new upstream release fixing multiple security issues

2015-01-09 10:54:51 +01:00 · 2015-01-09 10:54:51 +01:00 · 7e7e3f299f
commit 7e7e3f299f
parent 8c1cdfe3ab
10 changed files with 505 additions and 488 deletions
--- a/.gitignore
+++ b/.gitignore
@ -17,3 +17,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.1h-hobbled.tar.xz
 /openssl-1.0.1i-hobbled.tar.xz
 /openssl-1.0.1j-hobbled.tar.xz
 /openssl-1.0.1k-hobbled.tar.xz
--- a/openssl-1.0.1-beta2-dtls1-abi.patch
+++ b/openssl-1.0.1-beta2-dtls1-abi.patch
@ -1,23 +0,0 @@
 diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
 --- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi	2012-02-06 17:07:34.630336118 +0100
 +++ openssl-1.0.1-beta2/ssl/dtls1.h	2012-02-06 17:10:08.956623707 +0100
@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
 	 */
 	record_pqueue buffered_app_data;
 -	/* Is set when listening for new connections with dtls1_listen() */
 -	unsigned int listen;
 -
 	unsigned int mtu; /* max DTLS packet size */
 	struct hm_header_st w_msg_hdr;
@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
 	unsigned int retransmitting;
 	unsigned int change_cipher_spec_ok;
 +	/* Is set when listening for new connections with dtls1_listen() */
 +	unsigned int listen;
 +
 #ifndef OPENSSL_NO_SCTP
 	/* used when SSL_ST_XX_FLUSH is entered */
 	int next_state;
--- a/openssl-1.0.1k-dtls1-abi.patch
+++ b/openssl-1.0.1k-dtls1-abi.patch
@ -0,0 +1,26 @@
 diff -up openssl-1.0.1k/ssl/dtls1.h.dtls1-abi openssl-1.0.1k/ssl/dtls1.h
 --- openssl-1.0.1k/ssl/dtls1.h.dtls1-abi	2015-01-09 09:58:59.332596897 +0100
 +++ openssl-1.0.1k/ssl/dtls1.h	2015-01-09 10:02:34.908472320 +0100
@@ -231,10 +231,6 @@ typedef struct dtls1_state_st
 	 */
 	record_pqueue buffered_app_data;
 -	/* Is set when listening for new connections with dtls1_listen() */
 -	unsigned int listen;
 -
 -	unsigned int link_mtu; /* max on-the-wire DTLS packet size */
 	unsigned int mtu; /* max DTLS packet size */
 	struct hm_header_st w_msg_hdr;
@@ -262,6 +258,11 @@ typedef struct dtls1_state_st
 	 */
 	unsigned int change_cipher_spec_ok;
 +	/* Is set when listening for new connections with dtls1_listen() */
 +	unsigned int listen;
 +
 +	unsigned int link_mtu; /* max on-the-wire DTLS packet size */
 +
 #ifndef OPENSSL_NO_SCTP
 	/* used when SSL_ST_XX_FLUSH is entered */
 	int next_state;
--- a/openssl-1.0.1k-ecc-suiteb.patch
+++ b/openssl-1.0.1k-ecc-suiteb.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
+diff -up openssl-1.0.1k/apps/speed.c.suiteb openssl-1.0.1k/apps/speed.c
--- openssl-1.0.1e/apps/speed.c.suiteb	2013-11-08 18:02:53.815229706 +0100
+--- openssl-1.0.1k/apps/speed.c.suiteb	2015-01-09 10:03:38.406908388 +0100
-+++ openssl-1.0.1e/apps/speed.c	2013-11-08 18:04:47.016724297 +0100
+++ openssl-1.0.1k/apps/speed.c	2015-01-09 10:03:38.602912821 +0100
@@ -966,49 +966,23 @@ int MAIN(int argc, char **argv)
 		else
 #endif
@ -87,38 +87,44 @@ diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
 			ecdh_doit[i]=1;
 #endif
 		}
-diff -up openssl-1.0.1e/ssl/t1_lib.c.suiteb openssl-1.0.1e/ssl/t1_lib.c
+diff -up openssl-1.0.1k/ssl/t1_lib.c.suiteb openssl-1.0.1k/ssl/t1_lib.c
--- openssl-1.0.1e/ssl/t1_lib.c.suiteb	2013-02-11 16:26:04.000000000 +0100
+--- openssl-1.0.1k/ssl/t1_lib.c.suiteb	2015-01-09 10:03:38.603912844 +0100
-+++ openssl-1.0.1e/ssl/t1_lib.c	2013-11-08 18:05:27.551617554 +0100
+++ openssl-1.0.1k/ssl/t1_lib.c	2015-01-09 10:06:35.470912834 +0100
-@@ -204,31 +204,9 @@ static int nid_list[] =
+@@ -218,29 +218,21 @@ static int pref_list[] =
- 
+ 		NID_sect283k1, /* sect283k1 (9) */
- static int pref_list[] =
+ 		NID_sect283r1, /* sect283r1 (10) */ 
- 	{
+ #endif
 -		NID_sect571r1, /* sect571r1 (14) */ 
 -		NID_sect571k1, /* sect571k1 (13) */ 
 		NID_secp521r1, /* secp521r1 (25) */	
 -		NID_sect409k1, /* sect409k1 (11) */ 
 -		NID_sect409r1, /* sect409r1 (12) */
 		NID_secp384r1, /* secp384r1 (24) */
 -		NID_sect283k1, /* sect283k1 (9) */
 -		NID_sect283r1, /* sect283r1 (10) */ 
 -		NID_secp256k1, /* secp256k1 (22) */ 
 		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
-		NID_sect239k1, /* sect239k1 (8) */ 
+ #ifndef OPENSSL_NO_EC2M
-		NID_sect233k1, /* sect233k1 (6) */
+ 		NID_sect239k1, /* sect239k1 (8) */ 
-		NID_sect233r1, /* sect233r1 (7) */ 
+ 		NID_sect233k1, /* sect233k1 (6) */
 		NID_sect233r1, /* sect233r1 (7) */ 
 #endif
 -		NID_secp224k1, /* secp224k1 (20) */ 
 -		NID_secp224r1, /* secp224r1 (21) */
-		NID_sect193r1, /* sect193r1 (4) */ 
+ #ifndef OPENSSL_NO_EC2M
-		NID_sect193r2, /* sect193r2 (5) */ 
+ 		NID_sect193r1, /* sect193r1 (4) */ 
 		NID_sect193r2, /* sect193r2 (5) */ 
 #endif
 -		NID_secp192k1, /* secp192k1 (18) */
 -		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
-		NID_sect163k1, /* sect163k1 (1) */
+ #ifndef OPENSSL_NO_EC2M
-		NID_sect163r1, /* sect163r1 (2) */
+ 		NID_sect163k1, /* sect163k1 (1) */
-		NID_sect163r2, /* sect163r2 (3) */
+ 		NID_sect163r1, /* sect163r1 (2) */
 		NID_sect163r2, /* sect163r2 (3) */
 #endif
 -		NID_secp160k1, /* secp160k1 (15) */
 -		NID_secp160r1, /* secp160r1 (16) */ 
 -		NID_secp160r2, /* secp160r2 (17) */ 
 	};
 int tls1_ec_curve_id2nid(int curve_id)
@@ -1820,7 +1812,6 @@ int ssl_prepare_clienthello_tlsext(SSL *
 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
 -		/* we support all named elliptic curves in RFC 4492 */
 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
--- a/openssl-1.0.1k-ephemeral-key-size.patch
+++ b/openssl-1.0.1k-ephemeral-key-size.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.1j/apps/s_apps.h.ephemeral openssl-1.0.1j/apps/s_apps.h
+diff -up openssl-1.0.1k/apps/s_apps.h.ephemeral openssl-1.0.1k/apps/s_apps.h
--- openssl-1.0.1j/apps/s_apps.h.ephemeral	2014-10-16 13:32:30.772817591 +0200
+--- openssl-1.0.1k/apps/s_apps.h.ephemeral	2015-01-09 10:22:03.289896211 +0100
-+++ openssl-1.0.1j/apps/s_apps.h	2014-10-16 13:32:30.865819691 +0200
+++ openssl-1.0.1k/apps/s_apps.h	2015-01-09 10:22:03.373898111 +0100
@@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
 int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
@ -9,9 +9,9 @@ diff -up openssl-1.0.1j/apps/s_apps.h.ephemeral openssl-1.0.1j/apps/s_apps.h
 int init_client(int *sock, char *server, char *port, int type);
 int should_retry(int i);
 int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-diff -up openssl-1.0.1j/apps/s_cb.c.ephemeral openssl-1.0.1j/apps/s_cb.c
+diff -up openssl-1.0.1k/apps/s_cb.c.ephemeral openssl-1.0.1k/apps/s_cb.c
--- openssl-1.0.1j/apps/s_cb.c.ephemeral	2014-10-15 14:53:39.000000000 +0200
+--- openssl-1.0.1k/apps/s_cb.c.ephemeral	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1j/apps/s_cb.c	2014-10-16 13:32:30.865819691 +0200
+++ openssl-1.0.1k/apps/s_cb.c	2015-01-09 10:22:03.373898111 +0100
@@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(
 		}
 	}
@ -51,10 +51,10 @@ diff -up openssl-1.0.1j/apps/s_cb.c.ephemeral openssl-1.0.1j/apps/s_cb.c
 void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
 	{
-diff -up openssl-1.0.1j/apps/s_client.c.ephemeral openssl-1.0.1j/apps/s_client.c
+diff -up openssl-1.0.1k/apps/s_client.c.ephemeral openssl-1.0.1k/apps/s_client.c
--- openssl-1.0.1j/apps/s_client.c.ephemeral	2014-10-16 13:32:30.860819578 +0200
+--- openssl-1.0.1k/apps/s_client.c.ephemeral	2015-01-09 10:22:03.367897975 +0100
-+++ openssl-1.0.1j/apps/s_client.c	2014-10-16 13:32:30.865819691 +0200
+++ openssl-1.0.1k/apps/s_client.c	2015-01-09 10:22:03.373898111 +0100
-@@ -2044,6 +2044,8 @@ static void print_stuff(BIO *bio, SSL *s
+@@ -2058,6 +2058,8 @@ static void print_stuff(BIO *bio, SSL *s
 			BIO_write(bio,"\n",1);
 			}
@ -63,18 +63,18 @@ diff -up openssl-1.0.1j/apps/s_client.c.ephemeral openssl-1.0.1j/apps/s_client.c
 		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
 			BIO_number_read(SSL_get_rbio(s)),
 			BIO_number_written(SSL_get_wbio(s)));
-diff -up openssl-1.0.1j/ssl/ssl.h.ephemeral openssl-1.0.1j/ssl/ssl.h
+diff -up openssl-1.0.1k/ssl/ssl.h.ephemeral openssl-1.0.1k/ssl/ssl.h
--- openssl-1.0.1j/ssl/ssl.h.ephemeral	2014-10-16 13:32:30.851819375 +0200
+--- openssl-1.0.1k/ssl/ssl.h.ephemeral	2015-01-09 10:22:03.358897772 +0100
-+++ openssl-1.0.1j/ssl/ssl.h	2014-10-16 13:33:23.233001903 +0200
+++ openssl-1.0.1k/ssl/ssl.h	2015-01-09 10:25:08.644088146 +0100
-@@ -1585,6 +1585,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+@@ -1593,6 +1593,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS		82
 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS	83
 +#define SSL_CTRL_GET_SERVER_TMP_KEY		109
 #define SSL_CTRL_CHECK_PROTO_VERSION		119
- 
+ #define DTLS_CTRL_SET_LINK_MTU			120
- #define DTLSv1_get_timeout(ssl, arg) \
+ #define DTLS_CTRL_GET_LINK_MIN_MTU		121
-@@ -1628,6 +1629,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+@@ -1638,6 +1639,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
@ -84,9 +84,9 @@ diff -up openssl-1.0.1j/ssl/ssl.h.ephemeral openssl-1.0.1j/ssl/ssl.h
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
-diff -up openssl-1.0.1j/ssl/s3_lib.c.ephemeral openssl-1.0.1j/ssl/s3_lib.c
+diff -up openssl-1.0.1k/ssl/s3_lib.c.ephemeral openssl-1.0.1k/ssl/s3_lib.c
--- openssl-1.0.1j/ssl/s3_lib.c.ephemeral	2014-10-16 13:32:30.866819713 +0200
+--- openssl-1.0.1k/ssl/s3_lib.c.ephemeral	2015-01-08 15:00:56.000000000 +0100
-+++ openssl-1.0.1j/ssl/s3_lib.c	2014-10-16 13:34:08.918033262 +0200
+++ openssl-1.0.1k/ssl/s3_lib.c	2015-01-09 10:22:03.374898133 +0100
@@ -3356,6 +3356,45 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
 #endif /* !OPENSSL_NO_TLSEXT */
--- a/openssl-1.0.1k-fips.patch
+++ b/openssl-1.0.1k-fips.patch
--- a/openssl-1.0.1-beta2-padlock64.patch
+++ b/openssl-1.0.1-beta2-padlock64.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
+diff -up openssl-1.0.1k/engines/e_padlock.c.padlock64 openssl-1.0.1k/engines/e_padlock.c
--- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64	2011-06-21 18:42:15.000000000 +0200
+--- openssl-1.0.1k/engines/e_padlock.c.padlock64	2015-01-08 15:00:56.000000000 +0100
-+++ openssl-1.0.1-beta2/engines/e_padlock.c	2012-02-06 20:18:52.039537799 +0100
+++ openssl-1.0.1k/engines/e_padlock.c	2015-01-09 10:18:55.579650992 +0100
@@ -101,7 +101,10 @@
    compiler choice is limited to GCC and Microsoft C. */
 #undef COMPILE_HW_PADLOCK
@ -30,11 +30,12 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
 /*
  * As for excessive "push %ebx"/"pop %ebx" found all over.
  * When generating position-independent code GCC won't let
-@@ -383,21 +387,6 @@ padlock_available(void)
+@@ -383,23 +387,6 @@ padlock_available(void)
 	return padlock_use_ace + padlock_use_rng;
 }
 -#ifndef OPENSSL_NO_AES
 -#ifndef AES_ASM
 -/* Our own htonl()/ntohl() */
 -static inline void
 -padlock_bswapl(AES_KEY *ks)
@ -48,11 +49,12 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
 -	}
 -}
 -#endif
 -#endif
 -
 /* Force key reload from memory to the CPU microcode.
    Loading EFLAGS from the stack clears EFLAGS[30] 
    which does the trick. */
-@@ -455,12 +444,127 @@ static inline void *name(size_t cnt,		\
+@@ -457,12 +444,129 @@ static inline void *name(size_t cnt,		\
 		: "edx", "cc", "memory");	\
 	return iv;				\
 }
@ -165,6 +167,7 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")	/* rep xcryptcfb */
 PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")	/* rep xcryptofb */
 +
 +#ifndef AES_ASM
 +/* Our own htonl()/ntohl() */
 +static inline void
 +padlock_bswapl(AES_KEY *ks)
@ -177,10 +180,11 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
 +		key++;
 +	}
 +}
 +#endif
 #endif
 /* The RNG call itself */
-@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
+@@ -493,8 +597,8 @@ padlock_xstore(void *addr, unsigned int
 static inline unsigned char *
 padlock_memcpy(void *dst,const void *src,size_t n)
 {
--- a/openssl-1.0.1k-trusted-first.patch
+++ b/openssl-1.0.1k-trusted-first.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c
+diff -up openssl-1.0.1k/apps/apps.c.trusted-first openssl-1.0.1k/apps/apps.c
--- openssl-1.0.1i/apps/apps.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
+--- openssl-1.0.1k/apps/apps.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/apps/apps.c	2014-08-07 13:54:27.751103405 +0200
+++ openssl-1.0.1k/apps/apps.c	2015-01-09 10:19:45.476779456 +0100
@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
 	else if (!strcmp(arg, "-check_ss_sig"))
@ -10,9 +10,9 @@ diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c
 	else
 		return 0;
-diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c
+diff -up openssl-1.0.1k/apps/cms.c.trusted-first openssl-1.0.1k/apps/cms.c
--- openssl-1.0.1i/apps/cms.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
+--- openssl-1.0.1k/apps/cms.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/apps/cms.c	2014-08-07 13:54:27.751103405 +0200
+++ openssl-1.0.1k/apps/cms.c	2015-01-09 10:19:45.476779456 +0100
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
@ -21,20 +21,20 @@ diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
 #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1i/apps/ocsp.c.trusted-first openssl-1.0.1i/apps/ocsp.c
+diff -up openssl-1.0.1k/apps/ocsp.c.trusted-first openssl-1.0.1k/apps/ocsp.c
--- openssl-1.0.1i/apps/ocsp.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
+--- openssl-1.0.1k/apps/ocsp.c.trusted-first	2015-01-09 10:19:45.477779478 +0100
-+++ openssl-1.0.1i/apps/ocsp.c	2014-08-07 13:54:27.752103409 +0200
+++ openssl-1.0.1k/apps/ocsp.c	2015-01-09 10:20:57.726413440 +0100
@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
- 		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
+ 		BIO_printf (bio_err, "-path                path to use in OCSP request\n");
- 		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
+ 		BIO_printf (bio_err, "-CApath dir          trusted certificates directory\n");
- 		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
+ 		BIO_printf (bio_err, "-CAfile file         trusted certificates file\n");
-+		BIO_printf (bio_err, "-trusted_first     use trusted certificates first when building the trust chain\n");
+		BIO_printf (bio_err, "-trusted_first       use trusted certificates first when building the trust chain\n");
- 		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
+ 		BIO_printf (bio_err, "-VAfile file         validator certificates file\n");
- 		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
+ 		BIO_printf (bio_err, "-validity_period n   maximum validity discrepancy in seconds\n");
- 		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
+ 		BIO_printf (bio_err, "-status_age n        maximum status age in seconds\n");
-diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_client.c
+diff -up openssl-1.0.1k/apps/s_client.c.trusted-first openssl-1.0.1k/apps/s_client.c
--- openssl-1.0.1i/apps/s_client.c.trusted-first	2014-08-07 13:54:27.752103409 +0200
+--- openssl-1.0.1k/apps/s_client.c.trusted-first	2015-01-09 10:19:45.438778596 +0100
-+++ openssl-1.0.1i/apps/s_client.c	2014-08-07 15:06:28.443918055 +0200
+++ openssl-1.0.1k/apps/s_client.c	2015-01-09 10:19:45.477779478 +0100
@@ -299,6 +299,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
@ -43,9 +43,9 @@ diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_clie
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
 	BIO_printf(bio_err," -prexit       - print session information even on connection failure\n");
-diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c
+diff -up openssl-1.0.1k/apps/smime.c.trusted-first openssl-1.0.1k/apps/smime.c
--- openssl-1.0.1i/apps/smime.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
+--- openssl-1.0.1k/apps/smime.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/apps/smime.c	2014-08-07 13:54:27.753103414 +0200
+++ openssl-1.0.1k/apps/smime.c	2015-01-09 10:19:45.477779478 +0100
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
@ -54,9 +54,9 @@ diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
 #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_server.c
+diff -up openssl-1.0.1k/apps/s_server.c.trusted-first openssl-1.0.1k/apps/s_server.c
--- openssl-1.0.1i/apps/s_server.c.trusted-first	2014-08-07 13:54:27.718103241 +0200
+--- openssl-1.0.1k/apps/s_server.c.trusted-first	2015-01-09 10:19:45.445778755 +0100
-+++ openssl-1.0.1i/apps/s_server.c	2014-08-07 13:54:27.753103414 +0200
+++ openssl-1.0.1k/apps/s_server.c	2015-01-09 10:19:45.478779501 +0100
@@ -502,6 +502,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -state        - Print the SSL states\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
@ -65,9 +65,9 @@ diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_serv
 	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
 	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
-diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c
+diff -up openssl-1.0.1k/apps/s_time.c.trusted-first openssl-1.0.1k/apps/s_time.c
--- openssl-1.0.1i/apps/s_time.c.trusted-first	2014-08-07 13:54:27.432101823 +0200
+--- openssl-1.0.1k/apps/s_time.c.trusted-first	2015-01-09 10:19:45.391777534 +0100
-+++ openssl-1.0.1i/apps/s_time.c	2014-08-07 13:54:27.753103414 +0200
+++ openssl-1.0.1k/apps/s_time.c	2015-01-09 10:19:45.478779501 +0100
@@ -179,6 +179,7 @@ static void s_time_usage(void)
                 file if not specified by this option\n\
 -CApath arg   - PEM format directory of CA's\n\
@ -76,9 +76,9 @@ diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c
 -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
 	printf( "usage: s_time <args>\n\n" );
-diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c
+diff -up openssl-1.0.1k/apps/ts.c.trusted-first openssl-1.0.1k/apps/ts.c
--- openssl-1.0.1i/apps/ts.c.trusted-first	2014-08-07 13:54:27.707103186 +0200
+--- openssl-1.0.1k/apps/ts.c.trusted-first	2015-01-09 10:19:45.435778529 +0100
-+++ openssl-1.0.1i/apps/ts.c	2014-08-07 13:54:27.753103414 +0200
+++ openssl-1.0.1k/apps/ts.c	2015-01-09 10:19:45.478779501 +0100
@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
 		   "ts -verify [-data file_to_hash] [-digest digest_bytes] "
 		   "[-queryfile request.tsq] "
@ -88,9 +88,9 @@ diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c
 		   "-untrusted cert_file.pem\n");
  cleanup:
 	/* Clean up. */
-diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c
+diff -up openssl-1.0.1k/apps/verify.c.trusted-first openssl-1.0.1k/apps/verify.c
--- openssl-1.0.1i/apps/verify.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
+--- openssl-1.0.1k/apps/verify.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/apps/verify.c	2014-08-07 13:54:27.754103419 +0200
+++ openssl-1.0.1k/apps/verify.c	2015-01-09 10:19:45.478779501 +0100
@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
 end:
@ -100,9 +100,9 @@ diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c
 		BIO_printf(bio_err," [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," [-engine e]");
-diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.c
+diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1k/crypto/x509/x509_vfy.c
--- openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first	2014-08-07 13:54:27.716103231 +0200
+--- openssl-1.0.1k/crypto/x509/x509_vfy.c.trusted-first	2015-01-09 10:19:45.443778710 +0100
-+++ openssl-1.0.1i/crypto/x509/x509_vfy.c	2014-08-07 13:54:27.754103419 +0200
+++ openssl-1.0.1k/crypto/x509/x509_vfy.c	2015-01-09 10:19:45.479779524 +0100
@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		/* If we are self signed, we break */
@ -125,9 +125,9 @@ diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/cryp
 		/* If we were passed a cert chain, use it first */
 		if (ctx->untrusted != NULL)
-diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.h
+diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1k/crypto/x509/x509_vfy.h
--- openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first	2014-08-07 13:54:27.360101466 +0200
+--- openssl-1.0.1k/crypto/x509/x509_vfy.h.trusted-first	2015-01-09 10:19:45.266774706 +0100
-+++ openssl-1.0.1i/crypto/x509/x509_vfy.h	2014-08-07 13:54:27.754103419 +0200
+++ openssl-1.0.1k/crypto/x509/x509_vfy.h	2015-01-09 10:19:45.479779524 +0100
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
 #define X509_V_FLAG_USE_DELTAS			0x2000
 /* Check selfsigned CA signature */
@ -137,9 +137,9 @@ diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/cryp
 #define X509_VP_FLAG_DEFAULT			0x1
-diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/cms.pod
+diff -up openssl-1.0.1k/doc/apps/cms.pod.trusted-first openssl-1.0.1k/doc/apps/cms.pod
--- openssl-1.0.1i/doc/apps/cms.pod.trusted-first	2014-08-06 23:10:56.000000000 +0200
+--- openssl-1.0.1k/doc/apps/cms.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/doc/apps/cms.pod	2014-08-07 13:54:27.754103419 +0200
+++ openssl-1.0.1k/doc/apps/cms.pod	2015-01-09 10:19:45.479779524 +0100
@@ -35,6 +35,7 @@ B<openssl> B<cms>
 [B<-print>]
 [B<-CAfile file>]
@ -161,9 +161,9 @@ diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/c
 =item B<-md digest>
 digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/ocsp.pod
+diff -up openssl-1.0.1k/doc/apps/ocsp.pod.trusted-first openssl-1.0.1k/doc/apps/ocsp.pod
--- openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first	2014-08-07 13:54:27.708103191 +0200
+--- openssl-1.0.1k/doc/apps/ocsp.pod.trusted-first	2015-01-09 10:19:45.436778551 +0100
-+++ openssl-1.0.1i/doc/apps/ocsp.pod	2014-08-07 13:54:27.755103424 +0200
+++ openssl-1.0.1k/doc/apps/ocsp.pod	2015-01-09 10:19:45.479779524 +0100
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
 [B<-path>]
 [B<-CApath dir>]
@ -172,7 +172,7 @@ diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/
 [B<-VAfile file>]
 [B<-validity_period n>]
 [B<-status_age n>]
-@@ -138,6 +139,13 @@ or "/" by default.
+@@ -142,6 +143,13 @@ connection timeout to the OCSP responder
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
@ -186,9 +186,9 @@ diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/
 =item B<-verify_other file>
 file containing additional certificates to search when attempting to locate
-diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/apps/s_client.pod
+diff -up openssl-1.0.1k/doc/apps/s_client.pod.trusted-first openssl-1.0.1k/doc/apps/s_client.pod
--- openssl-1.0.1i/doc/apps/s_client.pod.trusted-first	2014-08-07 13:54:27.726103281 +0200
+--- openssl-1.0.1k/doc/apps/s_client.pod.trusted-first	2015-01-09 10:19:45.451778890 +0100
-+++ openssl-1.0.1i/doc/apps/s_client.pod	2014-08-07 13:54:27.755103424 +0200
+++ openssl-1.0.1k/doc/apps/s_client.pod	2015-01-09 10:19:45.479779524 +0100
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
@ -206,9 +206,9 @@ diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/a
 Set various certificate chain valiadition option. See the
 L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps/smime.pod
+diff -up openssl-1.0.1k/doc/apps/smime.pod.trusted-first openssl-1.0.1k/doc/apps/smime.pod
--- openssl-1.0.1i/doc/apps/smime.pod.trusted-first	2014-07-22 21:43:11.000000000 +0200
+--- openssl-1.0.1k/doc/apps/smime.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/doc/apps/smime.pod	2014-08-07 13:54:27.755103424 +0200
+++ openssl-1.0.1k/doc/apps/smime.pod	2015-01-09 10:19:45.479779524 +0100
@@ -15,6 +15,9 @@ B<openssl> B<smime>
 [B<-pk7out>]
 [B<-[cipher]>]
@ -232,9 +232,9 @@ diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps
 =item B<-md digest>
 digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/apps/s_server.pod
+diff -up openssl-1.0.1k/doc/apps/s_server.pod.trusted-first openssl-1.0.1k/doc/apps/s_server.pod
--- openssl-1.0.1i/doc/apps/s_server.pod.trusted-first	2014-08-07 13:54:27.726103281 +0200
+--- openssl-1.0.1k/doc/apps/s_server.pod.trusted-first	2015-01-09 10:19:45.451778890 +0100
-+++ openssl-1.0.1i/doc/apps/s_server.pod	2014-08-07 15:07:12.315099577 +0200
+++ openssl-1.0.1k/doc/apps/s_server.pod	2015-01-09 10:19:45.479779524 +0100
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
 [B<-state>]
 [B<-CApath directory>]
@ -256,9 +256,9 @@ diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/a
 =item B<-state>
 prints out the SSL session states.
-diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/apps/s_time.pod
+diff -up openssl-1.0.1k/doc/apps/s_time.pod.trusted-first openssl-1.0.1k/doc/apps/s_time.pod
--- openssl-1.0.1i/doc/apps/s_time.pod.trusted-first	2014-07-22 21:41:23.000000000 +0200
+--- openssl-1.0.1k/doc/apps/s_time.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/doc/apps/s_time.pod	2014-08-07 13:54:27.755103424 +0200
+++ openssl-1.0.1k/doc/apps/s_time.pod	2015-01-09 10:19:45.480779546 +0100
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
 [B<-key filename>]
 [B<-CApath directory>]
@ -280,9 +280,9 @@ diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/app
 =item B<-new>
 performs the timing test using a new session ID for each connection.
-diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts.pod
+diff -up openssl-1.0.1k/doc/apps/ts.pod.trusted-first openssl-1.0.1k/doc/apps/ts.pod
--- openssl-1.0.1i/doc/apps/ts.pod.trusted-first	2014-07-22 21:41:23.000000000 +0200
+--- openssl-1.0.1k/doc/apps/ts.pod.trusted-first	2014-10-15 15:49:15.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/ts.pod	2014-08-07 13:54:27.756103429 +0200
+++ openssl-1.0.1k/doc/apps/ts.pod	2015-01-09 10:19:45.480779546 +0100
@@ -46,6 +46,7 @@ B<-verify>
 [B<-token_in>]
 [B<-CApath> trusted_cert_path]
@ -304,9 +304,9 @@ diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts
 =item B<-untrusted> cert_file.pem
 Set of additional untrusted certificates in PEM format which may be
-diff -up openssl-1.0.1i/doc/apps/verify.pod.trusted-first openssl-1.0.1i/doc/apps/verify.pod
+diff -up openssl-1.0.1k/doc/apps/verify.pod.trusted-first openssl-1.0.1k/doc/apps/verify.pod
--- openssl-1.0.1i/doc/apps/verify.pod.trusted-first	2014-08-06 23:10:56.000000000 +0200
+--- openssl-1.0.1k/doc/apps/verify.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
-+++ openssl-1.0.1i/doc/apps/verify.pod	2014-08-07 13:54:27.756103429 +0200
+++ openssl-1.0.1k/doc/apps/verify.pod	2015-01-09 10:19:45.480779546 +0100
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
 B<openssl> B<verify>
 [B<-CApath directory>]
--- a/openssl.spec
+++ b/openssl.spec
@ -22,8 +22,8 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.1j
+Version: 1.0.1k
-Release: 3%{?dist}
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -58,11 +58,11 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
 Patch35: openssl-0.9.8j-version-add-engines.patch
 Patch39: openssl-1.0.1h-ipv6-apps.patch
-Patch40: openssl-1.0.1j-fips.patch
+Patch40: openssl-1.0.1k-fips.patch
 Patch45: openssl-1.0.1e-env-zlib.patch
 Patch47: openssl-1.0.0-beta5-readme-warning.patch
 Patch49: openssl-1.0.1i-algo-doc.patch
-Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
+Patch50: openssl-1.0.1k-dtls1-abi.patch
 Patch51: openssl-1.0.1e-version.patch
 Patch56: openssl-1.0.0c-rsa-x931.patch
 Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
@ -75,7 +75,7 @@ Patch69: openssl-1.0.1c-dh-1024.patch
 Patch70: openssl-1.0.1j-fips-ec.patch
 Patch71: openssl-1.0.1i-manfix.patch
 Patch72: openssl-1.0.1e-fips-ctor.patch
-Patch73: openssl-1.0.1e-ecc-suiteb.patch
+Patch73: openssl-1.0.1k-ecc-suiteb.patch
 Patch74: openssl-1.0.1e-no-md5-verify.patch
 Patch75: openssl-1.0.1e-compat-symbols.patch
 Patch76: openssl-1.0.1i-new-fips-reqs.patch
@ -85,10 +85,10 @@ Patch92: openssl-1.0.1h-system-cipherlist.patch
 Patch93: openssl-1.0.1h-disable-sslv2v3.patch
 # Backported fixes including security fixes
 Patch80: openssl-1.0.1j-evp-wrap.patch
-Patch81: openssl-1.0.1-beta2-padlock64.patch
+Patch81: openssl-1.0.1k-padlock64.patch
-Patch84: openssl-1.0.1i-trusted-first.patch
+Patch84: openssl-1.0.1k-trusted-first.patch
 Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
-Patch89: openssl-1.0.1j-ephemeral-key-size.patch
+Patch89: openssl-1.0.1k-ephemeral-key-size.patch
 License: OpenSSL
 Group: System Environment/Libraries
@ -478,6 +478,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 %changelog
 * Fri Jan  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-1
 - new upstream release fixing multiple security issues
 * Thu Nov 20 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-3
 - disable SSLv3 by default again (mail servers and possibly
  LDAP servers should probably allow it explicitly for legacy
--- a/2
+++ b/2
@ -1 +1 @@
-d6eba044f614596f94ba27a90be2b5de  openssl-1.0.1j-hobbled.tar.xz
+c272aff85ade496e3eca96a41a49a06f  openssl-1.0.1k-hobbled.tar.xz
`@ -1 +1 @@`
	`d6eba044f614596f94ba27a90be2b5de openssl-1.0.1j-hobbled.tar.xz`	`c272aff85ade496e3eca96a41a49a06f openssl-1.0.1k-hobbled.tar.xz`