Added missing patches and removed unused ones

2012-11-09 16:29:44 +01:00 · 2012-11-09 16:29:44 +01:00 · 942a99b725
commit 942a99b725
parent 7ab115bd4d
40 changed files with 21706 additions and 16153 deletions
--- a/README.FIPS
+++ b/README.FIPS
@ -0,0 +1,75 @@
 User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
 =================================================================
 This package contains libraries which comprise the FIPS 140-2
 Red Hat Enterprise Linux - OPENSSL Module.
 The module files
 ================
 /usr/lib[64]/libcrypto.so.1.0.0d
 /usr/lib[64]/libssl.so.1.0.0d
 /usr/lib[64]/.libcrypto.so.1.0.0d.hmac
 /usr/lib[64]/.libssl.so.1.0.0d.hmac
 Dependencies
 ============
 The approved mode of operation requires kernel with /dev/urandom RNG running
 with properties as defined in the security policy of the module. This is
 provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
 Crytographic Module.
 Installation
 ============
 The RPM package of the module can be installed by standard tools recommended
 for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
 rpm, RHN remote management tool).
 For proper operation of the in-module integrity verification the prelink has to
 be disabled. This can be done with setting PRELINKING=no in the
 /etc/sysconfig/prelink configuration file. If the libraries were already
 prelinked the prelink should be undone on all the system files with the
 'prelink -u -a' command.
 Usage and API
 =============
 The module respects kernel command line FIPS setting. If the kernel command
 line contains option fips=1 the module will initialize in the FIPS approved
 mode of operation automatically. To allow for the automatic initialization the
 application using the module has to call one of the following API calls:
 - void OPENSSL_init_library(void) - this will do only a basic initialization
 of the library and does initialization of the FIPS approved mode without setting
 up EVP API with supported algorithms.
 - void OPENSSL_add_all_algorithms(void) - this API function calls
 OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
 in the approved mode 
 - void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
 adds algorithms which are necessary for TLS protocol support and initializes
 the SSL library.
 To explicitely put the library to the approved mode the application can call
 the following function:
 - int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
 the library from the non-approved to the approved mode. If any of the selftests
 and integrity verification tests fail, the library is put into the error state
 and 0 is returned. If they succeed the return value is 1.
 To query the module whether it is in the approved mode or not:
 - int FIPS_mode(void) - returns 1 if the module is in the approved mode,
 0 otherwise.
 To query whether the module is in the error state:
 - int FIPS_selftest_failed(void) - returns 1 if the module is in the error
 state, 0 otherwise.
 To zeroize the FIPS RNG key and internal state the application calls:
 - void RAND_cleanup(void)
--- a/mingw-openssl-fix-fips-build-failure.patch
+++ b/mingw-openssl-fix-fips-build-failure.patch
@ -0,0 +1,75 @@
 --- openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.orig	2012-11-03 18:59:03.620066556 +0100
 +++ openssl-1.0.1c/crypto/fips/fips_rand_selftest.c	2012-11-03 19:57:33.156686682 +0100
@@ -47,6 +47,8 @@
  *
  */
 +#ifdef OPENSSL_FIPS
 +
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/fips.h>
@@ -54,9 +56,6 @@
 #include <openssl/fips_rand.h>
 #include "fips_locl.h"
 -#ifdef OPENSSL_FIPS
 -
 -
 typedef struct
 	{
 --- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.orig	2012-11-03 20:03:20.546180631 +0100
 +++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c	2012-11-03 20:03:46.069328396 +0100
@@ -47,6 +47,8 @@
  *
  */
 +#ifdef OPENSSL_FIPS
 +
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/dsa.h>
@@ -56,8 +58,6 @@
 #include <openssl/bn.h>
 #include "fips_locl.h"
 -#ifdef OPENSSL_FIPS
 -
 static const unsigned char dsa_test_2048_p[] = {
 	0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
 	0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
 --- openssl-1.0.1c/crypto/fips/fips_rand.c.orig	2012-11-03 20:07:49.956891942 +0100
 +++ openssl-1.0.1c/crypto/fips/fips_rand.c	2012-11-03 20:08:14.260048118 +0100
@@ -47,6 +47,8 @@
  *
  */
 +#ifdef OPENSSL_FIPS
 +
 /*
  * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
  */
@@ -82,8 +84,6 @@
 #include <openssl/fips.h>
 #include "fips_locl.h"
 -#ifdef OPENSSL_FIPS
 -
 void *OPENSSL_stderr(void);
 #define AES_BLOCK_LENGTH	16
 --- openssl-1.0.1c/crypto/rand/md_rand.c.orig	2012-11-03 20:19:31.461754618 +0100
 +++ openssl-1.0.1c/crypto/rand/md_rand.c	2012-11-03 20:20:58.294282662 +0100
@@ -392,7 +392,11 @@
 	/* always poll for external entropy in FIPS mode, drbg provides the 
 	 * expansion
 	 */
 +#ifdef OPENSSL_FIPS
 	if (!initialized || FIPS_module_mode()) 
 +#else
 +	if (!initialized)
 +#endif
 		{
 		RAND_poll();
 		initialized = 1;
--- a/openssl-0.9.8g-ia64.patch
+++ b/openssl-0.9.8g-ia64.patch
@ -1,19 +0,0 @@
 diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
 --- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64	2008-08-10 22:23:55.000000000 +0200
 +++ openssl-0.9.8g/crypto/bn/bn_lcl.h	2008-08-10 22:23:55.000000000 +0200
@@ -279,6 +279,15 @@ extern "C" {
 #   define BN_UMULT_HIGH(a,b)		__umulh((a),(b))
 #   define BN_UMULT_LOHI(low,high,a,b)	((low)=_umul128((a),(b),&(high)))
 #  endif
 +# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
 +#  if defined(__GNUC__)
 +#   define BN_UMULT_HIGH(a,b) ({      \
 +      register BN_ULONG ret;          \
 +      asm ("xmpy.hu %0 = %1, %2"      \
 +           : "=f"(ret)                \
 +           : "f"(a), "f"(b));         \
 +      ret;                    })
 +#  endif      /* compiler */
 # endif		/* cpu */
 #endif		/* OPENSSL_NO_ASM */
--- a/openssl-0.9.8j-bad-mime.patch
+++ b/openssl-0.9.8j-bad-mime.patch
@ -1,14 +0,0 @@
 diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
 --- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime	2008-08-05 17:56:11.000000000 +0200
 +++ openssl-0.9.8j/crypto/asn1/asn_mime.c	2009-01-14 22:08:34.000000000 +0100
@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
 static int mime_hdr_cmp(const MIME_HEADER * const *a,
 			const MIME_HEADER * const *b)
 {
 +	if ((*a)->name == NULL || (*b)->name == NULL)
 +		return (*a)->name - (*b)->name < 0 ? -1 :
 +			(*a)->name - (*b)->name > 0 ? 1 : 0;
 +
 	return(strcmp((*a)->name, (*b)->name));
 }
--- a/openssl-1.0.0-beta3-fipscheck.patch
+++ b/openssl-1.0.0-beta3-fipscheck.patch
@ -1,400 +0,0 @@
 diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
 --- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
 +++ openssl-1.0.0-beta3/crypto/fips/fips.c	2009-08-10 20:11:59.000000000 +0200
@@ -47,6 +47,7 @@
  *
  */
 +#define _GNU_SOURCE
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
@@ -56,6 +57,9 @@
 #include <openssl/rsa.h>
 #include <string.h>
 #include <limits.h>
 +#include <dlfcn.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 #include "fips_locl.h"
 #ifdef OPENSSL_FIPS
@@ -165,6 +169,204 @@ int FIPS_selftest()
 	&& FIPS_selftest_dsa();
     }
 +/* we implement what libfipscheck does ourselves */
 +
 +static int
 +get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
 +{
 +	Dl_info info;
 +	void *dl, *sym;
 +	int rv = -1;
 +
 +        dl = dlopen(libname, RTLD_LAZY);
 +        if (dl == NULL) {
 +	        return -1;
 +        }       
 +
 +	sym = dlsym(dl, symbolname);
 +
 +	if (sym != NULL && dladdr(sym, &info)) {
 +		strncpy(path, info.dli_fname, pathlen-1);
 +		path[pathlen-1] = '\0';
 +		rv = 0;
 +	}
 +
 +	dlclose(dl);	
 +	
 +	return rv;
 +}
 +
 +static const char conv[] = "0123456789abcdef";
 +
 +static char *
 +bin2hex(void *buf, size_t len)
 +{
 +	char *hex, *p;
 +	unsigned char *src = buf;
 +	
 +	hex = malloc(len * 2 + 1);
 +	if (hex == NULL)
 +		return NULL;
 +
 +	p = hex;
 +
 +	while (len > 0) {
 +		unsigned c;
 +
 +		c = *src;
 +		src++;
 +
 +		*p = conv[c >> 4];
 +		++p;
 +		*p = conv[c & 0x0f];
 +		++p;
 +		--len;
 +	}
 +	*p = '\0';
 +	return hex;
 +}
 +
 +#define HMAC_PREFIX "." 
 +#define HMAC_SUFFIX ".hmac" 
 +#define READ_BUFFER_LENGTH 16384
 +
 +static char *
 +make_hmac_path(const char *origpath)
 +{
 +	char *path, *p;
 +	const char *fn;
 +
 +	path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
 +	if(path == NULL) {
 +		return NULL;
 +	}
 +
 +	fn = strrchr(origpath, '/');
 +	if (fn == NULL) {
 +		fn = origpath;
 +	} else {
 +		++fn;
 +	}
 +
 +	strncpy(path, origpath, fn-origpath);
 +	p = path + (fn - origpath);
 +	p = stpcpy(p, HMAC_PREFIX);
 +	p = stpcpy(p, fn);
 +	p = stpcpy(p, HMAC_SUFFIX);
 +
 +	return path;
 +}
 +
 +static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
 +
 +static int
 +compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
 +{
 +	FILE *f = NULL;
 +	int rv = -1;
 +	unsigned char rbuf[READ_BUFFER_LENGTH];
 +	size_t len;
 +	unsigned int hlen;
 +	HMAC_CTX c;
 +
 +	HMAC_CTX_init(&c);
 +
 +	f = fopen(path, "r");
 +
 +	if (f == NULL) {
 +		goto end;
 +	}
 +
 +	HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
 +
 +	while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
 +		HMAC_Update(&c, rbuf, len);
 +	}
 +
 +	len = sizeof(rbuf);
 +	/* reuse rbuf for hmac */
 +	HMAC_Final(&c, rbuf, &hlen);
 +
 +	*buf = malloc(hlen);
 +	if (*buf == NULL) {
 +		goto end;
 +	}
 +
 +	*hmaclen = hlen;
 +
 +	memcpy(*buf, rbuf, hlen);
 +
 +	rv = 0;
 +end:
 +	HMAC_CTX_cleanup(&c);
 +
 +	if (f)
 +		fclose(f);
 +
 +	return rv;
 +}
 +
 +static int
 +FIPSCHECK_verify(const char *libname, const char *symbolname)
 +{
 +	char path[PATH_MAX+1];
 +	int rv;
 +	FILE *hf;
 +	char *hmacpath, *p;
 +	char *hmac = NULL;
 +	size_t n;
 +	
 +	rv = get_library_path(libname, symbolname, path, sizeof(path));
 +
 +	if (rv < 0)
 +		return 0;
 +
 +	hmacpath = make_hmac_path(path);
 +
 +	hf = fopen(hmacpath, "r");
 +	if (hf == NULL) {
 +		free(hmacpath);
 +		return 0;
 +	}
 +
 +	if (getline(&hmac, &n, hf) > 0) {
 +		void *buf;
 +		size_t hmaclen;
 +		char *hex;
 +
 +		if ((p=strchr(hmac, '\n')) != NULL)
 +			*p = '\0';
 +
 +		if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
 +			rv = -4;
 +			goto end;
 +		}
 +
 +		if ((hex=bin2hex(buf, hmaclen)) == NULL) {
 +			free(buf);
 +			rv = -5;
 +			goto end;
 +		}
 +
 +		if (strcmp(hex, hmac) != 0) {
 +			rv = -1;
 +		}
 +		free(buf);
 +		free(hex);
 +	}
 +
 +end:
 +	free(hmac);
 +	free(hmacpath);
 +	fclose(hf);
 +
 +	if (rv < 0)
 +		return 0;
 +
 +	/* check successful */
 +	return 1;	
 +}
 +
 int FIPS_mode_set(int onoff)
     {
     int fips_set_owning_thread();
@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
 	    }
 #endif
 +	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
 +	    {
 +	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
 +	    fips_selftest_fail = 1;
 +	    ret = 0;
 +	    goto end;
 +	    }
 +
 +	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
 +	    {
 +	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
 +	    fips_selftest_fail = 1;
 +	    ret = 0;
 +	    goto end;
 +	    }
 +
 	/* Perform RNG KAT before seeding */
 	if (!FIPS_selftest_rng())
 	    {
 diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
 --- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
 +++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c	2009-08-10 20:11:59.000000000 +0200
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
 #ifdef OPENSSL_FIPS
 -static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
 +static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
 		      const char *key)
     {
     size_t len=strlen(key);
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
     if (len > SHA_CBLOCK)
 	{
 -	SHA1_Init(md_ctx);
 -	SHA1_Update(md_ctx,key,len);
 -	SHA1_Final(keymd,md_ctx);
 -	len=20;
 +	SHA256_Init(md_ctx);
 +	SHA256_Update(md_ctx,key,len);
 +	SHA256_Final(keymd,md_ctx);
 +	len=SHA256_DIGEST_LENGTH;
 	}
     else
 	memcpy(keymd,key,len);
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
 	pad[i]=0x36^keymd[i];
 -    SHA1_Init(md_ctx);
 -    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
 +    SHA256_Init(md_ctx);
 +    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
 	pad[i]=0x5c^keymd[i];
 -    SHA1_Init(o_ctx);
 -    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
 +    SHA256_Init(o_ctx);
 +    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
     }
 -static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
 +static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
     {
 -    unsigned char buf[20];
 +    unsigned char buf[SHA256_DIGEST_LENGTH];
 -    SHA1_Final(buf,md_ctx);
 -    SHA1_Update(o_ctx,buf,sizeof buf);
 -    SHA1_Final(md,o_ctx);
 +    SHA256_Final(buf,md_ctx);
 +    SHA256_Update(o_ctx,buf,sizeof buf);
 +    SHA256_Final(md,o_ctx);
     }
 #endif
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
 int main(int argc,char **argv)
     {
 #ifdef OPENSSL_FIPS
 -    static char key[]="etaonrishdlcupfm";
 +    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
     int n,binary=0;
     if(argc < 2)
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
     for(; n < argc ; ++n)
 	{
 	FILE *f=fopen(argv[n],"rb");
 -	SHA_CTX md_ctx,o_ctx;
 -	unsigned char md[20];
 +	SHA256_CTX md_ctx,o_ctx;
 +	unsigned char md[SHA256_DIGEST_LENGTH];
 	int i;
 	if(!f)
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
 		else
 		    break;
 		}
 -	    SHA1_Update(&md_ctx,buf,l);
 +	    SHA256_Update(&md_ctx,buf,l);
 	    }
 	hmac_final(md,&md_ctx,&o_ctx);
 	if (binary)
 	    {
 -	    fwrite(md,20,1,stdout);
 +	    fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
 	    break;	/* ... for single(!) file */
 	    }
 -	printf("HMAC-SHA1(%s)= ",argv[n]);
 -	for(i=0 ; i < 20 ; ++i)
 +/*	printf("HMAC-SHA1(%s)= ",argv[n]); */
 +	for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
 	    printf("%02x",md[i]);
 	printf("\n");
 	}
 diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
 --- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck	2009-08-10 20:11:59.000000000 +0200
 +++ openssl-1.0.0-beta3/crypto/fips/Makefile	2009-08-10 20:27:45.000000000 +0200
@@ -16,6 +16,9 @@ GENERAL=Makefile
 TEST=fips_test_suite.c fips_randtest.c
 APPS=
 +PROGRAM= fips_standalone_sha1
 +EXE= $(PROGRAM)$(EXE_EXT)
 +
 LIB=$(TOP)/libcrypto.a
 LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
     fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c  fips_rand.c \
@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
     fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o  fips_rand.o \
     fips_rsa_x931g.o
 +LIBCRYPTO=-L.. -lcrypto
 +
 SRC= $(LIBSRC) fips_standalone_sha1.c
 EXHEADER= fips.h fips_rand.h
@@ -35,13 +40,15 @@ ALL=    $(GENERAL) $(SRC) $(HEADER)
 top:
 	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
 -all:	lib
 +all:	lib exe
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 +exe:	$(EXE)
 +
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -77,5 +84,9 @@ dclean:
 clean:
 	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 +$(EXE): $(PROGRAM).o
 +	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
 +	$(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
 +
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/openssl-1.0.0-beta3-fipsrng.patch
+++ b/openssl-1.0.0-beta3-fipsrng.patch
@ -1,79 +0,0 @@
 diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
 --- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng	2009-08-11 18:12:14.000000000 +0200
 +++ openssl-1.0.0-beta3/crypto/fips/fips.c	2009-08-11 18:14:36.000000000 +0200
@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
 	    goto end;
 	    }
 +	/* now switch the RNG into FIPS mode */
 +	fips_set_rand_check(FIPS_rand_method());
 +	RAND_set_rand_method(FIPS_rand_method());
 +
 	/* automagically seed PRNG if not already seeded */
 	if(!FIPS_rand_status())
 	    {
 -	    if(RAND_bytes(buf,sizeof buf) <= 0)
 +	    RAND_poll();
 +	    if (!FIPS_rand_status())
 		{
 		fips_selftest_fail = 1;
 		ret = 0;
 		goto end;
 		}
 -	    FIPS_rand_set_key(buf,32);
 -	    FIPS_rand_seed(buf+32,16);
 	    }
 -	/* now switch into FIPS mode */
 -	fips_set_rand_check(FIPS_rand_method());
 -	RAND_set_rand_method(FIPS_rand_method());
 	if(FIPS_selftest())
 	    fips_set_mode(1);
 	else
 diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
 --- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng	2009-08-11 18:12:14.000000000 +0200
 +++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c	2009-08-11 18:16:48.000000000 +0200
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
 	{
 	int i;
 	if (!ctx->keyed)
 -		return 0;
 +		{
 +		FIPS_RAND_SIZE_T keylen = 16;
 +
 +		if (seedlen - keylen < AES_BLOCK_LENGTH)
 +			return 0;
 +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 +			keylen += 8;
 +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 +			keylen += 8;
 +		seedlen -= keylen;
 +		fips_set_prng_key(ctx, seed+seedlen, keylen);
 +		}
 	/* In test mode seed is just supplied data */
 	if (ctx->test_mode)
 		{
@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
 	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
 	unsigned char tmp[AES_BLOCK_LENGTH];
 	int i;
 +	FIPS_selftest_check();
 	if (ctx->error)
 		{
 		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
 diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
 --- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng	2009-08-11 18:12:13.000000000 +0200
 +++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h	2009-08-11 18:18:13.000000000 +0200
@@ -112,8 +112,11 @@
 #ifndef HEADER_RAND_LCL_H
 #define HEADER_RAND_LCL_H
 +#ifndef OPENSSL_FIPS
 #define ENTROPY_NEEDED 32  /* require 256 bits = 32 bytes of randomness */
 -
 +#else
 +#define ENTROPY_NEEDED 48  /* we need 48 bytes of randomness for FIPS rng */
 +#endif
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
--- a/openssl-1.0.0-beta3-soversion.patch
+++ b/openssl-1.0.0-beta3-soversion.patch
@ -1,44 +0,0 @@
 diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure
 --- openssl-1.0.0-beta3/Configure.soversion	2009-08-04 23:06:52.000000000 +0200
 +++ openssl-1.0.0-beta3/Configure	2009-08-04 23:06:52.000000000 +0200
@@ -1514,7 +1514,7 @@ while (<IN>)
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 -		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 +		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
 		{
 diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org
 --- openssl-1.0.0-beta3/Makefile.org.soversion	2009-08-04 23:06:52.000000000 +0200
 +++ openssl-1.0.0-beta3/Makefile.org	2009-08-04 23:11:01.000000000 +0200
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=
 SHLIB_MINOR=
 SHLIB_EXT=
 +SHLIB_SONAMEVER=10
 PLATFORM=dist
 OPTIONS=
 CONFIGURE_ARGS=
@@ -289,10 +290,9 @@ clean-shared:
 link-shared:
 	@ set -e; for i in $(SHLIBDIRS); do \
 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
 -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			symlink.$(SHLIB_TARGET); \
 -		libs="$$libs -l$$i"; \
 	done
 build-shared: do_$(SHLIB_TARGET) link-shared
@@ -303,7 +303,7 @@ do_$(SHLIB_TARGET):
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			LIBDEPS="$$libs $(EX_LIBS)" \
 			link_a.$(SHLIB_TARGET); \
--- a/openssl-1.0.0-beta4-dtls1-abi.patch
+++ b/openssl-1.0.0-beta4-dtls1-abi.patch
@ -1,25 +0,0 @@
 Adding struct member is ABI breaker however as the structure is always allocated by
 the library calls we just move it to the end and it should be reasonably safe.
 diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
 --- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi	2009-11-12 14:34:37.000000000 +0100
 +++ openssl-1.0.0-beta4/ssl/dtls1.h	2009-11-12 14:47:57.000000000 +0100
@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
 	 */
 	record_pqueue buffered_app_data;
 -	/* Is set when listening for new connections with dtls1_listen() */
 -	unsigned int listen;
 -
 	unsigned int mtu; /* max DTLS packet size */
 	struct hm_header_st w_msg_hdr;
@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
 	unsigned int retransmitting;
 	unsigned int change_cipher_spec_ok;
 +	/* Is set when listening for new connections with dtls1_listen() */
 +	unsigned int listen;
 +
 	} DTLS1_STATE;
 typedef struct dtls1_record_data_st
--- a/openssl-1.0.0-fips-pkcs8.patch
+++ b/openssl-1.0.0-fips-pkcs8.patch
@ -0,0 +1,189 @@
 diff -up openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 openssl-1.0.0/crypto/pem/pem_all.c
 --- openssl-1.0.0/crypto/pem/pem_all.c.pkcs8	2006-11-06 20:53:37.000000000 +0100
 +++ openssl-1.0.0/crypto/pem/pem_all.c	2012-04-26 17:17:35.765317652 +0200
@@ -147,7 +147,37 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRIN
 IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE,
 					PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE)
 +#ifdef OPENSSL_FIPS
 +static int fips_PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +	{
 +		if (FIPS_mode())
 +			return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
 +						(char *)kstr, klen, cb, u);
 +		else
 +                	return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
 +                ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
 +                        bp,x,enc,kstr,klen,cb,u);
 +	}
 +
 +#ifndef OPENSSL_NO_FP_API
 +static int fips_PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +	{
 +		if (FIPS_mode())
 +			return PEM_write_PKCS8PrivateKey(fp, x, enc,
 +						(char *)kstr, klen, cb, u);
 +		else
 +                	return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
 +                ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
 +                        fp,x,enc,kstr,klen,cb,u);
 +	}
 +#endif
 +
 +#endif
 #ifndef OPENSSL_NO_RSA
@@ -193,7 +223,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RS
 #endif
 +#ifdef OPENSSL_FIPS
 +
 +int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +{
 +	EVP_PKEY *k;
 +	int ret;
 +	k = EVP_PKEY_new();
 +	if (!k)
 +		return 0;
 +	EVP_PKEY_set1_RSA(k, x);
 +
 +	ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
 +	EVP_PKEY_free(k);
 +	return ret;
 +}
 +
 +#ifndef OPENSSL_NO_FP_API
 +int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +{
 +	EVP_PKEY *k;
 +	int ret;
 +	k = EVP_PKEY_new();
 +	if (!k)
 +		return 0;
 +
 +	EVP_PKEY_set1_RSA(k, x);
 +
 +	ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
 +	EVP_PKEY_free(k);
 +	return ret;
 +}
 +#endif
 +
 +#else
 +
 IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
 +
 +#endif
 +
 IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
@@ -223,7 +295,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp,
 	return pkey_get_dsa(pktmp, dsa);	/* will free pktmp */
 }
 +#ifdef OPENSSL_FIPS
 +
 +int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +{
 +	EVP_PKEY *k;
 +	int ret;
 +	k = EVP_PKEY_new();
 +	if (!k)
 +		return 0;
 +	EVP_PKEY_set1_DSA(k, x);
 +
 +	ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
 +	EVP_PKEY_free(k);
 +	return ret;
 +}
 +
 +#ifndef OPENSSL_NO_FP_API
 +int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +{
 +	EVP_PKEY *k;
 +	int ret;
 +	k = EVP_PKEY_new();
 +	if (!k)
 +		return 0;
 +	EVP_PKEY_set1_DSA(k, x);
 +	ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
 +	EVP_PKEY_free(k);
 +	return ret;
 +}
 +#endif
 +
 +#else
 +
 IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
 +
 +#endif
 +
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 #ifndef OPENSSL_NO_FP_API
@@ -269,8 +381,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *b
 IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
 +
 +
 +#ifdef OPENSSL_FIPS
 +
 +int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +{
 +	EVP_PKEY *k;
 +	int ret;
 +	k = EVP_PKEY_new();
 +	if (!k)
 +		return 0;
 +	EVP_PKEY_set1_EC_KEY(k, x);
 +
 +	ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
 +	EVP_PKEY_free(k);
 +	return ret;
 +}
 +
 +#ifndef OPENSSL_NO_FP_API
 +int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
 +                                               unsigned char *kstr, int klen,
 +                                               pem_password_cb *cb, void *u)
 +{
 +	EVP_PKEY *k;
 +	int ret;
 +	k = EVP_PKEY_new();
 +	if (!k)
 +		return 0;
 +	EVP_PKEY_set1_EC_KEY(k, x);
 +	ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
 +	EVP_PKEY_free(k);
 +	return ret;
 +}
 +#endif
 +
 +#else
 +
 IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
 +#endif
 +
 IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
 #ifndef OPENSSL_NO_FP_API
--- a/openssl-1.0.0-name-hash.patch
+++ b/openssl-1.0.0-name-hash.patch
@ -1,22 +0,0 @@
 diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
 --- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash	2010-01-12 18:27:10.000000000 +0100
 +++ openssl-1.0.0/crypto/x509/x509_cmp.c	2010-04-06 16:44:52.000000000 +0200
@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
 	{
 	unsigned long ret=0;
 	unsigned char md[16];
 +	EVP_MD_CTX ctx; 
 	/* Make sure X509_NAME structure contains valid cached encoding */
 	i2d_X509_NAME(x,NULL);
 -	EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
 +
 +	EVP_MD_CTX_init(&ctx);
 +	EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 +        EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
 +		&& EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
 +		&& EVP_DigestFinal_ex(&ctx, md, NULL);
 +	EVP_MD_CTX_cleanup(&ctx);
 	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
--- a/openssl-1.0.0a-fips.patch
+++ b/openssl-1.0.0a-fips.patch
--- a/openssl-1.0.0a-fipsmode.patch
+++ b/openssl-1.0.0a-fipsmode.patch
@ -1,272 +0,0 @@
 diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
 --- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode	2009-07-01 16:55:58.000000000 +0200
 +++ openssl-1.0.0a/crypto/engine/eng_all.c	2010-06-04 13:32:13.000000000 +0200
@@ -58,9 +58,23 @@
 #include "cryptlib.h"
 #include "eng_int.h"
 +#ifdef OPENSSL_FIPS
 +#include <openssl/fips.h>
 +#endif
 void ENGINE_load_builtin_engines(void)
 	{
 +#ifdef OPENSSL_FIPS
 +	OPENSSL_init_library();
 +	if (FIPS_mode()) {
 +		/* We allow loading dynamic engine as a third party
 +		   engine might be FIPS validated.
 +		   User is disallowed to load non-validated engines
 +		   by security policy. */
 +		ENGINE_load_dynamic();
 +		return;
 +	}
 +#endif
 #if 0
 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
 	 * it is the *only* way for standard builtin implementations to be be
 diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
 --- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode	2009-12-25 15:12:24.000000000 +0100
 +++ openssl-1.0.0a/crypto/evp/c_allc.c	2010-06-04 13:32:13.000000000 +0200
@@ -65,6 +65,11 @@
 void OpenSSL_add_all_ciphers(void)
 	{
 +#ifdef OPENSSL_FIPS
 +	OPENSSL_init_library();
 +	if(!FIPS_mode()) 
 +		{
 +#endif
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cfb());
 	EVP_add_cipher(EVP_des_cfb1());
@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
 #endif
 +#ifdef OPENSSL_FIPS
 +		}
 +	else
 +		{
 +#ifndef OPENSSL_NO_DES
 +	EVP_add_cipher(EVP_des_ede_cfb());
 +	EVP_add_cipher(EVP_des_ede3_cfb());
 +
 +	EVP_add_cipher(EVP_des_ede_ofb());
 +	EVP_add_cipher(EVP_des_ede3_ofb());
 +
 +	EVP_add_cipher(EVP_des_ede_cbc());
 +	EVP_add_cipher(EVP_des_ede3_cbc());
 +	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
 +	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
 +
 +	EVP_add_cipher(EVP_des_ede());
 +	EVP_add_cipher(EVP_des_ede3());
 +#endif
 +
 +#ifndef OPENSSL_NO_AES
 +	EVP_add_cipher(EVP_aes_128_ecb());
 +	EVP_add_cipher(EVP_aes_128_cbc());
 +	EVP_add_cipher(EVP_aes_128_cfb());
 +	EVP_add_cipher(EVP_aes_128_cfb1());
 +	EVP_add_cipher(EVP_aes_128_cfb8());
 +	EVP_add_cipher(EVP_aes_128_ofb());
 +#if 0
 +	EVP_add_cipher(EVP_aes_128_ctr());
 +#endif
 +	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
 +	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
 +	EVP_add_cipher(EVP_aes_192_ecb());
 +	EVP_add_cipher(EVP_aes_192_cbc());
 +	EVP_add_cipher(EVP_aes_192_cfb());
 +	EVP_add_cipher(EVP_aes_192_cfb1());
 +	EVP_add_cipher(EVP_aes_192_cfb8());
 +	EVP_add_cipher(EVP_aes_192_ofb());
 +#if 0
 +	EVP_add_cipher(EVP_aes_192_ctr());
 +#endif
 +	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
 +	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
 +	EVP_add_cipher(EVP_aes_256_ecb());
 +	EVP_add_cipher(EVP_aes_256_cbc());
 +	EVP_add_cipher(EVP_aes_256_cfb());
 +	EVP_add_cipher(EVP_aes_256_cfb1());
 +	EVP_add_cipher(EVP_aes_256_cfb8());
 +	EVP_add_cipher(EVP_aes_256_ofb());
 +#if 0
 +	EVP_add_cipher(EVP_aes_256_ctr());
 +#endif
 +	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
 +	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
 +#endif
 +		}
 +#endif
 	}
 diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
 --- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
 +++ openssl-1.0.0a/crypto/evp/c_alld.c	2010-06-04 13:32:13.000000000 +0200
@@ -64,6 +64,11 @@
 void OpenSSL_add_all_digests(void)
 	{
 +#ifdef OPENSSL_FIPS
 +	OPENSSL_init_library();
 +	if (!FIPS_mode())
 +		{
 +#endif
 #ifndef OPENSSL_NO_MD4
 	EVP_add_digest(EVP_md4());
 #endif
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
 #ifndef OPENSSL_NO_WHIRLPOOL
 	EVP_add_digest(EVP_whirlpool());
 #endif
 +#ifdef OPENSSL_FIPS
 +		}
 +	else
 +		{
 +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 +	EVP_add_digest(EVP_sha1());
 +	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 +	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 +#ifndef OPENSSL_NO_DSA
 +	EVP_add_digest(EVP_dss1());
 +	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
 +	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
 +	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
 +#endif
 +#ifndef OPENSSL_NO_ECDSA
 +	EVP_add_digest(EVP_ecdsa());
 +#endif
 +#endif
 +#ifndef OPENSSL_NO_SHA256
 +	EVP_add_digest(EVP_sha224());
 +	EVP_add_digest(EVP_sha256());
 +#endif
 +#ifndef OPENSSL_NO_SHA512
 +	EVP_add_digest(EVP_sha384());
 +	EVP_add_digest(EVP_sha512());
 +#endif
 +		}
 +#endif
 	}
 diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
 --- openssl-1.0.0a/crypto/o_init.c.fipsmode	2010-06-04 13:32:13.000000000 +0200
 +++ openssl-1.0.0a/crypto/o_init.c	2010-06-04 13:32:13.000000000 +0200
@@ -59,6 +59,43 @@
 #include <e_os.h>
 #include <openssl/err.h>
 +#ifdef OPENSSL_FIPS
 +#include <sys/types.h>
 +#include <sys/stat.h>
 +#include <fcntl.h>
 +#include <unistd.h>
 +#include <errno.h>
 +#include <stdlib.h>
 +#include <openssl/fips.h>
 +
 +#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
 +
 +static void init_fips_mode(void)
 +	{
 +	char buf[2] = "0";
 +	int fd;
 +	
 +	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
 +		{
 +		buf[0] = '1';
 +		}
 +	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
 +		{
 +		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
 +		close(fd);
 +		}
 +	/* Failure reading the fips mode switch file means just not
 +	 * switching into FIPS mode. We would break too many things
 +	 * otherwise. 
 +	 */
 +	
 +	if (buf[0] == '1')
 +		{
 +		FIPS_mode_set(1);
 +		}
 +	}
 +#endif
 +
 /* Perform any essential OpenSSL initialization operations.
  * Currently only sets FIPS callbacks
  */
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_malloc_debug_init();
 #endif
 +		init_fips_mode();
 		done = 1;
 		}
 #endif
 diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
 --- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode	2010-04-07 15:18:30.000000000 +0200
 +++ openssl-1.0.0a/ssl/ssl_algs.c	2010-06-04 13:32:48.000000000 +0200
@@ -64,6 +64,12 @@
 int SSL_library_init(void)
 	{
 +#ifdef OPENSSL_FIPS
 +	OPENSSL_init_library();
 +	if (!FIPS_mode())
 +		{
 +#endif
 +
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cbc());
 	EVP_add_cipher(EVP_des_ede3_cbc());
@@ -127,6 +133,48 @@ int SSL_library_init(void)
 	EVP_add_digest(EVP_sha());
 	EVP_add_digest(EVP_dss());
 #endif
 +#ifdef OPENSSL_FIPS
 +		}
 +	else
 +		{
 +#ifndef OPENSSL_NO_DES
 +	EVP_add_cipher(EVP_des_ede3_cbc());
 +#endif
 +#ifndef OPENSSL_NO_AES
 +	EVP_add_cipher(EVP_aes_128_cbc());
 +	EVP_add_cipher(EVP_aes_192_cbc());
 +	EVP_add_cipher(EVP_aes_256_cbc());
 +#endif
 +#ifndef OPENSSL_NO_MD5
 +	/* needed even in the FIPS mode for TLS MAC */
 +	EVP_add_digest(EVP_md5());
 +	EVP_add_digest_alias(SN_md5,"ssl2-md5");
 +	EVP_add_digest_alias(SN_md5,"ssl3-md5");
 +#endif
 +#ifndef OPENSSL_NO_SHA
 +	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
 +	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 +	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 +#endif
 +#ifndef OPENSSL_NO_SHA256
 +	EVP_add_digest(EVP_sha224());
 +	EVP_add_digest(EVP_sha256());
 +#endif
 +#ifndef OPENSSL_NO_SHA512
 +	EVP_add_digest(EVP_sha384());
 +	EVP_add_digest(EVP_sha512());
 +#endif
 +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
 +	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
 +	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
 +	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
 +	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
 +#endif
 +#ifndef OPENSSL_NO_ECDSA
 +	EVP_add_digest(EVP_ecdsa());
 +#endif
 +		}
 +#endif
 #ifndef OPENSSL_NO_COMP
 	/* This will initialise the built-in compression algorithms.
 	   The value returned is a STACK_OF(SSL_COMP), but that can
--- a/openssl-1.0.0a-manfix.patch
+++ b/openssl-1.0.0a-manfix.patch
@ -1,21 +0,0 @@
 diff -up openssl-1.0.0a/doc/apps/openssl.pod.manfix openssl-1.0.0a/doc/apps/openssl.pod
 --- openssl-1.0.0a/doc/apps/openssl.pod.manfix	2010-01-21 19:46:28.000000000 +0100
 +++ openssl-1.0.0a/doc/apps/openssl.pod	2010-06-30 14:24:50.000000000 +0200
@@ -287,8 +287,6 @@ SHA Digest
 SHA-1 Digest
 -=back
 -
 =item B<sha224>
 SHA-224 Digest
@@ -305,6 +303,8 @@ SHA-384 Digest
 SHA-512 Digest
 +=back
 +
 =head2 ENCODING AND CIPHER COMMANDS
 =over 10
--- a/openssl-1.0.0b-aesni.patch
+++ b/openssl-1.0.0b-aesni.patch
--- a/openssl-1.0.0c-apps-ipv6listen.patch
+++ b/openssl-1.0.0c-apps-ipv6listen.patch
@ -1,57 +0,0 @@
 diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
 --- openssl-1.0.0c/apps/s_socket.c.ipv6listen	2011-01-24 16:44:18.000000000 +0100
 +++ openssl-1.0.0c/apps/s_socket.c	2011-01-24 16:56:25.000000000 +0100
@@ -335,15 +335,16 @@ int do_server(char *port, int type, int 
 static int init_server(int *sock, char *port, int type)
 	{
 -	struct addrinfo *res, *res0, hints;
 +	struct addrinfo *res, *res0 = NULL, hints;
 	char * failed_call = NULL;
 -	char port_name[8];
 	int s;
 	int e;
 	if (!ssl_sock_init()) return(0);
 	memset(&hints, '\0', sizeof(hints));
 +        hints.ai_family = AF_INET6;
 +tryipv4:
 	hints.ai_socktype = type;
 	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
 			failed_call = "socket";
 			goto nextres;
 			}
 +		if (hints.ai_family == AF_INET6)
 +			{
 +			int j = 0;
 +			setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
 +				   (void *) &j, sizeof j);
 +			}
 #if defined SOL_SOCKET && defined SO_REUSEADDR
 		{
 		int j = 1;
@@ -392,9 +399,19 @@ nextres:
 			close(s);
 		res = res->ai_next;
 	}
 -	freeaddrinfo(res0);
 +	if (res0)
 +		freeaddrinfo(res0);
 -	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 +	if (s == INVALID_SOCKET)
 +	{
 +		if (hints.ai_family == AF_INET6)
 +		{
 +			hints.ai_family = AF_INET;
 +			goto tryipv4;
 +		}
 +		perror("socket");
 +		return(0);
 +	}
 	perror(failed_call);
 	return(0);
--- a/openssl-1.0.0c-fips-md5-allow.patch
+++ b/openssl-1.0.0c-fips-md5-allow.patch
@ -1,20 +0,0 @@
 diff -up openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.0c/crypto/md5/md5_dgst.c
 --- openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow	2011-02-03 19:53:28.000000000 +0100
 +++ openssl-1.0.0c/crypto/md5/md5_dgst.c	2011-02-03 20:33:14.000000000 +0100
@@ -75,7 +75,15 @@ const char MD5_version[]="MD5" OPENSSL_V
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
 -FIPS_NON_FIPS_MD_Init(MD5)
 +int MD5_Init(MD5_CTX *c)
 +#ifdef OPENSSL_FIPS
 +	{
 +	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 +		FIPS_BAD_ALGORITHM(alg)
 +	return private_MD5_Init(c);
 +	}
 +int private_MD5_Init(MD5_CTX *c)
 +#endif
 	{
 	memset (c,0,sizeof(*c));
 	c->A=INIT_DATA_A;
--- a/openssl-1.0.0c-fips186-3.patch
+++ b/openssl-1.0.0c-fips186-3.patch
@ -1,384 +0,0 @@
 diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c
 --- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3	2011-02-03 21:04:14.000000000 +0100
 +++ openssl-1.0.0c/crypto/dsa/dsa_gen.c	2011-02-04 08:54:42.000000000 +0100
@@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
 	int ok=0;
 	unsigned char seed[SHA256_DIGEST_LENGTH];
 	unsigned char md[SHA256_DIGEST_LENGTH];
 -	unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
 +	unsigned char buf[SHA256_DIGEST_LENGTH];
 	BIGNUM *r0,*W,*X,*c,*test;
 	BIGNUM *g=NULL,*q=NULL,*p=NULL;
 	BN_MONT_CTX *mont=NULL;
 -	int i, k, n=0, m=0, qsize = qbits >> 3;
 +	int i, k, b, n=0, m=0, qsize = qbits >> 3;
 	int counter=0;
 	int r=0;
 	BN_CTX *ctx=NULL;
@@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_
 	    goto err;
 	    }
 -	if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
 +	if (FIPS_mode() &&
 +	    (bits != 1024 || qbits != 160) &&
 +	    (bits != 2048 || qbits != 224) &&
 +	    (bits != 2048 || qbits != 256) &&
 +	    (bits != 3072 || qbits != 256))
 		{
 -		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
 +		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
 		goto err;
 		}
 #endif
@@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_
 		return 0;
 	if (evpmd == NULL)
 -		/* use SHA1 as default */
 -		evpmd = EVP_sha1();
 +	    {
 +		if (qbits <= 160)
 +			evpmd = EVP_sha1();
 +		else if (qbits <= 224)
 +			evpmd = EVP_sha224();
 +		else
 +			evpmd = EVP_sha256();
 +	    }
 	if (bits < 512)
 		bits = 512;
 	bits = (bits+63)/64*64;
 -	/* NB: seed_len == 0 is special case: copy generated seed to
 - 	 * seed_in if it is not NULL.
 - 	 */
 	if (seed_len && (seed_len < (size_t)qsize))
 		seed_in = NULL;		/* seed buffer too small -- ignore */
 	if (seed_len > (size_t)qsize) 
 		seed_len = qsize;	/* App. 2.2 of FIPS PUB 186 allows larger SEED,
 -					 * but our internal buffers are restricted to 160 bits*/
 +					 * but our internal buffers are restricted to 256 bits*/
 	if (seed_in != NULL)
 		memcpy(seed, seed_in, seed_len);
@@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
 	if (!BN_lshift(test,BN_value_one(),bits-1))
 		goto err;
 +	/* step 3 n = \lceil bits / qbits \rceil - 1 */
 +	n = (bits+qbits-1)/qbits - 1;
 +	/* step 4 b = bits - 1 - n * qbits */
 +	b = bits - 1 - n*qbits;
 +
 	for (;;)
 		{
 		for (;;) /* find q */
 			{
 			int seed_is_random;
 -			/* step 1 */
 +			/* step 5 generate seed */
 			if(!BN_GENCB_call(cb, 0, m++))
 				goto err;
@@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_
 				seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
 				}
 			memcpy(buf , seed, qsize);
 -			memcpy(buf2, seed, qsize);
 -			/* precompute "SEED + 1" for step 7: */
 -			for (i = qsize-1; i >= 0; i--)
 -				{
 -				buf[i]++;
 -				if (buf[i] != 0)
 -					break;
 -				}
 -			/* step 2 */
 +			/* step 6 U = hash(seed) */
 			EVP_Digest(seed, qsize, md,   NULL, evpmd, NULL);
 -			EVP_Digest(buf,  qsize, buf2, NULL, evpmd, NULL);
 -			for (i = 0; i < qsize; i++)
 -				md[i]^=buf2[i];
 -			/* step 3 */
 +			/* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
 			md[0] |= 0x80;
 			md[qsize-1] |= 0x01;
 			if (!BN_bin2bn(md, qsize, q))
 				goto err;
 -			/* step 4 */
 +			/* step 8 test for prime (64 round of Rabin-Miller) */
 			r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
 					seed_is_random, cb);
 			if (r > 0)
@@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
 			if (r != 0)
 				goto err;
 -			/* do a callback call */
 -			/* step 5 */
 			}
 		if(!BN_GENCB_call(cb, 2, 0)) goto err;
 		if(!BN_GENCB_call(cb, 3, 0)) goto err;
 -		/* step 6 */
 +		/* step 11 */
 		counter=0;
 -		/* "offset = 2" */
 -
 -		n=(bits-1)/160;
 +		/* "offset = 1" */
 		for (;;)
 			{
 			if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
 				goto err;
 -			/* step 7 */
 +			/* step 11.1, 11.2 obtain W */
 			BN_zero(W);
 -			/* now 'buf' contains "SEED + offset - 1" */
 			for (k=0; k<=n; k++)
 				{
 				/* obtain "SEED + offset + k" by incrementing: */
@@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
 				EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
 -				/* step 8 */
 				if (!BN_bin2bn(md, qsize, r0))
 					goto err;
 -				if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
 +				if (k == n)
 +					BN_mask_bits(r0,b);
 +				if (!BN_lshift(r0,r0,qbits*k)) goto err;
 				if (!BN_add(W,W,r0)) goto err;
 				}
 -			/* more of step 8 */
 -			if (!BN_mask_bits(W,bits-1)) goto err;
 +			/* step 11.3 X = W + 2^(L-1) */
 			if (!BN_copy(X,W)) goto err;
 			if (!BN_add(X,X,test)) goto err;
 -			/* step 9 */
 +			/* step 11.4 c = X mod 2*q */
 			if (!BN_lshift1(r0,q)) goto err;
 			if (!BN_mod(c,X,r0,ctx)) goto err;
 +
 +			/* step 11.5 p = X - (c - 1) */
 			if (!BN_sub(r0,c,BN_value_one())) goto err;
 			if (!BN_sub(p,X,r0)) goto err;
 -			/* step 10 */
 +			/* step 11.6 */
 			if (BN_cmp(p,test) >= 0)
 				{
 -				/* step 11 */
 +				/* step 11.7 */
 				r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
 						ctx, 1, cb);
 				if (r > 0)
@@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
 					goto err;
 				}
 -			/* step 13 */
 +			/* step 11.9 */
 			counter++;
 			/* "offset = offset + n + 1" */
 -			/* step 14 */
 -			if (counter >= 4096) break;
 +			/* step 12 */
 +			if (counter >= 4*bits) break;
 			}
 		}
 end:
 diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h
 --- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3	2011-02-03 21:04:14.000000000 +0100
 +++ openssl-1.0.0c/crypto/dsa/dsa.h	2011-02-03 21:04:14.000000000 +0100
@@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void);
 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 100
 #define DSA_R_DECODE_ERROR				 104
 #define DSA_R_INVALID_DIGEST_TYPE			 106
 +#define DSA_R_KEY_SIZE_INVALID				 113
 #define DSA_R_KEY_SIZE_TOO_SMALL			 110
 #define DSA_R_MISSING_PARAMETERS			 101
 #define DSA_R_MODULUS_TOO_LARGE				 103
 diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c
 --- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3	2011-02-03 21:14:07.000000000 +0100
 +++ openssl-1.0.0c/crypto/dsa/dsatest.c	2011-02-04 08:40:24.000000000 +0100
@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
 /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
  * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
 static unsigned char seed[20]={
 -	0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
 -	0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
 +	0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
 +	0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
 	};
 static unsigned char out_p[]={
 -	0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
 -	0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
 -	0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
 -	0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
 -	0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
 -	0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
 -	0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
 -	0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
 +	0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
 +	0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
 +	0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
 +	0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
 +	0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
 +	0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
 +	0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
 +	0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
 +	0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
 +	0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
 +	0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
 	};
 static unsigned char out_q[]={
 -	0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
 -	0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
 -	0xda,0xce,0x91,0x5f,
 +	0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
 +	0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
 	};
 static unsigned char out_g[]={
 -	0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
 -	0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
 -	0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
 -	0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
 -	0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
 -	0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
 -	0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
 -	0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
 +	0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
 +	0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
 +	0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
 +	0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
 +	0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
 +	0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
 +	0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
 +	0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
 +	0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
 +	0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
 +	0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
 	};
 static const unsigned char str1[]="12345678901234567890";
@@ -157,7 +162,7 @@ int main(int argc, char **argv)
 	BIO_printf(bio_err,"test generation of DSA parameters\n");
 	BN_GENCB_set(&cb, dsa_cb, bio_err);
 -	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
 +	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
 				seed, 20, &counter, &h, &cb))
 		goto end;
@@ -170,9 +175,9 @@ int main(int argc, char **argv)
 	BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
 	DSA_print(bio_err,dsa,0);
 -	if (counter != 105) 
 +	if (counter != 239) 
 		{
 -		BIO_printf(bio_err,"counter should be 105\n");
 +		BIO_printf(bio_err,"counter should be 239\n");
 		goto end;
 		}
 	if (h != 2)
 diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c
 --- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3	2011-02-03 21:04:14.000000000 +0100
 +++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c	2011-02-04 09:03:03.000000000 +0100
@@ -68,44 +68,42 @@
 #ifdef OPENSSL_FIPS
 -/* seed, out_p, out_q, out_g are taken the NIST test vectors */
 -
 static unsigned char seed[20] = {
 -	0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
 -	0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
 -  	};
 +	0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
 +	0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
 +	};
 static unsigned char out_p[] = {
 -	0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
 -	0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
 -	0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
 -	0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
 -	0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
 -	0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
 -	0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
 -	0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
 -	0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
 -	0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
 -	0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
 +	0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
 +	0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
 +	0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
 +	0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
 +	0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
 +	0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
 +	0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
 +	0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
 +	0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
 +	0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
 +	0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
 	};
 static unsigned char out_q[] = {
 -	0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
 -	0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
 +	0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
 +	0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
 	};
 static unsigned char out_g[] = {
 -	0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
 -	0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
 -	0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
 -	0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
 -	0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
 -	0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
 -	0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
 -	0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
 -	0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
 -	0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
 -	0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
 +	0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
 +	0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
 +	0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
 +	0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
 +	0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
 +	0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
 +	0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
 +	0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
 +	0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
 +	0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
 +	0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
 	};
 static const unsigned char str1[]="12345678901234567890";
@@ -133,7 +131,7 @@ int FIPS_selftest_dsa()
 	goto err;
     if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL))
 	goto err;
 -    if (counter != 378) 
 +    if (counter != 239) 
 	goto err;
     if (h != 2)
 	goto err;
--- a/openssl-1.0.0c-pkcs12-fips-default.patch
+++ b/openssl-1.0.0c-pkcs12-fips-default.patch
@ -1,25 +0,0 @@
 diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
 --- openssl-1.0.0c/apps/pkcs12.c.fips-default	2009-07-27 23:08:45.000000000 +0200
 +++ openssl-1.0.0c/apps/pkcs12.c	2011-02-04 15:25:38.000000000 +0100
@@ -67,6 +67,9 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 +#ifdef OPENSSL_FIPS
 +#include <openssl/fips.h>
 +#endif
 #define PROG pkcs12_main
@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
     apps_startup();
 +#ifdef OPENSSL_FIPS
 +    if (FIPS_mode())
 +	cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
 +#endif
 +
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
--- a/openssl-1.0.0c-speed-fips.patch
+++ b/openssl-1.0.0c-speed-fips.patch
@ -1,94 +0,0 @@
 diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
 --- openssl-1.0.0c/apps/speed.c.spfips	2010-11-18 14:22:26.000000000 +0100
 +++ openssl-1.0.0c/apps/speed.c	2011-01-24 17:25:32.000000000 +0100
@@ -100,6 +100,9 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 +#ifdef OPENSSL_FIPS
 +#include <openssl/fips.h>
 +#endif
 #if !defined(OPENSSL_SYS_MSDOS)
 #include OPENSSL_UNISTD
 #endif
@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_RSA
 			if (strcmp(*argv,"rsa") == 0)
 			{
 +#ifdef OPENSSL_FIPS
 +				if (!FIPS_mode())
 +#endif
 +				{
 			rsa_doit[R_RSA_512]=1;
 +				}
 			rsa_doit[R_RSA_1024]=1;
 			rsa_doit[R_RSA_2048]=1;
 			rsa_doit[R_RSA_4096]=1;
@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
 			if (strcmp(*argv,"dsa") == 0)
 			{
 +#ifdef OPENSSL_FIPS
 +				if (!FIPS_mode())
 +#endif
 +				{
 			dsa_doit[R_DSA_512]=1;
 +				}
 			dsa_doit[R_DSA_1024]=1;
 			dsa_doit[R_DSA_2048]=1;
 			}
@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
 	AES_set_encrypt_key(key32,256,&aes_ks3);
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 +	if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
 +	    {
 	Camellia_set_key(key16,128,&camellia_ks1);
 	Camellia_set_key(ckey24,192,&camellia_ks2);
 	Camellia_set_key(ckey32,256,&camellia_ks3);
 +	    }
 #endif
 #ifndef OPENSSL_NO_IDEA
 +	if (doit[D_CBC_IDEA])
 +	    {
 	idea_set_encrypt_key(key16,&idea_ks);
 +	    }
 #endif
 #ifndef OPENSSL_NO_SEED
 +	if (doit[D_CBC_SEED])
 +	    {
 	SEED_set_key(key16,&seed_ks);
 +	    }
 #endif
 #ifndef OPENSSL_NO_RC4
 +	if (doit[D_RC4])
 +	    {
 	RC4_set_key(&rc4_ks,16,key16);
 +	    }
 #endif
 #ifndef OPENSSL_NO_RC2
 +	if (doit[D_CBC_RC2])
 +	    {
 	RC2_set_key(&rc2_ks,16,key16,128);
 +	    }
 #endif
 #ifndef OPENSSL_NO_RC5
 +	if (doit[D_CBC_RC5])
 +	    {
 	RC5_32_set_key(&rc5_ks,16,key16,12);
 +	    }
 #endif
 #ifndef OPENSSL_NO_BF
 +	if (doit[D_CBC_BF])
 +	    {
 	BF_set_key(&bf_ks,16,key16);
 +	    }
 #endif
 #ifndef OPENSSL_NO_CAST
 +	if (doit[D_CBC_CAST])
 +	    {
 	CAST_set_key(&cast_ks,16,key16);
 +	    }
 #endif
 #ifndef OPENSSL_NO_RSA
 	memset(rsa_c,0,sizeof(rsa_c));
--- a/openssl-1.0.0d-version.patch
+++ b/openssl-1.0.0d-version.patch
@ -1,22 +0,0 @@
 diff -up openssl-1.0.0d/crypto/opensslv.h.version openssl-1.0.0d/crypto/opensslv.h
 --- openssl-1.0.0d/crypto/opensslv.h.version	2011-02-10 14:24:52.000000000 +0100
 +++ openssl-1.0.0d/crypto/opensslv.h	2011-02-10 14:48:00.000000000 +0100
@@ -25,7 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
 -#define OPENSSL_VERSION_NUMBER	0x1000004fL
 +/* we have to keep the version number to not break the abi */
 +#define OPENSSL_VERSION_NUMBER	0x10000003
 #ifdef OPENSSL_FIPS
 #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0d-fips 8 Feb 2011"
 #else
@@ -83,7 +84,7 @@
  * should only keep the versions that are binary compatible with the current.
  */
 #define SHLIB_VERSION_HISTORY ""
 -#define SHLIB_VERSION_NUMBER "1.0.0"
 +#define SHLIB_VERSION_NUMBER "1.0.0d"
 #endif /* HEADER_OPENSSLV_H */
--- a/openssl-1.0.0d-xmpp-starttls.patch
+++ b/openssl-1.0.0d-xmpp-starttls.patch
@ -0,0 +1,12 @@
 diff -ru openssl-1.0.0d.old/apps/s_client.c openssl-1.0.0d/apps/s_client.c
 --- openssl-1.0.0d.old/apps/s_client.c	2011-07-17 21:05:19.934181169 +0200
 +++ openssl-1.0.0d/apps/s_client.c	2011-07-17 21:11:42.747824990 +0200
@@ -1186,7 +1186,7 @@
 		    "xmlns='jabber:client' to='%s' version='1.0'>", host);
 		seen = BIO_read(sbio,mbuf,BUFSIZZ);
 		mbuf[seen] = 0;
 -		while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
 +		while (!strcasestr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && !strcasestr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
 			{
 			if (strstr(mbuf, "/stream:features>"))
 				goto shut;
--- a/openssl-1.0.0e-chil-fixes.patch
+++ b/openssl-1.0.0e-chil-fixes.patch
@ -0,0 +1,24 @@
 diff -up openssl-1.0.0e/engines/e_chil.c.chil openssl-1.0.0e/engines/e_chil.c
 --- openssl-1.0.0e/engines/e_chil.c.chil	2010-06-15 19:25:12.000000000 +0200
 +++ openssl-1.0.0e/engines/e_chil.c	2011-09-21 17:32:03.000000000 +0200
@@ -1261,6 +1261,11 @@ static int hwcrhk_insert_card(const char
         UI *ui;
 	void *callback_data = NULL;
         UI_METHOD *ui_method = NULL;
 +	/* Despite what the documentation says prompt_info can be
 +	 * an empty string.
 +	 */
 +	if (prompt_info && !*prompt_info)
 +		prompt_info = NULL;
         if (cactx)
                 {
@@ -1287,7 +1292,7 @@ static int hwcrhk_insert_card(const char
 	if (ui)
 		{
 -		char answer;
 +		char answer = '\0';
 		char buf[BUFSIZ];
 		/* Despite what the documentation says wrong_info can be
 	 	 * an empty string.
--- a/openssl-1.0.0e-doc-noeof.patch
+++ b/openssl-1.0.0e-doc-noeof.patch
@ -0,0 +1,23 @@
 diff -up openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof openssl-1.0.0e/doc/apps/s_client.pod
 --- openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof	2009-06-26 13:28:51.000000000 +0200
 +++ openssl-1.0.0e/doc/apps/s_client.pod	2011-11-03 08:30:35.000000000 +0100
@@ -27,6 +27,7 @@ B<openssl> B<s_client>
 [B<-nbio>]
 [B<-crlf>]
 [B<-ign_eof>]
 +[B<-no_ign_eof>]
 [B<-quiet>]
 [B<-ssl2>]
 [B<-ssl3>]
@@ -161,6 +162,11 @@ by some servers.
 inhibit shutting down the connection when end of file is reached in the
 input.
 +=item B<-no_ign_eof>
 +
 +shut down the connection when end of file is reached in the
 +input. Can be used to override the implicit B<-ign_eof> after B<-quiet>.
 +
 =item B<-quiet>
 inhibit printing of session and certificate information.  This implicitly
--- a/openssl-1.0.0-beta3-defaults.patch
+++ b/openssl-1.0.0-beta3-defaults.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/openssl.cnf
+diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
--- openssl-1.0.0-beta3/apps/openssl.cnf.defaults	2009-04-04 20:09:43.000000000 +0200
+--- openssl-1.0.0f/apps/openssl.cnf.defaults	2011-12-06 01:01:00.000000000 +0100
-+++ openssl-1.0.0-beta3/apps/openssl.cnf	2009-08-04 22:57:16.000000000 +0200
+++ openssl-1.0.0f/apps/openssl.cnf	2012-01-05 13:16:15.000000000 +0100
@@ -103,7 +103,8 @@ emailAddress		= optional
 ####################################################################
@ -37,7 +37,7 @@ diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
-commonName			= Common Name (eg, YOUR name)
+-commonName			= Common Name (e.g. server FQDN or YOUR name)
 +commonName			= Common Name (eg, your name or your server\'s hostname)
 commonName_max			= 64
--- a/openssl-1.0.1-beta2-dtls1-abi.patch
+++ b/openssl-1.0.1-beta2-dtls1-abi.patch
@ -0,0 +1,23 @@
 diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
 --- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi	2012-02-06 17:07:34.630336118 +0100
 +++ openssl-1.0.1-beta2/ssl/dtls1.h	2012-02-06 17:10:08.956623707 +0100
@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
 	 */
 	record_pqueue buffered_app_data;
 -	/* Is set when listening for new connections with dtls1_listen() */
 -	unsigned int listen;
 -
 	unsigned int mtu; /* max DTLS packet size */
 	struct hm_header_st w_msg_hdr;
@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
 	unsigned int retransmitting;
 	unsigned int change_cipher_spec_ok;
 +	/* Is set when listening for new connections with dtls1_listen() */
 +	unsigned int listen;
 +
 #ifndef OPENSSL_NO_SCTP
 	/* used when SSL_ST_XX_FLUSH is entered */
 	int next_state;
--- a/openssl-1.0.1-beta2-fips-md5-allow.patch
+++ b/openssl-1.0.1-beta2-fips-md5-allow.patch
@ -0,0 +1,21 @@
 diff -up openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.1-beta2/crypto/md5/md5_dgst.c
 --- openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow	2012-02-06 20:09:56.000000000 +0100
 +++ openssl-1.0.1-beta2/crypto/md5/md5_dgst.c	2012-02-06 20:14:02.332117603 +0100
@@ -71,7 +71,16 @@ const char MD5_version[]="MD5" OPENSSL_V
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
 -nonfips_md_init(MD5)
 +int MD5_Init(MD5_CTX *c)
 +#ifdef OPENSSL_FIPS
 +	{
 +	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 +		OpenSSLDie(__FILE__, __LINE__, \
 +                "Digest MD5 forbidden in FIPS mode!");
 +	return private_MD5_Init(c);
 +	}
 +int private_MD5_Init(MD5_CTX *c)
 +#endif
 	{
 	memset (c,0,sizeof(*c));
 	c->A=INIT_DATA_A;
--- a/openssl-1.0.1-beta2-padlock64.patch
+++ b/openssl-1.0.1-beta2-padlock64.patch
@ -0,0 +1,193 @@
 diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
 --- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64	2011-06-21 18:42:15.000000000 +0200
 +++ openssl-1.0.1-beta2/engines/e_padlock.c	2012-02-06 20:18:52.039537799 +0100
@@ -101,7 +101,10 @@
    compiler choice is limited to GCC and Microsoft C. */
 #undef COMPILE_HW_PADLOCK
 #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
 -# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
 +# if (defined(__GNUC__) && __GNUC__>=2 && \
 +	(defined(__i386__) || defined(__i386) || \
 +	 defined(__x86_64__) || defined(__x86_64)) \
 +     ) || \
      (defined(_MSC_VER) && defined(_M_IX86))
 #  define COMPILE_HW_PADLOCK
 # endif
@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
 # endif
 #elif defined(__GNUC__)
 # ifndef alloca
 -#  define alloca(s) __builtin_alloca(s)
 +#  define alloca(s) __builtin_alloca((s))
 # endif
 #endif
@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
  * =======================================================
  */
 #if defined(__GNUC__) && __GNUC__>=2
 +#if defined(__i386__) || defined(__i386)
 /*
  * As for excessive "push %ebx"/"pop %ebx" found all over.
  * When generating position-independent code GCC won't let
@@ -383,21 +387,6 @@ padlock_available(void)
 	return padlock_use_ace + padlock_use_rng;
 }
 -#ifndef OPENSSL_NO_AES
 -/* Our own htonl()/ntohl() */
 -static inline void
 -padlock_bswapl(AES_KEY *ks)
 -{
 -	size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
 -	unsigned int *key = ks->rd_key;
 -
 -	while (i--) {
 -		asm volatile ("bswapl %0" : "+r"(*key));
 -		key++;
 -	}
 -}
 -#endif
 -
 /* Force key reload from memory to the CPU microcode.
    Loading EFLAGS from the stack clears EFLAGS[30] 
    which does the trick. */
@@ -455,12 +444,127 @@ static inline void *name(size_t cnt,		\
 		: "edx", "cc", "memory");	\
 	return iv;				\
 }
 +#endif
 +
 +#elif defined(__x86_64__) || defined(__x86_64)
 +
 +/* Load supported features of the CPU to see if
 +   the PadLock is available. */
 +static int
 +padlock_available(void)
 +{
 +	char vendor_string[16];
 +	unsigned int eax, edx;
 +	/* Are we running on the Centaur (VIA) CPU? */
 +	eax = 0x00000000;
 +	vendor_string[12] = 0;
 +	asm volatile (
 +		"cpuid\n"
 +		"movl	%%ebx,(%1)\n"
 +		"movl	%%edx,4(%1)\n"
 +		"movl	%%ecx,8(%1)\n"
 +		: "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
 +	if (strcmp(vendor_string, "CentaurHauls") != 0)
 +		return 0;
 +
 +	/* Check for Centaur Extended Feature Flags presence */
 +	eax = 0xC0000000;
 +	asm volatile ("cpuid"
 +		: "+a"(eax) : : "rbx", "rcx", "rdx");
 +	if (eax < 0xC0000001)
 +		return 0;
 +
 +	/* Read the Centaur Extended Feature Flags */
 +	eax = 0xC0000001;
 +	asm volatile ("cpuid"
 +		: "+a"(eax), "=d"(edx) : : "rbx", "rcx");
 +
 +	/* Fill up some flags */
 +	padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
 +	padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
 +
 +	return padlock_use_ace + padlock_use_rng;
 +}
 +
 +/* Force key reload from memory to the CPU microcode.
 +   Loading EFLAGS from the stack clears EFLAGS[30] 
 +   which does the trick. */
 +static inline void
 +padlock_reload_key(void)
 +{
 +	asm volatile ("pushfq; popfq");
 +}
 +
 +#ifndef OPENSSL_NO_AES
 +/*
 + * This is heuristic key context tracing. At first one
 + * believes that one should use atomic swap instructions,
 + * but it's not actually necessary. Point is that if
 + * padlock_saved_context was changed by another thread
 + * after we've read it and before we compare it with cdata,
 + * our key *shall* be reloaded upon thread context switch
 + * and we are therefore set in either case...
 + */
 +static inline void
 +padlock_verify_context(struct padlock_cipher_data *cdata)
 +{
 +	asm volatile (
 +	"pushfq\n"
 +"	btl	$30,(%%rsp)\n"
 +"	jnc	1f\n"
 +"	cmpq	%2,%1\n"
 +"	je	1f\n"
 +"	popfq\n"
 +"	subq	$8,%%rsp\n"
 +"1:	addq	$8,%%rsp\n"
 +"	movq	%2,%0"
 +	:"+m"(padlock_saved_context)
 +	: "r"(padlock_saved_context), "r"(cdata) : "cc");
 +}
 +
 +/* Template for padlock_xcrypt_* modes */
 +/* BIG FAT WARNING: 
 + * 	The offsets used with 'leal' instructions
 + * 	describe items of the 'padlock_cipher_data'
 + * 	structure.
 + */
 +#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt)	\
 +static inline void *name(size_t cnt,		\
 +	struct padlock_cipher_data *cdata,	\
 +	void *out, const void *inp) 		\
 +{	void *iv; 				\
 +	asm volatile ( "leaq	16(%0),%%rdx\n"	\
 +		"	leaq	32(%0),%%rbx\n"	\
 +			rep_xcrypt "\n"		\
 +		: "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
 +		: "0"(cdata), "1"(cnt), "2"(out), "3"(inp)  \
 +		: "rbx", "rdx", "cc", "memory");	\
 +	return iv;				\
 +}
 +#endif
 +
 +#endif	/* cpu */
 +
 +#ifndef OPENSSL_NO_AES
 /* Generate all functions with appropriate opcodes */
 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")	/* rep xcryptecb */
 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0")	/* rep xcryptcbc */
 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")	/* rep xcryptcfb */
 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")	/* rep xcryptofb */
 +
 +/* Our own htonl()/ntohl() */
 +static inline void
 +padlock_bswapl(AES_KEY *ks)
 +{
 +	size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
 +	unsigned int *key = ks->rd_key;
 +
 +	while (i--) {
 +		asm volatile ("bswapl %0" : "+r"(*key));
 +		key++;
 +	}
 +}
 #endif
 /* The RNG call itself */
@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
 static inline unsigned char *
 padlock_memcpy(void *dst,const void *src,size_t n)
 {
 -	long       *d=dst;
 -	const long *s=src;
 +	size_t       *d=dst;
 +	const size_t *s=src;
 	n /= sizeof(*d);
 	do { *d++ = *s++; } while (--n);
--- a/openssl-1.0.1-beta2-rpmbuild.patch
+++ b/openssl-1.0.1-beta2-rpmbuild.patch
@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
+diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
--- openssl-1.0.0-beta4/Configure.redhat	2009-11-09 15:11:13.000000000 +0100
+--- openssl-1.0.1-beta2/Configure.rpmbuild	2012-01-05 01:07:34.000000000 +0100
-+++ openssl-1.0.0-beta4/Configure	2009-11-12 12:15:27.000000000 +0100
+++ openssl-1.0.1-beta2/Configure	2012-02-02 12:43:56.547409325 +0100
-@@ -336,32 +336,32 @@ my %table=(
+@@ -343,23 +343,23 @@ my %table=(
 ####
 # *-generic* is endian-neutral target, but ./config is free to
 # throw in -D[BL]_ENDIAN, whichever appropriate...
@ -27,10 +27,19 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
 +"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
 # /proc/cpuinfo. The idea is to preserve most significant bits of
@@ -373,16 +373,16 @@ my %table=(
 # ldconfig and run-time linker to autodiscover. Unfortunately it
 # doesn't work just yet, because of couple of bugs in glibc
 # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
 -"linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
 +"linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
 #### SPARC Linux setups
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
@ -46,7 +55,7 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
 # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -375,8 +375,8 @@ my %table=(
+@@ -396,8 +396,8 @@ my %table=(
 #
 #					<appro@fy.chalmers.se>
 #
@ -57,3 +66,44 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
 "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
@@ -1678,7 +1678,7 @@ while (<IN>)
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 -		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 +		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
 		{
 diff -up openssl-1.0.1-beta2/Makefile.org.rpmbuild openssl-1.0.1-beta2/Makefile.org
 --- openssl-1.0.1-beta2/Makefile.org.rpmbuild	2011-12-27 16:17:50.000000000 +0100
 +++ openssl-1.0.1-beta2/Makefile.org	2012-02-02 12:30:23.652495435 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=
 SHLIB_MINOR=
 SHLIB_EXT=
 +SHLIB_SONAMEVER=10
 PLATFORM=dist
 OPTIONS=
 CONFIGURE_ARGS=
@@ -333,10 +334,9 @@ clean-shared:
 link-shared:
 	@ set -e; for i in $(SHLIBDIRS); do \
 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
 -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			symlink.$(SHLIB_TARGET); \
 -		libs="$$libs -l$$i"; \
 	done
 build-shared: do_$(SHLIB_TARGET) link-shared
@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			LIBDEPS="$$libs $(EX_LIBS)" \
 			link_a.$(SHLIB_TARGET); \
--- a/openssl-1.0.0-beta5-cipher-change.patch
+++ b/openssl-1.0.0-beta5-cipher-change.patch
@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
+diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change	2010-01-20 18:12:07.000000000 +0100
+--- openssl-1.0.1-beta2/ssl/ssl.h.op-all	2012-02-02 12:49:00.828035916 +0100
-+++ openssl-1.0.0-beta5/ssl/ssl.h	2010-01-20 18:13:04.000000000 +0100
+++ openssl-1.0.1-beta2/ssl/ssl.h	2012-02-02 12:52:27.297818182 +0100
-@@ -513,7 +513,7 @@ typedef struct ssl_session_st
+@@ -540,7 +540,7 @@ struct ssl_session_st
 #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
@ -10,12 +10,12 @@ diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
 #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
-@@ -530,7 +530,7 @@ typedef struct ssl_session_st
+@@ -558,7 +558,7 @@ struct ssl_session_st
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
  *             This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL					0x80000FFFL
+-#define SSL_OP_ALL					0x80000BFFL
-+#define SSL_OP_ALL					0x80000FF7L
+#define SSL_OP_ALL					0x80000BF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU                 0x00001000L
--- a/openssl-1.0.1-pkgconfig-krb5.patch
+++ b/openssl-1.0.1-pkgconfig-krb5.patch
@ -0,0 +1,30 @@
 diff -up openssl-1.0.1/Makefile.org.krb5 openssl-1.0.1/Makefile.org
 --- openssl-1.0.1/Makefile.org.krb5	2012-03-14 21:15:04.000000000 +0100
 +++ openssl-1.0.1/Makefile.org	2012-04-11 16:28:31.254725422 +0200
@@ -370,7 +370,7 @@ libcrypto.pc: Makefile
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lcrypto'; \
 	    echo 'Libs.private: $(EX_LIBS)'; \
 -	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 +	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -383,7 +383,7 @@ libssl.pc: Makefile
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
 -	    echo 'Libs.private: $(EX_LIBS)'; \
 +	    echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 openssl.pc: Makefile
@@ -397,7 +397,7 @@ openssl.pc: Makefile
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
 -	    echo 'Libs.private: $(EX_LIBS)'; \
 +	    echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 Makefile: Makefile.org Configure config
--- a/openssl-1.0.1-version.patch
+++ b/openssl-1.0.1-version.patch
@ -0,0 +1,55 @@
 diff -up openssl-1.0.1/crypto/cversion.c.version openssl-1.0.1/crypto/cversion.c
 --- openssl-1.0.1/crypto/cversion.c.version	2004-04-19 20:09:22.000000000 +0200
 +++ openssl-1.0.1/crypto/cversion.c	2012-03-14 20:58:20.630352536 +0100
@@ -110,8 +110,15 @@ const char *SSLeay_version(int t)
 	return("not available");
 	}
 -unsigned long SSLeay(void)
 +unsigned long _original_SSLeay(void)
 +	{
 +	return(0x10000003);
 +	}
 +
 +unsigned long _current_SSLeay(void)
 	{
 	return(SSLEAY_VERSION_NUMBER);
 	}
 +__asm__(".symver _original_SSLeay,SSLeay@");
 +__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
 diff -up openssl-1.0.1/crypto/opensslv.h.version openssl-1.0.1/crypto/opensslv.h
 --- openssl-1.0.1/crypto/opensslv.h.version	2012-03-14 20:58:19.914337879 +0100
 +++ openssl-1.0.1/crypto/opensslv.h	2012-03-14 20:58:20.630352536 +0100
@@ -83,7 +83,7 @@
  * should only keep the versions that are binary compatible with the current.
  */
 #define SHLIB_VERSION_HISTORY ""
 -#define SHLIB_VERSION_NUMBER "1.0.0"
 +#define SHLIB_VERSION_NUMBER "1.0.1c"
 #endif /* HEADER_OPENSSLV_H */
 diff -up openssl-1.0.1/Makefile.shared.version openssl-1.0.1/Makefile.shared
 --- openssl-1.0.1/Makefile.shared.version	2012-03-14 20:58:20.553350959 +0100
 +++ openssl-1.0.1/Makefile.shared	2012-03-14 20:58:20.631352556 +0100
@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
 -	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
 +	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
 DO_GNU_APP=LDFLAGS="$(CFLAGS)"
 diff -up openssl-1.0.1/version.map.version openssl-1.0.1/version.map
 --- openssl-1.0.1/version.map.version	2012-03-14 20:58:20.631352556 +0100
 +++ openssl-1.0.1/version.map	2012-03-14 20:58:20.631352556 +0100
@@ -0,0 +1,7 @@
 +OPENSSL_1.0.1 {
 +    global:
 +	    SSLeay;
 +    local:
 +	    _original*;
 +	    _current*;
 +};
--- a/openssl-1.0.0-beta4-algo-doc.patch
+++ b/openssl-1.0.0-beta4-algo-doc.patch
@ -1,28 +1,7 @@
-diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
+diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc	2009-10-16 17:29:34.000000000 +0200
+--- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc	2012-04-11 00:28:22.000000000 +0200
-+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod	2009-11-12 14:13:21.000000000 +0100
+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod	2012-04-20 09:14:01.865167011 +0200
-@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
+@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
 EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
 EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
 EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
 -EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
 +EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224,
 +EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
 EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
 EVP digest routines
@@ -51,6 +52,10 @@ EVP digest routines
  const EVP_MD *EVP_md5(void);
  const EVP_MD *EVP_sha(void);
  const EVP_MD *EVP_sha1(void);
 + const EVP_MD *EVP_sha224(void);
 + const EVP_MD *EVP_sha256(void);
 + const EVP_MD *EVP_sha384(void);
 + const EVP_MD *EVP_sha512(void);
  const EVP_MD *EVP_dss(void);
  const EVP_MD *EVP_dss1(void);
  const EVP_MD *EVP_mdc2(void);
@@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
 EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
 B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
@ -31,22 +10,7 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
 If B<impl> is NULL then the default implementation of digest B<type> is used.
 EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-@@ -127,9 +132,11 @@ with this digest. For example EVP_sha1()
+@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
 return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
 algorithms may not be retained in future versions of OpenSSL.
 -EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
 -return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
 -algorithms respectively. The associated signature algorithm is RSA in each case.
 +EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
 +EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160()
 +return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384,
 +SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated
 +signature algorithm is RSA in each case.
 EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
 algorithms but using DSS (DSA) for the signature algorithm. Note: there is 
@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
 EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
 size in bytes.
@ -56,10 +20,10 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
 EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
 corresponding EVP_MD structures.
-diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
+diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
+--- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
-+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod	2009-11-12 14:11:03.000000000 +0100
+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod	2012-04-20 09:10:59.114736465 +0200
-@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher 
+@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
  int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
  int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
--- a/openssl-1.0.1c-aliasing.patch
+++ b/openssl-1.0.1c-aliasing.patch
@ -0,0 +1,12 @@
 diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile
 --- openssl-1.0.1c/crypto/modes/Makefile.aliasing	2011-08-12 00:36:17.000000000 +0200
 +++ openssl-1.0.1c/crypto/modes/Makefile	2012-07-13 11:32:10.767829077 +0200
@@ -12,7 +12,7 @@ AR=		ar r
 MODES_ASM_OBJ=
 -CFLAGS= $(INCLUDES) $(CFLAG)
 +CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing
 ASFLAGS= $(INCLUDES) $(ASFLAG)
 AFLAGS= $(ASFLAGS)
--- a/openssl-1.0.1c-backports.patch
+++ b/openssl-1.0.1c-backports.patch
@ -0,0 +1,106 @@
 diff -up openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports openssl-1.0.1c/crypto/asn1/x_pubkey.c
 --- openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports	2012-02-28 15:47:16.000000000 +0100
 +++ openssl-1.0.1c/crypto/asn1/x_pubkey.c	2012-05-15 17:44:14.584128501 +0200
@@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *k
 	CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
 	if (key->pkey)
 		{
 +		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 		EVP_PKEY_free(ret);
 		ret = key->pkey;
 		}
 	else
 +		{
 		key->pkey = ret;
 -	CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 +		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 +		}
 	CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
 	return ret;
 diff -up openssl-1.0.1c/ssl/s3_lib.c.backports openssl-1.0.1c/ssl/s3_lib.c
 --- openssl-1.0.1c/ssl/s3_lib.c.backports	2012-04-17 17:20:17.000000000 +0200
 +++ openssl-1.0.1c/ssl/s3_lib.c	2012-05-15 17:42:43.880139566 +0200
@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	0, /* not implemented (non-ephemeral DH) */
 	TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
 -	SSL_kDHr,
 +	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES128,
 	SSL_SHA256,
@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	0, /* not implemented (non-ephemeral DH) */
 	TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
 -	SSL_kDHr,
 +	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES256,
 	SSL_SHA256,
@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	0,
 	TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
 -	SSL_kDHr,
 +	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES128GCM,
 	SSL_AEAD,
@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	0,
 	TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
 	TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
 -	SSL_kDHr,
 +	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES256GCM,
 	SSL_AEAD,
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
 	TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
 -	SSL_kECDHe,
 +	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES128,
 	SSL_SHA256,
@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
 	TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
 -	SSL_kECDHe,
 +	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES256,
 	SSL_SHA384,
@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
 	TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
 -	SSL_kECDHe,
 +	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES128GCM,
 	SSL_AEAD,
@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
 	TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
 -	SSL_kECDHe,
 +	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES256GCM,
 	SSL_AEAD,
 diff -up openssl-1.0.1c/ssl/s3_pkt.c.backports openssl-1.0.1c/ssl/s3_pkt.c
 --- openssl-1.0.1c/ssl/s3_pkt.c.backports	2012-04-17 15:20:19.000000000 +0200
 +++ openssl-1.0.1c/ssl/s3_pkt.c	2012-05-15 17:43:48.470555889 +0200
@@ -744,6 +744,7 @@ static int do_ssl3_write(SSL *s, int typ
 	 * bytes and record version number > TLS 1.0
 	 */
 	if (s->state == SSL3_ST_CW_CLNT_HELLO_B
 +				&& !s->renegotiate
 				&& TLS1_get_version(s) > TLS1_VERSION)
 		*(p++) = 0x1;
 	else
--- a/openssl-1.0.1c-backports2.patch
+++ b/openssl-1.0.1c-backports2.patch
@ -0,0 +1,103 @@
 diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
 --- openssl-1.0.1c/apps/cms.c.backports2	2012-01-05 14:46:27.000000000 +0100
 +++ openssl-1.0.1c/apps/cms.c	2012-09-07 10:34:42.000000000 +0200
@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
 		else if (!strcmp(*args,"-camellia256"))
 				cipher = EVP_camellia_256_cbc();
 #endif
 +		else if (!strcmp (*args, "-debug_decrypt")) 
 +				flags |= CMS_DEBUG_DECRYPT;
 		else if (!strcmp (*args, "-text")) 
 				flags |= CMS_TEXT;
 		else if (!strcmp (*args, "-nointern")) 
@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv)
 	ret = 4;
 	if (operation == SMIME_DECRYPT)
 		{
 +		if (flags & CMS_DEBUG_DECRYPT)
 +			CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
 		if (secret_key)
 			{
 diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h
 --- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2	2012-09-06 17:25:22.000000000 +0200
 +++ openssl-1.0.1c/crypto/bn/bn_lcl.h	2012-09-07 10:22:43.000000000 +0200
@@ -282,16 +282,23 @@ extern "C" {
 #  endif
 # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
 #  if defined(__GNUC__) && __GNUC__>=2
 -#   define BN_UMULT_HIGH(a,b)	({	\
 +#   if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
 +#     define BN_UMULT_HIGH(a,b)		 (((__uint128_t)(a)*(b))>>64)
 +#     define BN_UMULT_LOHI(low,high,a,b) ({	\
 +	__uint128_t ret=(__uint128_t)(a)*(b);	\
 +	(high)=ret>>64; (low)=ret;	 })
 +#   else
 +#     define BN_UMULT_HIGH(a,b)	({	\
 	register BN_ULONG ret;		\
 	asm ("dmultu	%1,%2"		\
 	     : "=h"(ret)		\
 	     : "r"(a), "r"(b) : "l");	\
 	ret;			})
 -#   define BN_UMULT_LOHI(low,high,a,b)	\
 +#     define BN_UMULT_LOHI(low,high,a,b)\
 	asm ("dmultu	%2,%3"		\
 	     : "=l"(low),"=h"(high)	\
 	     : "r"(a), "r"(b));
 +#    endif
 #  endif
 # endif		/* cpu */
 #endif		/* OPENSSL_NO_ASM */
 diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c
 --- openssl-1.0.1c/crypto/modes/gcm128.c.backports2	2012-01-25 18:56:24.000000000 +0100
 +++ openssl-1.0.1c/crypto/modes/gcm128.c	2012-09-07 10:24:56.000000000 +0200
@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT
 	void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16])	= ctx->gmult;
 #endif
 -	if (ctx->mres)
 +	if (ctx->mres || ctx->ares)
 		GCM_MUL(ctx,Xi);
 	if (is_endian.little) {
 diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
 --- openssl-1.0.1c/ssl/ssl_cert.c.backports2	2011-05-11 15:37:52.000000000 +0200
 +++ openssl-1.0.1c/ssl/ssl_cert.c	2012-09-07 10:33:54.000000000 +0200
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT
 	{
 	/* Set digest values to defaults */
 #ifndef OPENSSL_NO_DSA
 -	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
 +	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_RSA
 	cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
 	cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 -	cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
 +	cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #endif
 	}
 diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
 --- openssl-1.0.1c/ssl/t1_lib.c.backports2	2012-03-21 22:32:57.000000000 +0100
 +++ openssl-1.0.1c/ssl/t1_lib.c	2012-09-07 10:33:54.000000000 +0200
@@ -2414,7 +2414,7 @@ int tls1_process_sigalgs(SSL *s, const u
 	 */
 #ifndef OPENSSL_NO_DSA
 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
 -		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
 +		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_RSA
 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2425,7 +2425,7 @@ int tls1_process_sigalgs(SSL *s, const u
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (!c->pkeys[SSL_PKEY_ECC].digest)
 -		c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
 +		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #endif
 	return 1;
 	}
--- a/openssl-1.0.1c-ccm-init-str.patch
+++ b/openssl-1.0.1c-ccm-init-str.patch
@ -0,0 +1,11 @@
 diff -up openssl-1.0.1c/crypto/evp/e_aes.c.init-str openssl-1.0.1c/crypto/evp/e_aes.c
 --- openssl-1.0.1c/crypto/evp/e_aes.c.init-str	2012-09-06 17:20:45.000000000 +0200
 +++ openssl-1.0.1c/crypto/evp/e_aes.c	2012-09-06 17:18:30.000000000 +0200
@@ -1216,6 +1216,7 @@ static int aes_ccm_init_key(EVP_CIPHER_C
 			vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
 			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
 					&cctx->ks, (block128_f)vpaes_encrypt);
 +			cctx->str = NULL;
 			cctx->key_set = 1;
 			break;
 			}
--- a/openssl-1.0.1c-fips.patch
+++ b/openssl-1.0.1c-fips.patch
--- a/openssl-1.0.1c-ipv6-apps.patch
+++ b/openssl-1.0.1c-ipv6-apps.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
+diff -up openssl-1.0.1c/apps/s_apps.h.ipv6-apps openssl-1.0.1c/apps/s_apps.h
--- openssl-1.0.0b/apps/s_apps.h.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
+--- openssl-1.0.1c/apps/s_apps.h.ipv6-apps	2012-07-11 22:46:02.409221206 +0200
-+++ openssl-1.0.0b/apps/s_apps.h	2010-11-16 17:19:29.000000000 +0100
+++ openssl-1.0.1c/apps/s_apps.h	2012-07-11 22:46:02.451222165 +0200
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
@ -10,7 +10,7 @@ diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
 #ifdef HEADER_X509_H
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
-@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, 
+@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
 int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
 #endif
@ -23,10 +23,10 @@ diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
 long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
 				   int argi, long argl, long ret);
-diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
+diff -up openssl-1.0.1c/apps/s_client.c.ipv6-apps openssl-1.0.1c/apps/s_client.c
--- openssl-1.0.0b/apps/s_client.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
+--- openssl-1.0.1c/apps/s_client.c.ipv6-apps	2012-07-11 22:46:02.433221754 +0200
-+++ openssl-1.0.0b/apps/s_client.c	2010-11-16 17:19:29.000000000 +0100
+++ openssl-1.0.1c/apps/s_client.c	2012-07-11 22:46:02.452222187 +0200
-@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
+@@ -563,7 +563,7 @@ int MAIN(int argc, char **argv)
 	int cbuf_len,cbuf_off;
 	int sbuf_len,sbuf_off;
 	fd_set readfds,writefds;
@ -35,7 +35,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
 	int full_log=1;
 	char *host=SSL_HOST_NAME;
 	char *cert_file=NULL,*key_file=NULL;
-@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
+@@ -664,13 +664,12 @@ int MAIN(int argc, char **argv)
 		else if	(strcmp(*argv,"-port") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -51,7 +51,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
 				goto bad;
 			}
 		else if	(strcmp(*argv,"-verify") == 0)
-@@ -967,7 +966,7 @@ bad:
+@@ -1253,7 +1252,7 @@ bad:
 re_start:
@ -60,10 +60,10 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
 		{
 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
 		SHUTDOWN(s);
-diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
+diff -up openssl-1.0.1c/apps/s_server.c.ipv6-apps openssl-1.0.1c/apps/s_server.c
--- openssl-1.0.0b/apps/s_server.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
+--- openssl-1.0.1c/apps/s_server.c.ipv6-apps	2012-07-11 22:46:02.434221777 +0200
-+++ openssl-1.0.0b/apps/s_server.c	2010-11-16 17:19:29.000000000 +0100
+++ openssl-1.0.1c/apps/s_server.c	2012-07-11 22:46:02.453222210 +0200
-@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
+@@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[])
 	{
 	X509_VERIFY_PARAM *vpm = NULL;
 	int badarg = 0;
@ -72,7 +72,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
 	char *CApath=NULL,*CAfile=NULL;
 	unsigned char *context = NULL;
 	char *dhfile = NULL;
-@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
+@@ -1000,8 +1000,7 @@ int MAIN(int argc, char *argv[])
 			 (strcmp(*argv,"-accept") == 0))
 			{
 			if (--argc < 1) goto bad;
@ -82,7 +82,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
 			}
 		else if	(strcmp(*argv,"-verify") == 0)
 			{
-@@ -1700,9 +1699,9 @@ bad:
+@@ -1878,9 +1877,9 @@ bad:
 	BIO_printf(bio_s_out,"ACCEPT\n");
 	(void)BIO_flush(bio_s_out);
 	if (www)
@ -94,9 +94,9 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
 	print_stats(bio_s_out,ctx);
 	ret=0;
 end:
-diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
+diff -up openssl-1.0.1c/apps/s_socket.c.ipv6-apps openssl-1.0.1c/apps/s_socket.c
--- openssl-1.0.0b/apps/s_socket.c.ipv6-apps	2010-07-05 13:03:22.000000000 +0200
+--- openssl-1.0.1c/apps/s_socket.c.ipv6-apps	2011-12-02 15:39:40.000000000 +0100
-+++ openssl-1.0.0b/apps/s_socket.c	2010-11-16 17:27:18.000000000 +0100
+++ openssl-1.0.1c/apps/s_socket.c	2012-07-11 22:49:05.411400450 +0200
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
 static void ssl_sock_cleanup(void);
 #endif
@ -108,7 +108,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 static int do_accept(int acc_sock, int *sock, char **host);
 static int host_ip(char *str, unsigned char ip[4]);
-@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
+@@ -234,57 +232,70 @@ static int ssl_sock_init(void)
 	return(1);
 	}
@ -117,11 +117,10 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 	{
 -	unsigned char ip[4];
 -
 -	memset(ip, '\0', sizeof ip);
 -	if (!host_ip(host,&(ip[0])))
-		{
+-		return 0;
-		return(0);
+-	return init_client_ip(sock,ip,port,type);
 -		}
 -	return(init_client_ip(sock,ip,port,type));
 -	}
 -
 -static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
@ -217,7 +216,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 	{
 	int sock;
 	char *name = NULL;
-@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
+@@ -322,33 +333,50 @@ int do_server(int port, int type, int *r
 		}
 	}
@ -227,10 +226,9 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 -	int ret=0;
 -	struct sockaddr_in server;
 -	int s= -1;
-+	struct addrinfo *res, *res0, hints;
+	struct addrinfo *res, *res0 = NULL, hints;
 +	char * failed_call = NULL;
-+	char port_name[8];
+	int s = INVALID_SOCKET;
 +	int s;
 +	int e;
 	if (!ssl_sock_init()) return(0);
@ -248,8 +246,10 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 -		memcpy(&server.sin_addr,ip,4);
 -#endif
 +	memset(&hints, '\0', sizeof(hints));
 +	hints.ai_family = AF_INET6;
 +tryipv4:
 +	hints.ai_socktype = type;
-+	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+	hints.ai_flags = AI_PASSIVE;
 -		if (type == SOCK_STREAM)
 -			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
@ -258,10 +258,15 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 +	e = getaddrinfo(NULL, port, &hints, &res);
 +	if (e)
 +		{
-+		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+		if (hints.ai_family == AF_INET)
-+		if (e == EAI_SYSTEM)
+			{
-+			perror("getaddrinfo");
+			fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+		return (0);
+			if (e == EAI_SYSTEM)
 +				perror("getaddrinfo");
 +			return (0);
 +			}
 +			else
 +				res = NULL;
 +		}
 -	if (s == INVALID_SOCKET) goto err;
@ -273,11 +278,17 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 +			{
 +			failed_call = "socket";
 +			goto nextres;
 +			}
 +		if (hints.ai_family == AF_INET6)
 +			{
 +			int j = 0;
 +			setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
 +				   (void *) &j, sizeof j);
 +			}
 #if defined SOL_SOCKET && defined SO_REUSEADDR
 		{
 		int j = 1;
-@@ -357,35 +372,39 @@ static int init_server_long(int *sock, i
+@@ -356,35 +384,49 @@ static int init_server_long(int *sock, i
 			   (void *) &j, sizeof j);
 		}
 #endif
@ -314,12 +325,21 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 +			close(s);
 +		res = res->ai_next;
 	}
-+	freeaddrinfo(res0);
+	if (res0)
 +		freeaddrinfo(res0);
 -static int init_server(int *sock, int port, int type)
-	{
+	if (s == INVALID_SOCKET)
 	{
 -	return(init_server_long(sock, port, NULL, type));
-+	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+		if (hints.ai_family == AF_INET6)
 +		{
 +			hints.ai_family = AF_INET;
 +			goto tryipv4;
 +		}
 +		perror("socket");
 +		return(0);
 +	}
 +
 +	perror(failed_call);
 +	return(0);
@ -335,7 +355,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 	int len;
 /*	struct linger ling; */
-@@ -432,135 +451,58 @@ redoit:
+@@ -431,135 +473,58 @@ redoit:
 */
 	if (host == NULL) goto end;
--- a/openssl-1.0.1c-perlfind.patch
+++ b/openssl-1.0.1c-perlfind.patch
@ -0,0 +1,16 @@
 diff -up openssl-1.0.1c/util/perlpath.pl.perlfind openssl-1.0.1c/util/perlpath.pl
 --- openssl-1.0.1c/util/perlpath.pl.perlfind	2012-07-11 22:57:33.000000000 +0200
 +++ openssl-1.0.1c/util/perlpath.pl	2012-07-12 00:31:12.102156275 +0200
@@ -4,10 +4,10 @@
 # line in all scripts that rely on perl.
 #
 -require "find.pl";
 +use File::Find;
 $#ARGV == 0 || print STDERR "usage: perlpath newpath  (eg /usr/bin)\n";
 -&find(".");
 +find(\&wanted, ".");
 sub wanted
 	{
--- a/openssl-1.0.1c-secure-getenv.patch
+++ b/openssl-1.0.1c-secure-getenv.patch
@ -0,0 +1,244 @@
 diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
 --- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv	2011-09-02 13:20:32.000000000 +0200
 +++ openssl-1.0.1c/crypto/conf/conf_api.c	2012-09-10 20:20:24.803968961 +0200
@@ -63,6 +63,8 @@
 # define NDEBUG
 #endif
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
@@ -142,7 +144,7 @@ char *_CONF_get_string(const CONF *conf,
 			if (v != NULL) return(v->value);
 			if (strcmp(section,"ENV") == 0)
 				{
 -				p=getenv(name);
 +				p=secure_getenv(name);
 				if (p != NULL) return(p);
 				}
 			}
@@ -155,7 +157,7 @@ char *_CONF_get_string(const CONF *conf,
 			return(NULL);
 		}
 	else
 -		return(getenv(name));
 +		return (secure_getenv(name));
 	}
 #if 0 /* There's no way to provide error checking with this function, so
 diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
 --- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv	2008-11-05 19:38:55.000000000 +0100
 +++ openssl-1.0.1c/crypto/conf/conf_mod.c	2012-09-10 20:22:46.228970661 +0200
@@ -56,6 +56,8 @@
  *
  */
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <stdio.h>
 #include <ctype.h>
 #include <openssl/crypto.h>
@@ -548,8 +550,8 @@ char *CONF_get1_default_config_file(void
 	char *file;
 	int len;
 -	file = getenv("OPENSSL_CONF");
 -	if (file) 
 +	file = secure_getenv("OPENSSL_CONF");
 +	if (file)
 		return BUF_strdup(file);
 	len = strlen(X509_get_default_cert_area());
 diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
 --- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv	2010-03-27 19:28:13.000000000 +0100
 +++ openssl-1.0.1c/crypto/engine/eng_list.c	2012-09-10 20:20:46.106452027 +0200
@@ -61,6 +61,8 @@
  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
  */
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include "eng_int.h"
 /* The linked-list of pointers to engine types. engine_list_head
@@ -399,9 +401,9 @@ ENGINE *ENGINE_by_id(const char *id)
 	if (strcmp(id, "dynamic"))
 		{
 #ifdef OPENSSL_SYS_VMS
 -		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
 +		if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
 #else
 -		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
 +		if((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
 #endif
 		iterator = ENGINE_by_id("dynamic");
 		if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
 diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
 --- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv	2012-09-10 20:10:26.079391932 +0200
 +++ openssl-1.0.1c/crypto/md5/md5_dgst.c	2012-09-10 20:20:31.383118153 +0200
@@ -56,6 +56,8 @@
  * [including the GNU Public Licence.]
  */
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <stdio.h>
 #include "md5_locl.h"
 #include <openssl/opensslv.h>
@@ -74,7 +76,7 @@ const char MD5_version[]="MD5" OPENSSL_V
 int MD5_Init(MD5_CTX *c)
 #ifdef OPENSSL_FIPS
 	{
 -	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 +	if (FIPS_mode() && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 		OpenSSLDie(__FILE__, __LINE__, \
                 "Digest MD5 forbidden in FIPS mode!");
 	return private_MD5_Init(c);
 diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
 --- openssl-1.0.1c/crypto/o_init.c.secure-getenv	2012-09-10 20:10:26.066391638 +0200
 +++ openssl-1.0.1c/crypto/o_init.c	2012-09-10 20:23:27.634908822 +0200
@@ -52,6 +52,8 @@
  *
  */
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <e_os.h>
 #include <openssl/err.h>
 #ifdef OPENSSL_FIPS
@@ -71,7 +73,7 @@ static void init_fips_mode(void)
 	char buf[2] = "0";
 	int fd;
 -	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
 +	if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
 		{
 		buf[0] = '1';
 		}
 diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c
 --- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv	2012-01-15 14:40:21.000000000 +0100
 +++ openssl-1.0.1c/crypto/rand/randfile.c	2012-09-10 20:20:40.708329617 +0200
@@ -58,6 +58,8 @@
 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
 #define _XOPEN_SOURCE 500
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <errno.h>
 #include <stdio.h>
@@ -275,8 +277,7 @@ const char *RAND_file_name(char *buf, si
 	struct stat sb;
 #endif
 -	if (OPENSSL_issetugid() == 0)
 -		s=getenv("RANDFILE");
 +	s=secure_getenv("RANDFILE");
 	if (s != NULL && *s && strlen(s) + 1 < size)
 		{
 		if (BUF_strlcpy(buf,s,size) >= size)
@@ -284,8 +285,7 @@ const char *RAND_file_name(char *buf, si
 		}
 	else
 		{
 -		if (OPENSSL_issetugid() == 0)
 -			s=getenv("HOME");
 +		s=secure_getenv("HOME");
 #ifdef DEFAULT_HOME
 		if (s == NULL)
 			{
 diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
 --- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv	2010-02-19 19:26:23.000000000 +0100
 +++ openssl-1.0.1c/crypto/x509/by_dir.c	2012-09-10 20:21:16.641144451 +0200
@@ -56,6 +56,8 @@
  * [including the GNU Public Licence.]
  */
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
@@ -135,7 +137,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
 	case X509_L_ADD_DIR:
 		if (argl == X509_FILETYPE_DEFAULT)
 			{
 -			dir=(char *)getenv(X509_get_default_cert_dir_env());
 +			dir=(char *)secure_getenv(X509_get_default_cert_dir_env());
 			if (dir)
 				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
 			else
 diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
 --- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv	2012-09-10 20:10:26.016390503 +0200
 +++ openssl-1.0.1c/crypto/x509/by_file.c	2012-09-10 20:21:07.748942806 +0200
@@ -56,6 +56,8 @@
  * [including the GNU Public Licence.]
  */
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
@@ -100,7 +102,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
 	case X509_L_FILE_LOAD:
 		if (argl == X509_FILETYPE_DEFAULT)
 			{
 -			file = (char *)getenv(X509_get_default_cert_file_env());
 +			file = (char *)secure_getenv(X509_get_default_cert_file_env());
 			if (file)
 				ok = (X509_load_cert_crl_file(ctx,file,
 					      X509_FILETYPE_PEM) != 0);
 diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
 --- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv	2011-09-23 15:39:35.000000000 +0200
 +++ openssl-1.0.1c/crypto/x509/x509_vfy.c	2012-09-10 20:20:55.951675283 +0200
@@ -56,6 +56,8 @@
  * [including the GNU Public Licence.]
  */
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
@@ -481,7 +483,7 @@ static int check_chain_extensions(X509_S
 			!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
 		/* A hack to keep people who don't want to modify their
 		   software happy */
 -		if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
 +		if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
 			allow_proxy_certs = 1;
 		purpose = ctx->param->purpose;
 		}
 diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
 --- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv	2008-03-16 22:05:44.000000000 +0100
 +++ openssl-1.0.1c/engines/ccgost/gost_ctl.c	2012-09-10 20:21:26.759373897 +0200
@@ -6,6 +6,8 @@
  *        Implementation of control commands for GOST engine          *
  *            OpenSSL 0.9.9 libraries required                        *
  **********************************************************************/            
 +/* for secure_getenv */
 +#define _GNU_SOURCE
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/crypto.h>
@@ -65,7 +67,7 @@ const char *get_gost_engine_param(int pa
 		{
 		return gost_params[param];
 		}
 -	tmp = getenv(gost_envnames[param]);
 +	tmp = secure_getenv(gost_envnames[param]);
 	if (tmp) 
 		{
 		if (gost_params[param]) OPENSSL_free(gost_params[param]);
@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
 	{
 	const char *tmp;
 	if (param <0 || param >GOST_PARAM_MAX) return 0;
 -	tmp = getenv(gost_envnames[param]);
 +	tmp = secure_getenv(gost_envnames[param]);
 	/* if there is value in the environment, use it, else -passed string * */
 	if (!tmp) tmp=value;
 	if (gost_params[param]) OPENSSL_free(gost_params[param]);