- Updated to version 1.0.0 beta 4

- Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4)
- Added patch to fix build with fips disabled

.cvsignore

@@ -1 +1 @@
-openssl-1.0.0-beta3-usa.tar.bz2
+openssl-1.0.0-beta4-usa.tar.bz2

Makefile.certificate

@@ -38,7 +38,7 @@ usage:
 	umask 77 ; \
 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
-	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+	/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
 	cat $$PEM1 >  $@ ; \
 	echo ""    >> $@ ; \
 	cat $$PEM2 >> $@ ; \
@@ -46,7 +46,7 @@ usage:
 
 %.key:
 	umask 77 ; \
-	/usr/bin/openssl genrsa -des3 1024 > $@
+	/usr/bin/openssl genrsa -aes128 2048 > $@
 
 %.csr: %.key
 	umask 77 ; \

make-dummy-cert

@@ -20,7 +20,7 @@ for target in $@ ; do
 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
 	trap "rm -f $PEM1 $PEM2" SIGINT
-	answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+	answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
 	cat $PEM1 >  ${target}
 	echo ""   >> ${target}
 	cat $PEM2 >> ${target}

mingw32-openssl-1.0.0-beta4-nofips.patch

@@ -0,0 +1,130 @@
+diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c
+--- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c	2009-11-22 19:07:58.000000000 +0200
+@@ -65,7 +65,9 @@
+ #include <openssl/rand.h>
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include "fips_locl.h"
+ 
+ static int dsa_builtin_keygen(DSA *dsa);
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c	2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+ 
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/evp.h>
+ 
+ #ifdef OPENSSL_FIPS
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c	2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+ 
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/evp.h>
+ #include <openssl/opensslconf.h>
+ 
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c	2009-11-22 19:07:58.000000000 +0200
+@@ -59,7 +59,9 @@
+ #include <string.h>
+ #include <openssl/crypto.h>
+ #include <openssl/dsa.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+ #include <openssl/bn.h>
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c	2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+ 
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/hmac.h>
+ 
+ #ifdef OPENSSL_FIPS
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c	2009-11-22 19:07:58.000000000 +0200
+@@ -76,7 +76,9 @@
+ # endif
+ #endif
+ #include <string.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include "fips_locl.h"
+ 
+ #ifdef OPENSSL_FIPS
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c	2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+ 
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/rand.h>
+ #include <openssl/fips_rand.h>
+ 
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c	2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+ 
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/rsa.h>
+ #include <openssl/evp.h>
+ #include <openssl/bn.h>
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c	2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+ 
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/evp.h>
+ #include <openssl/sha.h>
+ 
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips	2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c	2009-11-22 19:07:58.000000000 +0200
+@@ -115,7 +115,9 @@
+ #include <openssl/rsa.h>
+ #include <openssl/rand.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ 
+ #ifndef RSA_NULL
+ 

mingw32-openssl.spec

@@ -18,7 +18,7 @@
 # 1.0.0 soversion = 10
 %global soversion 10
 
-%global beta beta3
+%global beta beta4
 
 # Enable the tests.
 # These only work some of the time, but fail randomly at other times
@@ -31,7 +31,7 @@
 
 Name:           mingw32-openssl
 Version:        1.0.0
-Release:        0.4.%{beta}%{?dist}
+Release:        0.5.%{beta}%{?dist}
 Summary:        MinGW port of the OpenSSL toolkit
 
 License:        OpenSSL
@@ -50,37 +50,39 @@ Source10:       opensslconf-new-warning.h
 
 # Patches from Fedora native package.
 # Build changes
-Patch0:         openssl-1.0.0-beta3-redhat.patch
+Patch0:         openssl-1.0.0-beta4-redhat.patch
 Patch1:         openssl-1.0.0-beta3-defaults.patch
-Patch2:         openssl-1.0.0-beta3-krb5.patch
 Patch3:         openssl-1.0.0-beta3-soversion.patch
-Patch4:         openssl-1.0.0-beta3-enginesdir.patch
+Patch4:         openssl-1.0.0-beta4-enginesdir.patch
 Patch5:         openssl-0.9.8a-no-rpath.patch
 Patch6:         openssl-0.9.8b-test-use-localhost.patch
 # Bug fixes
-Patch21:        openssl-0.9.8b-aliasing-bug.patch
-Patch23:        openssl-1.0.0-beta3-default-paths.patch
+Patch23:        openssl-1.0.0-beta4-default-paths.patch
+Patch24:        openssl-1.0.0-beta4-binutils.patch
 # Functionality changes
 Patch32:        openssl-0.9.8g-ia64.patch
-Patch33:        openssl-0.9.8j-ca-dir.patch
+Patch33:        openssl-1.0.0-beta4-ca-dir.patch
 Patch34:        openssl-0.9.6-x509.patch
 Patch35:        openssl-0.9.8j-version-add-engines.patch
 Patch38:        openssl-1.0.0-beta3-cipher-change.patch
 # Disabled this because it uses getaddrinfo which is lacking on Windows.
 #Patch39:        openssl-1.0.0-beta3-ipv6-apps.patch
-Patch40:        openssl-1.0.0-beta3-fips.patch
+Patch40:        openssl-1.0.0-beta4-fips.patch
 Patch41:        openssl-1.0.0-beta3-fipscheck.patch
 Patch43:        openssl-1.0.0-beta3-fipsmode.patch
 Patch44:        openssl-1.0.0-beta3-fipsrng.patch
 Patch45:        openssl-0.9.8j-env-nozlib.patch
 Patch47:        openssl-0.9.8j-readme-warning.patch
 Patch48:        openssl-0.9.8j-bad-mime.patch
-Patch49:        openssl-0.9.8k-algo-doc.patch
-Patch50:        openssl-1.0.0-beta3-curl.patch
-Patch51:        openssl-1.0.0-beta3-const.patch
+Patch49:        openssl-1.0.0-beta4-algo-doc.patch
+Patch50:        openssl-1.0.0-beta4-dtls1-abi.patch
+Patch51:        openssl-1.0.0-beta4-version.patch
 # Backported fixes including security fixes
-Patch60:        openssl-1.0.0-beta3-namingstr.patch
-Patch61:        openssl-1.0.0-beta3-namingblk.patch
+Patch60:        openssl-1.0.0-beta4-reneg.patch
+# This one is not backported but has to be applied after reneg patch
+Patch61:        openssl-1.0.0-beta4-client-reneg.patch
+Patch62:        openssl-1.0.0-beta4-backports.patch
+Patch63:        openssl-1.0.0-beta4-reneg-err.patch
 
 # MinGW-specific patches.
 # Use MINGW32_CFLAGS (set below) in Configure script
@@ -92,6 +94,8 @@ Patch102:       mingw32-openssl-1.0.0-beta3-sfx.patch
 # Ugly patch to fix a compilation error (the linker can't find
 # some symbols mentioned in an autogenerated .def file)
 Patch105:       mingw32-openssl-1.0.0-beta3-linker-fix.patch
+# Fix build without fips
+Patch106:       mingw32-openssl-1.0.0-beta4-nofips.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -156,15 +160,13 @@ Static version of the MinGW port of the OpenSSL toolkit.
 %{SOURCE1} > /dev/null
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .defaults
-# Fix link line for libssl (bug #111154).
-%patch2 -p1 -b .krb5
 %patch3 -p1 -b .soversion
 %patch4 -p1 -b .enginesdir
 %patch5 -p1 -b .no-rpath
 %patch6 -p1 -b .use-localhost
 
-%patch21 -p1 -b .aliasing-bug
 %patch23 -p1 -b .default-paths
+%patch24 -p1 -b .binutils
 
 %patch32 -p1 -b .ia64
 #patch33 is applied after make test
@@ -180,15 +182,19 @@ Static version of the MinGW port of the OpenSSL toolkit.
 %patch47 -p1 -b .warning
 %patch48 -p1 -b .bad-mime
 %patch49 -p1 -b .algo-doc
-%patch50 -p1 -b .curl
-%patch51 -p1 -b .const
-%patch60 -p1 -b .namingstr
-%patch61 -p1 -b .namingblk
+%patch50 -p1 -b .dtls1-abi
+%patch51 -p1 -b .version
+
+%patch60 -p1 -b .reneg
+%patch61 -p1 -b .client-reneg
+%patch62 -p1 -b .backports
+%patch63 -p1 -b .reneg-err
 
 %patch100 -p1 -b .mingw-configure
 %patch101 -p1 -b .mingw-libversion
 %patch102 -p1 -b .mingw-sfx
 %patch105 -p0 -b .mingw-linker-fix
+%patch106 -p1 -b .mingw-nofips
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -206,9 +212,9 @@ export MINGW32_CFLAGS="%{_mingw32_cflags}"; \
   --openssldir=%{_mingw32_sysconfdir}/pki/tls \
   zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
   enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \
-  no-hw shared --cross-compile-prefix=%{_mingw32_target}- \
+  no-hw --cross-compile-prefix=%{_mingw32_target}- \
   --enginesdir=%{_mingw32_libdir}/openssl/engines \
-  mingw
+  shared mingw
 #  --with-krb5-flavor=MIT
 #  -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib}
 make depend
@@ -347,6 +353,11 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Sun Nov 22 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.5.beta4
+- Updated to version 1.0.0 beta 4
+- Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4)
+- Added patch to fix build with fips disabled
+
 * Fri Sep 18 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.4.beta3
 - Rebuilt to fix debuginfo
 

openssl-0.9.8b-aliasing-bug.patch

@@ -1,24 +0,0 @@
-
-This patch fixes a violation of the C aliasing rules that can cause
-miscompilation with some compiler versions.
-
---- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig	2006-10-30 18:21:35.000000000 +0100
-+++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c	2006-10-30 18:21:37.000000000 +0100
-@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co
- static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
- 	{
- 	void *ptr;
--	DSO_FUNC_TYPE sym, *tsym = &sym;
-+	DSO_FUNC_TYPE sym;
- 
- 	if((dso == NULL) || (symname == NULL))
- 		{
-@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO
- 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
- 		return(NULL);
- 		}
--	*(void **)(tsym) = dlsym(ptr, symname);
-+	sym = dlsym(ptr, symname);
- 	if(sym == NULL)
- 		{
- 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);

openssl-0.9.8j-ca-dir.patch

@@ -1,36 +0,0 @@
-diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
---- openssl-0.9.8j/apps/openssl.cnf.ca-dir	2009-01-13 23:20:10.000000000 +0100
-+++ openssl-0.9.8j/apps/openssl.cnf	2009-01-13 23:20:10.000000000 +0100
-@@ -34,7 +34,7 @@ default_ca	= CA_default		# The default c
- ####################################################################
- [ CA_default ]
- 
--dir		= ./demoCA		# Where everything is kept
-+dir		= ../../CA		# Where everything is kept
- certs		= $dir/certs		# Where the issued certs are kept
- crl_dir		= $dir/crl		# Where the issued crl are kept
- database	= $dir/index.txt	# database index file.
-diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
---- openssl-0.9.8j/apps/CA.sh.ca-dir	2005-07-04 23:44:22.000000000 +0200
-+++ openssl-0.9.8j/apps/CA.sh	2009-01-13 23:20:10.000000000 +0100
-@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
- VERIFY="$OPENSSL verify"
- X509="$OPENSSL x509"
- 
--CATOP=./demoCA
-+CATOP=../../CA
- CAKEY=./cakey.pem
- CAREQ=./careq.pem
- CACERT=./cacert.pem
-diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
---- openssl-0.9.8j/apps/CA.pl.in.ca-dir	2006-04-28 02:28:51.000000000 +0200
-+++ openssl-0.9.8j/apps/CA.pl.in	2009-01-13 23:20:10.000000000 +0100
-@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
- $X509="$openssl x509";
- $PKCS12="$openssl pkcs12";
- 
--$CATOP="./demoCA";
-+$CATOP="../../CA";
- $CAKEY="cakey.pem";
- $CAREQ="careq.pem";
- $CACERT="cacert.pem";

openssl-1.0.0-beta3-const.patch

@@ -1,36 +0,0 @@
-diff -up openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod
---- openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const	2009-02-14 22:49:37.000000000 +0100
-+++ openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod	2009-08-22 16:15:32.000000000 +0200
-@@ -11,7 +11,7 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits
-  const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
-  int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
-  char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
-- char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
-+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
- 
- =head1 DESCRIPTION
- 
-diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.const openssl-1.0.0-beta3/ssl/ssl_ciph.c
---- openssl-1.0.0-beta3/ssl/ssl_ciph.c.const	2009-08-22 15:56:12.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/ssl_ciph.c	2009-08-22 15:56:12.000000000 +0200
-@@ -1458,7 +1458,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- 	return(cipherstack);
- 	}
- 
--char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
-+char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
- 	{
- 	int is_export,pkl,kl;
- 	const char *ver,*exp_str;
-diff -up openssl-1.0.0-beta3/ssl/ssl.h.const openssl-1.0.0-beta3/ssl/ssl.h
---- openssl-1.0.0-beta3/ssl/ssl.h.const	2009-08-22 15:56:11.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/ssl.h	2009-08-22 15:56:12.000000000 +0200
-@@ -1638,7 +1638,7 @@ long SSL_get_default_timeout(const SSL *
- 
- int SSL_library_init(void );
- 
--char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
-+char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size);
- STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
- 
- SSL *SSL_dup(SSL *ssl);

openssl-1.0.0-beta3-curl.patch

@@ -1,27 +0,0 @@
-diff -up openssl-1.0.0-beta3/apps/tsget.curl openssl-1.0.0-beta3/apps/tsget
---- openssl-1.0.0-beta3/apps/tsget.curl	2006-02-13 00:11:21.000000000 +0100
-+++ openssl-1.0.0-beta3/apps/tsget	2009-08-21 15:37:24.000000000 +0200
-@@ -7,7 +7,7 @@ use strict;
- use IO::Handle;
- use Getopt::Std;
- use File::Basename;
--use WWW::Curl::easy;
-+use WWW::Curl::Easy;
- 
- use vars qw(%options);
- 
-@@ -37,7 +37,7 @@ sub create_curl {
-     my $url = shift;
- 
-     # Create Curl object.
--    my $curl = WWW::Curl::easy::new();
-+    my $curl = WWW::Curl::Easy::new();
- 
-     # Error-handling related options.
-     $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
-@@ -192,4 +192,4 @@ REQUEST: foreach (@ARGV) {
-     STDERR->printflush(", $output written.\n") if $options{v};
- }
- $curl->cleanup();
--WWW::Curl::easy::global_cleanup();
-+WWW::Curl::Easy::global_cleanup();

openssl-1.0.0-beta3-enginesdir.patch

@@ -1,52 +0,0 @@
-diff -up openssl-1.0.0-beta3/Configure.enginesdir openssl-1.0.0-beta3/Configure
---- openssl-1.0.0-beta3/Configure.enginesdir	2009-08-10 19:46:32.000000000 +0200
-+++ openssl-1.0.0-beta3/Configure	2009-08-10 19:46:32.000000000 +0200
-@@ -616,6 +616,7 @@ my $idx_multilib = $idx++;
- 
- my $prefix="";
- my $openssldir="";
-+my $enginesdir="";
- my $exe_ext="";
- my $install_prefix="";
- my $cross_compile_prefix="";
-@@ -820,6 +821,10 @@ PROCESS_ARGS:
- 				{
- 				$openssldir=$1;
- 				}
-+			elsif (/^--enginesdir=(.*)$/)
-+				{
-+				$enginesdir=$1;
-+				}
- 			elsif (/^--install.prefix=(.*)$/)
- 				{
- 				$install_prefix=$1;
-@@ -1037,7 +1042,7 @@ chop $prefix if $prefix =~ /.\/$/;
- 
- $openssldir=$prefix . "/ssl" if $openssldir eq "";
- $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
--
-+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
- 
- print "IsMK1MF=$IsMK1MF\n";
- 
-@@ -1645,7 +1650,7 @@ while (<IN>)
- 		# $foo is to become "$prefix/lib$multilib/engines";
- 		# as Makefile.org and engines/Makefile are adapted for
- 		# $multilib suffix.
--		my $foo = "$prefix/lib/engines";
-+		my $foo = "$enginesdir";
- 		$foo =~ s/\\/\\\\/g;
- 		print OUT "#define ENGINESDIR \"$foo\"\n";
- 		}
-diff -up openssl-1.0.0-beta3/engines/Makefile.enginesdir openssl-1.0.0-beta3/engines/Makefile
---- openssl-1.0.0-beta3/engines/Makefile.enginesdir	2009-06-14 04:37:22.000000000 +0200
-+++ openssl-1.0.0-beta3/engines/Makefile	2009-08-10 19:46:48.000000000 +0200
-@@ -123,7 +123,7 @@ install:
- 				sfx=".so"; \
- 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
- 			  fi; \
--			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
-+			  chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
- 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi

openssl-1.0.0-beta3-fipsmode.patch

@@ -222,7 +222,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
  #ifndef OPENSSL_NO_DES
  	EVP_add_cipher(EVP_des_cbc());
  	EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -115,6 +121,38 @@ int SSL_library_init(void)
+@@ -115,6 +121,40 @@ int SSL_library_init(void)
  	EVP_add_digest(EVP_sha());
  	EVP_add_digest(EVP_dss());
  #endif
@@ -241,6 +241,8 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
 +#ifndef OPENSSL_NO_MD5
 +	/* needed even in the FIPS mode for TLS MAC */
 +	EVP_add_digest(EVP_md5());
++	EVP_add_digest_alias(SN_md5,"ssl2-md5");
++	EVP_add_digest_alias(SN_md5,"ssl3-md5");
 +#endif
 +#ifndef OPENSSL_NO_SHA
 +	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */

openssl-1.0.0-beta3-krb5.patch

@@ -1,12 +0,0 @@
-diff -up openssl-1.0.0-beta3/Makefile.org.krb5 openssl-1.0.0-beta3/Makefile.org
---- openssl-1.0.0-beta3/Makefile.org.krb5	2009-04-23 18:12:09.000000000 +0200
-+++ openssl-1.0.0-beta3/Makefile.org	2009-08-04 23:01:16.000000000 +0200
-@@ -299,7 +299,7 @@ build-shared: do_$(SHLIB_TARGET) link-sh
- 
- do_$(SHLIB_TARGET):
- 	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
--		if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-+		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
- 			libs="$(LIBKRB5) $$libs"; \
- 		fi; \
- 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \

openssl-1.0.0-beta3-namingblk.patch

@@ -1,253 +0,0 @@
-Index: openssl/crypto/asn1/a_set.c
-RCS File: /v/openssl/cvs/openssl/crypto/asn1/a_set.c,v
-rcsdiff -q -kk '-r1.20' '-r1.20.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/a_set.c,v' 2>/dev/null
---- openssl/crypto/asn1/a_set.c 2009/01/01 18:30:50 1.20
-+++ openssl/crypto/asn1/a_set.c 2009/07/27 21:21:25 1.20.2.1
-@@ -85,7 +85,7 @@
-     }
- 
- /* int is_set:  if TRUE, then sort the contents (i.e. it isn't a SEQUENCE)    */
--int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
-+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
- 		 i2d_of_void *i2d, int ex_tag, int ex_class,
- 		 int is_set)
- 	{
-@@ -97,8 +97,8 @@
-         int totSize;
- 
- 	if (a == NULL) return(0);
--	for (i=sk_BLOCK_num(a)-1; i>=0; i--)
--		ret+=i2d(sk_BLOCK_value(a,i),NULL);
-+	for (i=sk_OPENSSL_BLOCK_num(a)-1; i>=0; i--)
-+		ret+=i2d(sk_OPENSSL_BLOCK_value(a,i),NULL);
- 	r=ASN1_object_size(1,ret,ex_tag);
- 	if (pp == NULL) return(r);
- 
-@@ -109,10 +109,10 @@
- 	/* And then again by Ben */
- 	/* And again by Steve */
- 
--	if(!is_set || (sk_BLOCK_num(a) < 2))
-+	if(!is_set || (sk_OPENSSL_BLOCK_num(a) < 2))
- 		{
--		for (i=0; i<sk_BLOCK_num(a); i++)
--                	i2d(sk_BLOCK_value(a,i),&p);
-+		for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
-+                	i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
- 
- 		*pp=p;
- 		return(r);
-@@ -120,17 +120,17 @@
- 
-         pStart  = p; /* Catch the beg of Setblobs*/
- 		/* In this array we will store the SET blobs */
--		rgSetBlob = OPENSSL_malloc(sk_BLOCK_num(a) * sizeof(MYBLOB));
-+		rgSetBlob = OPENSSL_malloc(sk_OPENSSL_BLOCK_num(a) * sizeof(MYBLOB));
- 		if (rgSetBlob == NULL)
- 			{
- 			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
- 			return(0);
- 			}
- 
--        for (i=0; i<sk_BLOCK_num(a); i++)
-+        for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
- 	        {
-                 rgSetBlob[i].pbData = p;  /* catch each set encode blob */
--                i2d(sk_BLOCK_value(a,i),&p);
-+                i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
-                 rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
- SetBlob
- */
-@@ -140,7 +140,7 @@
- 
-  /* Now we have to sort the blobs. I am using a simple algo.
-     *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
--        qsort( rgSetBlob, sk_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
-+        qsort( rgSetBlob, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
- 		if (!(pTempMem = OPENSSL_malloc(totSize)))
- 			{
- 			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
-@@ -149,7 +149,7 @@
- 
- /* Copy to temp mem */
-         p = pTempMem;
--        for(i=0; i<sk_BLOCK_num(a); ++i)
-+        for(i=0; i<sk_OPENSSL_BLOCK_num(a); ++i)
- 		{
-                 memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
-                 p += rgSetBlob[i].cbData;
-@@ -163,17 +163,18 @@
-         return(r);
-         }
- 
--STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
-+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
-+			      const unsigned char **pp,
- 			      long length, d2i_of_void *d2i,
--			      void (*free_func)(BLOCK), int ex_tag,
-+			      void (*free_func)(OPENSSL_BLOCK), int ex_tag,
- 			      int ex_class)
- 	{
- 	ASN1_const_CTX c;
--	STACK_OF(BLOCK) *ret=NULL;
-+	STACK_OF(OPENSSL_BLOCK) *ret=NULL;
- 
- 	if ((a == NULL) || ((*a) == NULL))
- 		{
--		if ((ret=sk_BLOCK_new_null()) == NULL)
-+		if ((ret=sk_OPENSSL_BLOCK_new_null()) == NULL)
- 			{
- 			ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
- 			goto err;
-@@ -221,7 +222,7 @@
- 			asn1_add_error(*pp,(int)(c.p- *pp));
- 			goto err;
- 			}
--		if (!sk_BLOCK_push(ret,s)) goto err;
-+		if (!sk_OPENSSL_BLOCK_push(ret,s)) goto err;
- 		}
- 	if (a != NULL) (*a)=ret;
- 	*pp=c.p;
-@@ -230,9 +231,9 @@
- 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
- 		{
- 		if (free_func != NULL)
--			sk_BLOCK_pop_free(ret,free_func);
-+			sk_OPENSSL_BLOCK_pop_free(ret,free_func);
- 		else
--			sk_BLOCK_free(ret);
-+			sk_OPENSSL_BLOCK_free(ret);
- 		}
- 	return(NULL);
- 	}
-Index: openssl/crypto/asn1/asn1.h
-RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn1.h,v
-rcsdiff -q -kk '-r1.166.2.3' '-r1.166.2.4' -u '/v/openssl/cvs/openssl/crypto/asn1/asn1.h,v' 2>/dev/null
---- openssl/crypto/asn1/asn1.h 2009/07/24 11:15:55 1.166.2.3
-+++ openssl/crypto/asn1/asn1.h 2009/07/27 21:21:25 1.166.2.4
-@@ -887,12 +887,13 @@
- ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
- int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
- 
--int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
-+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
- 		 i2d_of_void *i2d, int ex_tag, int ex_class,
- 		 int is_set);
--STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
-+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
-+			      const unsigned char **pp,
- 			      long length, d2i_of_void *d2i,
--			      void (*free_func)(BLOCK), int ex_tag,
-+			      void (*free_func)(OPENSSL_BLOCK), int ex_tag,
- 			      int ex_class);
- 
- #ifndef OPENSSL_NO_BIO
-@@ -1045,9 +1046,9 @@
- int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
- 	unsigned char *data, int max_len);
- 
--STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
--				 d2i_of_void *d2i, void (*free_func)(BLOCK));
--unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
-+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
-+				 d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK));
-+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
- 			     unsigned char **buf, int *len );
- void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i);
- void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
-Index: openssl/crypto/asn1/asn_pack.c
-RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v
-rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v' 2>/dev/null
---- openssl/crypto/asn1/asn_pack.c 2008/11/12 03:57:49 1.19
-+++ openssl/crypto/asn1/asn_pack.c 2009/07/27 21:21:25 1.19.2.1
-@@ -66,10 +66,10 @@
- 
- /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
- 
--STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
--				 d2i_of_void *d2i, void (*free_func)(BLOCK))
-+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
-+			 d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK))
- {
--    STACK_OF(BLOCK) *sk;
-+    STACK_OF(OPENSSL_BLOCK) *sk;
-     const unsigned char *pbuf;
-     pbuf =  buf;
-     if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
-@@ -82,7 +82,7 @@
-  * OPENSSL_malloc'ed buffer
-  */
- 
--unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
-+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
- 			     unsigned char **buf, int *len)
- {
- 	int safelen;
-Index: openssl/crypto/stack/safestack.h
-RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v
-rcsdiff -q -kk '-r1.72.2.4' '-r1.72.2.5' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null
---- openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4
-+++ openssl/crypto/stack/safestack.h 2009/07/27 21:21:25 1.72.2.5
-@@ -128,8 +128,8 @@
-  * nul-terminated. These should also be distinguished from "normal"
-  * stacks. */
- 
--typedef void *BLOCK;
--DECLARE_SPECIAL_STACK_OF(BLOCK, void)
-+typedef void *OPENSSL_BLOCK;
-+DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
- 
- /* SKM_sk_... stack macros are internal to safestack.h:
-  * never use them directly, use sk_<type>_... instead */
-@@ -2055,29 +2055,29 @@
- #define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
- 
- 
--#define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
--#define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null())
--#define sk_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
--#define sk_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
--#define sk_BLOCK_value(st, i) ((BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(BLOCK), st), i))
--#define sk_BLOCK_num(st) SKM_sk_num(BLOCK, st)
--#define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func))
--#define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i)
--#define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st)
--#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val))
--#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st))
--#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
--#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
--#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i))
--#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr))
--#define sk_BLOCK_set_cmp_func(st, cmp)  \
-+#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
-+#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
-+#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-+#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-+#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i))
-+#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
-+#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
-+#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i)
-+#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
-+#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val))
-+#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
-+#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-+#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
-+#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
-+#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr))
-+#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp)  \
- 	((int (*)(const void * const *,const void * const *)) \
--	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
--#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st)
--#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st))
--#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st))
--#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st))
--#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st))
-+	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
-+#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
-+#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
-+#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st))
-+#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
-+#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
- 
- 
- #define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))

openssl-1.0.0-beta4-algo-doc.patch

@@ -1,6 +1,6 @@
-diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod
---- openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc	2004-05-20 23:39:50.000000000 +0200
-+++ openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod	2009-06-30 12:04:47.000000000 +0200
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc	2009-10-16 17:29:34.000000000 +0200
++++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod	2009-11-12 14:13:21.000000000 +0100
 @@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
  EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
  EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
@@ -45,8 +45,8 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
 +signature algorithm is RSA in each case.
  
  EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
- algorithms but using DSS (DSA) for the signature algorithm.
-@@ -156,7 +163,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
+ algorithms but using DSS (DSA) for the signature algorithm. Note: there is 
+@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
  EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
  size in bytes.
  
@@ -56,9 +56,9 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
  EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
  corresponding EVP_MD structures.
  
-diff -up openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod
---- openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
-+++ openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod	2009-06-30 12:04:47.000000000 +0200
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
++++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod	2009-11-12 14:11:03.000000000 +0100
 @@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher 
   int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
   int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);

openssl-1.0.0-beta4-backports.patch

@@ -0,0 +1,45 @@
+diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
+--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports	2008-11-12 04:57:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c	2009-11-18 14:11:14.000000000 +0100
+@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
+ 		}
+ 	else	ret= *a;
+ 
+-	ret->save_type=type;
+-	ret->type=EVP_PKEY_type(type);
+-	switch (ret->type)
++	if (!EVP_PKEY_set_type(ret, type))
++		{
++		ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
++		goto err;
++		}
++
++	switch (EVP_PKEY_id(ret))
+ 		{
+ #ifndef OPENSSL_NO_RSA
+ 	case EVP_PKEY_RSA:
+diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
+--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports	2006-07-04 22:27:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/p_lib.c	2009-11-18 14:11:26.000000000 +0100
+@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
+ #ifndef OPENSSL_NO_ENGINE
+ 		/* If we have an ENGINE release it */
+ 		if (pkey->engine)
++			{
+ 			ENGINE_finish(pkey->engine);
++			pkey->engine = NULL;
++			}
+ #endif
+ 		}
+ 	if (str)
+diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
+--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports	2009-10-31 20:21:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c	2009-11-18 14:11:31.000000000 +0100
+@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, 
+ 			offset= -offset;
+ 		}
+ 	atm.type=ctm->type;
++	atm.flags = 0;
+ 	atm.length=sizeof(buff2);
+ 	atm.data=(unsigned char *)buff2;
+ 

openssl-1.0.0-beta4-binutils.patch

@@ -0,0 +1,56 @@
+diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl
+--- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils	2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl	2009-11-12 17:26:08.000000000 +0100
+@@ -19,6 +19,7 @@ my $code;
+ sub round1_step
+ {
+     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+     $code .= " mov	0*4(%rsi),	%r10d		/* (NEXT STEP) X[0] */\n" if ($pos == -1);
+     $code .= " mov	%edx,		%r11d		/* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
+     $code .= <<EOF;
+@@ -43,6 +44,7 @@ EOF
+ sub round2_step
+ {
+     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+     $code .= " mov	1*4(%rsi),	%r10d		/* (NEXT STEP) X[1] */\n" if ($pos == -1);
+     $code .= " mov	%edx,		%r11d		/* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
+     $code .= " mov	%edx,		%r12d		/* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
+@@ -69,6 +71,7 @@ EOF
+ sub round3_step
+ {
+     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+     $code .= " mov	5*4(%rsi),	%r10d		/* (NEXT STEP) X[5] */\n" if ($pos == -1);
+     $code .= " mov	%ecx,		%r11d		/* (NEXT STEP) y' = %ecx */\n" if ($pos == -1);
+     $code .= <<EOF;
+@@ -91,6 +94,7 @@ EOF
+ sub round4_step
+ {
+     my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++    $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+     $code .= " mov	0*4(%rsi),	%r10d		/* (NEXT STEP) X[0] */\n" if ($pos == -1);
+     $code .= " mov	\$0xffffffff,	%r11d\n" if ($pos == -1);
+     $code .= " xor	%edx,		%r11d		/* (NEXT STEP) not z' = not %edx*/\n"
+diff -up openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl
+--- openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils	2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl	2009-11-12 17:24:18.000000000 +0100
+@@ -150,7 +150,7 @@ ___
+ sub BODY_20_39 {
+ my ($i,$a,$b,$c,$d,$e,$f)=@_;
+ my $j=$i+1;
+-my $K=($i<40)?0x6ed9eba1:0xca62c1d6;
++my $K=($i<40)?0x6ed9eba1:-0x359d3e2a;
+ $code.=<<___ if ($i<79);
+ 	lea	$K($xi,$e),$f
+ 	mov	`4*($j%16)`(%rsp),$xi
+@@ -187,7 +187,7 @@ sub BODY_40_59 {
+ my ($i,$a,$b,$c,$d,$e,$f)=@_;
+ my $j=$i+1;
+ $code.=<<___;
+-	lea	0x8f1bbcdc($xi,$e),$f
++	lea	-0x70e44324($xi,$e),$f
+ 	mov	`4*($j%16)`(%rsp),$xi
+ 	mov	$b,$t0
+ 	mov	$b,$t1

openssl-1.0.0-beta4-ca-dir.patch

@@ -0,0 +1,36 @@
+diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
+--- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir	2006-04-28 02:30:49.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.pl.in	2009-11-12 12:33:13.000000000 +0100
+@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
+ $X509="$openssl x509";
+ $PKCS12="$openssl pkcs12";
+ 
+-$CATOP="./demoCA";
++$CATOP="/etc/pki/CA";
+ $CAKEY="cakey.pem";
+ $CAREQ="careq.pem";
+ $CACERT="cacert.pem";
+diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
+--- openssl-1.0.0-beta4/apps/CA.sh.ca-dir	2009-10-15 19:27:47.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.sh	2009-11-12 12:35:14.000000000 +0100
+@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
+ X509="$OPENSSL x509"
+ PKCS12="openssl pkcs12"
+ 
+-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
++if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
+ CAKEY=./cakey.pem
+ CAREQ=./careq.pem
+ CACERT=./cacert.pem
+diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
+--- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir	2009-11-12 12:33:13.000000000 +0100
++++ openssl-1.0.0-beta4/apps/openssl.cnf	2009-11-12 12:33:13.000000000 +0100
+@@ -39,7 +39,7 @@ default_ca	= CA_default		# The default c
+ ####################################################################
+ [ CA_default ]
+ 
+-dir		= ./demoCA		# Where everything is kept
++dir		= /etc/pki/CA		# Where everything is kept
+ certs		= $dir/certs		# Where the issued certs are kept
+ crl_dir		= $dir/crl		# Where the issued crl are kept
+ database	= $dir/index.txt	# database index file.

openssl-1.0.0-beta4-client-reneg.patch

@@ -0,0 +1,35 @@
+Do not enforce the renegotiation extension on the client - too many broken servers remain.
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg	2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-18 14:04:19.000000000 +0100
+@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 
+ 	if (data >= (d+n-2))
+ 		{
++#if 0
+ 		/* Because the client does not see any renegotiation during an
+ 		   attack, we must enforce this on all server hellos, even the
+ 		   first */
+@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ 			return 0;
+ 			}
++#endif
+ 		return 1;
+ 		}
+ 
+@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		return 0;
+ 		}
+ 
++#if 0
+ 	if (!renegotiate_seen
+ 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ 		{
+ 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ 		return 0;
+ 		}
++#endif
+ 
+ 	if (!s->hit && tlsext_servername == 1)
+ 		{

openssl-1.0.0-beta4-default-paths.patch

@@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c
---- openssl-1.0.0-beta3/apps/s_client.c.default-paths	2009-06-30 18:10:24.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_client.c	2009-08-05 18:17:52.000000000 +0200
-@@ -888,12 +888,13 @@ bad:
+diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
+--- openssl-1.0.0-beta4/apps/s_client.c.default-paths	2009-08-12 15:21:26.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_client.c	2009-11-12 12:26:32.000000000 +0100
+@@ -889,12 +889,13 @@ bad:
  	if (!set_cert_key_stuff(ctx,cert,key))
  		goto end;
  
@@ -19,10 +19,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/a
  		}
  
  #ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c
---- openssl-1.0.0-beta3/apps/s_server.c.default-paths	2009-06-30 18:10:24.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_server.c	2009-08-05 18:18:40.000000000 +0200
-@@ -1403,12 +1403,13 @@ bad:
+diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
+--- openssl-1.0.0-beta4/apps/s_server.c.default-paths	2009-10-28 18:49:37.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_server.c	2009-11-12 12:31:23.000000000 +0100
+@@ -1408,12 +1408,13 @@ bad:
  		}
  #endif
  
@@ -40,8 +40,8 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
  		}
  	if (vpm)
  		SSL_CTX_set1_param(ctx, vpm);
-@@ -1457,8 +1458,11 @@ bad:
- 
+@@ -1465,8 +1466,11 @@ bad:
+ 		else
  			SSL_CTX_sess_set_cache_size(ctx2,128);
  
 -		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
@@ -54,9 +54,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
  			{
  			ERR_print_errors(bio_err);
  			}
-diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c
---- openssl-1.0.0-beta3/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_time.c	2009-08-05 18:00:35.000000000 +0200
+diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
+--- openssl-1.0.0-beta4/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_time.c	2009-11-12 12:26:32.000000000 +0100
 @@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
  
  	SSL_load_error_strings();

openssl-1.0.0-beta4-dtls1-abi.patch

@@ -0,0 +1,25 @@
+Adding struct member is ABI breaker however as the structure is always allocated by
+the library calls we just move it to the end and it should be reasonably safe.
+diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
+--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi	2009-11-12 14:34:37.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/dtls1.h	2009-11-12 14:47:57.000000000 +0100
+@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
+ 	 */
+ 	record_pqueue buffered_app_data;
+ 
+-	/* Is set when listening for new connections with dtls1_listen() */
+-	unsigned int listen;
+-
+ 	unsigned int mtu; /* max DTLS packet size */
+ 
+ 	struct hm_header_st w_msg_hdr;
+@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
+ 	unsigned int retransmitting;
+ 	unsigned int change_cipher_spec_ok;
+ 
++	/* Is set when listening for new connections with dtls1_listen() */
++	unsigned int listen;
++
+ 	} DTLS1_STATE;
+ 
+ typedef struct dtls1_record_data_st

openssl-1.0.0-beta4-enginesdir.patch

@@ -0,0 +1,52 @@
+diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.enginesdir	2009-11-12 12:17:59.000000000 +0100
++++ openssl-1.0.0-beta4/Configure	2009-11-12 12:19:45.000000000 +0100
+@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -833,6 +834,10 @@ PROCESS_ARGS:
+ 				{
+ 				$openssldir=$1;
+ 				}
++			elsif (/^--enginesdir=(.*)$/)
++				{
++				$enginesdir=$1;
++				}
+ 			elsif (/^--install.prefix=(.*)$/)
+ 				{
+ 				$install_prefix=$1;
+@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/;
+ 
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+ 
+ print "IsMK1MF=$IsMK1MF\n";
+ 
+@@ -1676,7 +1681,7 @@ while (<IN>)
+ 		# $foo is to become "$prefix/lib$multilib/engines";
+ 		# as Makefile.org and engines/Makefile are adapted for
+ 		# $multilib suffix.
+-		my $foo = "$prefix/lib/engines";
++		my $foo = "$enginesdir";
+ 		$foo =~ s/\\/\\\\/g;
+ 		print OUT "#define ENGINESDIR \"$foo\"\n";
+ 		}
+diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile
+--- openssl-1.0.0-beta4/engines/Makefile.enginesdir	2009-11-10 02:52:52.000000000 +0100
++++ openssl-1.0.0-beta4/engines/Makefile	2009-11-12 12:23:06.000000000 +0100
+@@ -124,7 +124,7 @@ install:
+ 				sfx=".so"; \
+ 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ 			  fi; \
+-			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++			  chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ 		done; \
+ 	fi

openssl-1.0.0-beta4-redhat.patch

@@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
---- openssl-1.0.0-beta3/Configure.redhat	2009-07-08 10:50:52.000000000 +0200
-+++ openssl-1.0.0-beta3/Configure	2009-08-04 22:46:59.000000000 +0200
-@@ -331,32 +331,32 @@ my %table=(
+diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.redhat	2009-11-09 15:11:13.000000000 +0100
++++ openssl-1.0.0-beta4/Configure	2009-11-12 12:15:27.000000000 +0100
+@@ -336,32 +336,32 @@ my %table=(
  ####
  # *-generic* is endian-neutral target, but ./config is free to
  # throw in -D[BL]_ENDIAN, whichever appropriate...
@@ -22,14 +22,14 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
 -"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 -"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):\$(SHLIB_SONAMEVER)",
++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 +"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 +"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
  "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
  "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 -"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 +"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
  #### SPARC Linux setups
  # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
@@ -46,7 +46,7 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
  #### Alpha Linux with GNU C and Compaq C setups
  # Special notes:
  # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -370,8 +370,8 @@ my %table=(
+@@ -375,8 +375,8 @@ my %table=(
  #
  #					<appro@fy.chalmers.se>
  #

openssl-1.0.0-beta4-reneg-err.patch

@@ -0,0 +1,93 @@
+Better error reporting for unsafe renegotiation.
+diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
+--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err	2009-11-09 19:45:42.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_err.c	2009-11-20 17:56:57.000000000 +0100
+@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_load_client_CA_file"},
+ {ERR_FUNC(SSL_F_SSL_NEW),	"SSL_new"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),	"SSL_PARSE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),	"SSL_PARSE_SERVERHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PEEK),	"SSL_peek"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),	"SSL_PREPARE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),	"SSL_PREPARE_SERVERHELLO_TLSEXT"},
+@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
+ {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
+ {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
++{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
+diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
+--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err	2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl.h	2009-11-20 17:56:57.000000000 +0100
+@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
+ #define SSL_F_SSL_NEW					 186
+ #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT	 300
++#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT		 302
+ #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT	 301
++#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT		 303
+ #define SSL_F_SSL_PEEK					 270
+ #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT		 281
+ #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT		 282
+@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
+ #define SSL_R_UNKNOWN_SSL_VERSION			 254
+ #define SSL_R_UNKNOWN_STATE				 255
++#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 338
+ #define SSL_R_UNSUPPORTED_CIPHER			 256
+ #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
+ #define SSL_R_UNSUPPORTED_DIGEST_TYPE			 326
+diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
+--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err	2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s23_srvr.c	2009-11-20 17:57:23.000000000 +0100
+@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
+ 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ 		goto err;
+ #else
++		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++			{
++			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
++			goto err;
++			}
+ 		/* we are talking sslv2 */
+ 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
+ 		 * sslv2 stuff. */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err	2009-11-18 14:04:19.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-20 17:56:57.000000000 +0100
+@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 			{
+ 			/* We should always see one extension: the renegotiate extension */
+ 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++			SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 			return 0;
+ 			}
+ 		return 1;
+@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+  	if (s->new_session && !renegotiate_seen
+  		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+  		{
++		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+  		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+  		return 0;
+  		}
+@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			{
+ 			/* We should always see one extension: the renegotiate extension */
+ 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++			SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 			return 0;
+ 			}
+ #endif
+@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ 		{
+ 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 		return 0;
+ 		}
+ #endif

openssl-1.0.0-beta4-reneg.patch

@@ -0,0 +1,237 @@
+diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c
+--- openssl-1.0.0-beta4/apps/s_cb.c.reneg	2009-10-15 20:48:47.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_cb.c	2009-11-12 15:02:30.000000000 +0100
+@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
+ 		extname = "server ticket";
+ 		break;
+ 
++		case TLSEXT_TYPE_renegotiate:
++		extname = "renegotiate";
++		break;
++
+ #ifdef TLSEXT_TYPE_opaque_prf_input
+ 		case TLSEXT_TYPE_opaque_prf_input:
+ 		extname = "opaque PRF input";
+diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c
+--- openssl-1.0.0-beta4/apps/s_client.c.reneg	2009-11-12 14:57:48.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_client.c	2009-11-12 15:01:48.000000000 +0100
+@@ -343,6 +343,7 @@ static void sc_usage(void)
+ 	BIO_printf(bio_err," -status           - request certificate status from server\n");
+ 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
+ #endif
++	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+ 	}
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv)
+ #endif
+ 		else if (strcmp(*argv,"-serverpref") == 0)
+ 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
++		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
++			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ 		else if	(strcmp(*argv,"-cipher") == 0)
+ 			{
+ 			if (--argc < 1) goto bad;
+diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c
+--- openssl-1.0.0-beta4/apps/s_server.c.reneg	2009-11-12 14:57:48.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_server.c	2009-11-12 15:01:48.000000000 +0100
+@@ -491,6 +491,7 @@ static void sv_usage(void)
+ 	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
+ 	BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
+ 	BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
++	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+ #endif
+ 	}
+ 
+@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[])
+ 			verify_return_error = 1;
+ 		else if	(strcmp(*argv,"-serverpref") == 0)
+ 			{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
++		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
++			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ 		else if	(strcmp(*argv,"-cipher") == 0)
+ 			{
+ 			if (--argc < 1) goto bad;
+diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h
+--- openssl-1.0.0-beta4/ssl/tls1.h.reneg	2009-11-12 14:57:47.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/tls1.h	2009-11-12 15:02:30.000000000 +0100
+@@ -201,6 +201,9 @@ extern "C" {
+ # define TLSEXT_TYPE_opaque_prf_input		?? */
+ #endif
+ 
++/* Temporary extension type */
++#define TLSEXT_TYPE_renegotiate                 0xff01
++
+ /* NameType value from RFC 3546 */
+ #define TLSEXT_NAMETYPE_host_name 0
+ /* status request value from RFC 3546 */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg	2009-11-08 15:36:32.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-12 15:02:30.000000000 +0100
+@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex
+ 		ret+=size_str;
+ 		}
+ 
++        /* Add the renegotiation option: TODOEKR switch */
++        {
++          int el;
++          
++          if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
++              {
++              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++              return NULL;
++              }
++
++          if((limit - p - 4 - el) < 0) return NULL;
++          
++          s2n(TLSEXT_TYPE_renegotiate,ret);
++          s2n(el,ret);
++
++          if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
++              {
++              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++              return NULL;
++              }
++
++          ret += el;
++        }
++
+ #ifndef OPENSSL_NO_EC
+ 	if (s->tlsext_ecpointformatlist != NULL)
+ 		{
+@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex
+ 		s2n(TLSEXT_TYPE_server_name,ret);
+ 		s2n(0,ret);
+ 		}
++
++        if(s->s3->send_connection_binding)
++        {
++          int el;
++          
++          if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
++              {
++              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++              return NULL;
++              }
++
++          if((limit - p - 4 - el) < 0) return NULL;
++          
++          s2n(TLSEXT_TYPE_renegotiate,ret);
++          s2n(el,ret);
++
++          if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
++              {
++              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++              return NULL;
++              }
++
++          ret += el;
++        }
++
+ #ifndef OPENSSL_NO_EC
+ 	if (s->tlsext_ecpointformatlist != NULL)
+ 		{
+@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 	unsigned short size;
+ 	unsigned short len;
+ 	unsigned char *data = *p;
++	int renegotiate_seen = 0;
++
+ 	s->servername_done = 0;
+ 	s->tlsext_status_type = -1;
++	s->s3->send_connection_binding = 0;
+ 
+ 	if (data >= (d+n-2))
++		{
++		if (s->new_session
++			&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++			{
++			/* We should always see one extension: the renegotiate extension */
++			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++			return 0;
++			}
+ 		return 1;
++		}
+ 	n2s(data,len);
+ 
+ 	if (data > (d+n-len)) 
+@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 				return 0;
+ 				}
+ 			}
++		else if (type == TLSEXT_TYPE_renegotiate)
++			{
++			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
++				return 0;
++			renegotiate_seen = 1;
++			}
+ 		else if (type == TLSEXT_TYPE_status_request
+ 						&& s->ctx->tlsext_status_cb)
+ 			{
+@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 		/* session ticket processed earlier */
+ 		data+=size;
+ 		}
++  
++ 	if (s->new_session && !renegotiate_seen
++ 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ 		{
++ 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ 		return 0;
++ 		}
++ 
+ 				
+ 	*p = data;
+ 	return 1;
+@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 	unsigned short size;
+ 	unsigned short len;  
+ 	unsigned char *data = *p;
+-
+ 	int tlsext_servername = 0;
++	int renegotiate_seen = 0;
+ 
+ 	if (data >= (d+n-2))
++		{
++		/* Because the client does not see any renegotiation during an
++		   attack, we must enforce this on all server hellos, even the
++		   first */
++		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++			{
++			/* We should always see one extension: the renegotiate extension */
++			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++			return 0;
++			}
+ 		return 1;
++		}
+ 
+ 	n2s(data,len);
+ 
+@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			/* Set flag to expect CertificateStatus message */
+ 			s->tlsext_status_expected = 1;
+ 			}
+-
++		else if (type == TLSEXT_TYPE_renegotiate)
++			{
++			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
++				return 0;
++			renegotiate_seen = 1;
++			}
+ 		data+=size;		
+ 		}
+ 
+@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		return 0;
+ 		}
+ 
++	if (!renegotiate_seen
++		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++		{
++		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++		return 0;
++		}
++
+ 	if (!s->hit && tlsext_servername == 1)
+ 		{
+  		if (s->tlsext_hostname)

openssl-1.0.0-beta4-version.patch

@@ -0,0 +1,14 @@
+We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist
+on having the same beta status of OpenSSL library as they were built against.
+diff -up openssl-1.0.0-beta4/crypto/opensslv.h.version openssl-1.0.0-beta4/crypto/opensslv.h
+--- openssl-1.0.0-beta4/crypto/opensslv.h.version	2009-11-12 15:17:28.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/opensslv.h	2009-11-13 12:39:08.000000000 +0100
+@@ -25,7 +25,7 @@
+  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+  *  major minor fix final patch/beta)
+  */
+-#define OPENSSL_VERSION_NUMBER	0x10000004L
++#define OPENSSL_VERSION_NUMBER	0x10000003L
+ #ifdef OPENSSL_FIPS
+ #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0-fips-beta4 10 Nov 2009"
+ #else

sources

@@ -1 +1 @@
-9926dcf78e797a12d8e3ffd7a018824b  openssl-1.0.0-beta3-usa.tar.bz2
+1fc0e41c230d0698f834413dfba864ad  openssl-1.0.0-beta4-usa.tar.bz2