Merge git://pkgs.fedoraproject.org/mingw32-openssl

.gitignore

@@ -0,0 +1,2 @@
+openssl-1.0.0a-usa.tar.bz2
+/openssl-1.0.0d-usa.tar.bz2

Makefile.certificate

@@ -0,0 +1,74 @@
+UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
+SERIAL=0
+
+.PHONY: usage
+.SUFFIXES: .key .csr .crt .pem
+.PRECIOUS: %.key %.csr %.crt %.pem
+
+usage:
+	@echo "This makefile allows you to create:"
+	@echo "  o public/private key pairs"
+	@echo "  o SSL certificate signing requests (CSRs)"
+	@echo "  o self-signed SSL test certificates"
+	@echo
+	@echo "To create a key pair, run \"make SOMETHING.key\"."
+	@echo "To create a CSR, run \"make SOMETHING.csr\"."
+	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
+	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
+	@echo
+	@echo "To create a key for use with Apache, run \"make genkey\"."
+	@echo "To create a CSR for use with Apache, run \"make certreq\"."
+	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
+	@echo
+	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+	@echo
+	@echo Examples:
+	@echo "  make server.key"
+	@echo "  make server.csr"
+	@echo "  make server.crt"
+	@echo "  make stunnel.pem"
+	@echo "  make genkey"
+	@echo "  make certreq"
+	@echo "  make testcert"
+	@echo "  make server.crt SERIAL=1"
+	@echo "  make stunnel.pem SERIAL=2"
+	@echo "  make testcert SERIAL=3"
+
+%.pem:
+	umask 77 ; \
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+	cat $$PEM1 >  $@ ; \
+	echo ""    >> $@ ; \
+	cat $$PEM2 >> $@ ; \
+	$(RM) $$PEM1 $$PEM2
+
+%.key:
+	umask 77 ; \
+	/usr/bin/openssl genrsa -aes128 2048 > $@
+
+%.csr: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
+
+%.crt: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
+
+TLSROOT=/etc/pki/tls
+KEY=$(TLSROOT)/private/localhost.key
+CSR=$(TLSROOT)/certs/localhost.csr
+CRT=$(TLSROOT)/certs/localhost.crt
+
+genkey: $(KEY)
+certreq: $(CSR)
+testcert: $(CRT)
+
+$(CSR): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
+
+$(CRT): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)

hobble-openssl

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Quit out if anything fails.
+set -e
+
+# Clean out patent-or-otherwise-encumbered code.
+# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
+# IDEA:  5,214,703 07/01/2012
+# RC5:   5,724,428 01/11/2015
+# EC:    ????????? ??/??/2020
+
+# Remove assembler portions of IDEA, MDC2, and RC5.
+(find crypto/{idea,rc5}/asm -type f | xargs -r rm -fv)
+
+# IDEA, MDC2, RC5, EC.
+for a in idea rc5 ec ecdh ecdsa; do
+  for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
+	echo Destroying $c
+	> $c
+  done
+done
+
+for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_ecdsa.c"`; do
+	echo Destroying $c
+	> $c
+done
+
+for h in `find crypto ssl apps test -name "*.h"` ; do
+	echo Removing IDEA, RC5, and EC references from $h
+	cat $h | \
+	awk    'BEGIN {ech=1;} \
+		/^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \
+                /^#[ \t]*if/ {if(ech < 1) ech--;} \
+		{if(ech>0) {;print $0};} \
+		/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
+	mv $h.hobbled $h
+done
+
+# Make the makefiles happy.
+touch crypto/rc5/asm/rc5-586.pl

make-dummy-cert

@@ -0,0 +1,28 @@
+#!/bin/sh
+umask 077
+
+answers() {
+	echo --
+	echo SomeState
+	echo SomeCity
+	echo SomeOrganization
+	echo SomeOrganizationalUnit
+	echo localhost.localdomain
+	echo root@localhost.localdomain
+}
+
+if [ $# -eq 0 ] ; then
+	echo $"Usage: `basename $0` filename [...]"
+	exit 0
+fi
+
+for target in $@ ; do
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
+	trap "rm -f $PEM1 $PEM2" SIGINT
+	answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+	cat $PEM1 >  ${target}
+	echo ""   >> ${target}
+	cat $PEM2 >> ${target}
+	rm -f $PEM1 $PEM2
+done

mingw32-openssl-1.0.0-beta3-libversion.patch

@@ -0,0 +1,50 @@
+diff -up openssl-1.0.0-beta3/Makefile.org.mingw-libversion openssl-1.0.0-beta3/Makefile.org
+--- openssl-1.0.0-beta3/Makefile.org.mingw-libversion	2009-08-29 22:44:10.000000000 +0300
++++ openssl-1.0.0-beta3/Makefile.org	2009-08-29 22:45:42.000000000 +0300
+@@ -542,8 +542,8 @@ install_sw:
+ 				fi ); \
+ 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+ 				(	case $$i in \
+-						*crypto*) i=libeay32.dll;; \
+-						*ssl*)    i=ssleay32.dll;; \
++						*crypto*) i=libcrypto-$(SHLIB_SONAMEVER).dll;; \
++						*ssl*)    i=libssl-$(SHLIB_SONAMEVER).dll;; \
+ 					esac; \
+ 					echo installing $$i; \
+ 	 				cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+diff -up openssl-1.0.0-beta3/Makefile.shared.mingw-libversion openssl-1.0.0-beta3/Makefile.shared
+--- openssl-1.0.0-beta3/Makefile.shared.mingw-libversion	2009-08-29 22:33:22.000000000 +0300
++++ openssl-1.0.0-beta3/Makefile.shared	2009-08-29 22:33:22.000000000 +0300
+@@ -47,7 +47,7 @@ LIBEXTRAS=
+ # LIBVERSION contains the current version of the library.
+ # For example, to build libfoo.so.1.2, you need to do the following:
+ #LIBVERSION=1.2
+-LIBVERSION=
++LIBVERSION=10
+ 
+ # LIBCOMPATVERSIONS contains the compatibility versions (a list) of
+ # the library.  They MUST be in decreasing order.
+@@ -250,7 +250,7 @@ link_o.cygwin:
+ 	base=-Wl,--enable-auto-image-base; \
+ 	deffile=; \
+ 	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+-		SHLIB=$(LIBNAME)eay32; base=; \
++		SHLIB=lib$(LIBNAME); base=; \
+ 		if test -f $(LIBNAME)eay32.def; then \
+ 			deffile=$(LIBNAME)eay32.def; \
+ 		fi; \
+@@ -270,13 +270,7 @@ link_a.cygwin:
+ 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; extras=; \
+ 	base=-Wl,--enable-auto-image-base; \
+ 	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+-		case $(LIBNAME) in \
+-			crypto) SHLIB=libeay;; \
+-			ssl) SHLIB=ssleay;; \
+-		esac; \
+-		SHLIB_SOVER=32; \
+-		extras="$(LIBNAME).def"; \
+-		$(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \
++		SHLIB=lib$(LIBNAME); \
+ 		base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
+ 	fi; \
+ 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \

mingw32-openssl-1.0.0d-sfx.patch

@@ -0,0 +1,15 @@
+diff -up openssl-1.0.0d/engines/Makefile.mingw-sfx openssl-1.0.0d/engines/Makefile
+--- openssl-1.0.0d/engines/Makefile.mingw-sfx	2011-04-23 13:04:15.452843560 +0300
++++ openssl-1.0.0d/engines/Makefile	2011-04-23 13:04:15.689846190 +0300
+@@ -111,7 +111,10 @@ install:
+ 		for l in $(LIBNAMES); do \
+ 			( echo installing $$l; \
+ 			  pfx=lib; \
+-			  if [ "$(PLATFORM)" != "Cygwin" ]; then \
++			  if [ "$(PLATFORM)" = "mingw" ]; then \
++				sfx=.dll; \
++				cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
++			  elif [ "$(PLATFORM)" != "Cygwin" ]; then \
+ 				case "$(CFLAGS)" in \
+ 				*DSO_BEOS*)	sfx=".so";;	\
+ 				*DSO_DLFCN*)	sfx=`expr "$(SHLIB_EXT)" : '.*\(\.[a-z][a-z]*\)' \| ".so"`;;	\

mingw32-openssl.spec

@@ -0,0 +1,444 @@
+%global __strip %{_mingw32_strip}
+%global __objdump %{_mingw32_objdump}
+%global _use_internal_dependency_generator 0
+%global __find_requires %{_mingw32_findrequires}
+%global __find_provides %{_mingw32_findprovides}
+%define __debug_install_post %{_mingw32_debug_install_post}
+
+# For the curious:
+# 0.9.5a soversion = 0
+# 0.9.6  soversion = 1
+# 0.9.6a soversion = 2
+# 0.9.6c soversion = 3
+# 0.9.7a soversion = 4
+# 0.9.7ef soversion = 5
+# 0.9.8ab soversion = 6
+# 0.9.8g soversion = 7
+# 0.9.8jk + EAP-FAST soversion = 8
+# 1.0.0 soversion = 10
+%global soversion 10
+
+# Enable the tests.
+# These only work some of the time, but fail randomly at other times
+# (although I have had them complete a few times, so I don't think
+# there is any actual problem with the binaries).
+%global run_tests 0
+
+# Number of threads to spawn when testing some threading fixes.
+%global thread_test_threads %{?threads:%{threads}}%{!?threads:1}
+
+Name:           mingw32-openssl
+Version:        1.0.0d
+Release:        3%{?dist}
+Summary:        MinGW port of the OpenSSL toolkit
+
+License:        OpenSSL
+Group:          Development/Libraries
+URL:            http://www.openssl.org/
+
+# We remove certain patented algorithms from the openssl source tarball
+# with the hobble-openssl script which is included below.
+Source0:        openssl-%{version}-usa.tar.bz2
+
+Source1:        hobble-openssl
+Source2:        Makefile.certificate
+Source6:        make-dummy-cert
+Source8:        openssl-thread-test.c
+Source9:        opensslconf-new.h
+Source10:       opensslconf-new-warning.h
+
+# Patches from Fedora native package.
+# Build changes
+Patch0:         openssl-1.0.0-beta4-redhat.patch
+Patch1:         openssl-1.0.0-beta3-defaults.patch
+Patch3:         openssl-1.0.0-beta3-soversion.patch
+Patch4:         openssl-1.0.0-beta5-enginesdir.patch
+Patch5:         openssl-0.9.8a-no-rpath.patch
+Patch6:         openssl-0.9.8b-test-use-localhost.patch
+Patch7:         openssl-1.0.0-timezone.patch
+# Bug fixes
+Patch23:        openssl-1.0.0-beta4-default-paths.patch
+Patch24:        openssl-0.9.8j-bad-mime.patch
+Patch25:        openssl-1.0.0a-manfix.patch
+# Functionality changes
+Patch32:        openssl-0.9.8g-ia64.patch
+Patch33:        openssl-1.0.0-beta4-ca-dir.patch
+Patch34:        openssl-0.9.6-x509.patch
+Patch35:        openssl-0.9.8j-version-add-engines.patch
+Patch38:        openssl-1.0.0-beta5-cipher-change.patch
+# Disabled this because it uses getaddrinfo which is lacking on Windows.
+#Patch39:        openssl-1.0.0b-ipv6-apps.patch
+Patch40:        openssl-1.0.0a-fips.patch
+Patch41:        openssl-1.0.0-beta3-fipscheck.patch
+Patch43:        openssl-1.0.0a-fipsmode.patch
+Patch44:        openssl-1.0.0-beta3-fipsrng.patch
+Patch45:        openssl-0.9.8j-env-nozlib.patch
+Patch47:        openssl-1.0.0-beta5-readme-warning.patch
+Patch49:        openssl-1.0.0-beta4-algo-doc.patch
+Patch50:        openssl-1.0.0-beta4-dtls1-abi.patch
+Patch51:        openssl-1.0.0d-version.patch
+Patch52:        openssl-1.0.0b-aesni.patch
+Patch53:        openssl-1.0.0-name-hash.patch
+Patch54:        openssl-1.0.0c-speed-fips.patch
+#Patch55:        openssl-1.0.0c-apps-ipv6listen.patch
+Patch56:        openssl-1.0.0c-rsa-x931.patch
+Patch57:        openssl-1.0.0c-fips186-3.patch
+Patch58:        openssl-1.0.0c-fips-md5-allow.patch
+Patch59:        openssl-1.0.0c-pkcs12-fips-default.patch
+Patch60:        openssl-1.0.0d-apps-dgst.patch
+# Backported fixes including security fixes
+
+# MinGW-specific patches.
+# Rename *eay32.dll to lib*.dll
+Patch101:       mingw32-openssl-1.0.0-beta3-libversion.patch
+# Fix engines/ install target after lib rename
+Patch102:       mingw32-openssl-1.0.0d-sfx.patch
+
+BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildArch:      noarch
+
+BuildRequires:  mingw32-filesystem >= 52
+BuildRequires:  mingw32-gcc
+BuildRequires:  mingw32-binutils
+
+BuildRequires:  mingw32-zlib
+BuildRequires:  mingw32-pthreads
+BuildRequires:  mingw32-dlfcn
+
+BuildRequires:  mktemp
+#BuildRequires:  krb5-devel
+BuildRequires:  perl
+BuildRequires:  sed
+BuildRequires:  /usr/bin/cmp
+BuildRequires:  /usr/bin/rename
+
+# XXX Not really sure about this one.  The build script uses
+# /usr/bin/makedepend which comes from imake.
+BuildRequires:  imake
+
+%if %{run_tests}
+# Required both to build, and to run the tests.
+# XXX This needs to be fixed - cross-compilation should not
+# require running executables.
+BuildRequires:  wine
+
+# Required to run the tests.
+BuildRequires:  xorg-x11-server-Xvfb
+%endif
+
+#Requires:       ca-certificates >= 2008-5
+Requires:       pkgconfig
+
+
+%description
+The OpenSSL toolkit provides support for secure communications between
+machines. OpenSSL includes a certificate management tool and shared
+libraries which provide various cryptographic algorithms and
+protocols.
+
+This package contains Windows (MinGW) libraries and development tools.
+
+
+%package static
+Summary:        Static version of the MinGW port of the OpenSSL toolkit
+Requires:       %{name} = %{version}-%{release}
+
+%description static
+Static version of the MinGW port of the OpenSSL toolkit.
+
+
+%{?_mingw32_debug_package}
+
+
+%prep
+%setup -q -n openssl-%{version}
+
+%{SOURCE1} > /dev/null
+%patch0 -p1 -b .redhat
+%patch1 -p1 -b .defaults
+%patch3 -p1 -b .soversion
+%patch4 -p1 -b .enginesdir
+%patch5 -p1 -b .no-rpath
+%patch6 -p1 -b .use-localhost
+%patch7 -p1 -b .timezone
+
+%patch23 -p1 -b .default-paths
+%patch24 -p1 -b .bad-mime
+%patch25 -p1 -b .manfix
+
+%patch32 -p1 -b .ia64
+#patch33 is applied after make test
+%patch34 -p1 -b .x509
+%patch35 -p1 -b .version-add-engines
+%patch38 -p1 -b .cipher-change
+#patch39 -p1 -b .ipv6-apps
+%patch40 -p1 -b .fips
+%patch41 -p1 -b .fipscheck
+%patch43 -p1 -b .fipsmode
+%patch44 -p1 -b .fipsrng
+%patch45 -p1 -b .env-nozlib
+%patch47 -p1 -b .warning
+%patch49 -p1 -b .algo-doc
+%patch50 -p1 -b .dtls1-abi
+%patch51 -p1 -b .version
+%patch52 -p1 -b .aesni
+%patch53 -p1 -b .name-hash
+%patch54 -p1 -b .spfips
+#patch55 -p1 -b .ipv6listen
+%patch56 -p1 -b .x931
+%patch57 -p1 -b .fips186-3
+%patch58 -p1 -b .md5-allow
+%patch59 -p1 -b .fips-default
+%patch60 -p1 -b .dgst
+
+%patch101 -p1 -b .mingw-libversion
+%patch102 -p1 -b .mingw-sfx
+
+# Use _mingw32_cflags instead of hardcoded ones
+sed -i -e '/^"mingw"/ s/-fomit-frame-pointer -O3 -march=i486 -Wall/%{_mingw32_cflags}/' Configure
+
+# Modify the various perl scripts to reference perl in the right location.
+perl util/perlpath.pl `dirname %{__perl}`
+
+# Generate a table with the compile settings for my perusal.
+touch Makefile
+make TABLE PERL=%{__perl}
+
+%build
+# NB: 'no-hw' is vital.  MinGW cannot build the hardware drivers
+# and if you don't have this you'll get an obscure link error.
+./Configure \
+  --prefix=%{_mingw32_prefix} \
+  --openssldir=%{_mingw32_sysconfdir}/pki/tls \
+  zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
+  enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \
+  no-capieng \
+  no-hw --cross-compile-prefix=%{_mingw32_target}- \
+  --enginesdir=%{_mingw32_libdir}/openssl/engines \
+  shared mingw
+#  --with-krb5-flavor=MIT
+#  -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib}
+
+# Regenerate def files as we disabled some algorithms above
+perl util/mkdef.pl crypto ssl update
+
+make depend
+make all build-shared
+
+# Generate hashes for the included certs.
+make rehash build-shared
+
+%if %{run_tests}
+#----------------------------------------------------------------------
+# Run some tests.  I don't know why this isn't in a %-check section
+# but this is how it is in the native RPM.
+
+# This is a bit of a hack, but the test scripts look for 'openssl'
+# by name.
+pushd apps
+ln -s openssl.exe openssl
+popd
+
+# This is useful for diagnosing Wine problems.
+WINEDEBUG=+loaddll
+export WINEDEBUG
+
+# Make sure we can find the installed DLLs.
+WINEDLLPATH=%{_mingw32_bindir}
+export WINEDLLPATH
+
+# The tests run Wine and require an X server (but don't really use
+# it).  Therefore we create a virtual framebuffer for the duration of
+# the tests.
+# XXX There is no good way to choose a random, unused display.
+# XXX Setting depth to 24 bits avoids bug 458219.
+unset DISPLAY
+display=:21
+Xvfb $display -screen 0 1024x768x24 -ac -noreset & xpid=$!
+trap "kill -TERM $xpid ||:" EXIT
+sleep 3
+DISPLAY=$display
+export DISPLAY
+
+make LDCMD=%{_mingw32_cc} -C test apps tests
+
+# Disable this thread test, because we don't have pthread on Windows.
+%{_mingw32_cc} -o openssl-thread-test \
+  -I./include \
+  %-{_mingw32_cflags} \
+  %-{SOURCE8} \
+  -L. \
+  -lssl -lcrypto \
+  -lpthread -lz -ldl
+
+## `krb5-config --cflags`
+## `krb5-config --libs`
+#
+./openssl-thread-test --threads %{thread_test_threads}
+
+#----------------------------------------------------------------------
+%endif
+
+# Patch33 must be patched after tests otherwise they will fail
+patch -p1 -b -z .ca-dir < %{PATCH33}
+
+# Add generation of HMAC checksum of the final stripped library
+#%define __spec_install_post \
+#    %{?__debug_package:%{__debug_install_post}} \
+#    %{__arch_install_post} \
+#    %{__os_install_post} \
+#    fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
+#    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
+#%{nil}
+
+if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
+  iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \
+    mv -f CHANGES.utf8 CHANGES
+fi
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}/openssl
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_bindir}
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_includedir}
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_mandir}
+make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared
+
+# Install the file applink.c (#499934)
+install -m644 ms/applink.c $RPM_BUILD_ROOT%{_mingw32_includedir}/openssl/applink.c
+
+# I have no idea why it installs the manpages in /etc, but
+# we remove them anyway.
+rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man
+
+# Set permissions on lib*.dll.a so that strip works.
+chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.dll.a
+chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.dll.a
+
+# Install a makefile for generating keys and self-signed certs, and a script
+# for generating them on the fly.
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs
+install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/Makefile
+install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert
+
+# Pick a CA script.
+pushd  $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/misc
+mv CA.sh CA
+popd
+
+mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA
+mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA/private
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%files
+%defattr(-,root,root,-)
+%doc LICENSE
+%{_mingw32_bindir}/openssl.exe
+%{_mingw32_bindir}/c_rehash
+%{_mingw32_bindir}/libcrypto-%{soversion}.dll
+%{_mingw32_bindir}/libssl-%{soversion}.dll
+#{_mingw32_bindir}/.libcrypto*.hmac
+%{_mingw32_libdir}/libcrypto.dll.a
+%{_mingw32_libdir}/libssl.dll.a
+%{_mingw32_libdir}/engines
+%{_mingw32_libdir}/pkgconfig/*.pc
+%{_mingw32_includedir}/openssl
+%config(noreplace) %{_mingw32_sysconfdir}/pki
+
+
+%files static
+%defattr(-,root,root,-)
+%{_mingw32_libdir}/libcrypto.a
+%{_mingw32_libdir}/libssl.a
+
+
+%changelog
+* Mon Feb 27 2012 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.0d-3
+- Rebuild against the mingw-w64 toolchain
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0d-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Sat Apr 23 2011 Kalev Lember <kalev@smartlink.ee> - 1.0.0d-1
+- Update to 1.0.0d
+- Synced patches with Fedora native openssl-1.0.0d-2
+
+* Fri Mar 04 2011 Kai Tietz <ktietz@redhat.com>
+- Fixes for CVE-2011-0014 openssl: OCSP stapling vulnerability
+
+* Thu Mar  3 2011 Kai Tietz <ktietz@redhat.com> - 1.0.0a-3
+- Bump and rebuild.
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0a-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Sat Jun 19 2010 Kalev Lember <kalev@smartlink.ee> - 1.0.0a-1
+- Updated to openssl 1.0.0a
+- Synced patches with Fedora native openssl-1.0.0a-1
+- Use sed to fix up cflags instead of unmaintainable patch
+- Rebased mingw32 specific patches
+- Disabled capieng to fix build
+- Properly regenerate def files with mkdef.pl and drop linker-fix.patch
+
+* Thu Nov 26 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.6.beta4
+- Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4)
+- Dropped the patch to fix non-fips mingw build,
+  as it's now merged into fips patch from native openssl
+
+* Sun Nov 22 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.5.beta4
+- Updated to version 1.0.0 beta 4
+- Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4)
+- Added patch to fix build with fips disabled
+
+* Fri Sep 18 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.4.beta3
+- Rebuilt to fix debuginfo
+
+* Sun Aug 30 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.3.beta3
+- Simplified the lib renaming patch
+
+* Sun Aug 30 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.0-0.2.beta3
+- Fixed invalid RPM Provides
+ 
+* Fri Aug 28 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.0-0.1.beta3
+- Update to version 1.0.0 beta 3
+- Use %%global instead of %%define
+- Automatically generate debuginfo subpackage
+- Merged various changes from the native Fedora package (up to 1.0.0-0.5.beta3)
+- Don't use the %%{_mingw32_make} macro anymore as it's ugly and causes side-effects
+- Added missing BuildRequires mingw32-dlfcn (Kalev Lember)
+- Reworked patches to rename *eay32.dll to lib*.dll (Kalev Lember)
+- Patch Configure script to use %%{_mingw32_cflags} (Kalev Lember)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8j-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat May  9 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 0.9.8j-6
+- Add the file include/openssl/applink.c to the package (BZ #499934)
+
+* Tue Apr 14 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 0.9.8j-5
+- Fixed %%defattr line
+- Added -static subpackage
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8j-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Feb 20 2009 Richard W.M. Jones <rjones@redhat.com> - 0.9.8j-3
+- Rebuild for mingw32-gcc 4.4
+
+* Mon Feb  2 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-2
+- Various build fixes.
+
+* Wed Jan 28 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-1
+- update to new upstream version.
+
+* Mon Dec 29 2008 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8g-2
+- minor cleanup.
+
+* Tue Sep 30 2008 Richard W.M. Jones <rjones@redhat.com> - 0.9.8g-1
+- Initial RPM release.

openssl-0.9.6-x509.patch

@@ -0,0 +1,29 @@
+Do not treat duplicate certs as an error.
+
+--- openssl-0.9.6/crypto/x509/by_file.c	Wed Sep 27 15:09:05 2000
++++ openssl-0.9.6/crypto/x509/by_file.c	Wed Sep 27 14:21:20 2000
+@@ -163,8 +163,12 @@
+ 					}
+ 				}
+ 			i=X509_STORE_add_cert(ctx->store_ctx,x);
+-			if (!i) goto err;
+-			count++;
++			/* ignore any problems with current certificate 
++			    and continue with the next one */
++			if (i)
++			    count++;
++			else
++			    ERR_clear_error();
+ 			X509_free(x);
+ 			x=NULL;
+ 			}
+@@ -179,7 +183,8 @@
+ 			goto err;
+ 			}
+ 		i=X509_STORE_add_cert(ctx->store_ctx,x);
+-		if (!i) goto err;
++		if (!i)
++		  ERR_clear_error();
+ 		ret=i;
+ 		}
+ 	else

openssl-0.9.8a-no-rpath.patch

@@ -0,0 +1,11 @@
+--- openssl-0.9.8a/Makefile.shared.no-rpath	2005-06-23 22:47:54.000000000 +0200
++++ openssl-0.9.8a/Makefile.shared	2005-11-16 22:35:37.000000000 +0100
+@@ -153,7 +153,7 @@
+ 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+ 
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+ 
+ #This is rather special.  It's a special target with which one can link
+ #applications without bothering with any features that have anything to

openssl-0.9.8b-test-use-localhost.patch

@@ -0,0 +1,24 @@
+diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c
+--- openssl-0.9.8b/ssl/ssltest.c.use-localhost	2006-02-24 18:58:35.000000000 +0100
++++ openssl-0.9.8b/ssl/ssltest.c	2007-08-03 14:06:16.000000000 +0200
+@@ -839,19 +839,8 @@ bad:
+ #ifndef OPENSSL_NO_KRB5
+ 	if (c_ssl  &&  c_ssl->kssl_ctx)
+                 {
+-                char	localhost[MAXHOSTNAMELEN+2];
+-
+-		if (gethostname(localhost, sizeof localhost-1) == 0)
+-                        {
+-			localhost[sizeof localhost-1]='\0';
+-			if(strlen(localhost) == sizeof localhost-1)
+-				{
+-				BIO_printf(bio_err,"localhost name too long\n");
+-				goto end;
+-				}
+ 			kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
+-                                localhost);
+-			}
++                                "localhost");
+ 		}
+ #endif    /* OPENSSL_NO_KRB5  */
+ 

openssl-0.9.8g-ia64.patch

@@ -0,0 +1,19 @@
+diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
+--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64	2008-08-10 22:23:55.000000000 +0200
++++ openssl-0.9.8g/crypto/bn/bn_lcl.h	2008-08-10 22:23:55.000000000 +0200
+@@ -279,6 +279,15 @@ extern "C" {
+ #   define BN_UMULT_HIGH(a,b)		__umulh((a),(b))
+ #   define BN_UMULT_LOHI(low,high,a,b)	((low)=_umul128((a),(b),&(high)))
+ #  endif
++# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
++#  if defined(__GNUC__)
++#   define BN_UMULT_HIGH(a,b) ({      \
++      register BN_ULONG ret;          \
++      asm ("xmpy.hu %0 = %1, %2"      \
++           : "=f"(ret)                \
++           : "f"(a), "f"(b));         \
++      ret;                    })
++#  endif      /* compiler */
+ # endif		/* cpu */
+ #endif		/* OPENSSL_NO_ASM */
+ 

openssl-0.9.8j-bad-mime.patch

@@ -0,0 +1,14 @@
+diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
+--- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime	2008-08-05 17:56:11.000000000 +0200
++++ openssl-0.9.8j/crypto/asn1/asn_mime.c	2009-01-14 22:08:34.000000000 +0100
+@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
+ static int mime_hdr_cmp(const MIME_HEADER * const *a,
+ 			const MIME_HEADER * const *b)
+ {
++	if ((*a)->name == NULL || (*b)->name == NULL)
++		return (*a)->name - (*b)->name < 0 ? -1 :
++			(*a)->name - (*b)->name > 0 ? 1 : 0;
++
+ 	return(strcmp((*a)->name, (*b)->name));
+ }
+ 

openssl-0.9.8j-env-nozlib.patch

@@ -0,0 +1,13 @@
+Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set.
+diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c
+--- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib	2009-01-05 15:43:07.000000000 +0100
++++ openssl-0.9.8j/ssl/ssl_ciph.c	2009-01-14 17:47:46.000000000 +0100
+@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo
+ 
+ 			MemCheck_off();
+ 			ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+-			if (ssl_comp_methods != NULL)
++			if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
+ 				{
+ 				comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ 				if (comp != NULL)

openssl-0.9.8j-version-add-engines.patch

@@ -0,0 +1,48 @@
+diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
+--- openssl-0.9.8j/apps/version.c.version-add-engines	2008-10-20 14:53:33.000000000 +0200
++++ openssl-0.9.8j/apps/version.c	2009-01-13 23:22:03.000000000 +0100
+@@ -131,6 +131,7 @@
+ #ifndef OPENSSL_NO_BF
+ # include <openssl/blowfish.h>
+ #endif
++#include <openssl/engine.h>
+ 
+ #undef PROG
+ #define PROG	version_main
+@@ -140,7 +141,7 @@ int MAIN(int, char **);
+ int MAIN(int argc, char **argv)
+ 	{
+ 	int i,ret=0;
+-	int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
++	int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
+ 
+ 	apps_startup();
+ 
+@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
+ 		else if (strcmp(argv[i],"-d") == 0)
+ 			dir=1;
+ 		else if (strcmp(argv[i],"-a") == 0)
+-			date=version=cflags=options=platform=dir=1;
++			date=version=cflags=options=platform=dir=engines=1;
+ 		else
+ 			{
+ 			BIO_printf(bio_err,"usage:version -[avbofpd]\n");
+@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
+ 		}
+ 	if (cflags)  printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
+ 	if (dir)  printf("%s\n",SSLeay_version(SSLEAY_DIR));
++	if (engines)
++		{
++		ENGINE *e;
++		printf("engines:  ");
++		e = ENGINE_get_first();
++		while (e)
++			{
++			printf("%s ", ENGINE_get_id(e));
++			e = ENGINE_get_next(e);
++			}
++		printf("\n");
++		}
+ end:
+ 	apps_shutdown();
+ 	OPENSSL_EXIT(ret);

openssl-1.0.0-beta3-defaults.patch

@@ -0,0 +1,44 @@
+diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/openssl.cnf
+--- openssl-1.0.0-beta3/apps/openssl.cnf.defaults	2009-04-04 20:09:43.000000000 +0200
++++ openssl-1.0.0-beta3/apps/openssl.cnf	2009-08-04 22:57:16.000000000 +0200
+@@ -103,7 +103,8 @@ emailAddress		= optional
+ 
+ ####################################################################
+ [ req ]
+-default_bits		= 1024
++default_bits		= 2048
++default_md		= sha1
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+ 
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+-countryName_default		= AU
++countryName_default		= XX
+ countryName_min			= 2
+ countryName_max			= 2
+ 
+ stateOrProvinceName		= State or Province Name (full name)
+-stateOrProvinceName_default	= Some-State
++#stateOrProvinceName_default	= Default Province
+ 
+ localityName			= Locality Name (eg, city)
++localityName_default	= Default City
+ 
+ 0.organizationName		= Organization Name (eg, company)
+-0.organizationName_default	= Internet Widgits Pty Ltd
++0.organizationName_default	= Default Company Ltd
+ 
+ # we can do this but it is not needed normally :-)
+ #1.organizationName		= Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName			= Locality Name (eg, city
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+ #organizationalUnitName_default	=
+ 
+-commonName			= Common Name (eg, YOUR name)
++commonName			= Common Name (eg, your name or your server\'s hostname)
+ commonName_max			= 64
+ 
+ emailAddress			= Email Address

openssl-1.0.0-beta3-fipscheck.patch

@@ -0,0 +1,400 @@
+diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
+--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips.c	2009-08-10 20:11:59.000000000 +0200
+@@ -47,6 +47,7 @@
+  *
+  */
+ 
++#define _GNU_SOURCE
+ 
+ #include <openssl/rand.h>
+ #include <openssl/fips_rand.h>
+@@ -56,6 +57,9 @@
+ #include <openssl/rsa.h>
+ #include <string.h>
+ #include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #include "fips_locl.h"
+ 
+ #ifdef OPENSSL_FIPS
+@@ -165,6 +169,204 @@ int FIPS_selftest()
+ 	&& FIPS_selftest_dsa();
+     }
+ 
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
++{
++	Dl_info info;
++	void *dl, *sym;
++	int rv = -1;
++
++        dl = dlopen(libname, RTLD_LAZY);
++        if (dl == NULL) {
++	        return -1;
++        }       
++
++	sym = dlsym(dl, symbolname);
++
++	if (sym != NULL && dladdr(sym, &info)) {
++		strncpy(path, info.dli_fname, pathlen-1);
++		path[pathlen-1] = '\0';
++		rv = 0;
++	}
++
++	dlclose(dl);	
++	
++	return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *
++bin2hex(void *buf, size_t len)
++{
++	char *hex, *p;
++	unsigned char *src = buf;
++	
++	hex = malloc(len * 2 + 1);
++	if (hex == NULL)
++		return NULL;
++
++	p = hex;
++
++	while (len > 0) {
++		unsigned c;
++
++		c = *src;
++		src++;
++
++		*p = conv[c >> 4];
++		++p;
++		*p = conv[c & 0x0f];
++		++p;
++		--len;
++	}
++	*p = '\0';
++	return hex;
++}
++
++#define HMAC_PREFIX "." 
++#define HMAC_SUFFIX ".hmac" 
++#define READ_BUFFER_LENGTH 16384
++
++static char *
++make_hmac_path(const char *origpath)
++{
++	char *path, *p;
++	const char *fn;
++
++	path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++	if(path == NULL) {
++		return NULL;
++	}
++
++	fn = strrchr(origpath, '/');
++	if (fn == NULL) {
++		fn = origpath;
++	} else {
++		++fn;
++	}
++
++	strncpy(path, origpath, fn-origpath);
++	p = path + (fn - origpath);
++	p = stpcpy(p, HMAC_PREFIX);
++	p = stpcpy(p, fn);
++	p = stpcpy(p, HMAC_SUFFIX);
++
++	return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int
++compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++	FILE *f = NULL;
++	int rv = -1;
++	unsigned char rbuf[READ_BUFFER_LENGTH];
++	size_t len;
++	unsigned int hlen;
++	HMAC_CTX c;
++
++	HMAC_CTX_init(&c);
++
++	f = fopen(path, "r");
++
++	if (f == NULL) {
++		goto end;
++	}
++
++	HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
++
++	while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++		HMAC_Update(&c, rbuf, len);
++	}
++
++	len = sizeof(rbuf);
++	/* reuse rbuf for hmac */
++	HMAC_Final(&c, rbuf, &hlen);
++
++	*buf = malloc(hlen);
++	if (*buf == NULL) {
++		goto end;
++	}
++
++	*hmaclen = hlen;
++
++	memcpy(*buf, rbuf, hlen);
++
++	rv = 0;
++end:
++	HMAC_CTX_cleanup(&c);
++
++	if (f)
++		fclose(f);
++
++	return rv;
++}
++
++static int
++FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++	char path[PATH_MAX+1];
++	int rv;
++	FILE *hf;
++	char *hmacpath, *p;
++	char *hmac = NULL;
++	size_t n;
++	
++	rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++	if (rv < 0)
++		return 0;
++
++	hmacpath = make_hmac_path(path);
++
++	hf = fopen(hmacpath, "r");
++	if (hf == NULL) {
++		free(hmacpath);
++		return 0;
++	}
++
++	if (getline(&hmac, &n, hf) > 0) {
++		void *buf;
++		size_t hmaclen;
++		char *hex;
++
++		if ((p=strchr(hmac, '\n')) != NULL)
++			*p = '\0';
++
++		if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++			rv = -4;
++			goto end;
++		}
++
++		if ((hex=bin2hex(buf, hmaclen)) == NULL) {
++			free(buf);
++			rv = -5;
++			goto end;
++		}
++
++		if (strcmp(hex, hmac) != 0) {
++			rv = -1;
++		}
++		free(buf);
++		free(hex);
++	}
++
++end:
++	free(hmac);
++	free(hmacpath);
++	fclose(hf);
++
++	if (rv < 0)
++		return 0;
++
++	/* check successful */
++	return 1;	
++}
++
+ int FIPS_mode_set(int onoff)
+     {
+     int fips_set_owning_thread();
+@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
+ 	    }
+ #endif
+ 
++	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
++	    {
++	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++	    fips_selftest_fail = 1;
++	    ret = 0;
++	    goto end;
++	    }
++
++	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
++	    {
++	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++	    fips_selftest_fail = 1;
++	    ret = 0;
++	    goto end;
++	    }
++
+ 	/* Perform RNG KAT before seeding */
+ 	if (!FIPS_selftest_rng())
+ 	    {
+diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
+--- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c	2009-08-10 20:11:59.000000000 +0200
+@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
+ 
+ #ifdef OPENSSL_FIPS
+ 
+-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
+ 		      const char *key)
+     {
+     size_t len=strlen(key);
+@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+ 
+     if (len > SHA_CBLOCK)
+ 	{
+-	SHA1_Init(md_ctx);
+-	SHA1_Update(md_ctx,key,len);
+-	SHA1_Final(keymd,md_ctx);
+-	len=20;
++	SHA256_Init(md_ctx);
++	SHA256_Update(md_ctx,key,len);
++	SHA256_Final(keymd,md_ctx);
++	len=SHA256_DIGEST_LENGTH;
+ 	}
+     else
+ 	memcpy(keymd,key,len);
+@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+ 
+     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ 	pad[i]=0x36^keymd[i];
+-    SHA1_Init(md_ctx);
+-    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
++    SHA256_Init(md_ctx);
++    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
+ 
+     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ 	pad[i]=0x5c^keymd[i];
+-    SHA1_Init(o_ctx);
+-    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
++    SHA256_Init(o_ctx);
++    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
+     }
+ 
+-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
+     {
+-    unsigned char buf[20];
++    unsigned char buf[SHA256_DIGEST_LENGTH];
+ 
+-    SHA1_Final(buf,md_ctx);
+-    SHA1_Update(o_ctx,buf,sizeof buf);
+-    SHA1_Final(md,o_ctx);
++    SHA256_Final(buf,md_ctx);
++    SHA256_Update(o_ctx,buf,sizeof buf);
++    SHA256_Final(md,o_ctx);
+     }
+ 
+ #endif
+@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
+ int main(int argc,char **argv)
+     {
+ #ifdef OPENSSL_FIPS
+-    static char key[]="etaonrishdlcupfm";
++    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
+     int n,binary=0;
+ 
+     if(argc < 2)
+@@ -125,8 +125,8 @@ int main(int argc,char **argv)
+     for(; n < argc ; ++n)
+ 	{
+ 	FILE *f=fopen(argv[n],"rb");
+-	SHA_CTX md_ctx,o_ctx;
+-	unsigned char md[20];
++	SHA256_CTX md_ctx,o_ctx;
++	unsigned char md[SHA256_DIGEST_LENGTH];
+ 	int i;
+ 
+ 	if(!f)
+@@ -151,18 +151,18 @@ int main(int argc,char **argv)
+ 		else
+ 		    break;
+ 		}
+-	    SHA1_Update(&md_ctx,buf,l);
++	    SHA256_Update(&md_ctx,buf,l);
+ 	    }
+ 	hmac_final(md,&md_ctx,&o_ctx);
+ 
+ 	if (binary)
+ 	    {
+-	    fwrite(md,20,1,stdout);
++	    fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
+ 	    break;	/* ... for single(!) file */
+ 	    }
+ 
+-	printf("HMAC-SHA1(%s)= ",argv[n]);
+-	for(i=0 ; i < 20 ; ++i)
++/*	printf("HMAC-SHA1(%s)= ",argv[n]); */
++	for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
+ 	    printf("%02x",md[i]);
+ 	printf("\n");
+ 	}
+diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
+--- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck	2009-08-10 20:11:59.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/Makefile	2009-08-10 20:27:45.000000000 +0200
+@@ -16,6 +16,9 @@ GENERAL=Makefile
+ TEST=fips_test_suite.c fips_randtest.c
+ APPS=
+ 
++PROGRAM= fips_standalone_sha1
++EXE= $(PROGRAM)$(EXE_EXT)
++
+ LIB=$(TOP)/libcrypto.a
+ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
+     fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c  fips_rand.c \
+@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
+     fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o  fips_rand.o \
+     fips_rsa_x931g.o
+ 
++LIBCRYPTO=-L.. -lcrypto
++
+ SRC= $(LIBSRC) fips_standalone_sha1.c
+ 
+ EXHEADER= fips.h fips_rand.h
+@@ -35,13 +40,15 @@ ALL=    $(GENERAL) $(SRC) $(HEADER)
+ top:
+ 	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+ 
+-all:	lib
++all:	lib exe
+ 
+ lib:	$(LIBOBJ)
+ 	$(AR) $(LIB) $(LIBOBJ)
+ 	$(RANLIB) $(LIB) || echo Never mind.
+ 	@touch lib
+ 
++exe:	$(EXE)
++
+ files:
+ 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+ 
+@@ -77,5 +84,9 @@ dclean:
+ clean:
+ 	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+ 
++$(EXE): $(PROGRAM).o
++	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
++	$(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
++
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+ 

openssl-1.0.0-beta3-fipsrng.patch

@@ -0,0 +1,79 @@
+diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
+--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng	2009-08-11 18:12:14.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips.c	2009-08-11 18:14:36.000000000 +0200
+@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
+ 	    goto end;
+ 	    }
+ 
++	/* now switch the RNG into FIPS mode */
++	fips_set_rand_check(FIPS_rand_method());
++	RAND_set_rand_method(FIPS_rand_method());
++
+ 	/* automagically seed PRNG if not already seeded */
+ 	if(!FIPS_rand_status())
+ 	    {
+-	    if(RAND_bytes(buf,sizeof buf) <= 0)
++	    RAND_poll();
++	    if (!FIPS_rand_status())
+ 		{
+ 		fips_selftest_fail = 1;
+ 		ret = 0;
+ 		goto end;
+ 		}
+-	    FIPS_rand_set_key(buf,32);
+-	    FIPS_rand_seed(buf+32,16);
+ 	    }
+ 
+-	/* now switch into FIPS mode */
+-	fips_set_rand_check(FIPS_rand_method());
+-	RAND_set_rand_method(FIPS_rand_method());
+ 	if(FIPS_selftest())
+ 	    fips_set_mode(1);
+ 	else
+diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
+--- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng	2009-08-11 18:12:14.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c	2009-08-11 18:16:48.000000000 +0200
+@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
+ 	{
+ 	int i;
+ 	if (!ctx->keyed)
+-		return 0;
++		{
++		FIPS_RAND_SIZE_T keylen = 16;
++
++		if (seedlen - keylen < AES_BLOCK_LENGTH)
++			return 0;
++		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
++			keylen += 8;
++		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
++			keylen += 8;
++		seedlen -= keylen;
++		fips_set_prng_key(ctx, seed+seedlen, keylen);
++		}
+ 	/* In test mode seed is just supplied data */
+ 	if (ctx->test_mode)
+ 		{
+@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
+ 	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
+ 	unsigned char tmp[AES_BLOCK_LENGTH];
+ 	int i;
++	FIPS_selftest_check();
+ 	if (ctx->error)
+ 		{
+ 		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
+diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
+--- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng	2009-08-11 18:12:13.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h	2009-08-11 18:18:13.000000000 +0200
+@@ -112,8 +112,11 @@
+ #ifndef HEADER_RAND_LCL_H
+ #define HEADER_RAND_LCL_H
+ 
++#ifndef OPENSSL_FIPS
+ #define ENTROPY_NEEDED 32  /* require 256 bits = 32 bytes of randomness */
+-
++#else
++#define ENTROPY_NEEDED 48  /* we need 48 bytes of randomness for FIPS rng */
++#endif
+ 
+ #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)

openssl-1.0.0-beta3-soversion.patch

@@ -0,0 +1,44 @@
+diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure
+--- openssl-1.0.0-beta3/Configure.soversion	2009-08-04 23:06:52.000000000 +0200
++++ openssl-1.0.0-beta3/Configure	2009-08-04 23:06:52.000000000 +0200
+@@ -1514,7 +1514,7 @@ while (<IN>)
+ 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ 		{
+ 		my $sotmp = $1;
+-		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ 		}
+ 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ 		{
+diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org
+--- openssl-1.0.0-beta3/Makefile.org.soversion	2009-08-04 23:06:52.000000000 +0200
++++ openssl-1.0.0-beta3/Makefile.org	2009-08-04 23:11:01.000000000 +0200
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=10
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -289,10 +290,9 @@ clean-shared:
+ link-shared:
+ 	@ set -e; for i in $(SHLIBDIRS); do \
+ 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+-			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ 			symlink.$(SHLIB_TARGET); \
+-		libs="$$libs -l$$i"; \
+ 	done
+ 
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -303,7 +303,7 @@ do_$(SHLIB_TARGET):
+ 			libs="$(LIBKRB5) $$libs"; \
+ 		fi; \
+ 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+-			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ 			LIBDEPS="$$libs $(EX_LIBS)" \
+ 			link_a.$(SHLIB_TARGET); \

openssl-1.0.0-beta4-algo-doc.patch

@@ -0,0 +1,113 @@
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc	2009-10-16 17:29:34.000000000 +0200
++++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod	2009-11-12 14:13:21.000000000 +0100
+@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
+ EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
+ EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
+ EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
+-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
++EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224,
++EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
+ EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
+ EVP digest routines
+ 
+@@ -51,6 +52,10 @@ EVP digest routines
+  const EVP_MD *EVP_md5(void);
+  const EVP_MD *EVP_sha(void);
+  const EVP_MD *EVP_sha1(void);
++ const EVP_MD *EVP_sha224(void);
++ const EVP_MD *EVP_sha256(void);
++ const EVP_MD *EVP_sha384(void);
++ const EVP_MD *EVP_sha512(void);
+  const EVP_MD *EVP_dss(void);
+  const EVP_MD *EVP_dss1(void);
+  const EVP_MD *EVP_mdc2(void);
+@@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
+ 
+ EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
+ B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
+-function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
++function. B<type> will typically be supplied by a function such as EVP_sha1().
+ If B<impl> is NULL then the default implementation of digest B<type> is used.
+ 
+ EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
+@@ -127,9 +132,11 @@ with this digest. For example EVP_sha1()
+ return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
+ algorithms may not be retained in future versions of OpenSSL.
+ 
+-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
+-return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
+-algorithms respectively. The associated signature algorithm is RSA in each case.
++EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
++EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160()
++return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384,
++SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated
++signature algorithm is RSA in each case.
+ 
+ EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
+ algorithms but using DSS (DSA) for the signature algorithm. Note: there is 
+@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
+ EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
+ size in bytes.
+ 
+-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
++EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
++EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
+ EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
+ corresponding EVP_MD structures.
+ 
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
++++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod	2009-11-12 14:11:03.000000000 +0100
+@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher 
+  int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+  int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ 
++ const EVP_CIPHER *EVP_des_ede3(void);
++ const EVP_CIPHER *EVP_des_ede3_ecb(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
++ const EVP_CIPHER *EVP_des_ede3_ofb(void);
++ const EVP_CIPHER *EVP_des_ede3_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_ecb(void);
++ const EVP_CIPHER *EVP_aes_128_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_cfb1(void);
++ const EVP_CIPHER *EVP_aes_128_cfb8(void);
++ const EVP_CIPHER *EVP_aes_128_cfb128(void);
++ const EVP_CIPHER *EVP_aes_128_ofb(void);
++ const EVP_CIPHER *EVP_aes_192_ecb(void);
++ const EVP_CIPHER *EVP_aes_192_cbc(void);
++ const EVP_CIPHER *EVP_aes_192_cfb1(void);
++ const EVP_CIPHER *EVP_aes_192_cfb8(void);
++ const EVP_CIPHER *EVP_aes_192_cfb128(void);
++ const EVP_CIPHER *EVP_aes_192_ofb(void);
++ const EVP_CIPHER *EVP_aes_256_ecb(void);
++ const EVP_CIPHER *EVP_aes_256_cbc(void);
++ const EVP_CIPHER *EVP_aes_256_cfb1(void);
++ const EVP_CIPHER *EVP_aes_256_cfb8(void);
++ const EVP_CIPHER *EVP_aes_256_cfb128(void);
++ const EVP_CIPHER *EVP_aes_256_ofb(void);
++
+ =head1 DESCRIPTION
+ 
+ The EVP cipher routines are a high level interface to certain
+@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
+ 
+ DESX algorithm in CBC mode.
+ 
++=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
++
++AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
++
++AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
++
++AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
+ =item EVP_rc4(void)
+ 
+ RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.

openssl-1.0.0-beta4-ca-dir.patch

@@ -0,0 +1,36 @@
+diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
+--- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir	2006-04-28 02:30:49.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.pl.in	2009-11-12 12:33:13.000000000 +0100
+@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
+ $X509="$openssl x509";
+ $PKCS12="$openssl pkcs12";
+ 
+-$CATOP="./demoCA";
++$CATOP="/etc/pki/CA";
+ $CAKEY="cakey.pem";
+ $CAREQ="careq.pem";
+ $CACERT="cacert.pem";
+diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
+--- openssl-1.0.0-beta4/apps/CA.sh.ca-dir	2009-10-15 19:27:47.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.sh	2009-11-12 12:35:14.000000000 +0100
+@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
+ X509="$OPENSSL x509"
+ PKCS12="openssl pkcs12"
+ 
+-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
++if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
+ CAKEY=./cakey.pem
+ CAREQ=./careq.pem
+ CACERT=./cacert.pem
+diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
+--- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir	2009-11-12 12:33:13.000000000 +0100
++++ openssl-1.0.0-beta4/apps/openssl.cnf	2009-11-12 12:33:13.000000000 +0100
+@@ -39,7 +39,7 @@ default_ca	= CA_default		# The default c
+ ####################################################################
+ [ CA_default ]
+ 
+-dir		= ./demoCA		# Where everything is kept
++dir		= /etc/pki/CA		# Where everything is kept
+ certs		= $dir/certs		# Where the issued certs are kept
+ crl_dir		= $dir/crl		# Where the issued crl are kept
+ database	= $dir/index.txt	# database index file.

openssl-1.0.0-beta4-default-paths.patch

@@ -0,0 +1,77 @@
+diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
+--- openssl-1.0.0-beta4/apps/s_client.c.default-paths	2009-08-12 15:21:26.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_client.c	2009-11-12 12:26:32.000000000 +0100
+@@ -889,12 +889,13 @@ bad:
+ 	if (!set_cert_key_stuff(ctx,cert,key))
+ 		goto end;
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++		{
++		ERR_print_errors(bio_err);
++		}
++	if (!SSL_CTX_set_default_verify_paths(ctx))
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+ 		ERR_print_errors(bio_err);
+-		/* goto end; */
+ 		}
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
+--- openssl-1.0.0-beta4/apps/s_server.c.default-paths	2009-10-28 18:49:37.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_server.c	2009-11-12 12:31:23.000000000 +0100
+@@ -1408,12 +1408,13 @@ bad:
+ 		}
+ #endif
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++		{
++		ERR_print_errors(bio_err);
++		}
++	if (!SSL_CTX_set_default_verify_paths(ctx))
+ 		{
+-		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+ 		ERR_print_errors(bio_err);
+-		/* goto end; */
+ 		}
+ 	if (vpm)
+ 		SSL_CTX_set1_param(ctx, vpm);
+@@ -1465,8 +1466,11 @@ bad:
+ 		else
+ 			SSL_CTX_sess_set_cache_size(ctx2,128);
+ 
+-		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+-			(!SSL_CTX_set_default_verify_paths(ctx2)))
++		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
++		if (!SSL_CTX_set_default_verify_paths(ctx2))
+ 			{
+ 			ERR_print_errors(bio_err);
+ 			}
+diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
+--- openssl-1.0.0-beta4/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_time.c	2009-11-12 12:26:32.000000000 +0100
+@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
+ 
+ 	SSL_load_error_strings();
+ 
+-	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
++	if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
++		{
++		ERR_print_errors(bio_err);
++		}
++	if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+ 		ERR_print_errors(bio_err);
+-		/* goto end; */
+ 		}
+ 
+ 	if (tm_cipher == NULL)

openssl-1.0.0-beta4-dtls1-abi.patch

@@ -0,0 +1,25 @@
+Adding struct member is ABI breaker however as the structure is always allocated by
+the library calls we just move it to the end and it should be reasonably safe.
+diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
+--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi	2009-11-12 14:34:37.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/dtls1.h	2009-11-12 14:47:57.000000000 +0100
+@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
+ 	 */
+ 	record_pqueue buffered_app_data;
+ 
+-	/* Is set when listening for new connections with dtls1_listen() */
+-	unsigned int listen;
+-
+ 	unsigned int mtu; /* max DTLS packet size */
+ 
+ 	struct hm_header_st w_msg_hdr;
+@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
+ 	unsigned int retransmitting;
+ 	unsigned int change_cipher_spec_ok;
+ 
++	/* Is set when listening for new connections with dtls1_listen() */
++	unsigned int listen;
++
+ 	} DTLS1_STATE;
+ 
+ typedef struct dtls1_record_data_st

openssl-1.0.0-beta4-redhat.patch

@@ -0,0 +1,59 @@
+diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.redhat	2009-11-09 15:11:13.000000000 +0100
++++ openssl-1.0.0-beta4/Configure	2009-11-12 12:15:27.000000000 +0100
+@@ -336,32 +336,32 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # It's believed that majority of ARM toolchains predefine appropriate -march.
+ # If you compiler does not, do complement config command line with one!
+-"linux-armv4",	"gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-armv4",	"gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ #### IA-32 targets...
+ "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -375,8 +375,8 @@ my %table=(
+ #
+ #					<appro@fy.chalmers.se>
+ #
+-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ 

openssl-1.0.0-beta5-cipher-change.patch

@@ -0,0 +1,21 @@
+diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
+--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change	2010-01-20 18:12:07.000000000 +0100
++++ openssl-1.0.0-beta5/ssl/ssl.h	2010-01-20 18:13:04.000000000 +0100
+@@ -513,7 +513,7 @@ typedef struct ssl_session_st
+ #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L
+ /* Allow initial connection to servers that don't support RI */
+ #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
+-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
++#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L /* no effect since 1.0.0c due to CVE-2010-4180 */
+ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
+ #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
+ #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
+@@ -530,7 +530,7 @@ typedef struct ssl_session_st
+ 
+ /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
+  *             This used to be 0x000FFFFFL before 0.9.7. */
+-#define SSL_OP_ALL					0x80000FFFL
++#define SSL_OP_ALL					0x80000FF7L
+ 
+ /* DTLS options */
+ #define SSL_OP_NO_QUERY_MTU                 0x00001000L

openssl-1.0.0-beta5-enginesdir.patch

@@ -0,0 +1,52 @@
+diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
+--- openssl-1.0.0-beta5/Configure.enginesdir	2010-01-20 18:07:05.000000000 +0100
++++ openssl-1.0.0-beta5/Configure	2010-01-20 18:10:48.000000000 +0100
+@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -833,6 +834,10 @@ PROCESS_ARGS:
+ 				{
+ 				$openssldir=$1;
+ 				}
++			elsif (/^--enginesdir=(.*)$/)
++				{
++				$enginesdir=$1;
++				}
+ 			elsif (/^--install.prefix=(.*)$/)
+ 				{
+ 				$install_prefix=$1;
+@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
+ 
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+ 
+ print "IsMK1MF=$IsMK1MF\n";
+ 
+@@ -1673,7 +1678,7 @@ while (<IN>)
+ 		}
+ 	elsif	(/^#define\s+ENGINESDIR/)
+ 		{
+-		my $foo = "$prefix/$libdir/engines";
++		my $foo = "$enginesdir";
+ 		$foo =~ s/\\/\\\\/g;
+ 		print OUT "#define ENGINESDIR \"$foo\"\n";
+ 		}
+diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
+--- openssl-1.0.0-beta5/engines/Makefile.enginesdir	2010-01-16 21:06:09.000000000 +0100
++++ openssl-1.0.0-beta5/engines/Makefile	2010-01-20 18:07:05.000000000 +0100
+@@ -124,7 +124,7 @@ install:
+ 				sfx=".so"; \
+ 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ 			  fi; \
+-			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++			  chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ 		done; \
+ 	fi

openssl-1.0.0-beta5-readme-warning.patch

@@ -0,0 +1,39 @@
+diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
+--- openssl-1.0.0-beta5/README.warning	2010-01-20 16:00:47.000000000 +0100
++++ openssl-1.0.0-beta5/README	2010-01-21 09:06:11.000000000 +0100
+@@ -5,6 +5,35 @@
+  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+  All rights reserved.
+ 
++ WARNING
++ -------
++
++ This version of OpenSSL is built in a way that supports operation in
++ the so called FIPS mode. Note though that the library as we build it
++ is not FIPS validated and the FIPS mode is present for testing purposes
++ only.
++ 
++ This version also contains a few differences from the upstream code
++ some of which are:
++   * There are added changes forward ported from the upstream OpenSSL
++     0.9.8 FIPS branch however the FIPS integrity verification check
++     is implemented differently from the upstream FIPS validated OpenSSL
++     module. It verifies HMAC-SHA256 checksum of the whole shared
++     libraries. For this reason the changes are ported to files in the
++     crypto directory and not in a separate fips subdirectory. Also
++     note that the FIPS integrity verification check requires unmodified
++     libcrypto and libssl shared library files which means that it will
++     fail if these files are modified for example by prelink.
++   * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
++     tries to initialize the FIPS mode if it is set to 1 aborting if the
++     FIPS mode could not be initialized. It is also possible to force the
++     OpenSSL library to FIPS mode especially for debugging purposes by
++     setting the environment variable OPENSSL_FORCE_FIPS_MODE.
++   * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
++     will not automatically load the built in compression method ZLIB
++     when initialized. Applications can still explicitely ask for ZLIB
++     compression method.
++
+  DESCRIPTION
+  -----------
+ 

openssl-1.0.0-name-hash.patch

@@ -0,0 +1,22 @@
+diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
+--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash	2010-01-12 18:27:10.000000000 +0100
++++ openssl-1.0.0/crypto/x509/x509_cmp.c	2010-04-06 16:44:52.000000000 +0200
+@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
+ 	{
+ 	unsigned long ret=0;
+ 	unsigned char md[16];
++	EVP_MD_CTX ctx; 
+ 
+ 	/* Make sure X509_NAME structure contains valid cached encoding */
+ 	i2d_X509_NAME(x,NULL);
+-	EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
++
++	EVP_MD_CTX_init(&ctx);
++	EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++        EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
++		&& EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
++		&& EVP_DigestFinal_ex(&ctx, md, NULL);
++	EVP_MD_CTX_cleanup(&ctx);
+ 
+ 	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+ 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)

openssl-1.0.0-timezone.patch

@@ -0,0 +1,21 @@
+diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
+--- openssl-1.0.0/Makefile.org.timezone	2010-03-30 11:08:40.000000000 +0200
++++ openssl-1.0.0/Makefile.org	2010-04-06 12:49:21.000000000 +0200
+@@ -609,7 +609,7 @@ install_docs:
+ 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
+ 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ 		(cd `$(PERL) util/dirname.pl $$i`; \
+-		sh -c "$$pod2man \
++		sh -c "TZ=UTC $$pod2man \
+ 			--section=$$sec --center=OpenSSL \
+ 			--release=$(VERSION) `basename $$i`") \
+ 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+@@ -626,7 +626,7 @@ install_docs:
+ 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
+ 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ 		(cd `$(PERL) util/dirname.pl $$i`; \
+-		sh -c "$$pod2man \
++		sh -c "TZ=UTC $$pod2man \
+ 			--section=$$sec --center=OpenSSL \
+ 			--release=$(VERSION) `basename $$i`") \
+ 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \

openssl-1.0.0a-fipsmode.patch

@@ -0,0 +1,272 @@
+diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
+--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode	2009-07-01 16:55:58.000000000 +0200
++++ openssl-1.0.0a/crypto/engine/eng_all.c	2010-06-04 13:32:13.000000000 +0200
+@@ -58,9 +58,23 @@
+ 
+ #include "cryptlib.h"
+ #include "eng_int.h"
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+ 
+ void ENGINE_load_builtin_engines(void)
+ 	{
++#ifdef OPENSSL_FIPS
++	OPENSSL_init_library();
++	if (FIPS_mode()) {
++		/* We allow loading dynamic engine as a third party
++		   engine might be FIPS validated.
++		   User is disallowed to load non-validated engines
++		   by security policy. */
++		ENGINE_load_dynamic();
++		return;
++	}
++#endif
+ #if 0
+ 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
+ 	 * it is the *only* way for standard builtin implementations to be be
+diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
+--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode	2009-12-25 15:12:24.000000000 +0100
++++ openssl-1.0.0a/crypto/evp/c_allc.c	2010-06-04 13:32:13.000000000 +0200
+@@ -65,6 +65,11 @@
+ void OpenSSL_add_all_ciphers(void)
+ 	{
+ 
++#ifdef OPENSSL_FIPS
++	OPENSSL_init_library();
++	if(!FIPS_mode()) 
++		{
++#endif
+ #ifndef OPENSSL_NO_DES
+ 	EVP_add_cipher(EVP_des_cfb());
+ 	EVP_add_cipher(EVP_des_cfb1());
+@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
+ 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
+ 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++		}
++	else
++		{
++#ifndef OPENSSL_NO_DES
++	EVP_add_cipher(EVP_des_ede_cfb());
++	EVP_add_cipher(EVP_des_ede3_cfb());
++
++	EVP_add_cipher(EVP_des_ede_ofb());
++	EVP_add_cipher(EVP_des_ede3_ofb());
++
++	EVP_add_cipher(EVP_des_ede_cbc());
++	EVP_add_cipher(EVP_des_ede3_cbc());
++	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
++	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
++
++	EVP_add_cipher(EVP_des_ede());
++	EVP_add_cipher(EVP_des_ede3());
++#endif
++
++#ifndef OPENSSL_NO_AES
++	EVP_add_cipher(EVP_aes_128_ecb());
++	EVP_add_cipher(EVP_aes_128_cbc());
++	EVP_add_cipher(EVP_aes_128_cfb());
++	EVP_add_cipher(EVP_aes_128_cfb1());
++	EVP_add_cipher(EVP_aes_128_cfb8());
++	EVP_add_cipher(EVP_aes_128_ofb());
++#if 0
++	EVP_add_cipher(EVP_aes_128_ctr());
++#endif
++	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
++	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
++	EVP_add_cipher(EVP_aes_192_ecb());
++	EVP_add_cipher(EVP_aes_192_cbc());
++	EVP_add_cipher(EVP_aes_192_cfb());
++	EVP_add_cipher(EVP_aes_192_cfb1());
++	EVP_add_cipher(EVP_aes_192_cfb8());
++	EVP_add_cipher(EVP_aes_192_ofb());
++#if 0
++	EVP_add_cipher(EVP_aes_192_ctr());
++#endif
++	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
++	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
++	EVP_add_cipher(EVP_aes_256_ecb());
++	EVP_add_cipher(EVP_aes_256_cbc());
++	EVP_add_cipher(EVP_aes_256_cfb());
++	EVP_add_cipher(EVP_aes_256_cfb1());
++	EVP_add_cipher(EVP_aes_256_cfb8());
++	EVP_add_cipher(EVP_aes_256_ofb());
++#if 0
++	EVP_add_cipher(EVP_aes_256_ctr());
++#endif
++	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
++	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
++#endif
++		}
++#endif
+ 	}
+diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
+--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
++++ openssl-1.0.0a/crypto/evp/c_alld.c	2010-06-04 13:32:13.000000000 +0200
+@@ -64,6 +64,11 @@
+ 
+ void OpenSSL_add_all_digests(void)
+ 	{
++#ifdef OPENSSL_FIPS
++	OPENSSL_init_library();
++	if (!FIPS_mode())
++		{
++#endif
+ #ifndef OPENSSL_NO_MD4
+ 	EVP_add_digest(EVP_md4());
+ #endif
+@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
+ #ifndef OPENSSL_NO_WHIRLPOOL
+ 	EVP_add_digest(EVP_whirlpool());
+ #endif
++#ifdef OPENSSL_FIPS
++		}
++	else
++		{
++#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
++	EVP_add_digest(EVP_sha1());
++	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
++	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
++#ifndef OPENSSL_NO_DSA
++	EVP_add_digest(EVP_dss1());
++	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
++	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
++	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
++#endif
++#ifndef OPENSSL_NO_ECDSA
++	EVP_add_digest(EVP_ecdsa());
++#endif
++#endif
++#ifndef OPENSSL_NO_SHA256
++	EVP_add_digest(EVP_sha224());
++	EVP_add_digest(EVP_sha256());
++#endif
++#ifndef OPENSSL_NO_SHA512
++	EVP_add_digest(EVP_sha384());
++	EVP_add_digest(EVP_sha512());
++#endif
++		}
++#endif
+ 	}
+diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
+--- openssl-1.0.0a/crypto/o_init.c.fipsmode	2010-06-04 13:32:13.000000000 +0200
++++ openssl-1.0.0a/crypto/o_init.c	2010-06-04 13:32:13.000000000 +0200
+@@ -59,6 +59,43 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+ 
++#ifdef OPENSSL_FIPS
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include <errno.h>
++#include <stdlib.h>
++#include <openssl/fips.h>
++
++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++	{
++	char buf[2] = "0";
++	int fd;
++	
++	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
++		{
++		buf[0] = '1';
++		}
++	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
++		{
++		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
++		close(fd);
++		}
++	/* Failure reading the fips mode switch file means just not
++	 * switching into FIPS mode. We would break too many things
++	 * otherwise. 
++	 */
++	
++	if (buf[0] == '1')
++		{
++		FIPS_mode_set(1);
++		}
++	}
++#endif
++
+ /* Perform any essential OpenSSL initialization operations.
+  * Currently only sets FIPS callbacks
+  */
+@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
+ #ifdef CRYPTO_MDEBUG
+ 		CRYPTO_malloc_debug_init();
+ #endif
++		init_fips_mode();
+ 		done = 1;
+ 		}
+ #endif
+diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
+--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode	2010-04-07 15:18:30.000000000 +0200
++++ openssl-1.0.0a/ssl/ssl_algs.c	2010-06-04 13:32:48.000000000 +0200
+@@ -64,6 +64,12 @@
+ int SSL_library_init(void)
+ 	{
+ 
++#ifdef OPENSSL_FIPS
++	OPENSSL_init_library();
++	if (!FIPS_mode())
++		{
++#endif
++
+ #ifndef OPENSSL_NO_DES
+ 	EVP_add_cipher(EVP_des_cbc());
+ 	EVP_add_cipher(EVP_des_ede3_cbc());
+@@ -127,6 +133,48 @@ int SSL_library_init(void)
+ 	EVP_add_digest(EVP_sha());
+ 	EVP_add_digest(EVP_dss());
+ #endif
++#ifdef OPENSSL_FIPS
++		}
++	else
++		{
++#ifndef OPENSSL_NO_DES
++	EVP_add_cipher(EVP_des_ede3_cbc());
++#endif
++#ifndef OPENSSL_NO_AES
++	EVP_add_cipher(EVP_aes_128_cbc());
++	EVP_add_cipher(EVP_aes_192_cbc());
++	EVP_add_cipher(EVP_aes_256_cbc());
++#endif
++#ifndef OPENSSL_NO_MD5
++	/* needed even in the FIPS mode for TLS MAC */
++	EVP_add_digest(EVP_md5());
++	EVP_add_digest_alias(SN_md5,"ssl2-md5");
++	EVP_add_digest_alias(SN_md5,"ssl3-md5");
++#endif
++#ifndef OPENSSL_NO_SHA
++	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
++	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
++	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
++#endif
++#ifndef OPENSSL_NO_SHA256
++	EVP_add_digest(EVP_sha224());
++	EVP_add_digest(EVP_sha256());
++#endif
++#ifndef OPENSSL_NO_SHA512
++	EVP_add_digest(EVP_sha384());
++	EVP_add_digest(EVP_sha512());
++#endif
++#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
++	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
++	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
++	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
++	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
++#endif
++#ifndef OPENSSL_NO_ECDSA
++	EVP_add_digest(EVP_ecdsa());
++#endif
++		}
++#endif
+ #ifndef OPENSSL_NO_COMP
+ 	/* This will initialise the built-in compression algorithms.
+ 	   The value returned is a STACK_OF(SSL_COMP), but that can

openssl-1.0.0a-manfix.patch

@@ -0,0 +1,21 @@
+diff -up openssl-1.0.0a/doc/apps/openssl.pod.manfix openssl-1.0.0a/doc/apps/openssl.pod
+--- openssl-1.0.0a/doc/apps/openssl.pod.manfix	2010-01-21 19:46:28.000000000 +0100
++++ openssl-1.0.0a/doc/apps/openssl.pod	2010-06-30 14:24:50.000000000 +0200
+@@ -287,8 +287,6 @@ SHA Digest
+ 
+ SHA-1 Digest
+ 
+-=back
+-
+ =item B<sha224>
+ 
+ SHA-224 Digest
+@@ -305,6 +303,8 @@ SHA-384 Digest
+ 
+ SHA-512 Digest
+ 
++=back
++
+ =head2 ENCODING AND CIPHER COMMANDS
+ 
+ =over 10

openssl-1.0.0b-ipv6-apps.patch

@@ -0,0 +1,496 @@
+diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
+--- openssl-1.0.0b/apps/s_apps.h.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
++++ openssl-1.0.0b/apps/s_apps.h	2010-11-16 17:19:29.000000000 +0100
+@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
+ #define PORT_STR        "4433"
+ #define PROTOCOL        "tcp"
+ 
+-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
++int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
+ #ifdef HEADER_X509_H
+ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+ #endif
+@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, 
+ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
+ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
+ #endif
+-int init_client(int *sock, char *server, int port, int type);
++int init_client(int *sock, char *server, char *port, int type);
+ int should_retry(int i);
+-int extract_port(char *str, short *port_ptr);
+-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
++int extract_host_port(char *str,char **host_ptr,char **port_ptr);
+ 
+ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+ 				   int argi, long argl, long ret);
+diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
+--- openssl-1.0.0b/apps/s_client.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
++++ openssl-1.0.0b/apps/s_client.c	2010-11-16 17:19:29.000000000 +0100
+@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
+ 	int cbuf_len,cbuf_off;
+ 	int sbuf_len,sbuf_off;
+ 	fd_set readfds,writefds;
+-	short port=PORT;
++	char *port_str = PORT_STR;
+ 	int full_log=1;
+ 	char *host=SSL_HOST_NAME;
+ 	char *cert_file=NULL,*key_file=NULL;
+@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
+ 		else if	(strcmp(*argv,"-port") == 0)
+ 			{
+ 			if (--argc < 1) goto bad;
+-			port=atoi(*(++argv));
+-			if (port == 0) goto bad;
++			port_str= *(++argv);
+ 			}
+ 		else if (strcmp(*argv,"-connect") == 0)
+ 			{
+ 			if (--argc < 1) goto bad;
+-			if (!extract_host_port(*(++argv),&host,NULL,&port))
++			if (!extract_host_port(*(++argv),&host,&port_str))
+ 				goto bad;
+ 			}
+ 		else if	(strcmp(*argv,"-verify") == 0)
+@@ -967,7 +966,7 @@ bad:
+ 
+ re_start:
+ 
+-	if (init_client(&s,host,port,socket_type) == 0)
++	if (init_client(&s,host,port_str,socket_type) == 0)
+ 		{
+ 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
+ 		SHUTDOWN(s);
+diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
+--- openssl-1.0.0b/apps/s_server.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
++++ openssl-1.0.0b/apps/s_server.c	2010-11-16 17:19:29.000000000 +0100
+@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
+ 	{
+ 	X509_VERIFY_PARAM *vpm = NULL;
+ 	int badarg = 0;
+-	short port=PORT;
++	char *port_str = PORT_STR;
+ 	char *CApath=NULL,*CAfile=NULL;
+ 	unsigned char *context = NULL;
+ 	char *dhfile = NULL;
+@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
+ 			 (strcmp(*argv,"-accept") == 0))
+ 			{
+ 			if (--argc < 1) goto bad;
+-			if (!extract_port(*(++argv),&port))
+-				goto bad;
++			port_str= *(++argv);
+ 			}
+ 		else if	(strcmp(*argv,"-verify") == 0)
+ 			{
+@@ -1700,9 +1699,9 @@ bad:
+ 	BIO_printf(bio_s_out,"ACCEPT\n");
+ 	(void)BIO_flush(bio_s_out);
+ 	if (www)
+-		do_server(port,socket_type,&accept_socket,www_body, context);
++		do_server(port_str,socket_type,&accept_socket,www_body, context);
+ 	else
+-		do_server(port,socket_type,&accept_socket,sv_body, context);
++		do_server(port_str,socket_type,&accept_socket,sv_body, context);
+ 	print_stats(bio_s_out,ctx);
+ 	ret=0;
+ end:
+diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
+--- openssl-1.0.0b/apps/s_socket.c.ipv6-apps	2010-07-05 13:03:22.000000000 +0200
++++ openssl-1.0.0b/apps/s_socket.c	2010-11-16 17:27:18.000000000 +0100
+@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
+ static void ssl_sock_cleanup(void);
+ #endif
+ static int ssl_sock_init(void);
+-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
+-static int init_server(int *sock, int port, int type);
+-static int init_server_long(int *sock, int port,char *ip, int type);
++static int init_server(int *sock, char *port, int type);
+ static int do_accept(int acc_sock, int *sock, char **host);
+ static int host_ip(char *str, unsigned char ip[4]);
+ 
+@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
+ 	return(1);
+ 	}
+ 
+-int init_client(int *sock, char *host, int port, int type)
++int init_client(int *sock, char *host, char *port, int type)
+ 	{
+-	unsigned char ip[4];
+-
+-	if (!host_ip(host,&(ip[0])))
+-		{
+-		return(0);
+-		}
+-	return(init_client_ip(sock,ip,port,type));
+-	}
+-
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
+-	{
+-	unsigned long addr;
+-	struct sockaddr_in them;
+-	int s,i;
++	struct addrinfo *res, *res0, hints;
++	char * failed_call = NULL;
++	int s;
++	int e;
+ 
+ 	if (!ssl_sock_init()) return(0);
+ 
+-	memset((char *)&them,0,sizeof(them));
+-	them.sin_family=AF_INET;
+-	them.sin_port=htons((unsigned short)port);
+-	addr=(unsigned long)
+-		((unsigned long)ip[0]<<24L)|
+-		((unsigned long)ip[1]<<16L)|
+-		((unsigned long)ip[2]<< 8L)|
+-		((unsigned long)ip[3]);
+-	them.sin_addr.s_addr=htonl(addr);
+-
+-	if (type == SOCK_STREAM)
+-		s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+-	else /* ( type == SOCK_DGRAM) */
+-		s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
+-			
+-	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
++	memset(&hints, '\0', sizeof(hints));
++	hints.ai_socktype = type;
++	hints.ai_flags = AI_ADDRCONFIG;
++
++	e = getaddrinfo(host, port, &hints, &res);
++	if (e)
++	{
++		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
++		if (e == EAI_SYSTEM)
++			perror("getaddrinfo");
++		return (0);
++		}
+ 
++	res0 = res;
++	while (res)
++		{
++		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++		if (s == INVALID_SOCKET)
++			{
++			failed_call = "socket";
++			goto nextres;
++			}
+ #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+ 	if (type == SOCK_STREAM)
+ 		{
+-		i=0;
+-		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+-		if (i < 0) { perror("keepalive"); return(0); }
++			int i=0;
++			i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
++				(char *)&i,sizeof(i));
++			if (i < 0) {
++				failed_call = "keepalive";
++				goto nextres;
++				}
+ 		}
+ #endif
+-
+-	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
+-		{ closesocket(s); perror("connect"); return(0); }
++		if (connect(s,(struct sockaddr *)res->ai_addr,
++			res->ai_addrlen) == 0)
++			{
++			freeaddrinfo(res0);
+ 	*sock=s;
+ 	return(1);
+ 	}
+ 
+-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
++		failed_call = "socket";
++nextres:
++		if (s != INVALID_SOCKET)
++			close(s);
++		res = res->ai_next;
++		}
++	freeaddrinfo(res0);
++
++	perror(failed_call);
++	return(0);
++	}
++
++int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
+ 	{
+ 	int sock;
+ 	char *name = NULL;
+@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
+ 		}
+ 	}
+ 
+-static int init_server_long(int *sock, int port, char *ip, int type)
++static int init_server(int *sock, char *port, int type)
+ 	{
+-	int ret=0;
+-	struct sockaddr_in server;
+-	int s= -1;
++	struct addrinfo *res, *res0, hints;
++	char * failed_call = NULL;
++	char port_name[8];
++	int s;
++	int e;
+ 
+ 	if (!ssl_sock_init()) return(0);
+ 
+-	memset((char *)&server,0,sizeof(server));
+-	server.sin_family=AF_INET;
+-	server.sin_port=htons((unsigned short)port);
+-	if (ip == NULL)
+-		server.sin_addr.s_addr=INADDR_ANY;
+-	else
+-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
+-#ifndef BIT_FIELD_LIMITS
+-		memcpy(&server.sin_addr.s_addr,ip,4);
+-#else
+-		memcpy(&server.sin_addr,ip,4);
+-#endif
++	memset(&hints, '\0', sizeof(hints));
++	hints.ai_socktype = type;
++	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+ 	
+-		if (type == SOCK_STREAM)
+-			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+-		else /* type == SOCK_DGRAM */
+-			s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
++	e = getaddrinfo(NULL, port, &hints, &res);
++	if (e)
++		{
++		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
++		if (e == EAI_SYSTEM)
++			perror("getaddrinfo");
++		return (0);
++		}
+ 
+-	if (s == INVALID_SOCKET) goto err;
++	res0 = res;
++	while (res)
++		{
++		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++		if (s == INVALID_SOCKET)
++			{
++			failed_call = "socket";
++			goto nextres;
++			}
+ #if defined SOL_SOCKET && defined SO_REUSEADDR
+ 		{
+ 		int j = 1;
+@@ -357,35 +372,39 @@ static int init_server_long(int *sock, i
+ 			   (void *) &j, sizeof j);
+ 		}
+ #endif
+-	if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
++
++		if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
+ 		{
+-#ifndef OPENSSL_SYS_WINDOWS
+-		perror("bind");
+-#endif
+-		goto err;
++			failed_call = "bind";
++			goto nextres;
+ 		}
+-	/* Make it 128 for linux */
+-	if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
+-	*sock=s;
+-	ret=1;
+-err:
+-	if ((ret == 0) && (s != -1))
++		if (type==SOCK_STREAM && listen(s,128) == -1)
+ 		{
+-		SHUTDOWN(s);
++			failed_call = "listen";
++			goto nextres;
+ 		}
+-	return(ret);
++
++		*sock=s;
++		return(1);
++
++nextres:
++		if (s != INVALID_SOCKET)
++			close(s);
++		res = res->ai_next;
+ 	}
++	freeaddrinfo(res0);
+ 
+-static int init_server(int *sock, int port, int type)
+-	{
+-	return(init_server_long(sock, port, NULL, type));
++	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
++
++	perror(failed_call);
++	return(0);
+ 	}
+ 
+ static int do_accept(int acc_sock, int *sock, char **host)
+ 	{
++	static struct sockaddr_storage from;
++	char buffer[NI_MAXHOST];
+ 	int ret;
+-	struct hostent *h1,*h2;
+-	static struct sockaddr_in from;
+ 	int len;
+ /*	struct linger ling; */
+ 
+@@ -432,135 +451,58 @@ redoit:
+ */
+ 
+ 	if (host == NULL) goto end;
+-#ifndef BIT_FIELD_LIMITS
+-	/* I should use WSAAsyncGetHostByName() under windows */
+-	h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
+-		sizeof(from.sin_addr.s_addr),AF_INET);
+-#else
+-	h1=gethostbyaddr((char *)&from.sin_addr,
+-		sizeof(struct in_addr),AF_INET);
+-#endif
+-	if (h1 == NULL)
++
++	if (getnameinfo((struct sockaddr *)&from, sizeof(from),
++		buffer, sizeof(buffer),
++		NULL, 0, 0))
+ 		{
+-		BIO_printf(bio_err,"bad gethostbyaddr\n");
++		BIO_printf(bio_err,"getnameinfo failed\n");
+ 		*host=NULL;
+ 		/* return(0); */
+ 		}
+ 	else
+ 		{
+-		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
++		if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
+ 			{
+ 			perror("OPENSSL_malloc");
+ 			return(0);
+ 			}
+-		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
+-
+-		h2=GetHostByName(*host);
+-		if (h2 == NULL)
+-			{
+-			BIO_printf(bio_err,"gethostbyname failure\n");
+-			return(0);
+-			}
+-		if (h2->h_addrtype != AF_INET)
+-			{
+-			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+-			return(0);
+-			}
++		strcpy(*host, buffer);
+ 		}
+ end:
+ 	*sock=ret;
+ 	return(1);
+ 	}
+ 
+-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+-	     short *port_ptr)
++int extract_host_port(char *str, char **host_ptr, 
++	     char **port_ptr)
+ 	{
+-	char *h,*p;
++	char *h,*p,*x;
+ 
+-	h=str;
+-	p=strchr(str,':');
++	x=h=str;
++	if (*h == '[')
++		{
++		h++;
++		p=strchr(h,']');
+ 	if (p == NULL)
+ 		{
+-		BIO_printf(bio_err,"no port defined\n");
++			BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
+ 		return(0);
+ 		}
+ 	*(p++)='\0';
+-
+-	if ((ip != NULL) && !host_ip(str,ip))
+-		goto err;
+-	if (host_ptr != NULL) *host_ptr=h;
+-
+-	if (!extract_port(p,port_ptr))
+-		goto err;
+-	return(1);
+-err:
+-	return(0);
++		x = p;
+ 	}
+-
+-static int host_ip(char *str, unsigned char ip[4])
+-	{
+-	unsigned int in[4]; 
+-	int i;
+-
+-	if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
+-		{
+-		for (i=0; i<4; i++)
+-			if (in[i] > 255)
+-				{
+-				BIO_printf(bio_err,"invalid IP address\n");
+-				goto err;
+-				}
+-		ip[0]=in[0];
+-		ip[1]=in[1];
+-		ip[2]=in[2];
+-		ip[3]=in[3];
+-		}
+-	else
+-		{ /* do a gethostbyname */
+-		struct hostent *he;
+-
+-		if (!ssl_sock_init()) return(0);
+-
+-		he=GetHostByName(str);
+-		if (he == NULL)
+-			{
+-			BIO_printf(bio_err,"gethostbyname failure\n");
+-			goto err;
+-			}
+-		/* cast to short because of win16 winsock definition */
+-		if ((short)he->h_addrtype != AF_INET)
++	p=strchr(x,':');
++	if (p == NULL)
+ 			{
+-			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+-			return(0);
+-			}
+-		ip[0]=he->h_addr_list[0][0];
+-		ip[1]=he->h_addr_list[0][1];
+-		ip[2]=he->h_addr_list[0][2];
+-		ip[3]=he->h_addr_list[0][3];
+-		}
+-	return(1);
+-err:
++		BIO_printf(bio_err,"no port defined\n");
+ 	return(0);
+ 	}
++	*(p++)='\0';
+ 
+-int extract_port(char *str, short *port_ptr)
+-	{
+-	int i;
+-	struct servent *s;
++	if (host_ptr != NULL) *host_ptr=h;
++	if (port_ptr != NULL) *port_ptr=p;
+ 
+-	i=atoi(str);
+-	if (i != 0)
+-		*port_ptr=(unsigned short)i;
+-	else
+-		{
+-		s=getservbyname(str,"tcp");
+-		if (s == NULL)
+-			{
+-			BIO_printf(bio_err,"getservbyname failure for %s\n",str);
+-			return(0);
+-			}
+-		*port_ptr=ntohs((unsigned short)s->s_port);
+-		}
+ 	return(1);
+ 	}
+ 

openssl-1.0.0c-apps-ipv6listen.patch

@@ -0,0 +1,57 @@
+diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
+--- openssl-1.0.0c/apps/s_socket.c.ipv6listen	2011-01-24 16:44:18.000000000 +0100
++++ openssl-1.0.0c/apps/s_socket.c	2011-01-24 16:56:25.000000000 +0100
+@@ -335,15 +335,16 @@ int do_server(char *port, int type, int 
+ 
+ static int init_server(int *sock, char *port, int type)
+ 	{
+-	struct addrinfo *res, *res0, hints;
++	struct addrinfo *res, *res0 = NULL, hints;
+ 	char * failed_call = NULL;
+-	char port_name[8];
+ 	int s;
+ 	int e;
+ 
+ 	if (!ssl_sock_init()) return(0);
+ 
+ 	memset(&hints, '\0', sizeof(hints));
++        hints.ai_family = AF_INET6;
++tryipv4:
+ 	hints.ai_socktype = type;
+ 	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+ 	
+@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
+ 			failed_call = "socket";
+ 			goto nextres;
+ 			}
++		if (hints.ai_family == AF_INET6)
++			{
++			int j = 0;
++			setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
++				   (void *) &j, sizeof j);
++			}
+ #if defined SOL_SOCKET && defined SO_REUSEADDR
+ 		{
+ 		int j = 1;
+@@ -392,9 +399,19 @@ nextres:
+ 			close(s);
+ 		res = res->ai_next;
+ 	}
+-	freeaddrinfo(res0);
++	if (res0)
++		freeaddrinfo(res0);
+ 
+-	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
++	if (s == INVALID_SOCKET)
++	{
++		if (hints.ai_family == AF_INET6)
++		{
++			hints.ai_family = AF_INET;
++			goto tryipv4;
++		}
++		perror("socket");
++		return(0);
++	}
+ 
+ 	perror(failed_call);
+ 	return(0);

openssl-1.0.0c-fips-md5-allow.patch

@@ -0,0 +1,20 @@
+diff -up openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.0c/crypto/md5/md5_dgst.c
+--- openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow	2011-02-03 19:53:28.000000000 +0100
++++ openssl-1.0.0c/crypto/md5/md5_dgst.c	2011-02-03 20:33:14.000000000 +0100
+@@ -75,7 +75,15 @@ const char MD5_version[]="MD5" OPENSSL_V
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+ 
+-FIPS_NON_FIPS_MD_Init(MD5)
++int MD5_Init(MD5_CTX *c)
++#ifdef OPENSSL_FIPS
++	{
++	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++		FIPS_BAD_ALGORITHM(alg)
++	return private_MD5_Init(c);
++	}
++int private_MD5_Init(MD5_CTX *c)
++#endif
+ 	{
+ 	memset (c,0,sizeof(*c));
+ 	c->A=INIT_DATA_A;

openssl-1.0.0c-fips186-3.patch

@@ -0,0 +1,384 @@
+diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c
+--- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3	2011-02-03 21:04:14.000000000 +0100
++++ openssl-1.0.0c/crypto/dsa/dsa_gen.c	2011-02-04 08:54:42.000000000 +0100
+@@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 	int ok=0;
+ 	unsigned char seed[SHA256_DIGEST_LENGTH];
+ 	unsigned char md[SHA256_DIGEST_LENGTH];
+-	unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
++	unsigned char buf[SHA256_DIGEST_LENGTH];
+ 	BIGNUM *r0,*W,*X,*c,*test;
+ 	BIGNUM *g=NULL,*q=NULL,*p=NULL;
+ 	BN_MONT_CTX *mont=NULL;
+-	int i, k, n=0, m=0, qsize = qbits >> 3;
++	int i, k, b, n=0, m=0, qsize = qbits >> 3;
+ 	int counter=0;
+ 	int r=0;
+ 	BN_CTX *ctx=NULL;
+@@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 	    goto err;
+ 	    }
+ 
+-	if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
++	if (FIPS_mode() &&
++	    (bits != 1024 || qbits != 160) &&
++	    (bits != 2048 || qbits != 224) &&
++	    (bits != 2048 || qbits != 256) &&
++	    (bits != 3072 || qbits != 256))
+ 		{
+-		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
+ 		goto err;
+ 		}
+ #endif
+@@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 		return 0;
+ 
+ 	if (evpmd == NULL)
+-		/* use SHA1 as default */
+-		evpmd = EVP_sha1();
++	    {
++		if (qbits <= 160)
++			evpmd = EVP_sha1();
++		else if (qbits <= 224)
++			evpmd = EVP_sha224();
++		else
++			evpmd = EVP_sha256();
++	    }
+ 
+ 	if (bits < 512)
+ 		bits = 512;
+ 
+ 	bits = (bits+63)/64*64;
+ 
+-	/* NB: seed_len == 0 is special case: copy generated seed to
+- 	 * seed_in if it is not NULL.
+- 	 */
+ 	if (seed_len && (seed_len < (size_t)qsize))
+ 		seed_in = NULL;		/* seed buffer too small -- ignore */
+ 	if (seed_len > (size_t)qsize) 
+ 		seed_len = qsize;	/* App. 2.2 of FIPS PUB 186 allows larger SEED,
+-					 * but our internal buffers are restricted to 160 bits*/
++					 * but our internal buffers are restricted to 256 bits*/
+ 	if (seed_in != NULL)
+ 		memcpy(seed, seed_in, seed_len);
+ 
+@@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 	if (!BN_lshift(test,BN_value_one(),bits-1))
+ 		goto err;
+ 
++	/* step 3 n = \lceil bits / qbits \rceil - 1 */
++	n = (bits+qbits-1)/qbits - 1;
++	/* step 4 b = bits - 1 - n * qbits */
++	b = bits - 1 - n*qbits;
++
+ 	for (;;)
+ 		{
+ 		for (;;) /* find q */
+ 			{
+ 			int seed_is_random;
+ 
+-			/* step 1 */
++			/* step 5 generate seed */
+ 			if(!BN_GENCB_call(cb, 0, m++))
+ 				goto err;
+ 
+@@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 				seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
+ 				}
+ 			memcpy(buf , seed, qsize);
+-			memcpy(buf2, seed, qsize);
+-			/* precompute "SEED + 1" for step 7: */
+-			for (i = qsize-1; i >= 0; i--)
+-				{
+-				buf[i]++;
+-				if (buf[i] != 0)
+-					break;
+-				}
+ 
+-			/* step 2 */
++			/* step 6 U = hash(seed) */
+ 			EVP_Digest(seed, qsize, md,   NULL, evpmd, NULL);
+-			EVP_Digest(buf,  qsize, buf2, NULL, evpmd, NULL);
+-			for (i = 0; i < qsize; i++)
+-				md[i]^=buf2[i];
+ 
+-			/* step 3 */
++			/* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
+ 			md[0] |= 0x80;
+ 			md[qsize-1] |= 0x01;
+ 			if (!BN_bin2bn(md, qsize, q))
+ 				goto err;
+ 
+-			/* step 4 */
++			/* step 8 test for prime (64 round of Rabin-Miller) */
+ 			r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
+ 					seed_is_random, cb);
+ 			if (r > 0)
+@@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 			if (r != 0)
+ 				goto err;
+ 
+-			/* do a callback call */
+-			/* step 5 */
+ 			}
+ 
+ 		if(!BN_GENCB_call(cb, 2, 0)) goto err;
+ 		if(!BN_GENCB_call(cb, 3, 0)) goto err;
+ 
+-		/* step 6 */
++		/* step 11 */
+ 		counter=0;
+-		/* "offset = 2" */
+-
+-		n=(bits-1)/160;
++		/* "offset = 1" */
+ 
+ 		for (;;)
+ 			{
+ 			if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
+ 				goto err;
+ 
+-			/* step 7 */
++			/* step 11.1, 11.2 obtain W */
+ 			BN_zero(W);
+-			/* now 'buf' contains "SEED + offset - 1" */
+ 			for (k=0; k<=n; k++)
+ 				{
+ 				/* obtain "SEED + offset + k" by incrementing: */
+@@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 
+ 				EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
+ 
+-				/* step 8 */
+ 				if (!BN_bin2bn(md, qsize, r0))
+ 					goto err;
+-				if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
++				if (k == n)
++					BN_mask_bits(r0,b);
++				if (!BN_lshift(r0,r0,qbits*k)) goto err;
+ 				if (!BN_add(W,W,r0)) goto err;
+ 				}
+ 
+-			/* more of step 8 */
+-			if (!BN_mask_bits(W,bits-1)) goto err;
++			/* step 11.3 X = W + 2^(L-1) */
+ 			if (!BN_copy(X,W)) goto err;
+ 			if (!BN_add(X,X,test)) goto err;
+ 
+-			/* step 9 */
++			/* step 11.4 c = X mod 2*q */
+ 			if (!BN_lshift1(r0,q)) goto err;
+ 			if (!BN_mod(c,X,r0,ctx)) goto err;
++
++			/* step 11.5 p = X - (c - 1) */
+ 			if (!BN_sub(r0,c,BN_value_one())) goto err;
+ 			if (!BN_sub(p,X,r0)) goto err;
+ 
+-			/* step 10 */
++			/* step 11.6 */
+ 			if (BN_cmp(p,test) >= 0)
+ 				{
+-				/* step 11 */
++				/* step 11.7 */
+ 				r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
+ 						ctx, 1, cb);
+ 				if (r > 0)
+@@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ 					goto err;
+ 				}
+ 
+-			/* step 13 */
++			/* step 11.9 */
+ 			counter++;
+ 			/* "offset = offset + n + 1" */
+ 
+-			/* step 14 */
+-			if (counter >= 4096) break;
++			/* step 12 */
++			if (counter >= 4*bits) break;
+ 			}
+ 		}
+ end:
+diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h
+--- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3	2011-02-03 21:04:14.000000000 +0100
++++ openssl-1.0.0c/crypto/dsa/dsa.h	2011-02-03 21:04:14.000000000 +0100
+@@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void);
+ #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 100
+ #define DSA_R_DECODE_ERROR				 104
+ #define DSA_R_INVALID_DIGEST_TYPE			 106
++#define DSA_R_KEY_SIZE_INVALID				 113
+ #define DSA_R_KEY_SIZE_TOO_SMALL			 110
+ #define DSA_R_MISSING_PARAMETERS			 101
+ #define DSA_R_MODULUS_TOO_LARGE				 103
+diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c
+--- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3	2011-02-03 21:14:07.000000000 +0100
++++ openssl-1.0.0c/crypto/dsa/dsatest.c	2011-02-04 08:40:24.000000000 +0100
+@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
+ /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
+  * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
+ static unsigned char seed[20]={
+-	0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
+-	0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
++	0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
++	0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
+ 	};
+ 
+ static unsigned char out_p[]={
+-	0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
+-	0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
+-	0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+-	0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
+-	0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
+-	0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
+-	0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
+-	0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
++	0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
++	0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
++	0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
++	0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
++	0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
++	0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
++	0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
++	0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
++	0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
++	0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
++	0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
+ 	};
+ 
+ static unsigned char out_q[]={
+-	0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
+-	0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
+-	0xda,0xce,0x91,0x5f,
++	0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
++	0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
+ 	};
+ 
+ static unsigned char out_g[]={
+-	0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
+-	0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
+-	0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
+-	0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
+-	0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
+-	0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
+-	0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
+-	0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
++	0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
++	0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
++	0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
++	0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
++	0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
++	0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
++	0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
++	0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
++	0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
++	0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
++	0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
+ 	};
+ 
+ static const unsigned char str1[]="12345678901234567890";
+@@ -157,7 +162,7 @@ int main(int argc, char **argv)
+ 	BIO_printf(bio_err,"test generation of DSA parameters\n");
+ 
+ 	BN_GENCB_set(&cb, dsa_cb, bio_err);
+-	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
++	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
+ 				seed, 20, &counter, &h, &cb))
+ 		goto end;
+ 
+@@ -170,9 +175,9 @@ int main(int argc, char **argv)
+ 	BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
+ 		
+ 	DSA_print(bio_err,dsa,0);
+-	if (counter != 105) 
++	if (counter != 239) 
+ 		{
+-		BIO_printf(bio_err,"counter should be 105\n");
++		BIO_printf(bio_err,"counter should be 239\n");
+ 		goto end;
+ 		}
+ 	if (h != 2)
+diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3	2011-02-03 21:04:14.000000000 +0100
++++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c	2011-02-04 09:03:03.000000000 +0100
+@@ -68,44 +68,42 @@
+ 
+ #ifdef OPENSSL_FIPS
+ 
+-/* seed, out_p, out_q, out_g are taken the NIST test vectors */
+-
+ static unsigned char seed[20] = {
+-	0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
+-	0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
+-  	};
++	0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
++	0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
++	};
+ 
+ static unsigned char out_p[] = {
+-	0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
+-	0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
+-	0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
+-	0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
+-	0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
+-	0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
+-	0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
+-	0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
+-	0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
+-	0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
+-	0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
++	0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
++	0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
++	0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
++	0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
++	0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
++	0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
++	0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
++	0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
++	0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
++	0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
++	0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
+ 	};
+ 
+ static unsigned char out_q[] = {
+-	0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
+-	0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
++	0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
++	0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
+ 	};
+ 
+ static unsigned char out_g[] = {
+-	0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
+-	0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
+-	0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
+-	0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
+-	0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
+-	0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
+-	0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
+-	0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
+-	0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
+-	0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
+-	0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
++	0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
++	0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
++	0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
++	0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
++	0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
++	0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
++	0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
++	0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
++	0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
++	0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
++	0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
+ 	};
+ 
+ static const unsigned char str1[]="12345678901234567890";
+@@ -133,7 +131,7 @@ int FIPS_selftest_dsa()
+ 	goto err;
+     if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL))
+ 	goto err;
+-    if (counter != 378) 
++    if (counter != 239) 
+ 	goto err;
+     if (h != 2)
+ 	goto err;

openssl-1.0.0c-pkcs12-fips-default.patch

@@ -0,0 +1,25 @@
+diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
+--- openssl-1.0.0c/apps/pkcs12.c.fips-default	2009-07-27 23:08:45.000000000 +0200
++++ openssl-1.0.0c/apps/pkcs12.c	2011-02-04 15:25:38.000000000 +0100
+@@ -67,6 +67,9 @@
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ #include <openssl/pkcs12.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+ 
+ #define PROG pkcs12_main
+ 
+@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
+ 
+     apps_startup();
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode())
++	cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
++#endif
++
+     enc = EVP_des_ede3_cbc();
+     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+ 

openssl-1.0.0c-rsa-x931.patch

@@ -0,0 +1,36 @@
+diff -up openssl-1.0.0c/apps/genrsa.c.x931 openssl-1.0.0c/apps/genrsa.c
+--- openssl-1.0.0c/apps/genrsa.c.x931	2010-03-01 15:22:02.000000000 +0100
++++ openssl-1.0.0c/apps/genrsa.c	2011-02-01 18:32:05.000000000 +0100
+@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv)
+ 	int ret=1;
+ 	int i,num=DEFBITS;
+ 	long l;
++	int use_x931 = 0;
+ 	const EVP_CIPHER *enc=NULL;
+ 	unsigned long f4=RSA_F4;
+ 	char *outfile=NULL;
+@@ -138,6 +139,8 @@ int MAIN(int argc, char **argv)
+ 			f4=3;
+ 		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
+ 			f4=RSA_F4;
++		else if (strcmp(*argv,"-x931") == 0)
++			use_x931 = 1;
+ #ifndef OPENSSL_NO_ENGINE
+ 		else if (strcmp(*argv,"-engine") == 0)
+ 			{
+@@ -273,7 +276,14 @@ bad:
+ 	if (!rsa)
+ 		goto err;
+ 
+-	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
++	if (use_x931)
++		{
++		if (!BN_set_word(bn, f4))
++			goto err;
++		if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
++			goto err;
++		}
++	else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
+ 		goto err;
+ 		
+ 	app_RAND_write_file(NULL, bio_err);

openssl-1.0.0c-speed-fips.patch

@@ -0,0 +1,94 @@
+diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
+--- openssl-1.0.0c/apps/speed.c.spfips	2010-11-18 14:22:26.000000000 +0100
++++ openssl-1.0.0c/apps/speed.c	2011-01-24 17:25:32.000000000 +0100
+@@ -100,6 +100,9 @@
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+ #if !defined(OPENSSL_SYS_MSDOS)
+ #include OPENSSL_UNISTD
+ #endif
+@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_RSA
+ 			if (strcmp(*argv,"rsa") == 0)
+ 			{
++#ifdef OPENSSL_FIPS
++				if (!FIPS_mode())
++#endif
++				{
+ 			rsa_doit[R_RSA_512]=1;
++				}
+ 			rsa_doit[R_RSA_1024]=1;
+ 			rsa_doit[R_RSA_2048]=1;
+ 			rsa_doit[R_RSA_4096]=1;
+@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_DSA
+ 			if (strcmp(*argv,"dsa") == 0)
+ 			{
++#ifdef OPENSSL_FIPS
++				if (!FIPS_mode())
++#endif
++				{
+ 			dsa_doit[R_DSA_512]=1;
++				}
+ 			dsa_doit[R_DSA_1024]=1;
+ 			dsa_doit[R_DSA_2048]=1;
+ 			}
+@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
+ 	AES_set_encrypt_key(key32,256,&aes_ks3);
+ #endif
+ #ifndef OPENSSL_NO_CAMELLIA
++	if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
++	    {
+ 	Camellia_set_key(key16,128,&camellia_ks1);
+ 	Camellia_set_key(ckey24,192,&camellia_ks2);
+ 	Camellia_set_key(ckey32,256,&camellia_ks3);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_IDEA
++	if (doit[D_CBC_IDEA])
++	    {
+ 	idea_set_encrypt_key(key16,&idea_ks);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_SEED
++	if (doit[D_CBC_SEED])
++	    {
+ 	SEED_set_key(key16,&seed_ks);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_RC4
++	if (doit[D_RC4])
++	    {
+ 	RC4_set_key(&rc4_ks,16,key16);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_RC2
++	if (doit[D_CBC_RC2])
++	    {
+ 	RC2_set_key(&rc2_ks,16,key16,128);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_RC5
++	if (doit[D_CBC_RC5])
++	    {
+ 	RC5_32_set_key(&rc5_ks,16,key16,12);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_BF
++	if (doit[D_CBC_BF])
++	    {
+ 	BF_set_key(&bf_ks,16,key16);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_CAST
++	if (doit[D_CBC_CAST])
++	    {
+ 	CAST_set_key(&cast_ks,16,key16);
++	    }
+ #endif
+ #ifndef OPENSSL_NO_RSA
+ 	memset(rsa_c,0,sizeof(rsa_c));

openssl-1.0.0d-apps-dgst.patch

@@ -0,0 +1,110 @@
+diff -up openssl-1.0.0d/apps/ca.c.dgst openssl-1.0.0d/apps/ca.c
+--- openssl-1.0.0d/apps/ca.c.dgst	2009-12-02 15:41:24.000000000 +0100
++++ openssl-1.0.0d/apps/ca.c	2011-04-05 21:09:42.000000000 +0200
+@@ -157,7 +157,7 @@ static const char *ca_usage[]={
+ " -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
+ " -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
+ " -days arg       - number of days to certify the certificate for\n",
+-" -md arg         - md to use, one of md2, md5, sha or sha1\n",
++" -md arg         - md to use, see openssl dgst -h for list\n",
+ " -policy arg     - The CA 'policy' to support\n",
+ " -keyfile arg    - private key file\n",
+ " -keyform arg    - private key file format (PEM or ENGINE)\n",
+diff -up openssl-1.0.0d/apps/enc.c.dgst openssl-1.0.0d/apps/enc.c
+--- openssl-1.0.0d/apps/enc.c.dgst	2010-06-15 19:25:02.000000000 +0200
++++ openssl-1.0.0d/apps/enc.c	2011-04-05 21:11:54.000000000 +0200
+@@ -302,7 +302,7 @@ bad:
+ 			BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
+ 			BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
+ 			BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
+-			BIO_printf(bio_err,"%-14s   from a passphrase.  One of md2, md5, sha or sha1\n","");
++			BIO_printf(bio_err,"%-14s   from a passphrase. See openssl dgst -h for list.\n","");
+ 			BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");
+ 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
+ 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
+diff -up openssl-1.0.0d/apps/req.c.dgst openssl-1.0.0d/apps/req.c
+--- openssl-1.0.0d/apps/req.c.dgst	2010-03-10 14:48:21.000000000 +0100
++++ openssl-1.0.0d/apps/req.c	2011-04-05 21:12:33.000000000 +0200
+@@ -421,7 +421,7 @@ bad:
+ #ifndef OPENSSL_NO_ECDSA
+ 		BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
+ #endif
+-		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
++		BIO_printf(bio_err," -[digest]      Digest to sign with (see openssl dgst -h for list)\n");
+ 		BIO_printf(bio_err," -config file   request template file.\n");
+ 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
+ 		BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
+diff -up openssl-1.0.0d/apps/ts.c.dgst openssl-1.0.0d/apps/ts.c
+--- openssl-1.0.0d/apps/ts.c.dgst	2009-10-18 16:42:26.000000000 +0200
++++ openssl-1.0.0d/apps/ts.c	2011-04-05 21:16:07.000000000 +0200
+@@ -368,7 +368,7 @@ int MAIN(int argc, char **argv)
+ 	BIO_printf(bio_err, "usage:\n"
+ 		   "ts -query [-rand file%cfile%c...] [-config configfile] "
+ 		   "[-data file_to_hash] [-digest digest_bytes]"
+-		   "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
++		   "[-<hashalg>] "
+ 		   "[-policy object_id] [-no_nonce] [-cert] "
+ 		   "[-in request.tsq] [-out request.tsq] [-text]\n",
+ 		   LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+diff -up openssl-1.0.0d/apps/x509.c.dgst openssl-1.0.0d/apps/x509.c
+--- openssl-1.0.0d/apps/x509.c.dgst	2011-04-05 21:13:42.000000000 +0200
++++ openssl-1.0.0d/apps/x509.c	2011-04-05 21:13:17.000000000 +0200
+@@ -141,7 +141,7 @@ static const char *x509_usage[]={
+ " -set_serial     - serial number to use\n",
+ " -text           - print the certificate in text form\n",
+ " -C              - print out C code forms\n",
+-" -md2/-md5/-sha1/-mdc2 - digest to use\n",
++" -<dgst>         - digest to use, see openssl dgst -h output for list\n",
+ " -extfile        - configuration file with X509V3 extensions to add\n",
+ " -extensions     - section from config file with X509V3 extensions to add\n",
+ " -clrext         - delete extensions before signing and input certificate\n",
+diff -up openssl-1.0.0d/doc/apps/ca.pod.dgst openssl-1.0.0d/doc/apps/ca.pod
+--- openssl-1.0.0d/doc/apps/ca.pod.dgst	2009-04-10 13:25:53.000000000 +0200
++++ openssl-1.0.0d/doc/apps/ca.pod	2011-04-05 21:16:39.000000000 +0200
+@@ -160,7 +160,8 @@ the number of days to certify the certif
+ =item B<-md alg>
+ 
+ the message digest to use. Possible values include md5, sha1 and mdc2.
+-This option also applies to CRLs.
++For full list of digests see openssl dgst -h output. This option also
++applies to CRLs.
+ 
+ =item B<-policy arg>
+ 
+diff -up openssl-1.0.0d/doc/apps/ocsp.pod.dgst openssl-1.0.0d/doc/apps/ocsp.pod
+--- openssl-1.0.0d/doc/apps/ocsp.pod.dgst	2008-02-25 19:11:47.000000000 +0100
++++ openssl-1.0.0d/doc/apps/ocsp.pod	2011-04-05 21:18:17.000000000 +0200
+@@ -210,7 +210,8 @@ check is not performed.
+ =item B<-md5|-sha1|-sha256|-ripemod160|...>
+ 
+ this option sets digest algorithm to use for certificate identification
+-in the OCSP request. By default SHA-1 is used. 
++in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
++the list of available algorithms.
+ 
+ =back
+ 
+diff -up openssl-1.0.0d/doc/apps/req.pod.dgst openssl-1.0.0d/doc/apps/req.pod
+--- openssl-1.0.0d/doc/apps/req.pod.dgst	2009-04-10 18:42:28.000000000 +0200
++++ openssl-1.0.0d/doc/apps/req.pod	2011-04-05 21:20:47.000000000 +0200
+@@ -201,7 +201,8 @@ will not be encrypted.
+ 
+ this specifies the message digest to sign the request with (such as
+ B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
+-the configuration file.
++the configuration file. For full list of possible digests see openssl
++dgst -h output.
+ 
+ Some public key algorithms may override this choice. For instance, DSA
+ signatures always use SHA1, GOST R 34.10 signatures always use
+diff -up openssl-1.0.0d/doc/apps/x509.pod.dgst openssl-1.0.0d/doc/apps/x509.pod
+--- openssl-1.0.0d/doc/apps/x509.pod.dgst	2010-01-12 18:27:11.000000000 +0100
++++ openssl-1.0.0d/doc/apps/x509.pod	2011-04-05 21:19:56.000000000 +0200
+@@ -101,6 +101,7 @@ the digest to use. This affects any sign
+ digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+ specified then SHA1 is used. If the key being used to sign with is a DSA key
+ then this option has no effect: SHA1 is always used with DSA keys.
++For full list of digests see openssl dgst -h output.
+ 
+ =item B<-engine id>
+ 

openssl-1.0.0d-version.patch

@@ -0,0 +1,22 @@
+diff -up openssl-1.0.0d/crypto/opensslv.h.version openssl-1.0.0d/crypto/opensslv.h
+--- openssl-1.0.0d/crypto/opensslv.h.version	2011-02-10 14:24:52.000000000 +0100
++++ openssl-1.0.0d/crypto/opensslv.h	2011-02-10 14:48:00.000000000 +0100
+@@ -25,7 +25,8 @@
+  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+  *  major minor fix final patch/beta)
+  */
+-#define OPENSSL_VERSION_NUMBER	0x1000004fL
++/* we have to keep the version number to not break the abi */
++#define OPENSSL_VERSION_NUMBER	0x10000003
+ #ifdef OPENSSL_FIPS
+ #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0d-fips 8 Feb 2011"
+ #else
+@@ -83,7 +84,7 @@
+  * should only keep the versions that are binary compatible with the current.
+  */
+ #define SHLIB_VERSION_HISTORY ""
+-#define SHLIB_VERSION_NUMBER "1.0.0"
++#define SHLIB_VERSION_NUMBER "1.0.0d"
+ 
+ 
+ #endif /* HEADER_OPENSSLV_H */

openssl-thread-test.c

@@ -0,0 +1,400 @@
+/* Test program to verify that RSA signing is thread-safe in OpenSSL. */
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/md5.h>
+#include <openssl/ssl.h>
+
+/* Just assume we want to do engine stuff if we're using 0.9.6b or
+ * higher. This assumption is only valid for versions bundled with RHL. */
+#if OPENSSL_VERSION_NUMBER  >= 0x0090602fL
+#include <openssl/engine.h>
+#define USE_ENGINE
+#endif
+
+#define MAX_THREAD_COUNT	10000
+#define ITERATION_COUNT		10
+#define MAIN_COUNT		100
+
+/* OpenSSL requires us to provide thread ID and locking primitives. */
+pthread_mutex_t *mutex_locks = NULL;
+static unsigned long
+thread_id_cb(void)
+{
+	return (unsigned long) pthread_self();
+}
+static void
+lock_cb(int mode, int n, const char *file, int line)
+{
+	if (mode & CRYPTO_LOCK) {
+		pthread_mutex_lock(&mutex_locks[n]);
+	} else {
+		pthread_mutex_unlock(&mutex_locks[n]);
+	}
+}
+
+struct thread_args {
+	RSA *rsa;
+	int digest_type;
+	unsigned char *digest;
+	unsigned int digest_len;
+	unsigned char *signature;
+	unsigned int signature_len;
+	pthread_t main_thread;
+};
+
+static int print = 0;
+
+pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_sign = 0;
+static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);}
+static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);}
+
+pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_verify = 0;
+static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);}
+static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);}
+
+pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER;
+long failure_count = 0;
+static void
+failure()
+{
+	pthread_mutex_lock(&failure_count_lock);
+	failure_count++;
+	pthread_mutex_unlock(&failure_count_lock);
+}
+
+static void *
+thread_main(void *argp)
+{
+	struct thread_args *args = argp;
+	unsigned char *signature;
+	unsigned int signature_len, signature_alloc_len;
+	int ret, i;
+
+	signature_alloc_len = args->signature_len;
+	if (RSA_size(args->rsa) > signature_alloc_len) {
+		signature_alloc_len = RSA_size(args->rsa);
+	}
+	signature = malloc(signature_alloc_len);
+	if (signature == NULL) {
+		fprintf(stderr, "Skipping checks in thread %lu -- %s.\n",
+			(unsigned long) pthread_self(), strerror(errno));
+		pthread_exit(0);
+		return NULL;
+	}
+	for (i = 0; i < ITERATION_COUNT; i++) {
+		signature_len = signature_alloc_len;
+		SIGN_LOCK();
+		ret = RSA_check_key(args->rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+			break;
+		}
+		ret = RSA_sign(args->digest_type,
+			       args->digest,
+			       args->digest_len,
+			       signature, &signature_len,
+			       args->rsa);
+		SIGN_UNLOCK();
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+			break;
+		}
+
+		VERIFY_LOCK();
+		ret = RSA_verify(args->digest_type,
+			         args->digest,
+			         args->digest_len,
+			         signature, signature_len,
+			         args->rsa);
+		VERIFY_UNLOCK();
+		if (ret != 1) {
+			fprintf(stderr,
+				"Signature from thread %lu(%d) fails "
+				"verification (passed in thread #%lu)!\n",
+				(long) pthread_self(), i,
+				(long) args->main_thread);
+			ERR_print_errors_fp(stdout);
+			failure();
+			continue;
+		}
+		if (print) {
+			fprintf(stderr, ">%d\n", i);
+		}
+	}
+	free(signature);
+
+	pthread_exit(0);
+
+	return NULL;
+}
+
+unsigned char *
+xmemdup(unsigned char *s, size_t len)
+{
+	unsigned char *r;
+	r = malloc(len);
+	if (r == NULL) {
+		fprintf(stderr, "Out of memory.\n");
+		ERR_print_errors_fp(stdout);
+		assert(r != NULL);
+	}
+	memcpy(r, s, len);
+	return r;
+}
+
+int
+main(int argc, char **argv)
+{
+	RSA *rsa;
+	MD5_CTX md5;
+	int fd, i;
+	pthread_t threads[MAX_THREAD_COUNT];
+	int thread_count = 1000;
+	unsigned char *message, *digest;
+	unsigned int message_len, digest_len;
+	unsigned char *correct_signature;
+	unsigned int correct_siglen, ret;
+	struct thread_args master_args, *args;
+	int sync = 0, seed = 0;
+	int again = 1;
+#ifdef USE_ENGINE
+	char *engine = NULL;
+	ENGINE *e = NULL;
+#endif
+
+	pthread_mutex_init(&failure_count_lock, NULL);
+
+	for (i = 1; i < argc; i++) {
+		if (strcmp(argv[i], "--seed") == 0) {
+			printf("Seeding PRNG.\n");
+			seed++;
+		} else
+		if (strcmp(argv[i], "--sync") == 0) {
+			printf("Running synchronized.\n");
+			sync++;
+		} else
+		if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) {
+			i++;
+			thread_count = atol(argv[i]);
+			if (thread_count > MAX_THREAD_COUNT) {
+				thread_count = MAX_THREAD_COUNT;
+			}
+			printf("Starting %d threads.\n", thread_count);
+			sync++;
+		} else
+		if (strcmp(argv[i], "--sign") == 0) {
+			printf("Locking signing.\n");
+			locked_sign++;
+		} else
+		if (strcmp(argv[i], "--verify") == 0) {
+			printf("Locking verifies.\n");
+			locked_verify++;
+		} else
+		if (strcmp(argv[i], "--print") == 0) {
+			printf("Tracing.\n");
+			print++;
+#ifdef USE_ENGINE
+		} else
+		if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) {
+			printf("Using engine \"%s\".\n", argv[i + 1]);
+			engine = argv[i + 1];
+			i++;
+#endif
+		} else {
+			printf("Bad argument: %s\n", argv[i]);
+			return 1;
+		}
+	}
+
+	/* Get some random data to sign. */
+	fd = open("/dev/urandom", O_RDONLY);
+	if (fd == -1) {
+		fprintf(stderr, "Error opening /dev/urandom: %s\n",
+			strerror(errno));
+	}
+
+	if (print) {
+		fprintf(stderr, "Reading random data.\n");
+	}
+	message = malloc(message_len = 9371);
+	read(fd, message, message_len);
+	close(fd);
+
+	/* Initialize the SSL library and set up thread-safe locking. */
+	ERR_load_crypto_strings();
+	SSL_library_init();
+	mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
+	for (i = 0; i < CRYPTO_num_locks(); i++) {
+		pthread_mutex_init(&mutex_locks[i], NULL);
+	}
+	CRYPTO_set_id_callback(thread_id_cb);
+	CRYPTO_set_locking_callback(lock_cb);
+	ERR_print_errors_fp(stdout);
+
+	/* Seed the PRNG if we were asked to do so. */
+	if (seed) {
+		if (print) {
+			fprintf(stderr, "Seeding PRNG.\n");
+		}
+		RAND_add(message, message_len, message_len);
+		ERR_print_errors_fp(stdout);
+	}
+
+	/* Turn on a hardware crypto device if asked to do so. */
+#ifdef USE_ENGINE
+	if (engine) {
+#if OPENSSL_VERSION_NUMBER  >= 0x0090700fL
+		ENGINE_load_builtin_engines();
+#endif
+		if (print) {
+			fprintf(stderr, "Initializing \"%s\" engine.\n",
+				engine);
+		}
+		e = ENGINE_by_id(engine);
+		ERR_print_errors_fp(stdout);
+		if (e) {
+			i = ENGINE_init(e);
+			ERR_print_errors_fp(stdout);
+			i = ENGINE_set_default_RSA(e);
+			ERR_print_errors_fp(stdout);
+		}
+	}
+#endif
+
+	/* Compute the digest for the signature. */
+	if (print) {
+		fprintf(stderr, "Computing digest.\n");
+	}
+	digest = malloc(digest_len = MD5_DIGEST_LENGTH);
+	MD5_Init(&md5);
+	MD5_Update(&md5, message, message_len);
+	MD5_Final(digest, &md5);
+
+	/* Generate a signing key. */
+	if (print) {
+		fprintf(stderr, "Generating key.\n");
+	}
+	rsa = RSA_generate_key(4096, 3, NULL, NULL);
+	ERR_print_errors_fp(stdout);
+	if (rsa == NULL) {
+		_exit(1);
+	}
+
+	/* Sign the data. */
+	correct_siglen = RSA_size(rsa);
+	correct_signature = malloc(correct_siglen);
+	for (i = 0; i < MAIN_COUNT; i++) {
+		if (print) {
+			fprintf(stderr, "Signing data (%d).\n", i);
+		}
+		ret = RSA_check_key(rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+		}
+		correct_siglen = RSA_size(rsa);
+		ret = RSA_sign(NID_md5, digest, digest_len,
+			       correct_signature, &correct_siglen,
+			       rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			_exit(2);
+		}
+		if (print) {
+			fprintf(stderr, "Verifying data (%d).\n", i);
+		}
+		ret = RSA_verify(NID_md5, digest, digest_len,
+			         correct_signature, correct_siglen,
+			         rsa);
+		if (ret != 1) {
+			_exit(2);
+		}
+	}
+
+	/* Collect up the inforamtion which other threads will need for
+	 * comparing their signature results with ours. */
+	master_args.rsa = rsa;
+	master_args.digest_type = NID_md5;
+	master_args.digest = digest;
+	master_args.digest_len = digest_len;
+	master_args.signature = correct_signature;
+	master_args.signature_len = correct_siglen;
+	master_args.main_thread = pthread_self();
+	
+	fprintf(stdout, "Performing %d signatures in each of %d threads "
+		"(%d, %d).\n", ITERATION_COUNT, thread_count,
+		digest_len, correct_siglen);
+	fflush(NULL);
+
+	/* Start up all of the threads. */
+	for (i = 0; i < thread_count; i++) {
+		args = malloc(sizeof(struct thread_args));
+		args->rsa = RSAPrivateKey_dup(master_args.rsa);
+		args->digest_type = master_args.digest_type;
+		args->digest_len = master_args.digest_len;
+		args->digest = xmemdup(master_args.digest, args->digest_len);
+		args->signature_len = master_args.signature_len;
+		args->signature = xmemdup(master_args.signature,
+					  args->signature_len);
+		args->main_thread = pthread_self();
+		ret = pthread_create(&threads[i], NULL, thread_main, args);
+		while ((ret != 0) && (errno == EAGAIN)) {
+			ret = pthread_create(&threads[i], NULL,
+					     thread_main, &args);
+			fprintf(stderr, "Thread limit hit at %d.\n", i);
+		}
+		if (ret != 0) {
+			fprintf(stderr, "Unable to create thread %d: %s.\n",
+				i, strerror(errno));
+			threads[i] = -1;
+		} else {
+			if (sync) {
+				ret = pthread_join(threads[i], NULL);
+				assert(ret == 0);
+			}
+			if (print) {
+				fprintf(stderr, "%d\n", i);
+			}
+		}
+	}
+
+	/* Wait for all threads to complete.  So long as we can find an
+	 * unjoined thread, keep joining threads. */
+	do {
+		again = 0;
+		for (i = 0; i < thread_count; i++) {
+			/* If we have an unterminated thread, join it. */
+			if (threads[i] != -1) {
+				again = 1;
+				if (print) {
+					fprintf(stderr, "Joining thread %d.\n",
+						i);
+				}
+				pthread_join(threads[i], NULL);
+				threads[i] = -1;
+				break;
+			}
+		}
+	} while (again == 1);
+
+	fprintf(stderr, "%ld failures\n", failure_count);
+
+	return (failure_count != 0);
+}

opensslconf-new-warning.h

@@ -0,0 +1,7 @@
+/* Prepended at openssl package build-time.  Don't include this file directly,
+ * use <openssl/opensslconf.h> instead. */
+
+#ifndef openssl_opensslconf_multilib_redirection_h
+#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
+#endif
+

opensslconf-new.h

@@ -0,0 +1,34 @@
+/* This file is here to prevent a file conflict on multiarch systems.  A
+ * conflict will frequently occur because arch-specific build-time
+ * configuration options are stored (and used, so they can't just be stripped
+ * out) in opensslconf.h.  The original opensslconf.h has been renamed.
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifdef openssl_opensslconf_multilib_redirection_h
+#error "Do not define openssl_opensslconf_multilib_redirection_h!"
+#endif
+#define openssl_opensslconf_multilib_redirection_h
+
+#if defined(__i386__)
+#include "opensslconf-i386.h"
+#elif defined(__ia64__)
+#include "opensslconf-ia64.h"
+#elif defined(__powerpc64__)
+#include "opensslconf-ppc64.h"
+#elif defined(__powerpc__)
+#include "opensslconf-ppc.h"
+#elif defined(__s390x__)
+#include "opensslconf-s390x.h"
+#elif defined(__s390__)
+#include "opensslconf-s390.h"
+#elif defined(__sparc__) && defined(__arch64__)
+#include "opensslconf-sparc64.h"
+#elif defined(__sparc__)
+#include "opensslconf-sparc.h"
+#elif defined(__x86_64__)
+#include "opensslconf-x86_64.h"
+#else
+#error "This openssl-devel package does not work your architecture?"
+#endif
+
+#undef openssl_opensslconf_multilib_redirection_h

sources

@@ -0,0 +1 @@
+531c1627ff9701cb8540ee3bd03de5d7  openssl-1.0.0d-usa.tar.bz2