###############################################################################
name = openssl
-version = 1.0.1h
-release = 2
+version = 1.0.2c
+release = 1
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = System/Libraries
# Rename man pages so that they don't conflict with other system man pages.
pushd %{BUILDROOT}%{mandir}
- for manpage in man*/*; do
- if [ -L ${manpage} ]; then
- TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
- ln -snf ${TARGET}ssl ${manpage}ssl
- rm -f ${manpage}
- else
- mv ${manpage} ${manpage}ssl
- fi
+ for m in $(find . -type f | xargs grep -L '#include'); do
+ d="${m%/*}"
+ d="${d#./}"
+ m="${m##*/}"
+ [[ ${m} == openssl.1* ]] && continue
+ [[ -n "$(find -L "${d}" -type l)" ]] && exit 1
+ mv ${d}/{,ssl-}${m}
+
+ # fix up references to renamed man pages
+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' "${d}/ssl-${m}"
+ ln -s "ssl-${m}" "${d}/openssl-${m}"
+
+ # locate any symlinks that point to this man page ... we assume
+ # that any broken links are due to the above renaming
+ for s in $(find -L "${d}" -type l); do
+ s="${s##*/}"
+ rm -f "${d}/${s}"
+ ln -s "ssl-${m}" "${d}/ssl-${s}"
+ ln -s "ssl-${s}" "${d}/openssl-${s}"
+ done
done
+
+ [[ -n "$(find -L "${d}" -type l)" ]] && exit 1 # "broken manpage links found :("
popd
+
+ #pushd %{BUILDROOT}%{mandir}
+ #for manpage in man*/*; do
+ # if [ -L "${manpage}" ]; then
+ # TARGET="$(ls -l "${manpage}" | awk '{ print $NF }')"
+ # ln -snf "${TARGET}ssl" "${manpage}ssl"
+ # rm -f "${manpage}"
+ # else
+ # mv "${manpage}" "${manpage}ssl"
+ # fi
+ #done
+ #popd
end
end
+++ /dev/null
-Do not treat duplicate certs as an error.
-
---- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000
-+++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000
-@@ -163,8 +163,12 @@
- }
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-- count++;
-+ /* ignore any problems with current certificate
-+ and continue with the next one */
-+ if (i)
-+ count++;
-+ else
-+ ERR_clear_error();
- X509_free(x);
- x=NULL;
- }
-@@ -179,7 +183,8 @@
- goto err;
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-+ if (!i)
-+ ERR_clear_error();
- ret=i;
- }
- else
+++ /dev/null
-diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c
---- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100
-+++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200
-@@ -839,19 +839,8 @@ bad:
- #ifndef OPENSSL_NO_KRB5
- if (c_ssl && c_ssl->kssl_ctx)
- {
-- char localhost[MAXHOSTNAMELEN+2];
--
-- if (gethostname(localhost, sizeof localhost-1) == 0)
-- {
-- localhost[sizeof localhost-1]='\0';
-- if(strlen(localhost) == sizeof localhost-1)
-- {
-- BIO_printf(bio_err,"localhost name too long\n");
-- goto end;
-- }
- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
-- localhost);
-- }
-+ "localhost");
- }
- #endif /* OPENSSL_NO_KRB5 */
-
+++ /dev/null
-diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
---- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200
-+++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100
-@@ -131,6 +131,7 @@
- #ifndef OPENSSL_NO_BF
- # include <openssl/blowfish.h>
- #endif
-+#include <openssl/engine.h>
-
- #undef PROG
- #define PROG version_main
-@@ -140,7 +141,7 @@ int MAIN(int, char **);
- int MAIN(int argc, char **argv)
- {
- int i,ret=0;
-- int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
-+ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
-
- apps_startup();
-
-@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
- else if (strcmp(argv[i],"-d") == 0)
- dir=1;
- else if (strcmp(argv[i],"-a") == 0)
-- date=version=cflags=options=platform=dir=1;
-+ date=version=cflags=options=platform=dir=engines=1;
- else
- {
- BIO_printf(bio_err,"usage:version -[avbofpd]\n");
-@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
- }
- if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
- if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR));
-+ if (engines)
-+ {
-+ ENGINE *e;
-+ printf("engines: ");
-+ e = ENGINE_get_first();
-+ while (e)
-+ {
-+ printf("%s ", ENGINE_get_id(e));
-+ e = ENGINE_get_next(e);
-+ }
-+ printf("\n");
-+ }
- end:
- apps_shutdown();
- OPENSSL_EXIT(ret);
+++ /dev/null
-diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
---- openssl-1.0.0-beta4/apps/s_client.c.default-paths 2009-08-12 15:21:26.000000000 +0200
-+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 12:26:32.000000000 +0100
-@@ -889,12 +889,13 @@ bad:
- if (!set_cert_key_stuff(ctx,cert,key))
- goto end;
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
-- /* goto end; */
- }
-
- #ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
---- openssl-1.0.0-beta4/apps/s_server.c.default-paths 2009-10-28 18:49:37.000000000 +0100
-+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 12:31:23.000000000 +0100
-@@ -1408,12 +1408,13 @@ bad:
- }
- #endif
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
- {
-- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
-- /* goto end; */
- }
- if (vpm)
- SSL_CTX_set1_param(ctx, vpm);
-@@ -1465,8 +1466,11 @@ bad:
- else
- SSL_CTX_sess_set_cache_size(ctx2,128);
-
-- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx2)))
-+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx2))
- {
- ERR_print_errors(bio_err);
- }
-diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
---- openssl-1.0.0-beta4/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
-+++ openssl-1.0.0-beta4/apps/s_time.c 2009-11-12 12:26:32.000000000 +0100
-@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
-
- SSL_load_error_strings();
-
-- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
-+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
-- /* goto end; */
- }
-
- if (tm_cipher == NULL)
+++ /dev/null
-diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
---- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
-+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
-@@ -5,6 +5,35 @@
- Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
- All rights reserved.
-
-+ WARNING
-+ -------
-+
-+ This version of OpenSSL is built in a way that supports operation in
-+ the so called FIPS mode. Note though that the library as we build it
-+ is not FIPS validated and the FIPS mode is present for testing purposes
-+ only.
-+
-+ This version also contains a few differences from the upstream code
-+ some of which are:
-+ * There are added changes forward ported from the upstream OpenSSL
-+ 0.9.8 FIPS branch however the FIPS integrity verification check
-+ is implemented differently from the upstream FIPS validated OpenSSL
-+ module. It verifies HMAC-SHA256 checksum of the whole shared
-+ libraries. For this reason the changes are ported to files in the
-+ crypto directory and not in a separate fips subdirectory. Also
-+ note that the FIPS integrity verification check requires unmodified
-+ libcrypto and libssl shared library files which means that it will
-+ fail if these files are modified for example by prelink.
-+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
-+ tries to initialize the FIPS mode if it is set to 1 aborting if the
-+ FIPS mode could not be initialized. It is also possible to force the
-+ OpenSSL library to FIPS mode especially for debugging purposes by
-+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
-+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
-+ will not automatically load the built in compression method ZLIB
-+ when initialized. Applications can still explicitely ask for ZLIB
-+ compression method.
-+
- DESCRIPTION
- -----------
-
+++ /dev/null
-diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
---- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200
-+++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200
-@@ -609,7 +609,7 @@ install_docs:
- sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
- echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
- (cd `$(PERL) util/dirname.pl $$i`; \
-- sh -c "$$pod2man \
-+ sh -c "TZ=UTC $$pod2man \
- --section=$$sec --center=OpenSSL \
- --release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-@@ -626,7 +626,7 @@ install_docs:
- sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
- echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
- (cd `$(PERL) util/dirname.pl $$i`; \
-- sh -c "$$pod2man \
-+ sh -c "TZ=UTC $$pod2man \
- --section=$$sec --center=OpenSSL \
- --release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+++ /dev/null
-diff -up openssl-1.0.0d/apps/ca.c.dgst openssl-1.0.0d/apps/ca.c
---- openssl-1.0.0d/apps/ca.c.dgst 2009-12-02 15:41:24.000000000 +0100
-+++ openssl-1.0.0d/apps/ca.c 2011-04-05 21:09:42.000000000 +0200
-@@ -157,7 +157,7 @@ static const char *ca_usage[]={
- " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
- " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
- " -days arg - number of days to certify the certificate for\n",
--" -md arg - md to use, one of md2, md5, sha or sha1\n",
-+" -md arg - md to use, see openssl dgst -h for list\n",
- " -policy arg - The CA 'policy' to support\n",
- " -keyfile arg - private key file\n",
- " -keyform arg - private key file format (PEM or ENGINE)\n",
-diff -up openssl-1.0.0d/apps/enc.c.dgst openssl-1.0.0d/apps/enc.c
---- openssl-1.0.0d/apps/enc.c.dgst 2010-06-15 19:25:02.000000000 +0200
-+++ openssl-1.0.0d/apps/enc.c 2011-04-05 21:11:54.000000000 +0200
-@@ -302,7 +302,7 @@ bad:
- BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
- BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
- BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
-- BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n","");
-+ BIO_printf(bio_err,"%-14s from a passphrase. See openssl dgst -h for list.\n","");
- BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");
- BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
- BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
-diff -up openssl-1.0.0d/apps/req.c.dgst openssl-1.0.0d/apps/req.c
---- openssl-1.0.0d/apps/req.c.dgst 2010-03-10 14:48:21.000000000 +0100
-+++ openssl-1.0.0d/apps/req.c 2011-04-05 21:12:33.000000000 +0200
-@@ -421,7 +421,7 @@ bad:
- #ifndef OPENSSL_NO_ECDSA
- BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
- #endif
-- BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
-+ BIO_printf(bio_err," -[digest] Digest to sign with (see openssl dgst -h for list)\n");
- BIO_printf(bio_err," -config file request template file.\n");
- BIO_printf(bio_err," -subj arg set or modify request subject\n");
- BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
-diff -up openssl-1.0.0d/apps/ts.c.dgst openssl-1.0.0d/apps/ts.c
---- openssl-1.0.0d/apps/ts.c.dgst 2009-10-18 16:42:26.000000000 +0200
-+++ openssl-1.0.0d/apps/ts.c 2011-04-05 21:16:07.000000000 +0200
-@@ -368,7 +368,7 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err, "usage:\n"
- "ts -query [-rand file%cfile%c...] [-config configfile] "
- "[-data file_to_hash] [-digest digest_bytes]"
-- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
-+ "[-<hashalg>] "
- "[-policy object_id] [-no_nonce] [-cert] "
- "[-in request.tsq] [-out request.tsq] [-text]\n",
- LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-diff -up openssl-1.0.0d/apps/x509.c.dgst openssl-1.0.0d/apps/x509.c
---- openssl-1.0.0d/apps/x509.c.dgst 2011-04-05 21:13:42.000000000 +0200
-+++ openssl-1.0.0d/apps/x509.c 2011-04-05 21:13:17.000000000 +0200
-@@ -141,7 +141,7 @@ static const char *x509_usage[]={
- " -set_serial - serial number to use\n",
- " -text - print the certificate in text form\n",
- " -C - print out C code forms\n",
--" -md2/-md5/-sha1/-mdc2 - digest to use\n",
-+" -<dgst> - digest to use, see openssl dgst -h output for list\n",
- " -extfile - configuration file with X509V3 extensions to add\n",
- " -extensions - section from config file with X509V3 extensions to add\n",
- " -clrext - delete extensions before signing and input certificate\n",
-diff -up openssl-1.0.0d/doc/apps/ca.pod.dgst openssl-1.0.0d/doc/apps/ca.pod
---- openssl-1.0.0d/doc/apps/ca.pod.dgst 2009-04-10 13:25:53.000000000 +0200
-+++ openssl-1.0.0d/doc/apps/ca.pod 2011-04-05 21:16:39.000000000 +0200
-@@ -160,7 +160,8 @@ the number of days to certify the certif
- =item B<-md alg>
-
- the message digest to use. Possible values include md5, sha1 and mdc2.
--This option also applies to CRLs.
-+For full list of digests see openssl dgst -h output. This option also
-+applies to CRLs.
-
- =item B<-policy arg>
-
-diff -up openssl-1.0.0d/doc/apps/ocsp.pod.dgst openssl-1.0.0d/doc/apps/ocsp.pod
---- openssl-1.0.0d/doc/apps/ocsp.pod.dgst 2008-02-25 19:11:47.000000000 +0100
-+++ openssl-1.0.0d/doc/apps/ocsp.pod 2011-04-05 21:18:17.000000000 +0200
-@@ -210,7 +210,8 @@ check is not performed.
- =item B<-md5|-sha1|-sha256|-ripemod160|...>
-
- this option sets digest algorithm to use for certificate identification
--in the OCSP request. By default SHA-1 is used.
-+in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
-+the list of available algorithms.
-
- =back
-
-diff -up openssl-1.0.0d/doc/apps/req.pod.dgst openssl-1.0.0d/doc/apps/req.pod
---- openssl-1.0.0d/doc/apps/req.pod.dgst 2009-04-10 18:42:28.000000000 +0200
-+++ openssl-1.0.0d/doc/apps/req.pod 2011-04-05 21:20:47.000000000 +0200
-@@ -201,7 +201,8 @@ will not be encrypted.
-
- this specifies the message digest to sign the request with (such as
- B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
--the configuration file.
-+the configuration file. For full list of possible digests see openssl
-+dgst -h output.
-
- Some public key algorithms may override this choice. For instance, DSA
- signatures always use SHA1, GOST R 34.10 signatures always use
-diff -up openssl-1.0.0d/doc/apps/x509.pod.dgst openssl-1.0.0d/doc/apps/x509.pod
---- openssl-1.0.0d/doc/apps/x509.pod.dgst 2010-01-12 18:27:11.000000000 +0100
-+++ openssl-1.0.0d/doc/apps/x509.pod 2011-04-05 21:19:56.000000000 +0200
-@@ -101,6 +101,7 @@ the digest to use. This affects any sign
- digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
- specified then SHA1 is used. If the key being used to sign with is a DSA key
- then this option has no effect: SHA1 is always used with DSA keys.
-+For full list of digests see openssl dgst -h output.
-
- =item B<-engine id>
-
+++ /dev/null
-diff -ru openssl-1.0.0d.old/apps/s_client.c openssl-1.0.0d/apps/s_client.c
---- openssl-1.0.0d.old/apps/s_client.c 2011-07-17 21:05:19.934181169 +0200
-+++ openssl-1.0.0d/apps/s_client.c 2011-07-17 21:11:42.747824990 +0200
-@@ -1186,7 +1186,7 @@
- "xmlns='jabber:client' to='%s' version='1.0'>", host);
- seen = BIO_read(sbio,mbuf,BUFSIZZ);
- mbuf[seen] = 0;
-- while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
-+ while (!strcasestr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && !strcasestr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
- {
- if (strstr(mbuf, "/stream:features>"))
- goto shut;
+++ /dev/null
-diff -up openssl-1.0.0e/engines/e_chil.c.chil openssl-1.0.0e/engines/e_chil.c
---- openssl-1.0.0e/engines/e_chil.c.chil 2010-06-15 19:25:12.000000000 +0200
-+++ openssl-1.0.0e/engines/e_chil.c 2011-09-21 17:32:03.000000000 +0200
-@@ -1261,6 +1261,11 @@ static int hwcrhk_insert_card(const char
- UI *ui;
- void *callback_data = NULL;
- UI_METHOD *ui_method = NULL;
-+ /* Despite what the documentation says prompt_info can be
-+ * an empty string.
-+ */
-+ if (prompt_info && !*prompt_info)
-+ prompt_info = NULL;
-
- if (cactx)
- {
-@@ -1287,7 +1292,7 @@ static int hwcrhk_insert_card(const char
-
- if (ui)
- {
-- char answer;
-+ char answer = '\0';
- char buf[BUFSIZ];
- /* Despite what the documentation says wrong_info can be
- * an empty string.
+++ /dev/null
-diff -up openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof openssl-1.0.0e/doc/apps/s_client.pod
---- openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof 2009-06-26 13:28:51.000000000 +0200
-+++ openssl-1.0.0e/doc/apps/s_client.pod 2011-11-03 08:30:35.000000000 +0100
-@@ -27,6 +27,7 @@ B<openssl> B<s_client>
- [B<-nbio>]
- [B<-crlf>]
- [B<-ign_eof>]
-+[B<-no_ign_eof>]
- [B<-quiet>]
- [B<-ssl2>]
- [B<-ssl3>]
-@@ -161,6 +162,11 @@ by some servers.
- inhibit shutting down the connection when end of file is reached in the
- input.
-
-+=item B<-no_ign_eof>
-+
-+shut down the connection when end of file is reached in the
-+input. Can be used to override the implicit B<-ign_eof> after B<-quiet>.
-+
- =item B<-quiet>
-
- inhibit printing of session and certificate information. This implicitly
+++ /dev/null
-diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
---- openssl-1.0.0f/apps/openssl.cnf.defaults 2011-12-06 01:01:00.000000000 +0100
-+++ openssl-1.0.0f/apps/openssl.cnf 2012-01-05 13:16:15.000000000 +0100
-@@ -103,7 +103,8 @@ emailAddress = optional
-
- ####################################################################
- [ req ]
--default_bits = 1024
-+default_bits = 2048
-+default_md = sha1
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = XX
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+#stateOrProvinceName_default = Default Province
-
- localityName = Locality Name (eg, city)
-+localityName_default = Default City
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = Default Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (e.g. server FQDN or YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
+++ /dev/null
-diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
---- openssl-1.0.1-beta2/Configure.rpmbuild 2012-01-05 01:07:34.000000000 +0100
-+++ openssl-1.0.1-beta2/Configure 2012-02-02 12:43:56.547409325 +0100
-@@ -343,23 +343,23 @@ my %table=(
- ####
- # *-generic* is endian-neutral target, but ./config is free to
- # throw in -D[BL]_ENDIAN, whichever appropriate...
--"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # It's believed that majority of ARM toolchains predefine appropriate -march.
- # If you compiler does not, do complement config command line with one!
--"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- #### IA-32 targets...
- "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
- ####
--"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
- # /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -373,16 +373,16 @@ my %table=(
- # ldconfig and run-time linker to autodiscover. Unfortunately it
- # doesn't work just yet, because of couple of bugs in glibc
- # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
--"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
-+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
--"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # it's a real mess with -mcpu=ultrasparc option under Linux, but
- # -Wa,-Av8plus should do the trick no matter what.
--"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # GCC 3.1 is a requirement
--"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### Alpha Linux with GNU C and Compaq C setups
- # Special notes:
- # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -396,8 +396,8 @@ my %table=(
- #
- # <appro@fy.chalmers.se>
- #
--"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-@@ -1678,7 +1678,7 @@ while (<IN>)
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- {
- my $sotmp = $1;
-- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
- }
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- {
-diff -up openssl-1.0.1-beta2/Makefile.org.rpmbuild openssl-1.0.1-beta2/Makefile.org
---- openssl-1.0.1-beta2/Makefile.org.rpmbuild 2011-12-27 16:17:50.000000000 +0100
-+++ openssl-1.0.1-beta2/Makefile.org 2012-02-02 12:30:23.652495435 +0100
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=
- SHLIB_MINOR=
- SHLIB_EXT=
-+SHLIB_SONAMEVER=10
- PLATFORM=dist
- OPTIONS=
- CONFIGURE_ARGS=
-@@ -333,10 +334,9 @@ clean-shared:
- link-shared:
- @ set -e; for i in $(SHLIBDIRS); do \
- $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- symlink.$(SHLIB_TARGET); \
-- libs="$$libs -l$$i"; \
- done
-
- build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- LIBDEPS="$$libs $(EX_LIBS)" \
- link_a.$(SHLIB_TARGET); \
+++ /dev/null
-diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
---- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi 2012-02-06 17:07:34.630336118 +0100
-+++ openssl-1.0.1-beta2/ssl/dtls1.h 2012-02-06 17:10:08.956623707 +0100
-@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
- */
- record_pqueue buffered_app_data;
-
-- /* Is set when listening for new connections with dtls1_listen() */
-- unsigned int listen;
--
- unsigned int mtu; /* max DTLS packet size */
-
- struct hm_header_st w_msg_hdr;
-@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
- unsigned int retransmitting;
- unsigned int change_cipher_spec_ok;
-
-+ /* Is set when listening for new connections with dtls1_listen() */
-+ unsigned int listen;
-+
- #ifndef OPENSSL_NO_SCTP
- /* used when SSL_ST_XX_FLUSH is entered */
- int next_state;
+++ /dev/null
-diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
---- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 2011-06-21 18:42:15.000000000 +0200
-+++ openssl-1.0.1-beta2/engines/e_padlock.c 2012-02-06 20:18:52.039537799 +0100
-@@ -101,7 +101,10 @@
- compiler choice is limited to GCC and Microsoft C. */
- #undef COMPILE_HW_PADLOCK
- #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
--# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
-+# if (defined(__GNUC__) && __GNUC__>=2 && \
-+ (defined(__i386__) || defined(__i386) || \
-+ defined(__x86_64__) || defined(__x86_64)) \
-+ ) || \
- (defined(_MSC_VER) && defined(_M_IX86))
- # define COMPILE_HW_PADLOCK
- # endif
-@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
- # endif
- #elif defined(__GNUC__)
- # ifndef alloca
--# define alloca(s) __builtin_alloca(s)
-+# define alloca(s) __builtin_alloca((s))
- # endif
- #endif
-
-@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
- * =======================================================
- */
- #if defined(__GNUC__) && __GNUC__>=2
-+#if defined(__i386__) || defined(__i386)
- /*
- * As for excessive "push %ebx"/"pop %ebx" found all over.
- * When generating position-independent code GCC won't let
-@@ -383,21 +387,6 @@ padlock_available(void)
- return padlock_use_ace + padlock_use_rng;
- }
-
--#ifndef OPENSSL_NO_AES
--/* Our own htonl()/ntohl() */
--static inline void
--padlock_bswapl(AES_KEY *ks)
--{
-- size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-- unsigned int *key = ks->rd_key;
--
-- while (i--) {
-- asm volatile ("bswapl %0" : "+r"(*key));
-- key++;
-- }
--}
--#endif
--
- /* Force key reload from memory to the CPU microcode.
- Loading EFLAGS from the stack clears EFLAGS[30]
- which does the trick. */
-@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \
- : "edx", "cc", "memory"); \
- return iv; \
- }
-+#endif
-+
-+#elif defined(__x86_64__) || defined(__x86_64)
-+
-+/* Load supported features of the CPU to see if
-+ the PadLock is available. */
-+static int
-+padlock_available(void)
-+{
-+ char vendor_string[16];
-+ unsigned int eax, edx;
-
-+ /* Are we running on the Centaur (VIA) CPU? */
-+ eax = 0x00000000;
-+ vendor_string[12] = 0;
-+ asm volatile (
-+ "cpuid\n"
-+ "movl %%ebx,(%1)\n"
-+ "movl %%edx,4(%1)\n"
-+ "movl %%ecx,8(%1)\n"
-+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
-+ if (strcmp(vendor_string, "CentaurHauls") != 0)
-+ return 0;
-+
-+ /* Check for Centaur Extended Feature Flags presence */
-+ eax = 0xC0000000;
-+ asm volatile ("cpuid"
-+ : "+a"(eax) : : "rbx", "rcx", "rdx");
-+ if (eax < 0xC0000001)
-+ return 0;
-+
-+ /* Read the Centaur Extended Feature Flags */
-+ eax = 0xC0000001;
-+ asm volatile ("cpuid"
-+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
-+
-+ /* Fill up some flags */
-+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
-+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
-+
-+ return padlock_use_ace + padlock_use_rng;
-+}
-+
-+/* Force key reload from memory to the CPU microcode.
-+ Loading EFLAGS from the stack clears EFLAGS[30]
-+ which does the trick. */
-+static inline void
-+padlock_reload_key(void)
-+{
-+ asm volatile ("pushfq; popfq");
-+}
-+
-+#ifndef OPENSSL_NO_AES
-+/*
-+ * This is heuristic key context tracing. At first one
-+ * believes that one should use atomic swap instructions,
-+ * but it's not actually necessary. Point is that if
-+ * padlock_saved_context was changed by another thread
-+ * after we've read it and before we compare it with cdata,
-+ * our key *shall* be reloaded upon thread context switch
-+ * and we are therefore set in either case...
-+ */
-+static inline void
-+padlock_verify_context(struct padlock_cipher_data *cdata)
-+{
-+ asm volatile (
-+ "pushfq\n"
-+" btl $30,(%%rsp)\n"
-+" jnc 1f\n"
-+" cmpq %2,%1\n"
-+" je 1f\n"
-+" popfq\n"
-+" subq $8,%%rsp\n"
-+"1: addq $8,%%rsp\n"
-+" movq %2,%0"
-+ :"+m"(padlock_saved_context)
-+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
-+}
-+
-+/* Template for padlock_xcrypt_* modes */
-+/* BIG FAT WARNING:
-+ * The offsets used with 'leal' instructions
-+ * describe items of the 'padlock_cipher_data'
-+ * structure.
-+ */
-+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
-+static inline void *name(size_t cnt, \
-+ struct padlock_cipher_data *cdata, \
-+ void *out, const void *inp) \
-+{ void *iv; \
-+ asm volatile ( "leaq 16(%0),%%rdx\n" \
-+ " leaq 32(%0),%%rbx\n" \
-+ rep_xcrypt "\n" \
-+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
-+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
-+ : "rbx", "rdx", "cc", "memory"); \
-+ return iv; \
-+}
-+#endif
-+
-+#endif /* cpu */
-+
-+#ifndef OPENSSL_NO_AES
- /* Generate all functions with appropriate opcodes */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
-+
-+/* Our own htonl()/ntohl() */
-+static inline void
-+padlock_bswapl(AES_KEY *ks)
-+{
-+ size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-+ unsigned int *key = ks->rd_key;
-+
-+ while (i--) {
-+ asm volatile ("bswapl %0" : "+r"(*key));
-+ key++;
-+ }
-+}
- #endif
-
- /* The RNG call itself */
-@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
- static inline unsigned char *
- padlock_memcpy(void *dst,const void *src,size_t n)
- {
-- long *d=dst;
-- const long *s=src;
-+ size_t *d=dst;
-+ const size_t *s=src;
-
- n /= sizeof(*d);
- do { *d++ = *s++; } while (--n);
+++ /dev/null
-diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200
-@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
-
- EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
- B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
--function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
-+function. B<type> will typically be supplied by a function such as EVP_sha1().
- If B<impl> is NULL then the default implementation of digest B<type> is used.
-
- EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
- EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
- size in bytes.
-
--EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
-+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
-+EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
- EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
- corresponding EVP_MD structures.
-
-diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200
-@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
- int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
- int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
-
-+ const EVP_CIPHER *EVP_des_ede3(void);
-+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
-+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_ecb(void);
-+ const EVP_CIPHER *EVP_aes_128_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_128_ofb(void);
-+ const EVP_CIPHER *EVP_aes_192_ecb(void);
-+ const EVP_CIPHER *EVP_aes_192_cbc(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_192_ofb(void);
-+ const EVP_CIPHER *EVP_aes_256_ecb(void);
-+ const EVP_CIPHER *EVP_aes_256_cbc(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_256_ofb(void);
-+
- =head1 DESCRIPTION
-
- The EVP cipher routines are a high level interface to certain
-@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
-
- DESX algorithm in CBC mode.
-
-+=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
-+
-+AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
-+
-+AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
-+
-+AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
- =item EVP_rc4(void)
-
- RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
+++ /dev/null
-diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
---- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100
-@@ -47,6 +47,13 @@ Once the identities of the compression m
- been standardized, the compression API will most likely be changed. Using
- it in the current state is not recommended.
-
-+It is also not recommended to use compression if data transfered contain
-+untrusted parts that can be manipulated by an attacker as he could then
-+get information about the encrypted data. See the CRIME attack. For
-+that reason the default loading of the zlib compression method is
-+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
-+is present during the library initialization.
-+
- =head1 RETURN VALUES
-
- SSL_COMP_add_compression_method() may return the following values:
-diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c
---- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100
-@@ -140,6 +140,8 @@
- * OTHERWISE.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <openssl/objects.h>
- #ifndef OPENSSL_NO_COMP
-@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo
-
- MemCheck_off();
- ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL)
-+ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
- {
- comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL)
+++ /dev/null
-diff -up openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1e/crypto/x509/x509_cmp.c
---- openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/x509_cmp.c 2013-02-19 12:46:11.315788592 +0100
-@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
- char *f;
-
- EVP_MD_CTX_init(&ctx);
-+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
- if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
- goto err;
+++ /dev/null
-diff -up openssl-1.0.1e/ssl/s23_lib.c.ssl2noec openssl-1.0.1e/ssl/s23_lib.c
---- openssl-1.0.1e/ssl/s23_lib.c.ssl2noec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s23_lib.c 2014-05-06 15:51:54.053293674 +0200
-@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_C
- long l;
-
- /* We can write SSLv2 and SSLv3 ciphers */
-+ /* but no ECC ciphers */
-+ if (c->algorithm_mkey == SSL_kECDHr ||
-+ c->algorithm_mkey == SSL_kECDHe ||
-+ c->algorithm_mkey == SSL_kEECDH ||
-+ c->algorithm_auth == SSL_aECDH ||
-+ c->algorithm_auth == SSL_aECDSA)
-+ return 0;
- if (p != NULL)
- {
- l=c->id;
+++ /dev/null
-diff -up openssl-1.0.1e/crypto/cversion.c.version openssl-1.0.1e/crypto/cversion.c
---- openssl-1.0.1e/crypto/cversion.c.version 2013-02-11 16:02:47.000000000 +0100
-+++ openssl-1.0.1e/crypto/cversion.c 2013-07-26 12:28:12.739161925 +0200
-@@ -62,7 +62,7 @@
- #include "buildinf.h"
- #endif
-
--const char *SSLeay_version(int t)
-+const char *_current_SSLeay_version(int t)
- {
- if (t == SSLEAY_VERSION)
- return OPENSSL_VERSION_TEXT;
-@@ -110,8 +110,25 @@ const char *SSLeay_version(int t)
- return("not available");
- }
-
--unsigned long SSLeay(void)
-+const char *_original_SSLeay_version(int t)
-+ {
-+ if (t == SSLEAY_VERSION)
-+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
-+ else
-+ return _current_SSLeay_version(t);
-+ }
-+
-+unsigned long _original_SSLeay(void)
-+ {
-+ return(0x10000003);
-+ }
-+
-+unsigned long _current_SSLeay(void)
- {
- return(SSLEAY_VERSION_NUMBER);
- }
-
-+__asm__(".symver _original_SSLeay,SSLeay@");
-+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
-+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
-+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.1");
-diff -up openssl-1.0.1e/Makefile.shared.version openssl-1.0.1e/Makefile.shared
---- openssl-1.0.1e/Makefile.shared.version 2013-07-26 12:23:43.615545603 +0200
-+++ openssl-1.0.1e/Makefile.shared 2013-07-26 12:23:43.701547398 +0200
-@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- SHLIB_SUFFIX=; \
- ALLSYMSFLAGS='-Wl,--whole-archive'; \
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
- DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
-diff -up openssl-1.0.1e/version.map.version openssl-1.0.1e/version.map
---- openssl-1.0.1e/version.map.version 2013-07-26 12:23:43.701547398 +0200
-+++ openssl-1.0.1e/version.map 2013-07-26 12:29:10.698371472 +0200
-@@ -0,0 +1,8 @@
-+OPENSSL_1.0.1 {
-+ global:
-+ SSLeay;
-+ SSLeay_version;
-+ local:
-+ _original*;
-+ _current*;
-+};
+++ /dev/null
-diff -up openssl-1.0.1g/ssl/s2_lib.c.3des-strength openssl-1.0.1g/ssl/s2_lib.c
---- openssl-1.0.1g/ssl/s2_lib.c.3des-strength 2014-03-17 17:14:20.000000000 +0100
-+++ openssl-1.0.1g/ssl/s2_lib.c 2014-05-06 16:33:45.646358418 +0200
-@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_HIGH,
- 0,
-- 168,
-+ 128,
- 168,
- },
-
-diff -up openssl-1.0.1g/ssl/s3_lib.c.3des-strength openssl-1.0.1g/ssl/s3_lib.c
---- openssl-1.0.1g/ssl/s3_lib.c.3des-strength 2014-03-17 17:14:20.000000000 +0100
-+++ openssl-1.0.1g/ssl/s3_lib.c 2014-05-06 16:38:05.887374872 +0200
-@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2432,7 +2432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
-@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 128,
- 168,
- },
-
+++ /dev/null
-diff -up openssl-1.0.1h/apps/s_apps.h.ipv6-apps openssl-1.0.1h/apps/s_apps.h
---- openssl-1.0.1h/apps/s_apps.h.ipv6-apps 2014-06-05 14:33:38.515668750 +0200
-+++ openssl-1.0.1h/apps/s_apps.h 2014-06-05 14:33:38.540669335 +0200
-@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
- #define PORT_STR "4433"
- #define PROTOCOL "tcp"
-
--int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
-+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
--int extract_port(char *str, short *port_ptr);
--int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
-+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-
- long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
- int argi, long argl, long ret);
-diff -up openssl-1.0.1h/apps/s_client.c.ipv6-apps openssl-1.0.1h/apps/s_client.c
---- openssl-1.0.1h/apps/s_client.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200
-+++ openssl-1.0.1h/apps/s_client.c 2014-06-05 14:33:38.540669335 +0200
-@@ -567,7 +567,7 @@ int MAIN(int argc, char **argv)
- int cbuf_len,cbuf_off;
- int sbuf_len,sbuf_off;
- fd_set readfds,writefds;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- int full_log=1;
- char *host=SSL_HOST_NAME;
- char *cert_file=NULL,*key_file=NULL;
-@@ -668,13 +668,12 @@ int MAIN(int argc, char **argv)
- else if (strcmp(*argv,"-port") == 0)
- {
- if (--argc < 1) goto bad;
-- port=atoi(*(++argv));
-- if (port == 0) goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-connect") == 0)
- {
- if (--argc < 1) goto bad;
-- if (!extract_host_port(*(++argv),&host,NULL,&port))
-+ if (!extract_host_port(*(++argv),&host,&port_str))
- goto bad;
- }
- else if (strcmp(*argv,"-verify") == 0)
-@@ -1267,7 +1266,7 @@ bad:
-
- re_start:
-
-- if (init_client(&s,host,port,socket_type) == 0)
-+ if (init_client(&s,host,port_str,socket_type) == 0)
- {
- BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
- SHUTDOWN(s);
-diff -up openssl-1.0.1h/apps/s_server.c.ipv6-apps openssl-1.0.1h/apps/s_server.c
---- openssl-1.0.1h/apps/s_server.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200
-+++ openssl-1.0.1h/apps/s_server.c 2014-06-05 14:33:38.541669358 +0200
-@@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[])
- {
- X509_VERIFY_PARAM *vpm = NULL;
- int badarg = 0;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- char *CApath=NULL,*CAfile=NULL;
- unsigned char *context = NULL;
- char *dhfile = NULL;
-@@ -1004,8 +1004,7 @@ int MAIN(int argc, char *argv[])
- (strcmp(*argv,"-accept") == 0))
- {
- if (--argc < 1) goto bad;
-- if (!extract_port(*(++argv),&port))
-- goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-verify") == 0)
- {
-@@ -1892,9 +1891,9 @@ bad:
- BIO_printf(bio_s_out,"ACCEPT\n");
- (void)BIO_flush(bio_s_out);
- if (www)
-- do_server(port,socket_type,&accept_socket,www_body, context);
-+ do_server(port_str,socket_type,&accept_socket,www_body, context);
- else
-- do_server(port,socket_type,&accept_socket,sv_body, context);
-+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
- print_stats(bio_s_out,ctx);
- ret=0;
- end:
-diff -up openssl-1.0.1h/apps/s_socket.c.ipv6-apps openssl-1.0.1h/apps/s_socket.c
---- openssl-1.0.1h/apps/s_socket.c.ipv6-apps 2014-06-05 11:44:33.000000000 +0200
-+++ openssl-1.0.1h/apps/s_socket.c 2014-06-05 14:39:53.226442195 +0200
-@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
- static void ssl_sock_cleanup(void);
- #endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port,char *ip, int type);
-+static int init_server(int *sock, char *port, int type);
- static int do_accept(int acc_sock, int *sock, char **host);
- static int host_ip(char *str, unsigned char ip[4]);
-
-@@ -234,57 +232,71 @@ static int ssl_sock_init(void)
- return(1);
- }
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, char *port, int type)
- {
-- unsigned char ip[4];
--
-- memset(ip, '\0', sizeof ip);
-- if (!host_ip(host,&(ip[0])))
-- return 0;
-- return init_client_ip(sock,ip,port,type);
-- }
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
-- {
-- unsigned long addr;
-- struct sockaddr_in them;
-- int s,i;
-+ struct addrinfo *res, *res0, hints;
-+ char * failed_call = NULL;
-+ int s;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&them,0,sizeof(them));
-- them.sin_family=AF_INET;
-- them.sin_port=htons((unsigned short)port);
-- addr=(unsigned long)
-- ((unsigned long)ip[0]<<24L)|
-- ((unsigned long)ip[1]<<16L)|
-- ((unsigned long)ip[2]<< 8L)|
-- ((unsigned long)ip[3]);
-- them.sin_addr.s_addr=htonl(addr);
--
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* ( type == SOCK_DGRAM) */
-- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
--
-- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_ADDRCONFIG;
-+
-+ e = getaddrinfo(host, port, &hints, &res);
-+ if (e)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
- #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
- if (type == SOCK_STREAM)
- {
-- i=0;
-- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-- if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
-+ int i=0;
-+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
-+ (char *)&i,sizeof(i));
-+ if (i < 0) {
-+ failed_call = "keepalive";
-+ goto nextres;
-+ }
- }
- #endif
--
-- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
-- { closesocket(s); perror("connect"); return(0); }
-+ if (connect(s,(struct sockaddr *)res->ai_addr,
-+ res->ai_addrlen) == 0)
-+ {
-+ freeaddrinfo(res0);
- *sock=s;
- return(1);
- }
-
--int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
-+ failed_call = "socket";
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
-+ }
-+ freeaddrinfo(res0);
-+ closesocket(s);
-+
-+ perror(failed_call);
-+ return(0);
-+ }
-+
-+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
- {
- int sock;
- char *name = NULL;
-@@ -322,33 +334,50 @@ int do_server(int port, int type, int *r
- }
- }
-
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server(int *sock, char *port, int type)
- {
-- int ret=0;
-- struct sockaddr_in server;
-- int s= -1;
-+ struct addrinfo *res, *res0 = NULL, hints;
-+ char * failed_call = NULL;
-+ int s = INVALID_SOCKET;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&server,0,sizeof(server));
-- server.sin_family=AF_INET;
-- server.sin_port=htons((unsigned short)port);
-- if (ip == NULL)
-- server.sin_addr.s_addr=INADDR_ANY;
-- else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--#ifndef BIT_FIELD_LIMITS
-- memcpy(&server.sin_addr.s_addr,ip,4);
--#else
-- memcpy(&server.sin_addr,ip,4);
--#endif
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_family = AF_INET6;
-+tryipv4:
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_PASSIVE;
-
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* type == SOCK_DGRAM */
-- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
-+ e = getaddrinfo(NULL, port, &hints, &res);
-+ if (e)
-+ {
-+ if (hints.ai_family == AF_INET)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-+ else
-+ res = NULL;
-+ }
-
-- if (s == INVALID_SOCKET) goto err;
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ int j = 0;
-+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-+ (void *) &j, sizeof j);
-+ }
- #if defined SOL_SOCKET && defined SO_REUSEADDR
- {
- int j = 1;
-@@ -356,35 +385,49 @@ static int init_server_long(int *sock, i
- (void *) &j, sizeof j);
- }
- #endif
-- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
-+
-+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
- {
--#ifndef OPENSSL_SYS_WINDOWS
-- perror("bind");
--#endif
-- goto err;
-+ failed_call = "bind";
-+ goto nextres;
- }
-- /* Make it 128 for linux */
-- if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
-- *sock=s;
-- ret=1;
--err:
-- if ((ret == 0) && (s != -1))
-+ if (type==SOCK_STREAM && listen(s,128) == -1)
- {
-- SHUTDOWN(s);
-+ failed_call = "listen";
-+ goto nextres;
- }
-- return(ret);
-+
-+ *sock=s;
-+ return(1);
-+
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
- }
-+ if (res0)
-+ freeaddrinfo(res0);
-
--static int init_server(int *sock, int port, int type)
-+ if (s == INVALID_SOCKET)
- {
-- return(init_server_long(sock, port, NULL, type));
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ hints.ai_family = AF_INET;
-+ goto tryipv4;
-+ }
-+ perror("socket");
-+ return(0);
-+ }
-+
-+ perror(failed_call);
-+ return(0);
- }
-
- static int do_accept(int acc_sock, int *sock, char **host)
- {
-+ static struct sockaddr_storage from;
-+ char buffer[NI_MAXHOST];
- int ret;
-- struct hostent *h1,*h2;
-- static struct sockaddr_in from;
- int len;
- /* struct linger ling; */
-
-@@ -424,145 +467,66 @@ redoit:
- ling.l_onoff=1;
- ling.l_linger=0;
- i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
-- if (i < 0) { perror("linger"); return(0); }
-+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
- i=0;
- i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-- if (i < 0) { perror("keepalive"); return(0); }
-+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
- */
-
- if (host == NULL) goto end;
--#ifndef BIT_FIELD_LIMITS
-- /* I should use WSAAsyncGetHostByName() under windows */
-- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
-- sizeof(from.sin_addr.s_addr),AF_INET);
--#else
-- h1=gethostbyaddr((char *)&from.sin_addr,
-- sizeof(struct in_addr),AF_INET);
--#endif
-- if (h1 == NULL)
-+
-+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
-+ buffer, sizeof(buffer),
-+ NULL, 0, 0))
- {
-- BIO_printf(bio_err,"bad gethostbyaddr\n");
-+ BIO_printf(bio_err,"getnameinfo failed\n");
- *host=NULL;
- /* return(0); */
- }
- else
- {
-- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
-+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
- {
- perror("OPENSSL_malloc");
- closesocket(ret);
- return(0);
- }
-- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
--
-- h2=GetHostByName(*host);
-- if (h2 == NULL)
-- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-- closesocket(ret);
-- return(0);
-- }
-- if (h2->h_addrtype != AF_INET)
-- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-- closesocket(ret);
-- return(0);
-- }
-+ strcpy(*host, buffer);
- }
- end:
- *sock=ret;
- return(1);
- }
-
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-- short *port_ptr)
-+int extract_host_port(char *str, char **host_ptr,
-+ char **port_ptr)
- {
-- char *h,*p;
-+ char *h,*p,*x;
-
-- h=str;
-- p=strchr(str,':');
-+ x=h=str;
-+ if (*h == '[')
-+ {
-+ h++;
-+ p=strchr(h,']');
- if (p == NULL)
- {
-- BIO_printf(bio_err,"no port defined\n");
-+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
- return(0);
- }
- *(p++)='\0';
--
-- if ((ip != NULL) && !host_ip(str,ip))
-- goto err;
-- if (host_ptr != NULL) *host_ptr=h;
--
-- if (!extract_port(p,port_ptr))
-- goto err;
-- return(1);
--err:
-- return(0);
-+ x = p;
- }
--
--static int host_ip(char *str, unsigned char ip[4])
-- {
-- unsigned int in[4];
-- int i;
--
-- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
-- {
-- for (i=0; i<4; i++)
-- if (in[i] > 255)
-- {
-- BIO_printf(bio_err,"invalid IP address\n");
-- goto err;
-- }
-- ip[0]=in[0];
-- ip[1]=in[1];
-- ip[2]=in[2];
-- ip[3]=in[3];
-- }
-- else
-- { /* do a gethostbyname */
-- struct hostent *he;
--
-- if (!ssl_sock_init()) return(0);
--
-- he=GetHostByName(str);
-- if (he == NULL)
-- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-- goto err;
-- }
-- /* cast to short because of win16 winsock definition */
-- if ((short)he->h_addrtype != AF_INET)
-+ p=strchr(x,':');
-+ if (p == NULL)
- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-- return(0);
-- }
-- ip[0]=he->h_addr_list[0][0];
-- ip[1]=he->h_addr_list[0][1];
-- ip[2]=he->h_addr_list[0][2];
-- ip[3]=he->h_addr_list[0][3];
-- }
-- return(1);
--err:
-+ BIO_printf(bio_err,"no port defined\n");
- return(0);
- }
-+ *(p++)='\0';
-
--int extract_port(char *str, short *port_ptr)
-- {
-- int i;
-- struct servent *s;
-+ if (host_ptr != NULL) *host_ptr=h;
-+ if (port_ptr != NULL) *port_ptr=p;
-
-- i=atoi(str);
-- if (i != 0)
-- *port_ptr=(unsigned short)i;
-- else
-- {
-- s=getservbyname(str,"tcp");
-- if (s == NULL)
-- {
-- BIO_printf(bio_err,"getservbyname failure for %s\n",str);
-- return(0);
-- }
-- *port_ptr=ntohs((unsigned short)s->s_port);
-- }
- return(1);
- }
-
+++ /dev/null
-diff -up openssl-1.0.1h/doc/apps/ec.pod.manfix openssl-1.0.1h/doc/apps/ec.pod
---- openssl-1.0.1h/doc/apps/ec.pod.manfix 2014-06-05 11:41:31.000000000 +0200
-+++ openssl-1.0.1h/doc/apps/ec.pod 2014-06-05 14:41:11.501274915 +0200
-@@ -93,10 +93,6 @@ prints out the public, private key compo
-
- this option prevents output of the encoded version of the key.
-
--=item B<-modulus>
--
--this option prints out the value of the public key component of the key.
--
- =item B<-pubin>
-
- by default a private key is read from the input file: with this option a
-diff -up openssl-1.0.1h/doc/apps/openssl.pod.manfix openssl-1.0.1h/doc/apps/openssl.pod
---- openssl-1.0.1h/doc/apps/openssl.pod.manfix 2014-06-05 11:41:31.000000000 +0200
-+++ openssl-1.0.1h/doc/apps/openssl.pod 2014-06-05 14:41:11.501274915 +0200
-@@ -163,7 +163,7 @@ Create or examine a netscape certificate
-
- Online Certificate Status Protocol utility.
-
--=item L<B<passwd>|passwd(1)>
-+=item L<B<passwd>|sslpasswd(1)>
-
- Generation of hashed passwords.
-
-@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
-
- Public key algorithm cryptographic operation utility.
-
--=item L<B<rand>|rand(1)>
-+=item L<B<rand>|sslrand(1)>
-
- Generate pseudo-random bytes.
-
-@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
- L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
- L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
- L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
--L<passwd(1)|passwd(1)>,
-+L<sslpasswd(1)|sslpasswd(1)>,
- L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
--L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
-+L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
- L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
- L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
- L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
-diff -up openssl-1.0.1h/doc/apps/s_client.pod.manfix openssl-1.0.1h/doc/apps/s_client.pod
---- openssl-1.0.1h/doc/apps/s_client.pod.manfix 2014-06-05 14:41:11.445273605 +0200
-+++ openssl-1.0.1h/doc/apps/s_client.pod 2014-06-05 14:41:11.501274915 +0200
-@@ -33,9 +33,14 @@ B<openssl> B<s_client>
- [B<-ssl2>]
- [B<-ssl3>]
- [B<-tls1>]
-+[B<-tls1_1>]
-+[B<-tls1_2>]
-+[B<-dtls1>]
- [B<-no_ssl2>]
- [B<-no_ssl3>]
- [B<-no_tls1>]
-+[B<-no_tls1_1>]
-+[B<-no_tls1_2>]
- [B<-bugs>]
- [B<-cipher cipherlist>]
- [B<-starttls protocol>]
-@@ -45,6 +50,7 @@ B<openssl> B<s_client>
- [B<-sess_out filename>]
- [B<-sess_in filename>]
- [B<-rand file(s)>]
-+[B<-nextprotoneg protocols>]
-
- =head1 DESCRIPTION
-
-@@ -188,7 +194,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
-@@ -249,6 +255,17 @@ Multiple files can be specified separate
- The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
- all others.
-
-+=item B<-nextprotoneg protocols>
-+
-+enable Next Protocol Negotiation TLS extension and provide a list of
-+comma-separated protocol names that the client should advertise
-+support for. The list should contain most wanted protocols first.
-+Protocol names are printable ASCII strings, for example "http/1.1" or
-+"spdy/3".
-+Empty list of protocols is treated specially and will cause the client to
-+advertise support for the TLS extension but disconnect just after
-+reciving ServerHello with a list of server supported protocols.
-+
- =back
-
- =head1 CONNECTED COMMANDS
-diff -up openssl-1.0.1h/doc/apps/s_server.pod.manfix openssl-1.0.1h/doc/apps/s_server.pod
---- openssl-1.0.1h/doc/apps/s_server.pod.manfix 2014-06-05 11:41:31.000000000 +0200
-+++ openssl-1.0.1h/doc/apps/s_server.pod 2014-06-05 14:41:11.502274939 +0200
-@@ -55,6 +55,7 @@ B<openssl> B<s_server>
- [B<-no_ticket>]
- [B<-id_prefix arg>]
- [B<-rand file(s)>]
-+[B<-nextprotoneg protocols>]
-
- =head1 DESCRIPTION
-
-@@ -207,7 +208,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
-@@ -282,6 +283,14 @@ Multiple files can be specified separate
- The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
- all others.
-
-+=item B<-nextprotoneg protocols>
-+
-+enable Next Protocol Negotiation TLS extension and provide a
-+comma-separated list of supported protocol names.
-+The list should contain most wanted protocols first.
-+Protocol names are printable ASCII strings, for example "http/1.1" or
-+"spdy/3".
-+
- =back
-
- =head1 CONNECTED COMMANDS
--- /dev/null
+diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
+--- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
+@@ -62,7 +62,7 @@
+ # include "buildinf.h"
+ #endif
+
+-const char *SSLeay_version(int t)
++const char *_current_SSLeay_version(int t)
+ {
+ if (t == SSLEAY_VERSION)
+ return OPENSSL_VERSION_TEXT;
+@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
+ return ("not available");
+ }
+
+-unsigned long SSLeay(void)
++const char *_original_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.0-fips 29 Mar 2010";
++ else
++ return _current_SSLeay_version(t);
++}
++
++const char *_original101_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
++ else
++ return _current_SSLeay_version(t);
++}
++
++unsigned long _original_SSLeay(void)
++{
++ return (0x10000003L);
++}
++
++unsigned long _original101_SSLeay(void)
++{
++ return (0x1000105fL);
++}
++
++unsigned long _current_SSLeay(void)
+ {
+ return (SSLEAY_VERSION_NUMBER);
+ }
++
++__asm__(".symver _original_SSLeay,SSLeay@");
++__asm__(".symver _original_SSLeay_version,SSLeay_version@");
++__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
++__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
++__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
++__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
+diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
++++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
+--- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
++++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
+@@ -0,0 +1,13 @@
++OPENSSL_1.0.1 {
++ global:
++ SSLeay;
++ SSLeay_version;
++ local:
++ _original*;
++ _current*;
++};
++OPENSSL_1.0.2 {
++ global:
++ SSLeay;
++ SSLeay_version;
++} OPENSSL_1.0.1;
--- /dev/null
+diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
+--- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200
+@@ -365,8 +365,8 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+
+ #######################################################################
+ # Note that -march is not among compiler options in below linux-armv4
+@@ -395,30 +395,30 @@ my %table=(
+ #
+ # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
+ #
+-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # Configure script adds minimally required -march for assembly support,
+ # if no -march was specified at command line. mips32 and mips64 below
+ # refer to contemporary MIPS Architecture specifications, MIPS32 and
+ # MIPS64, rather than to kernel bitness.
+-"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
+-"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
++"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+-"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
+-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
+-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### So called "highgprs" target for z/Architecture CPUs
+ # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
+ # /proc/cpuinfo. The idea is to preserve most significant bits of
+@@ -436,12 +436,12 @@ my %table=(
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -1764,7 +1764,7 @@ while (<IN>)
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
+diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
+--- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=10
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -338,10 +339,9 @@ clean-shared:
+ link-shared:
+ @ set -e; for i in $(SHLIBDIRS); do \
+ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ symlink.$(SHLIB_TARGET); \
+- libs="$$libs -l$$i"; \
+ done
+
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
+ libs="$(LIBKRB5) $$libs"; \
+ fi; \
+ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ LIBDEPS="$$libs $(EX_LIBS)" \
+ link_a.$(SHLIB_TARGET); \