @@
+  *
+  */
+ 
+-#include <openssl/seed.h>
++#include "seed.h"
+ 
+ void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, const SEED_KEY_SCHEDULE *ks, int enc) 
+ 	{
+--- ./crypto/seed/seed_locl.h.mingw-header-files	2009-02-02 18:28:48.000000000 +0100
++++ ./crypto/seed/seed_locl.h	2009-02-02 18:28:55.000000000 +0100
+@@ -27,7 +27,7 @@
+ #define HEADER_SEED_LOCL_H
+ 
+ #include "openssl/e_os2.h"
+-#include <openssl/seed.h>
++#include "seed.h"
+ 
+ 
+ #ifdef SEED_LONG /* need 32-bit type */
+--- ./crypto/seed/seed.c.mingw-header-files	2007-04-24 01:50:10.000000000 +0200
++++ ./crypto/seed/seed.c	2009-02-02 18:28:55.000000000 +0100
+@@ -32,7 +32,7 @@
+ #include <memory.h>
+ #endif
+ 
+-#include <openssl/seed.h>
++#include "seed.h"
+ #include "seed_locl.h"
+ 
+ static seed_word SS[4][256] = {	{
+--- ./crypto/camellia/cmll_cbc.c.mingw-header-files	2006-12-02 13:00:27.000000000 +0100
++++ ./crypto/camellia/cmll_cbc.c	2009-02-02 18:28:54.000000000 +0100
+@@ -58,7 +58,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ 
+-#include <openssl/camellia.h>
++#include "camellia.h"
+ #include "cmll_locl.h"
+ 
+ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out,
+--- ./crypto/camellia/cmll_cfb.c.mingw-header-files	2006-06-10 00:31:05.000000000 +0200
++++ ./crypto/camellia/cmll_cfb.c	2009-02-02 18:28:54.000000000 +0100
+@@ -113,7 +113,7 @@
+ #include <assert.h>
+ #include <string.h>
+ 
+-#include <openssl/camellia.h>
++#include "camellia.h"
+ #include "cmll_locl.h"
+ #include "e_os.h"
+ 
+--- ./crypto/camellia/cmll_ofb.c.mingw-header-files	2006-06-10 00:31:05.000000000 +0200
++++ ./crypto/camellia/cmll_ofb.c	2009-02-02 18:28:55.000000000 +0100
+@@ -111,7 +111,7 @@
+ # endif
+ #endif
+ #include <assert.h>
+-#include <openssl/camellia.h>
++#include "camellia.h"
+ #include "cmll_locl.h"
+ 
+ /* The input and output encrypted as though 128bit ofb mode is being
+--- ./crypto/camellia/cmll_misc.c.mingw-header-files	2009-02-02 18:29:19.000000000 +0100
++++ ./crypto/camellia/cmll_misc.c	2009-02-02 18:29:32.000000000 +0100
+@@ -50,7 +50,7 @@
+  */
+  
+ #include <openssl/opensslv.h>
+-#include <openssl/camellia.h>
++#include "camellia.h"
+ #include "cmll_locl.h"
+ #include <openssl/crypto.h>
+ #ifdef OPENSSL_FIPS
+--- ./crypto/camellia/cmll_ecb.c.mingw-header-files	2006-06-10 00:31:05.000000000 +0200
++++ ./crypto/camellia/cmll_ecb.c	2009-02-02 18:28:54.000000000 +0100
+@@ -56,7 +56,7 @@
+ #endif
+ #include <assert.h>
+ 
+-#include <openssl/camellia.h>
++#include "camellia.h"
+ #include "cmll_locl.h"
+ 
+ void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out,
+--- ./crypto/camellia/cmll_ctr.c.mingw-header-files	2006-06-10 00:31:05.000000000 +0200
++++ ./crypto/camellia/cmll_ctr.c	2009-02-02 18:28:54.000000000 +0100
+@@ -56,7 +56,7 @@
+ #endif
+ #include <assert.h>
+ 
+-#include <openssl/camellia.h>
++#include "camellia.h"
+ #include "cmll_locl.h"
+ 
+ /* NOTE: the IV/counter CTR mode is big-endian.  The rest of the Camellia code
+--- ./crypto/evp/e_seed.c.mingw-header-files	2007-07-04 14:56:32.000000000 +0200
++++ ./crypto/evp/e_seed.c	2009-02-02 18:28:55.000000000 +0100
+@@ -59,7 +59,7 @@
+ #include <string.h>
+ #include <assert.h>
+ #ifndef OPENSSL_NO_SEED
+-#include <openssl/seed.h>
++#include "../seed/seed.h"
+ #include "evp_locl.h"
+ 
+ static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,	const unsigned char *iv, int enc);
+--- ./crypto/evp/e_camellia.c.mingw-header-files	2008-09-21 12:24:08.000000000 +0200
++++ ./crypto/evp/e_camellia.c	2009-02-02 18:28:55.000000000 +0100
+@@ -59,7 +59,7 @@
+ #include <openssl/err.h>
+ #include <string.h>
+ #include <assert.h>
+-#include <openssl/camellia.h>
++#include "../camellia/camellia.h"
+ #include "evp_locl.h"
+ 
+ static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+--- ./apps/speed.c.mingw-header-files	2009-01-07 11:48:22.000000000 +0100
++++ ./apps/speed.c	2009-02-02 18:28:54.000000000 +0100
+@@ -165,7 +165,7 @@
+ #include <openssl/aes.h>
+ #endif
+ #ifndef OPENSSL_NO_CAMELLIA
+-#include <openssl/camellia.h>
++#include "../crypto/camellia/camellia.h"
+ #endif
+ #ifndef OPENSSL_NO_MD2
+ #include <openssl/md2.h>
+@@ -202,7 +202,7 @@
+ #include <openssl/idea.h>
+ #endif
+ #ifndef OPENSSL_NO_SEED
+-#include <openssl/seed.h>
++#include "../crypto/seed/seed.h"
+ #endif
+ #ifndef OPENSSL_NO_BF
+ #include <openssl/blowfish.h>

mingw32-openssl-0.9.8j-shared.patch

@@ -0,0 +1,20 @@
+--- ./Makefile.shared.lfarkas	2009-01-28 16:39:05.000000000 +0100
++++ ./Makefile.shared	2009-01-28 16:41:51.000000000 +0100
+@@ -238,7 +238,7 @@
+ 	SHLIB=cyg$(LIBNAME); \
+ 	base=-Wl,--enable-auto-image-base; \
+ 	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+-		SHLIB=$(LIBNAME)eay32; base=; \
++		SHLIB=lib$(LIBNAME); base=; \
+ 	fi; \
+ 	SHLIB_SUFFIX=.dll; \
+ 	LIBVERSION="$(LIBVERSION)"; \
+@@ -253,7 +253,7 @@
+ 	SHLIB=cyg$(LIBNAME); \
+ 	base=-Wl,--enable-auto-image-base; \
+ 	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+-		SHLIB=$(LIBNAME)eay32; \
++		SHLIB=lib$(LIBNAME); \
+ 		base=;  [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
+ 	fi; \
+ 	SHLIB_SUFFIX=.dll; \

mingw32-openssl.spec

@@ -0,0 +1,342 @@
+%define __strip %{_mingw32_strip}
+%define __objdump %{_mingw32_objdump}
+%define _use_internal_dependency_generator 0
+%define __find_requires %{_mingw32_findrequires}
+%define __find_provides %{_mingw32_findprovides}
+
+# For the curious:
+# 0.9.5a soversion = 0
+# 0.9.6  soversion = 1
+# 0.9.6a soversion = 2
+# 0.9.6c soversion = 3
+# 0.9.7a soversion = 4
+# 0.9.7ef soversion = 5
+# 0.9.8ab soversion = 6
+# 0.9.8g soversion = 7
+# 0.9.8j + EAP-FAST soversion = 8
+%define soversion 8
+
+# Enable the tests.
+# These only work some of the time, but fail randomly at other times
+# (although I have had them complete a few times, so I don't think
+# there is any actual problem with the binaries).
+%define run_tests 0
+
+# Number of threads to spawn when testing some threading fixes.
+%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
+
+Name:           mingw32-openssl
+Version:        0.9.8j
+Release:        2%{?dist}
+Summary:        MinGW port of the OpenSSL toolkit
+
+License:        OpenSSL
+Group:          Development/Libraries
+URL:            http://www.openssl.org/
+
+# Use the hobble-openssl script to create the source file.
+Source0:        openssl-%{version}-usa.tar.bz2
+
+Source1:        hobble-openssl
+Source2:        Makefile.certificate
+Source6:        make-dummy-cert
+Source8:        openssl-thread-test.c
+Source9:        opensslconf-new.h
+Source10:       opensslconf-new-warning.h
+
+# Patches from Fedora native package.
+# Build changes
+Patch0:         openssl-0.9.8j-redhat.patch
+Patch1:         openssl-0.9.8a-defaults.patch
+Patch2:         openssl-0.9.8a-link-krb5.patch
+Patch3:         openssl-0.9.8j-soversion.patch
+Patch4:         openssl-0.9.8j-enginesdir.patch
+Patch5:         openssl-0.9.8a-no-rpath.patch
+Patch6:         openssl-0.9.8b-test-use-localhost.patch
+Patch7:         openssl-0.9.8j-shlib-version.patch
+# Bug fixes
+Patch21:        openssl-0.9.8b-aliasing-bug.patch
+Patch22:        openssl-0.9.8b-x509-name-cmp.patch
+Patch23:        openssl-0.9.8g-default-paths.patch
+Patch24:        openssl-0.9.8g-no-extssl.patch
+# Functionality changes
+Patch32:        openssl-0.9.8g-ia64.patch
+Patch33:        openssl-0.9.8j-ca-dir.patch
+Patch34:        openssl-0.9.6-x509.patch
+Patch35:        openssl-0.9.8j-version-add-engines.patch
+Patch38:        openssl-0.9.8a-reuse-cipher-change.patch
+# Disabled this because it uses getaddrinfo which is lacking on Windows.
+#Patch39:        openssl-0.9.8g-ipv6-apps.patch
+Patch40:        openssl-0.9.8j-nocanister.patch
+Patch41:        openssl-0.9.8j-use-fipscheck.patch
+Patch42:        openssl-0.9.8j-fipscheck-hmac.patch
+Patch43:        openssl-0.9.8j-evp-nonfips.patch
+Patch44:        openssl-0.9.8j-kernel-fipsmode.patch
+Patch45:        openssl-0.9.8j-env-nozlib.patch
+Patch46:        openssl-0.9.8j-eap-fast.patch
+Patch47:        openssl-0.9.8j-readme-warning.patch
+Patch48:        openssl-0.9.8j-bad-mime.patch
+Patch49:        openssl-0.9.8j-fips-no-pairwise.patch
+# Backported fixes including security fixes
+
+# MinGW-specific patches.
+Patch100:       mingw32-openssl-0.9.8j-header-files.patch
+Patch101:       mingw32-openssl-0.9.8j-configure.patch
+Patch102:       mingw32-openssl-0.9.8j-shared.patch
+Patch103:       mingw32-openssl-0.9.8g-global.patch
+Patch104:       mingw32-openssl-0.9.8g-sfx.patch
+
+BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildArch:      noarch
+
+BuildRequires:  mingw32-filesystem >= 40
+BuildRequires:  mingw32-gcc
+BuildRequires:  mingw32-binutils
+
+BuildRequires:  mingw32-zlib
+BuildRequires:  mingw32-pthreads
+
+BuildRequires:  mktemp
+#BuildRequires:  krb5-devel
+BuildRequires:  perl
+BuildRequires:  sed
+BuildRequires:  /usr/bin/cmp
+BuildRequires:  /usr/bin/rename
+
+# XXX Not really sure about this one.  The build script uses
+# /usr/bin/makedepend which comes from imake.
+BuildRequires:  imake
+
+%if %{run_tests}
+# Required both to build, and to run the tests.
+# XXX This needs to be fixed - cross-compilation should not
+# require running executables.
+BuildRequires:  wine
+
+# Required to run the tests.
+BuildRequires:  xorg-x11-server-Xvfb
+%endif
+
+#Requires:       ca-certificates >= 2008-5
+Requires:       pkgconfig
+
+
+%description
+The OpenSSL toolkit provides support for secure communications between
+machines. OpenSSL includes a certificate management tool and shared
+libraries which provide various cryptographic algorithms and
+protocols.
+
+This package contains Windows (MinGW) libraries and development tools.
+
+
+%prep
+%setup -q -n openssl-%{version}
+
+%{SOURCE1} > /dev/null
+%patch0 -p1 -b .redhat
+%patch1 -p1 -b .defaults
+# Fix link line for libssl (bug #111154).
+%patch2 -p1 -b .krb5
+%patch3 -p1 -b .soversion
+%patch4 -p1 -b .enginesdir
+%patch5 -p1 -b .no-rpath
+%patch6 -p1 -b .use-localhost
+%patch7 -p1 -b .shlib-version
+
+%patch21 -p1 -b .aliasing-bug
+%patch22 -p1 -b .name-cmp
+%patch23 -p1 -b .default-paths
+%patch24 -p1 -b .no-extssl
+
+%patch32 -p1 -b .ia64
+#patch33 is applied after make test
+%patch34 -p1 -b .x509
+%patch35 -p1 -b .version-add-engines
+%patch38 -p1 -b .cipher-change
+#%patch39 -p1 -b .ipv6-apps
+%patch40 -p1 -b .nocanister
+%patch41 -p1 -b .use-fipscheck
+%patch42 -p1 -b .fipscheck-hmac
+%patch43 -p1 -b .evp-nonfips
+%patch44 -p1 -b .fipsmode
+%patch45 -p1 -b .env-nozlib
+%patch46 -p1 -b .eap-fast
+%patch47 -p1 -b .warning
+%patch48 -p1 -b .bad-mime
+%patch49 -p1 -b .no-pairwise
+
+%patch100 -p1 -b .mingw-header-files
+%patch101 -p1 -b .mingw-configure
+%patch102 -p1 -b .mingw-shared
+%patch103 -p1 -b .mingw-global
+%patch104 -p1 -b .mingw-sfx
+
+# Modify the various perl scripts to reference perl in the right location.
+perl util/perlpath.pl `dirname %{__perl}`
+
+# Generate a table with the compile settings for my perusal.
+touch Makefile
+make TABLE PERL=%{__perl}
+
+%build
+# NB: 'no-hw' is vital.  MinGW cannot build the hardware drivers
+# and if you don't have this you'll get an obscure link error.
+%{_mingw32_env}; \
+sed -i -e "s/MINGW32_CC/%{_mingw32_cc}/" -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" -e "s/MINGW32_RANLIB/%{_mingw32_ranlib}/" Configure; \
+./Configure \
+  --prefix=%{_mingw32_prefix} \
+  --openssldir=%{_mingw32_sysconfdir}/pki/tls \
+  zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
+  no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-hw shared \
+  --enginesdir=%{_mingw32_libdir}/openssl/engines \
+  mingw
+#  --with-krb5-flavor=MIT
+#  -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib}
+%{_mingw32_make} depend
+%{_mingw32_make} all build-shared
+
+# Generate hashes for the included certs.
+%{_mingw32_make} rehash build-shared
+
+%if %{run_tests}
+#----------------------------------------------------------------------
+# Run some tests.  I don't know why this isn't in a %-check section
+# but this is how it is in the native RPM.
+
+# This is a bit of a hack, but the test scripts look for 'openssl'
+# by name.
+pushd apps
+ln -s openssl.exe openssl
+popd
+
+# This is useful for diagnosing Wine problems.
+WINEDEBUG=+loaddll
+export WINEDEBUG
+
+# Make sure we can find the installed DLLs.
+WINEDLLPATH=%{_mingw32_bindir}
+export WINEDLLPATH
+
+# The tests run Wine and require an X server (but don't really use
+# it).  Therefore we create a virtual framebuffer for the duration of
+# the tests.
+# XXX There is no good way to choose a random, unused display.
+# XXX Setting depth to 24 bits avoids bug 458219.
+unset DISPLAY
+display=:21
+Xvfb $display -screen 0 1024x768x24 -ac -noreset & xpid=$!
+trap "kill -TERM $xpid ||:" EXIT
+sleep 3
+DISPLAY=$display
+export DISPLAY
+
+%{_mingw32_make} LDCMD=%{_mingw32_cc} -C test apps tests
+
+# Disable this thread test, because we don't have pthread on Windows.
+%{_mingw32_cc} -o openssl-thread-test \
+  -I./include \
+  %-{_mingw32_cflags} \
+  %-{SOURCE8} \
+  -L. \
+  -lssl -lcrypto \
+  -lpthread -lz -ldl
+
+## `krb5-config --cflags`
+## `krb5-config --libs`
+#
+./openssl-thread-test --threads %{thread_test_threads}
+
+#----------------------------------------------------------------------
+%endif
+
+# Patch33 must be patched after tests otherwise they will fail
+patch -p1 -b -z .ca-dir < %{PATCH33}
+
+# Add generation of HMAC checksum of the final stripped library
+#%define __spec_install_post \
+#    %{?__debug_package:%{__debug_install_post}} \
+#    %{__arch_install_post} \
+#    %{__os_install_post} \
+#    fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
+#    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
+#%{nil}
+
+if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
+  iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \
+    mv -f CHANGES.utf8 CHANGES
+fi
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}/openssl
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_bindir}
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_includedir}
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_mandir}
+make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared
+
+# Install the actual DLLs.
+install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
+install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
+
+# Remove static libraries but DON'T remove *.dll.a files.
+rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.a
+rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.a
+
+# I have no idea why it installs the manpages in /etc, but
+# we remove them anyway.
+rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man
+
+# Set permissions on lib*.dll.a so that strip works.
+chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.dll.a
+chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.dll.a
+
+# Install a makefile for generating keys and self-signed certs, and a script
+# for generating them on the fly.
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs
+install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/Makefile
+install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert
+
+# Pick a CA script.
+pushd  $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/misc
+mv CA.sh CA
+popd
+
+mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA
+mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA/private
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%files
+%defattr(-,root,root)
+%doc LICENSE
+%{_mingw32_bindir}/openssl.exe
+%{_mingw32_bindir}/c_rehash
+%{_mingw32_bindir}/libcrypto-%{soversion}.dll
+%{_mingw32_bindir}/libssl-%{soversion}.dll
+#{_mingw32_bindir}/.libcrypto*.hmac
+%{_mingw32_libdir}/libcrypto.dll.a
+%{_mingw32_libdir}/libssl.dll.a
+%{_mingw32_libdir}/engines
+%{_mingw32_libdir}/pkgconfig/*.pc
+%{_mingw32_includedir}/openssl
+%config(noreplace) %{_mingw32_sysconfdir}/pki
+
+
+%changelog
+* Mon Feb  2 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-2
+- Various build fixes.
+
+* Wed Jan 28 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-1
+- update to new upstream version.
+
+* Mon Dec 29 2008 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8g-2
+- minor cleanup.
+
+* Tue Sep 30 2008 Richard W.M. Jones <rjones@redhat.com> - 0.9.8g-1
+- Initial RPM release.

openssl-0.9.6-x509.patch

@@ -0,0 +1,29 @@
+Do not treat duplicate certs as an error.
+
+--- openssl-0.9.6/crypto/x509/by_file.c	Wed Sep 27 15:09:05 2000
++++ openssl-0.9.6/crypto/x509/by_file.c	Wed Sep 27 14:21:20 2000
+@@ -163,8 +163,12 @@
+ 					}
+ 				}
+ 			i=X509_STORE_add_cert(ctx->store_ctx,x);
+-			if (!i) goto err;
+-			count++;
++			/* ignore any problems with current certificate 
++			    and continue with the next one */
++			if (i)
++			    count++;
++			else
++			    ERR_clear_error();
+ 			X509_free(x);
+ 			x=NULL;
+ 			}
+@@ -179,7 +183,8 @@
+ 			goto err;
+ 			}
+ 		i=X509_STORE_add_cert(ctx->store_ctx,x);
+-		if (!i) goto err;
++		if (!i)
++		  ERR_clear_error();
+ 		ret=i;
+ 		}
+ 	else

openssl-0.9.8a-defaults.patch

@@ -0,0 +1,50 @@
+--- openssl-0.9.8a/apps/openssl.cnf.defaults	2005-09-16 14:20:24.000000000 +0200
++++ openssl-0.9.8a/apps/openssl.cnf	2005-11-04 11:00:37.000000000 +0100
+@@ -99,6 +99,7 @@
+ ####################################################################
+ [ req ]
+ default_bits		= 1024
++default_md		= sha1
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -116,23 +117,26 @@
+ # MASK:XXXX a literal mask value.
+ # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+ # so use this option with caution!
+-string_mask = nombstr
++# we use PrintableString+UTF8String mask so if pure ASCII texts are used
++# the resulting certificates are compatible with Netscape
++string_mask = MASK:0x2002
+ 
+ # req_extensions = v3_req # The extensions to add to a certificate request
+ 
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+-countryName_default		= AU
++countryName_default		= GB
+ countryName_min			= 2
+ countryName_max			= 2
+ 
+ stateOrProvinceName		= State or Province Name (full name)
+-stateOrProvinceName_default	= Some-State
++stateOrProvinceName_default	= Berkshire
+ 
+ localityName			= Locality Name (eg, city)
++localityName_default		= Newbury
+ 
+ 0.organizationName		= Organization Name (eg, company)
+-0.organizationName_default	= Internet Widgits Pty Ltd
++0.organizationName_default	= My Company Ltd
+ 
+ # we can do this but it is not needed normally :-)
+ #1.organizationName		= Second Organization Name (eg, company)
+@@ -141,7 +145,7 @@
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+ #organizationalUnitName_default	=
+ 
+-commonName			= Common Name (eg, YOUR name)
++commonName			= Common Name (eg, your name or your server\'s hostname)
+ commonName_max			= 64
+ 
+ emailAddress			= Email Address

openssl-0.9.8a-link-krb5.patch

@@ -0,0 +1,11 @@
+--- openssl-0.9.8a/Makefile.org.link-krb5	2005-07-05 07:14:21.000000000 +0200
++++ openssl-0.9.8a/Makefile.org	2005-11-07 18:00:08.000000000 +0100
+@@ -266,7 +266,7 @@
+ 
+ do_$(SHLIB_TARGET):
+ 	@ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
++		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+ 			libs="$(LIBKRB5) $$libs"; \
+ 		fi; \
+ 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \

openssl-0.9.8a-no-rpath.patch

@@ -0,0 +1,11 @@
+--- openssl-0.9.8a/Makefile.shared.no-rpath	2005-06-23 22:47:54.000000000 +0200
++++ openssl-0.9.8a/Makefile.shared	2005-11-16 22:35:37.000000000 +0100
+@@ -153,7 +153,7 @@
+ 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+ 
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+ 
+ #This is rather special.  It's a special target with which one can link
+ #applications without bothering with any features that have anything to

openssl-0.9.8a-reuse-cipher-change.patch

@@ -0,0 +1,20 @@
+--- openssl-0.9.8a/ssl/ssl.h.cipher-change	2005-11-22 16:36:22.000000000 +0100
++++ openssl-0.9.8a/ssl/ssl.h	2005-12-15 11:28:05.000000000 +0100
+@@ -477,7 +477,7 @@
+ 
+ #define SSL_OP_MICROSOFT_SESS_ID_BUG			0x00000001L
+ #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L
+-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
++#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L /* can break some security expectations */
+ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
+ #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
+ #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
+@@ -494,7 +494,7 @@
+ 
+ /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
+  *             This used to be 0x000FFFFFL before 0.9.7. */
+-#define SSL_OP_ALL					0x00000FFFL
++#define SSL_OP_ALL					0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */
+ 
+ /* DTLS options */
+ #define SSL_OP_NO_QUERY_MTU                 0x00001000L

openssl-0.9.8b-aliasing-bug.patch

@@ -0,0 +1,24 @@
+
+This patch fixes a violation of the C aliasing rules that can cause
+miscompilation with some compiler versions.
+
+--- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig	2006-10-30 18:21:35.000000000 +0100
++++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c	2006-10-30 18:21:37.000000000 +0100
+@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co
+ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
+ 	{
+ 	void *ptr;
+-	DSO_FUNC_TYPE sym, *tsym = &sym;
++	DSO_FUNC_TYPE sym;
+ 
+ 	if((dso == NULL) || (symname == NULL))
+ 		{
+@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO
+ 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
+ 		return(NULL);
+ 		}
+-	*(void **)(tsym) = dlsym(ptr, symname);
++	sym = dlsym(ptr, symname);
+ 	if(sym == NULL)
+ 		{
+ 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);

openssl-0.9.8b-test-use-localhost.patch

@@ -0,0 +1,24 @@
+diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c
+--- openssl-0.9.8b/ssl/ssltest.c.use-localhost	2006-02-24 18:58:35.000000000 +0100
++++ openssl-0.9.8b/ssl/ssltest.c	2007-08-03 14:06:16.000000000 +0200
+@@ -839,19 +839,8 @@ bad:
+ #ifndef OPENSSL_NO_KRB5
+ 	if (c_ssl  &&  c_ssl->kssl_ctx)
+                 {
+-                char	localhost[MAXHOSTNAMELEN+2];
+-
+-		if (gethostname(localhost, sizeof localhost-1) == 0)
+-                        {
+-			localhost[sizeof localhost-1]='\0';
+-			if(strlen(localhost) == sizeof localhost-1)
+-				{
+-				BIO_printf(bio_err,"localhost name too long\n");
+-				goto end;
+-				}
+ 			kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
+-                                localhost);
+-			}
++                                "localhost");
+ 		}
+ #endif    /* OPENSSL_NO_KRB5  */
+ 

openssl-0.9.8b-x509-name-cmp.patch

@@ -0,0 +1,18 @@
+--- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp	2004-12-01 02:45:30.000000000 +0100
++++ openssl-0.9.8b/crypto/x509/x509_cmp.c	2006-11-30 23:37:26.000000000 +0100
+@@ -282,14 +282,7 @@
+ 		nb=sk_X509_NAME_ENTRY_value(b->entries,i);
+ 		j=na->value->type-nb->value->type;
+ 		if (j)
+-			{
+-			nabit = ASN1_tag2bit(na->value->type);
+-			nbbit = ASN1_tag2bit(nb->value->type);
+-			if (!(nabit & STR_TYPE_CMP) ||
+-				!(nbbit & STR_TYPE_CMP))
+-				return j;
+-			j = asn1_string_memcmp(na->value, nb->value);
+-			}
++			return j;
+ 		else if (na->value->type == V_ASN1_PRINTABLESTRING)
+ 			j=nocase_spacenorm_cmp(na->value, nb->value);
+ 		else if (na->value->type == V_ASN1_IA5STRING

openssl-0.9.8g-default-paths.patch

@@ -0,0 +1,77 @@
+diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c
+--- openssl-0.9.8g/apps/s_server.c.default-paths	2007-12-13 17:41:34.000000000 +0100
++++ openssl-0.9.8g/apps/s_server.c	2007-12-13 17:36:58.000000000 +0100
+@@ -1077,12 +1077,13 @@ bad:
+ 		}
+ #endif
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++		{
++		ERR_print_errors(bio_err);
++		}
++	if (!SSL_CTX_set_default_verify_paths(ctx))
+ 		{
+-		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+ 		ERR_print_errors(bio_err);
+-		/* goto end; */
+ 		}
+ 	store = SSL_CTX_get_cert_store(ctx);
+ 	X509_STORE_set_flags(store, vflags);
+@@ -1132,8 +1133,11 @@ bad:
+ 
+ 		SSL_CTX_sess_set_cache_size(ctx2,128);
+ 
+-		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+-			(!SSL_CTX_set_default_verify_paths(ctx2)))
++		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
++		if (!SSL_CTX_set_default_verify_paths(ctx2))
+ 			{
+ 			ERR_print_errors(bio_err);
+ 			}
+diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c
+--- openssl-0.9.8g/apps/s_client.c.default-paths	2007-12-13 17:41:34.000000000 +0100
++++ openssl-0.9.8g/apps/s_client.c	2007-12-13 17:37:34.000000000 +0100
+@@ -673,12 +673,13 @@ bad:
+ 	if (!set_cert_key_stuff(ctx,cert,key))
+ 		goto end;
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++		{
++		ERR_print_errors(bio_err);
++		}
++	if (!SSL_CTX_set_default_verify_paths(ctx))
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+ 		ERR_print_errors(bio_err);
+-		/* goto end; */
+ 		}
+ 
+ 	store = SSL_CTX_get_cert_store(ctx);
+diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c
+--- openssl-0.9.8g/apps/s_time.c.default-paths	2003-12-27 15:40:17.000000000 +0100
++++ openssl-0.9.8g/apps/s_time.c	2007-12-13 17:35:27.000000000 +0100
+@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv)
+ 
+ 	SSL_load_error_strings();
+ 
+-	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
++	if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
++		{
++		ERR_print_errors(bio_err);
++		}
++	if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+ 		ERR_print_errors(bio_err);
+-		/* goto end; */
+ 		}
+ 
+ 	if (tm_cipher == NULL)

openssl-0.9.8g-ia64.patch

@@ -0,0 +1,19 @@
+diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
+--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64	2008-08-10 22:23:55.000000000 +0200
++++ openssl-0.9.8g/crypto/bn/bn_lcl.h	2008-08-10 22:23:55.000000000 +0200
+@@ -279,6 +279,15 @@ extern "C" {
+ #   define BN_UMULT_HIGH(a,b)		__umulh((a),(b))
+ #   define BN_UMULT_LOHI(low,high,a,b)	((low)=_umul128((a),(b),&(high)))
+ #  endif
++# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
++#  if defined(__GNUC__)
++#   define BN_UMULT_HIGH(a,b) ({      \
++      register BN_ULONG ret;          \
++      asm ("xmpy.hu %0 = %1, %2"      \
++           : "=f"(ret)                \
++           : "f"(a), "f"(b));         \
++      ret;                    })
++#  endif      /* compiler */
+ # endif		/* cpu */
+ #endif		/* OPENSSL_NO_ASM */
+ 

openssl-0.9.8g-no-extssl.patch

@@ -0,0 +1,27 @@
+diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
+--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl	2007-10-19 09:44:10.000000000 +0200
++++ openssl-0.9.8g/ssl/t1_lib.c	2008-08-10 21:42:11.000000000 +0200
+@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
+ 	int extdatalen=0;
+ 	unsigned char *ret = p;
+ 
++	if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
++		{
++		return ret;
++		}
++
+ 	ret+=2;
+ 
+ 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
+@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
+ 	int extdatalen=0;
+ 	unsigned char *ret = p;
+ 
++	if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
++		{
++		return ret;
++		}
++
+ 	ret+=2;
+ 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
+ 

openssl-0.9.8j-bad-mime.patch

@@ -0,0 +1,14 @@
+diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
+--- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime	2008-08-05 17:56:11.000000000 +0200
++++ openssl-0.9.8j/crypto/asn1/asn_mime.c	2009-01-14 22:08:34.000000000 +0100
+@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
+ static int mime_hdr_cmp(const MIME_HEADER * const *a,
+ 			const MIME_HEADER * const *b)
+ {
++	if ((*a)->name == NULL || (*b)->name == NULL)
++		return (*a)->name - (*b)->name < 0 ? -1 :
++			(*a)->name - (*b)->name > 0 ? 1 : 0;
++
+ 	return(strcmp((*a)->name, (*b)->name));
+ }
+ 

openssl-0.9.8j-ca-dir.patch

@@ -0,0 +1,36 @@
+diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
+--- openssl-0.9.8j/apps/openssl.cnf.ca-dir	2009-01-13 23:20:10.000000000 +0100
++++ openssl-0.9.8j/apps/openssl.cnf	2009-01-13 23:20:10.000000000 +0100
+@@ -34,7 +34,7 @@ default_ca	= CA_default		# The default c
+ ####################################################################
+ [ CA_default ]
+ 
+-dir		= ./demoCA		# Where everything is kept
++dir		= ../../CA		# Where everything is kept
+ certs		= $dir/certs		# Where the issued certs are kept
+ crl_dir		= $dir/crl		# Where the issued crl are kept
+ database	= $dir/index.txt	# database index file.
+diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
+--- openssl-0.9.8j/apps/CA.sh.ca-dir	2005-07-04 23:44:22.000000000 +0200
++++ openssl-0.9.8j/apps/CA.sh	2009-01-13 23:20:10.000000000 +0100
+@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
+ VERIFY="$OPENSSL verify"
+ X509="$OPENSSL x509"
+ 
+-CATOP=./demoCA
++CATOP=../../CA
+ CAKEY=./cakey.pem
+ CAREQ=./careq.pem
+ CACERT=./cacert.pem
+diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
+--- openssl-0.9.8j/apps/CA.pl.in.ca-dir	2006-04-28 02:28:51.000000000 +0200
++++ openssl-0.9.8j/apps/CA.pl.in	2009-01-13 23:20:10.000000000 +0100
+@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
+ $X509="$openssl x509";
+ $PKCS12="$openssl pkcs12";
+ 
+-$CATOP="./demoCA";
++$CATOP="../../CA";
+ $CAKEY="cakey.pem";
+ $CAREQ="careq.pem";
+ $CACERT="cacert.pem";

openssl-0.9.8j-eap-fast.patch

@@ -0,0 +1,378 @@
+diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c
+--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast	2009-01-14 16:39:41.000000000 +0100
++++ openssl-0.9.8j/ssl/t1_lib.c	2009-01-14 21:35:38.000000000 +0100
+@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
+ 
+ void tls1_free(SSL *s)
+ 	{
++#ifndef OPENSSL_NO_TLSEXT
++	if (s && s->tlsext_session_ticket)
++		{
++		OPENSSL_free(s->tlsext_session_ticket);
++		}
++#endif /* OPENSSL_NO_TLSEXT */
+ 	ssl3_free(s);
+ 	}
+ 
+@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex
+ 		int ticklen;
+ 		if (s->session && s->session->tlsext_tick)
+ 			ticklen = s->session->tlsext_ticklen;
++		else if (s->session && s->tlsext_session_ticket &&
++			 s->tlsext_session_ticket->data)
++			{
++			ticklen = s->tlsext_session_ticket->length;
++			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
++			if (!s->session->tlsext_tick)
++				return NULL;
++			memcpy(s->session->tlsext_tick,
++			       s->tlsext_session_ticket->data,
++			       ticklen);
++			s->session->tlsext_ticklen = ticklen;
++			}
+ 		else
+ 			ticklen = 0;
++		if (ticklen == 0 && s->tlsext_session_ticket &&
++		    s->tlsext_session_ticket->data == NULL)
++			goto skip_ext;
+ 		/* Check for enough room 2 for extension type, 2 for len
+  		 * rest for ticket
+   		 */
+@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex
+ 			ret += ticklen;
+ 			}
+ 		}
++		skip_ext:
+ 
+ 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
+ 		{
+@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 				}
+ 
+ 			}
++		else if (type == TLSEXT_TYPE_session_ticket) 
++			{ 
++			if (s->tls_session_ticket_ext_cb && 
++			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 
++				{ 
++				*al = TLS1_AD_INTERNAL_ERROR; 
++				return 0; 
++				} 
++			} 
+ 		else if (type == TLSEXT_TYPE_status_request
+ 						&& s->ctx->tlsext_status_cb)
+ 			{
+@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			}
+ 		else if (type == TLSEXT_TYPE_session_ticket)
+ 			{
++			if (s->tls_session_ticket_ext_cb &&
++			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
++				{
++				*al = TLS1_AD_INTERNAL_ERROR;
++				return 0;
++				}
+ 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
+ 				|| (size > 0))
+ 				{
+@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned
+ 				s->tlsext_ticket_expected = 1;
+ 				return 0;	/* Cache miss */
+ 				}
++			if (s->tls_session_secret_cb)
++				{
++				/* Indicate cache miss here and instead of
++				 * generating the session from ticket now,
++				 * trigger abbreviated handshake based on
++				 * external mechanism to calculate the master
++				 * secret later. */
++				return 0;
++				}
+ 			return tls_decrypt_ticket(s, p, size, session_id, len,
+ 									ret);
+ 			}
+diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c
+--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast	2009-01-07 11:48:23.000000000 +0100
++++ openssl-0.9.8j/ssl/s3_clnt.c	2009-01-14 21:13:47.000000000 +0100
+@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s)
+ 		goto f_err;
+ 		}
+ 
++#ifndef OPENSSL_NO_TLSEXT
++	/* check if we want to resume the session based on external pre-shared secret */
++	if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
++		{
++		SSL_CIPHER *pref_cipher=NULL;
++		s->session->master_key_length=sizeof(s->session->master_key);
++		if (s->tls_session_secret_cb(s, s->session->master_key,
++					     &s->session->master_key_length,
++					     NULL, &pref_cipher,
++					     s->tls_session_secret_cb_arg))
++			{
++			s->session->cipher = pref_cipher ?
++				pref_cipher : ssl_get_cipher_by_char(s, p+j);
++			}
++		}
++#endif /* OPENSSL_NO_TLSEXT */
++
+ 	if (j != 0 && j == s->session->session_id_length
+ 	    && memcmp(p,s->session->session_id,j) == 0)
+ 	    {
+@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s)
+ 	{
+ 	int ok;
+ 	long n;
+-	/* If we have no ticket or session ID is non-zero length (a match of
+-	 * a non-zero session length would never reach here) it cannot be a
+-	 * resumed session.
+-	 */
+-	if (!s->session->tlsext_tick || s->session->session_id_length)
++	/* If we have no ticket it cannot be a resumed session. */
++	if (!s->session->tlsext_tick)
+ 		return 1;
+ 	/* this function is called when we really expect a Certificate
+ 	 * message, so permit appropriate message length */
+diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
+--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast	2008-06-04 20:35:27.000000000 +0200
++++ openssl-0.9.8j/ssl/ssl_sess.c	2009-01-14 21:13:47.000000000 +0100
+@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
+ 	return(s->session_timeout);
+ 	}
+ 
++#ifndef OPENSSL_NO_TLSEXT
++int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
++	STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
++	{
++	if (s == NULL) return(0);
++	s->tls_session_secret_cb = tls_session_secret_cb;
++	s->tls_session_secret_cb_arg = arg;
++	return(1);
++	}
++
++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
++				  void *arg)
++	{
++	if (s == NULL) return(0);
++	s->tls_session_ticket_ext_cb = cb;
++	s->tls_session_ticket_ext_cb_arg = arg;
++	return(1);
++	}
++
++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
++	{
++	if (s->version >= TLS1_VERSION)
++		{
++		if (s->tlsext_session_ticket)
++			{
++			OPENSSL_free(s->tlsext_session_ticket);
++			s->tlsext_session_ticket = NULL;
++			}
++
++		s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
++		if (!s->tlsext_session_ticket)
++			{
++			SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
++			return 0;
++			}
++
++		if (ext_data)
++			{
++			s->tlsext_session_ticket->length = ext_len;
++			s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
++			memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
++			}
++		else
++			{
++			s->tlsext_session_ticket->length = 0;
++			s->tlsext_session_ticket->data = NULL;
++			}
++
++		return 1;
++		}
++
++	return 0;
++	}
++#endif /* OPENSSL_NO_TLSEXT */
++
+ typedef struct timeout_param_st
+ 	{
+ 	SSL_CTX *ctx;
+diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
+--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast	2009-01-07 11:48:23.000000000 +0100
++++ openssl-0.9.8j/ssl/s3_srvr.c	2009-01-14 21:22:37.000000000 +0100
+@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s)
+ 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+ 			goto err;
+ 		}
++
++	/* Check if we want to use external pre-shared secret for this
++	 * handshake for not reused session only. We need to generate
++	 * server_random before calling tls_session_secret_cb in order to allow
++	 * SessionTicket processing to use it in key derivation. */
++	{
++		unsigned long Time;
++		unsigned char *pos;
++		Time=(unsigned long)time(NULL);			/* Time */
++		pos=s->s3->server_random;
++		l2n(Time,pos);
++		if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
++			{
++			al=SSL_AD_INTERNAL_ERROR;
++			goto f_err;
++			}
++	}
++
++	if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
++		{
++		SSL_CIPHER *pref_cipher=NULL;
++
++		s->session->master_key_length=sizeof(s->session->master_key);
++		if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
++			ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
++			{
++			s->hit=1;
++			s->session->ciphers=ciphers;
++			s->session->verify_result=X509_V_OK;
++
++			ciphers=NULL;
++
++			/* check if some cipher was preferred by call back */
++			pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
++			if (pref_cipher == NULL)
++				{
++				al=SSL_AD_HANDSHAKE_FAILURE;
++				SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
++				goto f_err;
++				}
++
++			s->session->cipher=pref_cipher;
++
++			if (s->cipher_list)
++				sk_SSL_CIPHER_free(s->cipher_list);
++
++			if (s->cipher_list_by_id)
++				sk_SSL_CIPHER_free(s->cipher_list_by_id);
++
++			s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
++			s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
++			}
++		}
+ #endif
+ 	/* Worst case, we will use the NULL compression, but if we have other
+ 	 * options, we will now look for them.  We have i-1 compression
+@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s)
+ 	unsigned char *buf;
+ 	unsigned char *p,*d;
+ 	int i,sl;
+-	unsigned long l,Time;
++	unsigned long l;
++#ifdef OPENSSL_NO_TLSEXT
++	unsigned long Time;
++#endif
+ 
+ 	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
+ 		{
+ 		buf=(unsigned char *)s->init_buf->data;
++#ifdef OPENSSL_NO_TLSEXT
+ 		p=s->s3->server_random;
++		/* Generate server_random if it was not needed previously */
+ 		Time=(unsigned long)time(NULL);			/* Time */
+ 		l2n(Time,p);
+ 		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+ 			return -1;
++#endif
+ 		/* Do the message type and length last */
+ 		d=p= &(buf[4]);
+ 
+diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
+--- openssl-0.9.8j/ssl/tls1.h.eap-fast	2009-01-14 16:39:41.000000000 +0100
++++ openssl-0.9.8j/ssl/tls1.h	2009-01-14 21:13:47.000000000 +0100
+@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
+ #define TLS_MD_MASTER_SECRET_CONST    "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"  /*master secret*/
+ #endif
+ 
++/* TLS Session Ticket extension struct */
++struct tls_session_ticket_ext_st
++	{
++	unsigned short length;
++	void *data;
++	};
++
+ #ifdef  __cplusplus
+ }
+ #endif
+diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c
+--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast	2008-08-13 21:44:44.000000000 +0200
++++ openssl-0.9.8j/ssl/ssl_err.c	2009-01-14 21:13:47.000000000 +0100
+@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_TLS1_ENC),	"TLS1_ENC"},
+ {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),	"TLS1_SETUP_KEY_BLOCK"},
+ {ERR_FUNC(SSL_F_WRITE_PENDING),	"WRITE_PENDING"},
++{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
+ {0,NULL}
+ 	};
+ 
+diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h
+--- openssl-0.9.8j/ssl/ssl.h.eap-fast	2009-01-14 16:39:41.000000000 +0100
++++ openssl-0.9.8j/ssl/ssl.h	2009-01-14 21:26:45.000000000 +0100
+@@ -344,6 +344,7 @@ extern "C" {
+  * 'struct ssl_st *' function parameters used to prototype callbacks
+  * in SSL_CTX. */
+ typedef struct ssl_st *ssl_crock_st;
++typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
+ 
+ /* used to hold info on the particular ciphers used */
+ typedef struct ssl_cipher_st
+@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
+ 
+ DECLARE_STACK_OF(SSL_CIPHER)
+ 
++typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
++typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
++
+ /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
+ typedef struct ssl_method_st
+ 	{
+@@ -1034,6 +1038,18 @@ struct ssl_st
+ 
+ 	/* RFC4507 session ticket expected to be received or sent */
+ 	int tlsext_ticket_expected;
++
++	/* TLS Session Ticket extension override */ 
++	TLS_SESSION_TICKET_EXT *tlsext_session_ticket; 
++
++	/* TLS Session Ticket extension callback */ 
++	tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; 
++	void *tls_session_ticket_ext_cb_arg; 
++
++	/* TLS pre-shared secret session resumption */ 
++	tls_session_secret_cb_fn tls_session_secret_cb; 
++	void *tls_session_secret_cb_arg; 
++
+ 	SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
+ #define session_ctx initial_ctx
+ #else
+@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v
+ int SSL_COMP_add_compression_method(int id,void *cm);
+ #endif
+ 
++/* TLS extensions functions */
++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
++
++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
++				  void *arg);
++
++/* Pre-shared secret session resumption functions */
++int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
++
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes
+  * made after this point may be overwritten when the script is next run.
+@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_TLS1_ENC					 210
+ #define SSL_F_TLS1_SETUP_KEY_BLOCK			 211
+ #define SSL_F_WRITE_PENDING				 212
++#define SSL_F_SSL_SET_SESSION_TICKET_EXT		 213
+ 
+ /* Reason codes. */
+ #define SSL_R_APP_DATA_IN_HANDSHAKE			 100

openssl-0.9.8j-enginesdir.patch

@@ -0,0 +1,40 @@
+diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure
+--- openssl-0.9.8j/Configure.enginesdir	2009-01-13 23:17:40.000000000 +0100
++++ openssl-0.9.8j/Configure	2009-01-13 23:17:40.000000000 +0100
+@@ -577,6 +577,7 @@ my $idx_arflags = $idx++;
+ 
+ my $prefix="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix="";
+ my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
+@@ -815,6 +816,10 @@ PROCESS_ARGS:
+ 				{
+ 				$openssldir=$1;
+ 				}
++			elsif (/^--enginesdir=(.*)$/)
++				{
++				$enginesdir=$1;
++				}
+ 			elsif (/^--install.prefix=(.*)$/)
+ 				{
+ 				$install_prefix=$1;
+@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/;
+ 
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+ 
+ print "IsMK1MF=$IsMK1MF\n";
+ 
+@@ -1635,7 +1640,7 @@ while (<IN>)
+ 	if	(/^#define\s+OPENSSLDIR/)
+ 		{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
+ 	elsif	(/^#define\s+ENGINESDIR/)
+-		{ print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
++		{ print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
+ 	elsif	(/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
+ 		{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
+ 			if $export_var_as_fn;

openssl-0.9.8j-env-nozlib.patch

@@ -0,0 +1,13 @@
+Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set.
+diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c
+--- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib	2009-01-05 15:43:07.000000000 +0100
++++ openssl-0.9.8j/ssl/ssl_ciph.c	2009-01-14 17:47:46.000000000 +0100
+@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo
+ 
+ 			MemCheck_off();
+ 			ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+-			if (ssl_comp_methods != NULL)
++			if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
+ 				{
+ 				comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ 				if (comp != NULL)

openssl-0.9.8j-evp-nonfips.patch

@@ -0,0 +1,127 @@
+diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c
+--- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips	2005-04-30 23:51:40.000000000 +0200
++++ openssl-0.9.8j/crypto/evp/c_alld.c	2009-01-14 17:51:41.000000000 +0100
+@@ -64,6 +64,11 @@
+ 
+ void OpenSSL_add_all_digests(void)
+ 	{
++#ifdef OPENSSL_FIPS
++	OPENSSL_init();
++	if (!FIPS_mode())
++		{
++#endif
+ #ifndef OPENSSL_NO_MD2
+ 	EVP_add_digest(EVP_md2());
+ #endif
+@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
+ 	EVP_add_digest(EVP_sha384());
+ 	EVP_add_digest(EVP_sha512());
+ #endif
++#ifdef OPENSSL_FIPS
++		}
++	else
++		{
++#ifndef OPENSSL_NO_SHA
++	EVP_add_digest(EVP_sha1());
++	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
++	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
++#ifndef OPENSSL_NO_DSA
++	EVP_add_digest(EVP_dss1());
++	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
++	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
++	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
++#endif
++#ifndef OPENSSL_NO_ECDSA
++	EVP_add_digest(EVP_ecdsa());
++#endif
++#endif
++#ifndef OPENSSL_NO_SHA256
++	EVP_add_digest(EVP_sha224());
++	EVP_add_digest(EVP_sha256());
++#endif
++#ifndef OPENSSL_NO_SHA512
++	EVP_add_digest(EVP_sha384());
++	EVP_add_digest(EVP_sha512());
++#endif
++		}
++#endif
+ 	}
+diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c
+--- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips	2007-04-24 01:50:04.000000000 +0200
++++ openssl-0.9.8j/crypto/evp/c_allc.c	2009-01-14 17:51:41.000000000 +0100
+@@ -65,6 +65,11 @@
+ void OpenSSL_add_all_ciphers(void)
+ 	{
+ 
++#ifdef OPENSSL_FIPS
++	OPENSSL_init();
++	if(!FIPS_mode()) 
++		{
++#endif
+ #ifndef OPENSSL_NO_DES
+ 	EVP_add_cipher(EVP_des_cfb());
+ 	EVP_add_cipher(EVP_des_cfb1());
+@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
+ 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
+ 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++		}
++	else
++		{
++#ifndef OPENSSL_NO_DES
++	EVP_add_cipher(EVP_des_ede_cfb());
++	EVP_add_cipher(EVP_des_ede3_cfb());
++
++	EVP_add_cipher(EVP_des_ede_ofb());
++	EVP_add_cipher(EVP_des_ede3_ofb());
++
++	EVP_add_cipher(EVP_des_ede_cbc());
++	EVP_add_cipher(EVP_des_ede3_cbc());
++	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
++	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
++
++	EVP_add_cipher(EVP_des_ede());
++	EVP_add_cipher(EVP_des_ede3());
++#endif
++
++#ifndef OPENSSL_NO_AES
++	EVP_add_cipher(EVP_aes_128_ecb());
++	EVP_add_cipher(EVP_aes_128_cbc());
++	EVP_add_cipher(EVP_aes_128_cfb());
++	EVP_add_cipher(EVP_aes_128_cfb1());
++	EVP_add_cipher(EVP_aes_128_cfb8());
++	EVP_add_cipher(EVP_aes_128_ofb());
++#if 0
++	EVP_add_cipher(EVP_aes_128_ctr());
++#endif
++	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
++	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
++	EVP_add_cipher(EVP_aes_192_ecb());
++	EVP_add_cipher(EVP_aes_192_cbc());
++	EVP_add_cipher(EVP_aes_192_cfb());
++	EVP_add_cipher(EVP_aes_192_cfb1());
++	EVP_add_cipher(EVP_aes_192_cfb8());
++	EVP_add_cipher(EVP_aes_192_ofb());
++#if 0
++	EVP_add_cipher(EVP_aes_192_ctr());
++#endif
++	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
++	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
++	EVP_add_cipher(EVP_aes_256_ecb());
++	EVP_add_cipher(EVP_aes_256_cbc());
++	EVP_add_cipher(EVP_aes_256_cfb());
++	EVP_add_cipher(EVP_aes_256_cfb1());
++	EVP_add_cipher(EVP_aes_256_cfb8());
++	EVP_add_cipher(EVP_aes_256_ofb());
++#if 0
++	EVP_add_cipher(EVP_aes_256_ctr());
++#endif
++	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
++	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
++#endif
++		}
++#endif
+ 
+ 	PKCS12_PBE_add();
+ 	PKCS5_PBE_add();

openssl-0.9.8j-fips-no-pairwise.patch

@@ -0,0 +1,24 @@
+diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c
+--- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise	2009-01-17 20:27:37.000000000 +0100
++++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c	2009-01-17 20:27:28.000000000 +0100
+@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa, 
+ 	if (fips_rsa_pairwise_fail)
+ 		BN_add_word(rsa->n, 1);
+ 
+-	if(!fips_check_rsa(rsa))
++	if(FIPS_mode() && !fips_check_rsa(rsa))
+ 	    goto err;
+ 
+ 	ok=1;
+diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c
+--- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise	2008-09-16 12:12:15.000000000 +0200
++++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c	2009-01-17 20:26:20.000000000 +0100
+@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa)
+ 	dsa->pub_key=pub_key;
+ 	if (fips_dsa_pairwise_fail)
+ 		BN_add_word(dsa->pub_key, 1);
+-	if(!fips_check_dsa(dsa))
++	if(FIPS_mode() && !fips_check_dsa(dsa))
+ 	    goto err;
+ 	ok=1;
+ 

openssl-0.9.8j-fipscheck-hmac.patch

@@ -0,0 +1,125 @@
+Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary.
+We use the binary just during the OpenSSL build to checksum the libcrypto.
+diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile
+--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac	2008-10-26 19:42:05.000000000 +0100
++++ openssl-0.9.8j/fips/sha/Makefile	2009-01-14 16:39:41.000000000 +0100
+@@ -46,7 +46,7 @@ lib:	$(LIBOBJ)
+ 	@echo $(LIBOBJ) > lib
+ 
+ ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
+-	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
++	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
+ 	$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
+ 
+ files:
+diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c
+--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac	2008-09-16 12:12:23.000000000 +0200
++++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c	2009-01-14 17:07:56.000000000 +0100
+@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
+ 
+ #ifdef OPENSSL_FIPS
+ 
+-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
+ 		      const char *key)
+     {
+     int len=strlen(key);
+@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+ 
+     if (len > SHA_CBLOCK)
+ 	{
+-	SHA1_Init(md_ctx);
+-	SHA1_Update(md_ctx,key,len);
+-	SHA1_Final(keymd,md_ctx);
+-	len=20;
++	SHA256_Init(md_ctx);
++	SHA256_Update(md_ctx,key,len);
++	SHA256_Final(keymd,md_ctx);
++	len=SHA256_DIGEST_LENGTH;
+ 	}
+     else
+ 	memcpy(keymd,key,len);
+@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+ 
+     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ 	pad[i]=0x36^keymd[i];
+-    SHA1_Init(md_ctx);
+-    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
++    SHA256_Init(md_ctx);
++    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
+ 
+     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ 	pad[i]=0x5c^keymd[i];
+-    SHA1_Init(o_ctx);
+-    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
++    SHA256_Init(o_ctx);
++    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
+     }
+ 
+-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
+     {
+-    unsigned char buf[20];
++    unsigned char buf[SHA256_DIGEST_LENGTH];
+ 
+-    SHA1_Final(buf,md_ctx);
+-    SHA1_Update(o_ctx,buf,sizeof buf);
+-    SHA1_Final(md,o_ctx);
++    SHA256_Final(buf,md_ctx);
++    SHA256_Update(o_ctx,buf,sizeof buf);
++    SHA256_Final(md,o_ctx);
+     }
+ 
+ #endif
+@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
+ int main(int argc,char **argv)
+     {
+ #ifdef OPENSSL_FIPS
+-    static char key[]="etaonrishdlcupfm";
++    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
+     int n,binary=0;
+ 
+     if(argc < 2)
+@@ -125,8 +125,8 @@ int main(int argc,char **argv)
+     for(; n < argc ; ++n)
+ 	{
+ 	FILE *f=fopen(argv[n],"rb");
+-	SHA_CTX md_ctx,o_ctx;
+-	unsigned char md[20];
++	SHA256_CTX md_ctx,o_ctx;
++	unsigned char md[SHA256_DIGEST_LENGTH];
+ 	int i;
+ 
+ 	if(!f)
+@@ -139,7 +139,7 @@ int main(int argc,char **argv)
+ 	for( ; ; )
+ 	    {
+ 	    char buf[1024];
+-	    int l=fread(buf,1,sizeof buf,f);
++	    size_t l=fread(buf,1,sizeof buf,f);
+ 
+ 	    if(l == 0)
+ 		{
+@@ -151,18 +151,18 @@ int main(int argc,char **argv)
+ 		else
+ 		    break;
+ 		}
+-	    SHA1_Update(&md_ctx,buf,l);
++	    SHA256_Update(&md_ctx,buf,l);
+ 	    }
+ 	hmac_final(md,&md_ctx,&o_ctx);
+ 
+ 	if (binary)
+ 	    {
+-	    fwrite(md,20,1,stdout);
++	    fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
+ 	    break;	/* ... for single(!) file */
+ 	    }
+ 
+-	printf("HMAC-SHA1(%s)= ",argv[n]);
+-	for(i=0 ; i < 20 ; ++i)
++/*	printf("HMAC-SHA1(%s)= ",argv[n]); */
++	for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
+ 	    printf("%02x",md[i]);
+ 	printf("\n");
+ 	}

openssl-0.9.8j-kernel-fipsmode.patch

@@ -0,0 +1,62 @@
+diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c
+--- openssl-0.9.8j/crypto/o_init.c.fipsmode	2008-11-05 19:36:36.000000000 +0100
++++ openssl-0.9.8j/crypto/o_init.c	2009-01-14 17:57:39.000000000 +0100
+@@ -59,6 +59,45 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+ 
++#ifdef OPENSSL_FIPS
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include <errno.h>
++#include <stdlib.h>
++#include <openssl/fips.h>
++#include <openssl/evp.h>
++#include <openssl/rand.h>
++
++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++	{
++	char buf[2] = "0";
++	int fd;
++	
++	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
++		{
++		buf[0] = '1';
++		}
++	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
++		{
++		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
++		close(fd);
++		}
++	/* Failure reading the fips mode switch file means just not
++	 * switching into FIPS mode. We would break too many things
++	 * otherwise. 
++	 */
++	
++	if (buf[0] == '1')
++		{
++		FIPS_mode_set(1);
++		}
++	}
++#endif
++
+ /* Perform any essential OpenSSL initialization operations.
+  * Currently only sets FIPS callbacks
+  */
+@@ -73,11 +112,10 @@ void OPENSSL_init(void)
+ #ifdef CRYPTO_MDEBUG
+ 		CRYPTO_malloc_debug_init();
+ #endif
+-#ifdef OPENSSL_ENGINE
++		init_fips_mode();
+ 		int_EVP_MD_init_engine_callbacks();
+ 		int_EVP_CIPHER_init_engine_callbacks();
+ 		int_RAND_init_engine_callbacks();
+-#endif
+ 		done = 1;
+ 		}
+ #endif

openssl-0.9.8j-nocanister.patch

@@ -0,0 +1,31 @@
+Do not create a fipscanister.o, add the objects directly.
+diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile
+--- openssl-0.9.8j/fips/Makefile.nocanister	2009-01-13 18:26:15.000000000 +0100
++++ openssl-0.9.8j/fips/Makefile	2009-01-13 21:43:43.000000000 +0100
+@@ -142,8 +142,24 @@ lib:	$(LIB)
+ 	if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi
+ 	@touch lib
+ 
+-$(LIB):	$(FIPSLIBDIR)fipscanister.o
+-	$(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
++$(LIB):	$(LIBOBJ) $(FIPS_OBJ_LISTS)
++	FIPS_ASM=""; \
++	list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
++	list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
++	list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
++	list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
++	if [ -n "$(CPUID_OBJ)" ]; then \
++		CPUID=../crypto/$(CPUID_OBJ) ; \
++	else \
++		CPUID="" ; \
++	fi ; \
++	objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
++	for i in $(FIPS_OBJ_LISTS); do \
++		dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
++		objs="$$objs `sed "$$script" $$i`"; \
++	done; \
++	objs="$$objs" ; \
++	$(AR) $(LIB) $$objs 
+ 	$(RANLIB) $(LIB) || echo Never mind.
+ 
+ $(FIPSCANLIB):	$(FIPSCANLOC)

openssl-0.9.8j-readme-warning.patch

@@ -0,0 +1,35 @@
+diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
+--- openssl-0.9.8j/README.warning	2009-01-07 11:50:53.000000000 +0100
++++ openssl-0.9.8j/README	2009-01-14 17:43:02.000000000 +0100
+@@ -5,6 +5,31 @@
+  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+  All rights reserved.
+ 
++ WARNING
++ -------
++
++ This version of OpenSSL is built in a way that supports operation in
++ the so called FIPS mode. Note though that the library as we build it
++ is not FIPS validated and the FIPS mode is present for testing purposes
++ only.
++ 
++ This version also contains a few differences from the upstream code
++ some of which are:
++   * The FIPS integrity verification check is implemented differently
++     from the upstream FIPS validated OpenSSL module. It verifies
++     HMAC-SHA256 checksum of the whole libcrypto shared library.
++   * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
++     tries to initialize the FIPS mode if it is set to 1 aborting if the
++     FIPS mode could not be initialized. It is also possible to force the
++     OpenSSL library to FIPS mode especially for debugging purposes by
++     setting the environment variable OPENSSL_FORCE_FIPS_MODE.
++   * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
++     will not automatically load the built in compression method ZLIB
++     when initialized. Applications can still explicitely ask for ZLIB
++     compression method.
++   * There is added a support for EAP-FAST through TLS extension. This code
++     is backported from OpenSSL upstream development branch.
++
+  DESCRIPTION
+  -----------
+ 

openssl-0.9.8j-redhat.patch

@@ -0,0 +1,53 @@
+diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
+--- openssl-0.9.8j/Configure.redhat	2008-12-29 01:18:23.000000000 +0100
++++ openssl-0.9.8j/Configure	2009-01-13 14:03:54.000000000 +0100
+@@ -320,28 +320,28 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ #### IA-32 targets...
+ "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+ ####
+-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc64",	"gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-x86_64",	"gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -355,8 +355,8 @@ my %table=(
+ #
+ #					<appro@fy.chalmers.se>
+ #
+-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
+ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
+ 

openssl-0.9.8j-shlib-version.patch

@@ -0,0 +1,12 @@
+diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h
+--- openssl-0.9.8j/crypto/opensslv.h.shlib-version	2007-12-13 17:57:40.000000000 +0100
++++ openssl-0.9.8j/crypto/opensslv.h	2008-01-25 17:10:13.000000000 +0100
+@@ -83,7 +83,7 @@
+  * should only keep the versions that are binary compatible with the current.
+  */
+ #define SHLIB_VERSION_HISTORY ""
+-#define SHLIB_VERSION_NUMBER "0.9.8"
++#define SHLIB_VERSION_NUMBER "0.9.8j"
+ 
+ 
+ #endif /* HEADER_OPENSSLV_H */

openssl-0.9.8j-soversion.patch

@@ -0,0 +1,49 @@
+Define and use a soname -- because we have to care about binary
+compatibility, we have to increment the soname in order to allow
+this version to co-exist with another versions and have everything
+work right.
+
+diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure
+--- openssl-0.9.8j/Configure.soversion	2007-12-03 14:41:19.000000000 +0100
++++ openssl-0.9.8j/Configure	2007-12-03 14:41:19.000000000 +0100
+@@ -1371,7 +1371,7 @@ while (<IN>)
+ 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ 		{
+ 		my $sotmp = $1;
+-		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ 		}
+ 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ 		{
+diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org
+--- openssl-0.9.8j/Makefile.org.soversion	2007-12-03 14:41:19.000000000 +0100
++++ openssl-0.9.8j/Makefile.org	2007-12-03 14:41:19.000000000 +0100
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=8
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -277,10 +278,9 @@ clean-shared:
+ link-shared:
+ 	@ set -e; for i in ${SHLIBDIRS}; do \
+ 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+-			LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
++			LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
+ 			LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
+ 			symlink.$(SHLIB_TARGET); \
+-		libs="$$libs -l$$i"; \
+ 	done
+ 
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET):
+ 			libs="$(LIBKRB5) $$libs"; \
+ 		fi; \
+ 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+-			LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
++			LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
+ 			LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
+ 			LIBDEPS="$$libs $(EX_LIBS)" \
+ 			link_a.$(SHLIB_TARGET); \

openssl-0.9.8j-use-fipscheck.patch

@@ -0,0 +1,384 @@
+Use fipscheck compatible way of verification of the integrity of the libcrypto
+shared library.
+diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
+--- openssl-0.9.8j/test/Makefile.use-fipscheck	2008-12-13 13:22:47.000000000 +0100
++++ openssl-0.9.8j/test/Makefile	2009-01-13 22:49:25.000000000 +0100
+@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
+ 	if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+ 		LIBRARIES="-L$(TOP) -lfips"; \
+ 	elif [ -n "$(FIPSCANLIB)" ]; then \
+-		FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
+-		LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
++		LIBRARIES="$(LIBCRYPTO)"; \
+ 	fi; \
+ 	$(MAKE) -f $(TOP)/Makefile.shared -e \
+ 		CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
+@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if 
+ 		shlib_target="$(SHLIB_TARGET)"; \
+ 	fi; \
+ 	LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
+-	if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
+-		FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
+-	fi; \
+ 	[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
+ 	$(MAKE) -f $(TOP)/Makefile.shared -e \
+ 		CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
+diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
+--- openssl-0.9.8j/Makefile.org.use-fipscheck	2009-01-13 22:35:48.000000000 +0100
++++ openssl-0.9.8j/Makefile.org	2009-01-13 22:35:49.000000000 +0100
+@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
+ 			$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+ 			$(AR) libcrypto.a fips/fipscanister.o ; \
+ 		else \
+-			if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
+-				FIPSLD_CC=$(CC); CC=fips/fipsld; \
+-				export CC FIPSLD_CC; \
+-			fi; \
+ 			$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
+ 		fi \
+ 	else \
+@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
+ fips/fipscanister.o:	build_fips
+ libfips$(SHLIB_EXT):		fips/fipscanister.o
+ 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
+-		FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
+ 		$(MAKE) -f Makefile.shared -e $(BUILDENV) \
+-			CC=$${CC} LIBNAME=fips THIS=$@ \
++			CC=$(CC) LIBNAME=fips THIS=$@ \
+ 			LIBEXTRAS=fips/fipscanister.o \
+ 			LIBDEPS="$(EX_LIBS)" \
+ 			LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+@@ -469,7 +464,7 @@ openssl.pc: Makefile
+ 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+ 	    echo 'Version: '$(VERSION); \
+ 	    echo 'Requires: '; \
+-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
++	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
+ 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+ 
+ Makefile: Makefile.org Configure config
+diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
+--- openssl-0.9.8j/fips/fips.c.use-fipscheck	2008-09-16 12:12:09.000000000 +0200
++++ openssl-0.9.8j/fips/fips.c	2009-01-13 22:35:49.000000000 +0100
+@@ -47,6 +47,7 @@
+  *
+  */
+ 
++#define _GNU_SOURCE
+ 
+ #include <openssl/rand.h>
+ #include <openssl/fips_rand.h>
+@@ -56,6 +57,9 @@
+ #include <openssl/rsa.h>
+ #include <string.h>
+ #include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #include "fips_locl.h"
+ 
+ #ifdef OPENSSL_FIPS
+@@ -165,6 +169,7 @@ int FIPS_selftest()
+ 	&& FIPS_selftest_dsa();
+     }
+ 
++#if 0
+ extern const void         *FIPS_text_start(),  *FIPS_text_end();
+ extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
+ unsigned char              FIPS_signature [20] = { 0 };
+@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void)
+ 
+     return 1;
+     }
++#else
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
++{
++	Dl_info info;
++	void *dl, *sym;
++	int rv = -1;
++
++        dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
++        if (dl == NULL) {
++	        return -1;
++        }       
++
++	sym = dlsym(dl, symbolname);
++
++	if (sym != NULL && dladdr(sym, &info)) {
++		strncpy(path, info.dli_fname, pathlen-1);
++		path[pathlen-1] = '\0';
++		rv = 0;
++	}
++
++	dlclose(dl);	
++	
++	return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *
++bin2hex(void *buf, size_t len)
++{
++	char *hex, *p;
++	unsigned char *src = buf;
++	
++	hex = malloc(len * 2 + 1);
++	if (hex == NULL)
++		return NULL;
++
++	p = hex;
++
++	while (len > 0) {
++		unsigned c;
++
++		c = *src;
++		src++;
++
++		*p = conv[c >> 4];
++		++p;
++		*p = conv[c & 0x0f];
++		++p;
++		--len;
++	}
++	*p = '\0';
++	return hex;
++}
++
++#define HMAC_PREFIX "." 
++#define HMAC_SUFFIX ".hmac" 
++#define READ_BUFFER_LENGTH 16384
++
++static char *
++make_hmac_path(const char *origpath)
++{
++	char *path, *p;
++	const char *fn;
++
++	path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++	if(path == NULL) {
++		return NULL;
++	}
++
++	fn = strrchr(origpath, '/');
++	if (fn == NULL) {
++		fn = origpath;
++	} else {
++		++fn;
++	}
++
++	strncpy(path, origpath, fn-origpath);
++	p = path + (fn - origpath);
++	p = stpcpy(p, HMAC_PREFIX);
++	p = stpcpy(p, fn);
++	p = stpcpy(p, HMAC_SUFFIX);
++
++	return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int
++compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++	FILE *f = NULL;
++	int rv = -1;
++	unsigned char rbuf[READ_BUFFER_LENGTH];
++	size_t len;
++	unsigned int hlen;
++	HMAC_CTX c;
++
++	HMAC_CTX_init(&c);
++
++	f = fopen(path, "r");
++
++	if (f == NULL) {
++		goto end;
++	}
++
++	HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
++
++	while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++		HMAC_Update(&c, rbuf, len);
++	}
++
++	len = sizeof(rbuf);
++	/* reuse rbuf for hmac */
++	HMAC_Final(&c, rbuf, &hlen);
++
++	*buf = malloc(hlen);
++	if (*buf == NULL) {
++		goto end;
++	}
++
++	*hmaclen = hlen;
++
++	memcpy(*buf, rbuf, hlen);
++
++	rv = 0;
++end:
++	HMAC_CTX_cleanup(&c);
++
++	if (f)
++		fclose(f);
++
++	return rv;
++}
++
++static int
++FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++	char path[PATH_MAX+1];
++	int rv;
++	FILE *hf;
++	char *hmacpath, *p;
++	char *hmac = NULL;
++	size_t n;
++	
++	rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++	if (rv < 0)
++		return 0;
++
++	hmacpath = make_hmac_path(path);
++
++	hf = fopen(hmacpath, "r");
++	if (hf == NULL) {
++		free(hmacpath);
++		return 0;
++	}
++
++	if (getline(&hmac, &n, hf) > 0) {
++		void *buf;
++		size_t hmaclen;
++		char *hex;
++
++		if ((p=strchr(hmac, '\n')) != NULL)
++			*p = '\0';
++
++		if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++			rv = -4;
++			goto end;
++		}
++
++		if ((hex=bin2hex(buf, hmaclen)) == NULL) {
++			free(buf);
++			rv = -5;
++			goto end;
++		}
++
++		if (strcmp(hex, hmac) != 0) {
++			rv = -1;
++		}
++		free(buf);
++		free(hex);
++	}
++
++end:
++	free(hmac);
++	free(hmacpath);
++	fclose(hf);
++
++	if (rv < 0)
++		return 0;
++
++	/* check successful */
++	return 1;	
++}
++
++#endif
+ 
+ int FIPS_mode_set(int onoff)
+     {
+@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff)
+ 	    }
+ #endif
+ 
+-	if(fips_signature_witness() != FIPS_signature)
+-	    {
+-	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
+-	    fips_selftest_fail = 1;
+-	    ret = 0;
+-	    goto end;
+-	    }
+-
+-	if(!FIPS_check_incore_fingerprint())
++	if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
+ 	    {
++	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ 	    fips_selftest_fail = 1;
+ 	    ret = 0;
+ 	    goto end;
+@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void)
+ 	return ret;
+ 	}
+ 
++#if 0
+ unsigned char *fips_signature_witness(void)
+ 	{
+ 	extern unsigned char FIPS_signature[];
+ 	return FIPS_signature;
+ 	}
++#endif
+ 
+ /* Generalized public key test routine. Signs and verifies the data
+  * supplied in tbs using mesage digest md and setting option digest
+diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
+--- openssl-0.9.8j/fips/Makefile.use-fipscheck	2009-01-13 22:35:49.000000000 +0100
++++ openssl-0.9.8j/fips/Makefile	2009-01-13 22:36:15.000000000 +0100
+@@ -62,9 +62,9 @@ testapps:
+ 
+ all:
+ 	@if [ -z "$(FIPSLIBDIR)" ]; then \
+-		$(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
++		$(MAKE) -e subdirs lib; \
+ 	else \
+-		$(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
++		$(MAKE) -e lib; \
+ 	fi
+ 
+ # Idea behind fipscanister.o is to "seize" the sequestered code between
+@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
+ 		HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
+ 		*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
+ 	esac fi
+-	./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+ 
+ # If another exception is immediately required, assign approprite
+ # site-specific ld command to FIPS_SITE_LD environment variable.
+@@ -171,7 +170,7 @@ $(FIPSCANLIB):	$(FIPSCANLOC)
+ 	$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
+ 	@touch lib
+ 
+-shared:	lib subdirs fips_premain_dso$(EXE_EXT)
++shared:	lib subdirs
+ 
+ libs:
+ 	@target=lib; $(RECURSIVE_MAKE)
+@@ -195,10 +194,6 @@ install:
+ 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ 	done;
+ 	@target=install; $(RECURSIVE_MAKE)
+-	@cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
+-		fips_premain.c.sha1 \
+-		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
+-	chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
+ 
+ lint:
+ 	@target=lint; $(RECURSIVE_MAKE)
+diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
+--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck	2008-09-16 12:12:10.000000000 +0200
++++ openssl-0.9.8j/fips/fips_locl.h	2009-01-13 22:35:49.000000000 +0100
+@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
+ int fips_set_owning_thread(void);
+ void fips_set_selftest_fail(void);
+ int fips_clear_owning_thread(void);
++#if 0
+ unsigned char *fips_signature_witness(void);
++#endif
+ 
+ #define FIPS_MAX_CIPHER_TEST_SIZE	16
+ 

openssl-0.9.8j-version-add-engines.patch

@@ -0,0 +1,48 @@
+diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
+--- openssl-0.9.8j/apps/version.c.version-add-engines	2008-10-20 14:53:33.000000000 +0200
++++ openssl-0.9.8j/apps/version.c	2009-01-13 23:22:03.000000000 +0100
+@@ -131,6 +131,7 @@
+ #ifndef OPENSSL_NO_BF
+ # include <openssl/blowfish.h>
+ #endif
++#include <openssl/engine.h>
+ 
+ #undef PROG
+ #define PROG	version_main
+@@ -140,7 +141,7 @@ int MAIN(int, char **);
+ int MAIN(int argc, char **argv)
+ 	{
+ 	int i,ret=0;
+-	int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
++	int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
+ 
+ 	apps_startup();
+ 
+@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
+ 		else if (strcmp(argv[i],"-d") == 0)
+ 			dir=1;
+ 		else if (strcmp(argv[i],"-a") == 0)
+-			date=version=cflags=options=platform=dir=1;
++			date=version=cflags=options=platform=dir=engines=1;
+ 		else
+ 			{
+ 			BIO_printf(bio_err,"usage:version -[avbofpd]\n");
+@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
+ 		}
+ 	if (cflags)  printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
+ 	if (dir)  printf("%s\n",SSLeay_version(SSLEAY_DIR));
++	if (engines)
++		{
++		ENGINE *e;
++		printf("engines:  ");
++		e = ENGINE_get_first();
++		while (e)
++			{
++			printf("%s ", ENGINE_get_id(e));
++			e = ENGINE_get_next(e);
++			}
++		printf("\n");
++		}
+ end:
+ 	apps_shutdown();
+ 	OPENSSL_EXIT(ret);

openssl-thread-test.c

@@ -0,0 +1,400 @@
+/* Test program to verify that RSA signing is thread-safe in OpenSSL. */
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/md5.h>
+#include <openssl/ssl.h>
+
+/* Just assume we want to do engine stuff if we're using 0.9.6b or
+ * higher. This assumption is only valid for versions bundled with RHL. */
+#if OPENSSL_VERSION_NUMBER  >= 0x0090602fL
+#include <openssl/engine.h>
+#define USE_ENGINE
+#endif
+
+#define MAX_THREAD_COUNT	10000
+#define ITERATION_COUNT		10
+#define MAIN_COUNT		100
+
+/* OpenSSL requires us to provide thread ID and locking primitives. */
+pthread_mutex_t *mutex_locks = NULL;
+static unsigned long
+thread_id_cb(void)
+{
+	return (unsigned long) pthread_self();
+}
+static void
+lock_cb(int mode, int n, const char *file, int line)
+{
+	if (mode & CRYPTO_LOCK) {
+		pthread_mutex_lock(&mutex_locks[n]);
+	} else {
+		pthread_mutex_unlock(&mutex_locks[n]);
+	}
+}
+
+struct thread_args {
+	RSA *rsa;
+	int digest_type;
+	unsigned char *digest;
+	unsigned int digest_len;
+	unsigned char *signature;
+	unsigned int signature_len;
+	pthread_t main_thread;
+};
+
+static int print = 0;
+
+pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_sign = 0;
+static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);}
+static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);}
+
+pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_verify = 0;
+static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);}
+static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);}
+
+pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER;
+long failure_count = 0;
+static void
+failure()
+{
+	pthread_mutex_lock(&failure_count_lock);
+	failure_count++;
+	pthread_mutex_unlock(&failure_count_lock);
+}
+
+static void *
+thread_main(void *argp)
+{
+	struct thread_args *args = argp;
+	unsigned char *signature;
+	unsigned int signature_len, signature_alloc_len;
+	int ret, i;
+
+	signature_alloc_len = args->signature_len;
+	if (RSA_size(args->rsa) > signature_alloc_len) {
+		signature_alloc_len = RSA_size(args->rsa);
+	}
+	signature = malloc(signature_alloc_len);
+	if (signature == NULL) {
+		fprintf(stderr, "Skipping checks in thread %lu -- %s.\n",
+			(unsigned long) pthread_self(), strerror(errno));
+		pthread_exit(0);
+		return NULL;
+	}
+	for (i = 0; i < ITERATION_COUNT; i++) {
+		signature_len = signature_alloc_len;
+		SIGN_LOCK();
+		ret = RSA_check_key(args->rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+			break;
+		}
+		ret = RSA_sign(args->digest_type,
+			       args->digest,
+			       args->digest_len,
+			       signature, &signature_len,
+			       args->rsa);
+		SIGN_UNLOCK();
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+			break;
+		}
+
+		VERIFY_LOCK();
+		ret = RSA_verify(args->digest_type,
+			         args->digest,
+			         args->digest_len,
+			         signature, signature_len,
+			         args->rsa);
+		VERIFY_UNLOCK();
+		if (ret != 1) {
+			fprintf(stderr,
+				"Signature from thread %lu(%d) fails "
+				"verification (passed in thread #%lu)!\n",
+				(long) pthread_self(), i,
+				(long) args->main_thread);
+			ERR_print_errors_fp(stdout);
+			failure();
+			continue;
+		}
+		if (print) {
+			fprintf(stderr, ">%d\n", i);
+		}
+	}
+	free(signature);
+
+	pthread_exit(0);
+
+	return NULL;
+}
+
+unsigned char *
+xmemdup(unsigned char *s, size_t len)
+{
+	unsigned char *r;
+	r = malloc(len);
+	if (r == NULL) {
+		fprintf(stderr, "Out of memory.\n");
+		ERR_print_errors_fp(stdout);
+		assert(r != NULL);
+	}
+	memcpy(r, s, len);
+	return r;
+}
+
+int
+main(int argc, char **argv)
+{
+	RSA *rsa;
+	MD5_CTX md5;
+	int fd, i;
+	pthread_t threads[MAX_THREAD_COUNT];
+	int thread_count = 1000;
+	unsigned char *message, *digest;
+	unsigned int message_len, digest_len;
+	unsigned char *correct_signature;
+	unsigned int correct_siglen, ret;
+	struct thread_args master_args, *args;
+	int sync = 0, seed = 0;
+	int again = 1;
+#ifdef USE_ENGINE
+	char *engine = NULL;
+	ENGINE *e = NULL;
+#endif
+
+	pthread_mutex_init(&failure_count_lock, NULL);
+
+	for (i = 1; i < argc; i++) {
+		if (strcmp(argv[i], "--seed") == 0) {
+			printf("Seeding PRNG.\n");
+			seed++;
+		} else
+		if (strcmp(argv[i], "--sync") == 0) {
+			printf("Running synchronized.\n");
+			sync++;
+		} else
+		if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) {
+			i++;
+			thread_count = atol(argv[i]);
+			if (thread_count > MAX_THREAD_COUNT) {
+				thread_count = MAX_THREAD_COUNT;
+			}
+			printf("Starting %d threads.\n", thread_count);
+			sync++;
+		} else
+		if (strcmp(argv[i], "--sign") == 0) {
+			printf("Locking signing.\n");
+			locked_sign++;
+		} else
+		if (strcmp(argv[i], "--verify") == 0) {
+			printf("Locking verifies.\n");
+			locked_verify++;
+		} else
+		if (strcmp(argv[i], "--print") == 0) {
+			printf("Tracing.\n");
+			print++;
+#ifdef USE_ENGINE
+		} else
+		if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) {
+			printf("Using engine \"%s\".\n", argv[i + 1]);
+			engine = argv[i + 1];
+			i++;
+#endif
+		} else {
+			printf("Bad argument: %s\n", argv[i]);
+			return 1;
+		}
+	}
+
+	/* Get some random data to sign. */
+	fd = open("/dev/urandom", O_RDONLY);
+	if (fd == -1) {
+		fprintf(stderr, "Error opening /dev/urandom: %s\n",
+			strerror(errno));
+	}
+
+	if (print) {
+		fprintf(stderr, "Reading random data.\n");
+	}
+	message = malloc(message_len = 9371);
+	read(fd, message, message_len);
+	close(fd);
+
+	/* Initialize the SSL library and set up thread-safe locking. */
+	ERR_load_crypto_strings();
+	SSL_library_init();
+	mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
+	for (i = 0; i < CRYPTO_num_locks(); i++) {
+		pthread_mutex_init(&mutex_locks[i], NULL);
+	}
+	CRYPTO_set_id_callback(thread_id_cb);
+	CRYPTO_set_locking_callback(lock_cb);
+	ERR_print_errors_fp(stdout);
+
+	/* Seed the PRNG if we were asked to do so. */
+	if (seed) {
+		if (print) {
+			fprintf(stderr, "Seeding PRNG.\n");
+		}
+		RAND_add(message, message_len, message_len);
+		ERR_print_errors_fp(stdout);
+	}
+
+	/* Turn on a hardware crypto device if asked to do so. */
+#ifdef USE_ENGINE
+	if (engine) {
+#if OPENSSL_VERSION_NUMBER  >= 0x0090700fL
+		ENGINE_load_builtin_engines();
+#endif
+		if (print) {
+			fprintf(stderr, "Initializing \"%s\" engine.\n",
+				engine);
+		}
+		e = ENGINE_by_id(engine);
+		ERR_print_errors_fp(stdout);
+		if (e) {
+			i = ENGINE_init(e);
+			ERR_print_errors_fp(stdout);
+			i = ENGINE_set_default_RSA(e);
+			ERR_print_errors_fp(stdout);
+		}
+	}
+#endif
+
+	/* Compute the digest for the signature. */
+	if (print) {
+		fprintf(stderr, "Computing digest.\n");
+	}
+	digest = malloc(digest_len = MD5_DIGEST_LENGTH);
+	MD5_Init(&md5);
+	MD5_Update(&md5, message, message_len);
+	MD5_Final(digest, &md5);
+
+	/* Generate a signing key. */
+	if (print) {
+		fprintf(stderr, "Generating key.\n");
+	}
+	rsa = RSA_generate_key(4096, 3, NULL, NULL);
+	ERR_print_errors_fp(stdout);
+	if (rsa == NULL) {
+		_exit(1);
+	}
+
+	/* Sign the data. */
+	correct_siglen = RSA_size(rsa);
+	correct_signature = malloc(correct_siglen);
+	for (i = 0; i < MAIN_COUNT; i++) {
+		if (print) {
+			fprintf(stderr, "Signing data (%d).\n", i);
+		}
+		ret = RSA_check_key(rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+		}
+		correct_siglen = RSA_size(rsa);
+		ret = RSA_sign(NID_md5, digest, digest_len,
+			       correct_signature, &correct_siglen,
+			       rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			_exit(2);
+		}
+		if (print) {
+			fprintf(stderr, "Verifying data (%d).\n", i);
+		}
+		ret = RSA_verify(NID_md5, digest, digest_len,
+			         correct_signature, correct_siglen,
+			         rsa);
+		if (ret != 1) {
+			_exit(2);
+		}
+	}
+
+	/* Collect up the inforamtion which other threads will need for
+	 * comparing their signature results with ours. */
+	master_args.rsa = rsa;
+	master_args.digest_type = NID_md5;
+	master_args.digest = digest;
+	master_args.digest_len = digest_len;
+	master_args.signature = correct_signature;
+	master_args.signature_len = correct_siglen;
+	master_args.main_thread = pthread_self();
+	
+	fprintf(stdout, "Performing %d signatures in each of %d threads "
+		"(%d, %d).\n", ITERATION_COUNT, thread_count,
+		digest_len, correct_siglen);
+	fflush(NULL);
+
+	/* Start up all of the threads. */
+	for (i = 0; i < thread_count; i++) {
+		args = malloc(sizeof(struct thread_args));
+		args->rsa = RSAPrivateKey_dup(master_args.rsa);
+		args->digest_type = master_args.digest_type;
+		args->digest_len = master_args.digest_len;
+		args->digest = xmemdup(master_args.digest, args->digest_len);
+		args->signature_len = master_args.signature_len;
+		args->signature = xmemdup(master_args.signature,
+					  args->signature_len);
+		args->main_thread = pthread_self();
+		ret = pthread_create(&threads[i], NULL, thread_main, args);
+		while ((ret != 0) && (errno == EAGAIN)) {
+			ret = pthread_create(&threads[i], NULL,
+					     thread_main, &args);
+			fprintf(stderr, "Thread limit hit at %d.\n", i);
+		}
+		if (ret != 0) {
+			fprintf(stderr, "Unable to create thread %d: %s.\n",
+				i, strerror(errno));
+			threads[i] = -1;
+		} else {
+			if (sync) {
+				ret = pthread_join(threads[i], NULL);
+				assert(ret == 0);
+			}
+			if (print) {
+				fprintf(stderr, "%d\n", i);
+			}
+		}
+	}
+
+	/* Wait for all threads to complete.  So long as we can find an
+	 * unjoined thread, keep joining threads. */
+	do {
+		again = 0;
+		for (i = 0; i < thread_count; i++) {
+			/* If we have an unterminated thread, join it. */
+			if (threads[i] != -1) {
+				again = 1;
+				if (print) {
+					fprintf(stderr, "Joining thread %d.\n",
+						i);
+				}
+				pthread_join(threads[i], NULL);
+				threads[i] = -1;
+				break;
+			}
+		}
+	} while (again == 1);
+
+	fprintf(stderr, "%ld failures\n", failure_count);
+
+	return (failure_count != 0);
+}

opensslconf-new-warning.h

@@ -0,0 +1,7 @@
+/* Prepended at openssl package build-time.  Don't include this file directly,
+ * use <openssl/opensslconf.h> instead. */
+
+#ifndef openssl_opensslconf_multilib_redirection_h
+#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
+#endif
+

opensslconf-new.h

@@ -0,0 +1,34 @@
+/* This file is here to prevent a file conflict on multiarch systems.  A
+ * conflict will frequently occur because arch-specific build-time
+ * configuration options are stored (and used, so they can't just be stripped
+ * out) in opensslconf.h.  The original opensslconf.h has been renamed.
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifdef openssl_opensslconf_multilib_redirection_h
+#error "Do not define openssl_opensslconf_multilib_redirection_h!"
+#endif
+#define openssl_opensslconf_multilib_redirection_h
+
+#if defined(__i386__)
+#include "opensslconf-i386.h"
+#elif defined(__ia64__)
+#include "opensslconf-ia64.h"
+#elif defined(__powerpc64__)
+#include "opensslconf-ppc64.h"
+#elif defined(__powerpc__)
+#include "opensslconf-ppc.h"
+#elif defined(__s390x__)
+#include "opensslconf-s390x.h"
+#elif defined(__s390__)
+#include "opensslconf-s390.h"
+#elif defined(__sparc__) && defined(__arch64__)
+#include "opensslconf-sparc64.h"
+#elif defined(__sparc__)
+#include "opensslconf-sparc.h"
+#elif defined(__x86_64__)
+#include "opensslconf-x86_64.h"
+#else
+#error "This openssl-devel package does not work your architecture?"
+#endif
+
+#undef openssl_opensslconf_multilib_redirection_h

sources

@@ -0,0 +1 @@
+573353d8cb4330b71e9985cea4785d61  openssl-0.9.8j-usa.tar.bz2