merge import_cooker branch

2025-02-23 08:12:50 +00:00 · 2012-08-15 14:08:29 +04:00 · 2012-08-15 14:08:29 +04:00 · 11f3dbb10e
commit 11f3dbb10e
parent 69b60e8591 83df1c8bac
13 changed files with 158 additions and 12920 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -1,2 +1,3 @@
 sources:
  "openssl-1.0.0i.tar.gz": b7aa11cbd7d264c2b1f44e3d55b334fb33f7b674
  "openssl-1.0.1c.tar.gz": 91b684de947cb021ac61b8c51027cc4b63d894ce
--- a/README.pkcs11
+++ b/README.pkcs11
@ -1,242 +0,0 @@
 PKCS#11 engine support for OpenSSL 0.9.8l
 =========================================
 [Nov 19, 2009]
 Contents:
 Overview
 Revisions of the patch for 0.9.8 branch
 FAQs
 Feedback
 Overview
 ========
 This patch containing code available in OpenSolaris adds support for PKCS#11
 engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
 OpenSSL 0.9.8l source code distribution as shipped by OpenSSL.Org. Your system
 must provide PKCS#11 backend otherwise the patch is useless. You provide the
 PKCS#11 library name during the build configuration phase, see below.
 Patch can be applied like this:
 	# NOTE: use gtar if on Solaris
 	tar xfzv openssl-0.9.8l.tar.gz
 	# now download the patch to the current directory
 	# ...
 	cd openssl-0.9.8l
 	# NOTE: must use gpatch if on Solaris (is part of the system)
 	patch -p1 < path-to/pkcs11_engine-0.9.8l.patch.2009-11-19
 It is designed to support pure acceleration for RSA, DSA, DH and all the
 symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
 except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
 According to the PKCS#11 providers installed on your machine, it can support
 following mechanisms:
 	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
 	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
 	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
 	SHA256, SHA384, SHA512
 Note that for AES counter mode the application must provide their own EVP
 functions since OpenSSL doesn't support counter mode through EVP yet. You may
 see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
 example of code that uses the PKCS#11 engine and deals with the fork-safety
 problem (see engine.c and packet.c files if interested).
 You must provide the location of PKCS#11 library in your system to the
 configure script. You will be instructed to do that when you try to run the
 config script:
 	$ ./config 
 	Operating system: i86pc-whatever-solaris2
 	Configuring for solaris-x86-cc
 	You must set --pk11-libname for PKCS#11 library.
 	See README.pkcs11 for more information.
 Taking openCryptoki project on Linux AMD64 box as an example, you would run
 configure script like this:
 	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
 To check whether newly built openssl really supports PKCS#11 it's enough to run
 "apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
 output. If you see no PKCS#11 engine support check that the built openssl binary
 and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
 The patch, during various phases of development, was tested on Solaris against
 PKCS#11 engine available from Solaris Cryptographic Framework (Solaris 10 and
 OpenSolaris) and also on Linux using PKCS#11 libraries from openCryptoki project
 (see openCryptoki website http://sourceforge.net/projects/opencryptoki for more
 information). Some Linux distributions even ship those libraries with the
 system. The patch should work on any system that is supported by OpenSSL itself
 and has functional PKCS#11 library.
 The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
 (Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
 copyrighted by RSA Security Inc., see pkcs11.h for more information.
 Other added/modified code in this patch is copyrighted by Sun Microsystems,
 Inc. and is released under the OpenSSL license (see LICENSE file for more
 information).
 Revisions of the patch for 0.9.8 branch
 =======================================
 2009-11-19
 - adjusted for OpenSSL version 0.9.8l
 - bugs and RFEs:
 	6479874 OpenSSL should support RSA key by reference/hardware keystores
 	6896677 PKCS#11 engine's hw_pk11_err.h needs to be split
 	6732677 make check to trigger Solaris specific code automatic in the
 		PKCS#11 engine
 2009-03-11
 - adjusted for OpenSSL version 0.9.8j 
 - README.pkcs11 moved out of the patch, and is shipped together with it in a
  tarball instead so that it can be read before the patch is applied.
 - fixed bugs:
 	6804216 pkcs#11 engine should support a key length range for RC4
 	6734038 Apache SSL web server using the pkcs11 engine fails to start if
 		meta slot is disabled
 2008-12-02
 - fixed bugs and RFEs (most of the work done by Vladimir Kotal)
 	6723504 more granular locking in PKCS#11 engine
 	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
 	6710420 PKCS#11 engine source should be lint clean
 	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
 		it seriously
 	6746712 PKCS#11 engine source code should be cstyle clean
 	6731380 return codes of several functions are not checked in the PKCS#11
 		engine code
 	6746735 PKCS#11 engine should use extended FILE space API
 	6734038 Apache SSL web server using the pkcs11 engine fails to start if
 		meta slot is disabled
 2008-08-01
 - fixed bug
 	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
 		and digests
 - Solaris specific code for slot selection made automatic
 2008-07-29
 - update the patch to OpenSSL 0.9.8h version
 - pkcs11t.h updated to the latest version:
 	6545665 make CKM_AES_CTR available to non-kernel users
 - fixed bugs in the engine code:
 	6602801 PK11_SESSION cache has to employ reference counting scheme for
 		asymmetric key operations
 	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
 		atomically
 	6607307 pkcs#11 engine can't read RSA private keys
 	6652362 pk11_RSA_finish() is cutting corners
 	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
 		suboptimal way
 	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
 		resilient to destroy failures
 	6667273 OpenSSL engine should not use free() but OPENSSL_free()
 	6670363 PKCS#11 engine fails to reuse existing symmetric keys
 	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
 	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
 		of big numbers leading to failures
 	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
 		-1
 	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
 	6707129 return values from BN_new() in pk11_DH_generate_key() are not
 		checked
 	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
 		structure reuse
 	6707782 OpenSSL PKCS#11 engine pretends to be aware of
 		OPENSSL_NO_{RSA,DSA,DH}
 	defines but fails miserably
 	6709966 make check_new_*() to return values to indicate cache hit/miss
 	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
 		generate_params parameter
 	6709513 PKCS#11 engine sets IV length even for ECB modes
 	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
 		PKCS#11 engine
 	6728871 PKCS#11 engine must reset global_session in pk11_finish()
 - new features and enhancements:
 	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
 	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
 	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
 		ciphers and digests
 2007-10-15
 - update for 0.9.8f version
 - update for "6607670 teach pkcs#11 engine how to use keys be reference"
 2007-10-02
 - draft for "6607670 teach pkcs#11 engine how to use keys be reference"
 - draft for "6607307 pkcs#11 engine can't read RSA private keys"
 2007-09-26
 - 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
 	  significant performance drop
 - 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
 2007-05-25
 - 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
 2007-05-19
 - initial patch for 0.9.8e using latest OpenSolaris code
 FAQs
 ====
 (1) my build failed on Linux distro with this error:
 ../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
 hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
 Answer:
 	- don't use "no-threads" when configuring
 	- if you didn't then OpenSSL failed to create a threaded library by
 	  default. You may manually edit Configure and try again. Look for the
 	  architecture that Configure printed, for example:
 Configured for linux-elf.
 	- then edit Configure, find string "linux-elf" (inluding the quotes),
 	  and add flags to support threads to the 4th column of the 2nd string.
 	  If you build with GCC then adding "-pthread" should be enough. With
 	  "linux-elf" as an example, you would add " -pthread" right after
 	  "-D_REENTRANT", like this:
 ....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
 (2) I'm using MinGW/MSYS environment and get undeclared reference error for
 pthread_atfork() function when trying to build OpenSSL with the patch.
 Answer:
 	Sorry, pthread_atfork() is not implemented in the current pthread-win32
 	(as of Nov 2009). You can not use the patch there.
 Feedback
 ========
 Please send feedback to security-discuss@opensolaris.org. The patch was
 created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
 Latest version should be always available on http://blogs.sun.com/janp.
--- a/openssl-0.9.6b-mdkconfig.patch
+++ b/openssl-0.9.6b-mdkconfig.patch
@ -1,116 +0,0 @@
 --- openssl-0.9.6b/ssl/s3_lib.c.mdkconfig	Fri Mar  9 11:08:04 2001
 +++ openssl-0.9.6b/ssl/s3_lib.c	Tue Dec  4 17:44:27 2001
@@ -204,6 +204,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 1B */
 +#if 0
 	{
 	1,
 	SSL3_TXT_ADH_DES_192_CBC_SHA,
@@ -216,6 +217,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
 +#endif
 /* RSA again */
 /* Cipher 03 */
@@ -310,6 +312,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 0A */
 +#if 0
 	{
 	1,
 	SSL3_TXT_RSA_DES_192_CBC3_SHA,
@@ -322,6 +325,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
 +#endif
 /*  The DH ciphers */
 /* Cipher 0B */
@@ -351,6 +355,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 0D */
 +#if 0
 	{
 	0,
 	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
@@ -363,6 +368,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
 +#endif
 /* Cipher 0E */
 	{
 	0,
@@ -390,6 +396,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 10 */
 +#if 0
 	{
 	0,
 	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
@@ -402,6 +409,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
 +#endif
 /* The Ephemeral DH ciphers */
 /* Cipher 11 */
@@ -431,6 +439,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 13 */
 +#if 0
 	{
 	1,
 	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
@@ -443,6 +452,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
 +#endif
 /* Cipher 14 */
 	{
 	1,
@@ -470,6 +480,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 16 */
 +#if 0
 	{
 	1,
 	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
@@ -482,6 +493,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
 +#endif
 /* Fortezza */
 /* Cipher 1C */
 --- openssl-0.9.6b/ssl/s2_lib.c.mdkconfig	Tue Dec 26 13:06:47 2000
 +++ openssl-0.9.6b/ssl/s2_lib.c	Tue Dec  4 17:54:13 2001
@@ -162,6 +162,7 @@
 	SSL_ALL_STRENGTHS,
 	},
 /* DES_192_EDE3_CBC_WITH_MD5 */
 +#if 0
 	{
 	1,
 	SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
@@ -174,6 +175,7 @@
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
 +#endif
 /* RC4_64_WITH_MD5 */
 #if 1
 	{
--- a/openssl-0.9.7-beta6-ia64.patch
+++ b/openssl-0.9.7-beta6-ia64.patch
@ -1,8 +1,8 @@
--- crypto/bn/bn_lcl.h	2008-12-16 19:02:02.000000000 +0100
+--- crypto/bn/bn_lcl.h	2012-01-18 02:40:36.000000000 +0100
-+++ crypto/bn/bn_lcl.h.oden	2008-12-16 19:02:17.000000000 +0100
+++ crypto/bn/bn_lcl.h.oden	2012-03-14 17:36:07.034007529 +0100
-@@ -288,6 +288,15 @@ extern "C" {
+@@ -293,6 +293,15 @@ extern "C" {
- #   define BN_UMULT_HIGH(a,b)		__umulh((a),(b))
+ 	     : "=l"(low),"=h"(high)	\
- #   define BN_UMULT_LOHI(low,high,a,b)	((low)=_umul128((a),(b),&(high)))
+ 	     : "r"(a), "r"(b));
 #  endif
 +# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
 +#  if defined(__GNUC__)
--- a/openssl-0.9.8a-no-rpath.patch
+++ b/openssl-0.9.8a-no-rpath.patch
@ -0,0 +1,11 @@
 --- openssl-0.9.8a/Makefile.shared.no-rpath	2005-06-23 22:47:54.000000000 +0200
 +++ openssl-0.9.8a/Makefile.shared	2005-11-16 22:35:37.000000000 +0100
@@ -153,7 +153,7 @@
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
 -DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
 +DO_GNU_APP=LDFLAGS="$(CFLAGS)"
 #This is rather special.  It's a special target with which one can link
 #applications without bothering with any features that have anything to
--- a/openssl-1.0.0-arm.patch
+++ b/openssl-1.0.0-arm.patch
@ -1,10 +1,9 @@
-diff -p -up openssl-1.0.0/Configure.arm openssl-1.0.0/Configure
+--- Configure	2012-03-14 17:53:00.551959027 +0100
--- openssl-1.0.0/Configure.arm	2010-03-30 12:11:24.000000000 -0300
+++ Configure.oden	2012-03-14 17:54:12.239955596 +0100
-+++ openssl-1.0.0/Configure	2010-03-30 12:12:03.000000000 -0300
+@@ -374,6 +374,9 @@
-@@ -356,6 +356,9 @@ my %table=(
+ # doesn't work just yet, because of couple of bugs in glibc
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
- "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
 "linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 +#### Arm Linux setups
 +"linux-arm",   "gcc:\$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"linux-armel",   "gcc:\$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- a/openssl-1.0.0-defaults.patch
+++ b/openssl-1.0.0-defaults.patch
@ -32,12 +32,3 @@
 # we can do this but it is not needed normally :-)
 #1.organizationName		= Second Organization Name (eg, company)
@@ -145,7 +147,7 @@
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
 -commonName			= Common Name (e.g. server FQDN or YOUR name)
 +commonName			= Common Name (eg, your name or your server\'s hostname)
 commonName_max			= 64
 emailAddress			= Email Address
--- a/openssl-1.0.0-mips.patch
+++ b/openssl-1.0.0-mips.patch
@ -1,10 +1,9 @@
-diff -p -up openssl-1.0.0/Configure.mips openssl-1.0.0/Configure
+--- Configure	2012-03-14 17:48:43.000000000 +0100
--- openssl-1.0.0/Configure.mips	2010-03-30 12:09:16.000000000 -0300
+++ Configure.oden	2012-03-14 17:50:22.879966572 +0100
-+++ openssl-1.0.0/Configure	2010-03-30 12:10:12.000000000 -0300
+@@ -374,6 +374,11 @@
-@@ -356,6 +356,11 @@ my %table=(
+ # doesn't work just yet, because of couple of bugs in glibc
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
- "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
 "linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 +#### Mips Linux setups
 +"linux-mips",   "gcc:-mabi=32 \$(RPM_OPT_FLAGS) -DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"linux-mipsel",   "gcc:-mabi=32 \$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- a/openssl-1.0.1-test-use-localhost.diff
+++ b/openssl-1.0.1-test-use-localhost.diff
@ -0,0 +1,23 @@
 --- ssl/ssltest.c	2011-12-14 17:18:03.000000000 -0500
 +++ ssl/ssltest.c.oden	2012-03-15 06:11:11.577157097 -0400
@@ -1070,19 +1070,8 @@ bad:
 #ifndef OPENSSL_NO_KRB5
 	if (c_ssl  &&  c_ssl->kssl_ctx)
                 {
 -                char	localhost[MAXHOSTNAMELEN+2];
 -
 -		if (gethostname(localhost, sizeof localhost-1) == 0)
 -                        {
 -			localhost[sizeof localhost-1]='\0';
 -			if(strlen(localhost) == sizeof localhost-1)
 -				{
 -				BIO_printf(bio_err,"localhost name too long\n");
 -				goto end;
 -				}
 			kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
 -                                localhost);
 -			}
 +                                "localhost");
 		}
 #endif    /* OPENSSL_NO_KRB5  */
--- a/openssl-1.0.1c.tar.gz.asc
+++ b/openssl-1.0.1c.tar.gz.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 iQEVAwUAT6vcSqLSm3vylcdZAQLlbgf/ZLcvRLHoZh1yHKxC1ucBSw+yYFutOmGq
 SpZBfUU5y7DIA2VK6sgILBx8OCyOYA1s+6dgeCxny+Cdh/fW6RbBSo7K3efRUhdo
 gOlQm+t9Ns5+FsdgUMZLnYdQ81mMYbZfndO4nEZnkqQ0qKkdaYVz12yHkwLtn+6A
 IW2sUTXUESHOdzEIzAyF08RsFVsQbzrLvqgcHWxY1494OhaxEJP5JvcjWAgMC2hw
 kDoQbrEsOoleX/IodDydXGHspdez9BVzgSsg0QPUwk6TxB6+9/VUSHxrqaj9Pys0
 2ddXYj4SlohsunHmXhKsFSyxf31lvMyn2gGAf44nuD7Mmt8U3OVqLQ==
 =4PCl
 -----END PGP SIGNATURE-----
--- a/openssl-optflags.diff
+++ b/openssl-optflags.diff
@ -1,38 +1,48 @@
-diff -p -up openssl-1.0.0/Configure.optflags openssl-1.0.0/Configure
+--- Configure	2012-03-03 14:18:06.000000000 +0100
--- openssl-1.0.0/Configure.optflags	2010-01-19 19:40:54.000000000 -0200
+++ Configure.oden	2012-03-14 17:33:34.726014818 +0100
-+++ openssl-1.0.0/Configure	2010-03-30 11:34:00.000000000 -0300
+@@ -343,23 +343,23 @@
@@ -336,32 +336,32 @@ my %table=(
 ####
 # *-generic* is endian-neutral target, but ./config is free to
 # throw in -D[BL]_ENDIAN, whichever appropriate...
 -"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic32","gcc:-DTERMIO \$(RPM_OPT_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # It's believed that majority of ARM toolchains predefine appropriate -march.
 # If you compiler does not, do complement config command line with one!
- "linux-armv4",	"gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-armv4",	"gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"linux-armv4",	"gcc:-DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### IA-32 targets...
 -"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
 +"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
 ####
 -"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 -"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 -"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 +"linux-generic64","gcc:-DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 +"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
 # /proc/cpuinfo. The idea is to preserve most significant bits of
@@ -373,16 +373,16 @@
 # ldconfig and run-time linker to autodiscover. Unfortunately it
 # doesn't work just yet, because of couple of bugs in glibc
 # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
 -"linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
 +"linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
 #### SPARC Linux setups
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
@ -41,21 +51,21 @@ diff -p -up openssl-1.0.0/Configure.optflags openssl-1.0.0/Configure
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
 -"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # GCC 3.1 is a requirement
 -"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
 # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -375,8 +375,8 @@ my %table=(
+@@ -396,8 +396,8 @@
 #
 #					<appro@fy.chalmers.se>
 #
 -"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 -"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-alpha-gcc","gcc:$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha-gcc","gcc:\$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-alpha+bwx-gcc","gcc:$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha+bwx-gcc","gcc:\$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
--- a/openssl.spec
+++ b/openssl.spec
@ -4,21 +4,17 @@
 %define develname %mklibname openssl -d
 %define staticname %mklibname openssl -s -d
 %define conflict1 %mklibname openssl 0.9.7
 %define conflict2 %mklibname openssl 0.9.8
 # Number of threads to spawn when testing some threading fixes.
 #define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
 # French policy is to not use ciphers stronger than 128 bits
 %define french_policy 0
 %define with_krb5 %{?_with_krb5:1}%{!?_with_krb5:0}
 Summary:	Secure Sockets Layer communications libs & utils
 Name:		openssl
-Version:	%{maj}i
+Version:	1.0.1c
-Release:	%mkrel 2
+Release:	1
 License:	BSD-like
 Group:		System/Libraries
 URL:		http://www.openssl.org/
@ -27,9 +23,6 @@ Source1:	ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz.asc
 Source2:	Makefile.certificate
 Source3:	make-dummy-cert
 Source4:	openssl-thread-test.c
 Source5:	README.pkcs11
 # (gb) 0.9.6b-5mdk: Limit available SSL ciphers to 128 bits
 Patch0:		openssl-0.9.6b-mdkconfig.patch
 # (gb) 0.9.7b-4mdk: Handle RPM_OPT_FLAGS in Configure
 Patch2:		openssl-optflags.diff
 # (oe) support Brazilian Government OTHERNAME X509v3 field (#14158)
@ -42,23 +35,21 @@ Patch12:	openssl-0.9.6-x509.patch
 Patch13:	openssl-0.9.7-beta5-version-add-engines.patch
 # http://qa.mandriva.com/show_bug.cgi?id=32621
 Patch15:        openssl-0.9.8e-crt.patch
 # http://blogs.sun.com/janp/
 Patch16:	pkcs11_engine-1.0.0.diff
 # MIPS and ARM support
 Patch300:	openssl-1.0.0-mips.patch
 Patch301:	openssl-1.0.0-arm.patch
 Patch302:	openssl-1.0.0-enginesdir.patch
-Patch400:	openssl-1.0.0d-CVE-2012-2333.diff
+Patch303:	openssl-0.9.8a-no-rpath.patch
-Requires:	%{libname} = %{version}-%{release}
+Patch304:	openssl-1.0.1-test-use-localhost.diff
 Requires:	%{engines_name} = %{version}-%{release}
 Requires:	perl-base
 Requires:	rootcerts
 Provides:	/usr/bin/openssl
 %{?_with_krb5:BuildRequires: krb5-devel}
 BuildRequires:	chrpath
 BuildRequires:	zlib-devel
 # (tv) for test suite:
 BuildRequires:	bc
-BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-buildroot
+BuildRequires:	sctp-devel
 %description
 The openssl certificate management tool and the shared libraries that provide
@ -77,9 +68,7 @@ This package provides engines for openssl.
 %package -n	%{libname}
 Summary:	Secure Sockets Layer communications libs
 Group:		System/Libraries
 Requires:	%{engines_name} >= %{version}-%{release}
 Provides:	%{libname} = %{version}-%{release}
 Conflicts:	openssh < 3.5p1-4mdk
 %description -n	%{libname}
 The libraries files are needed for various cryptographic algorithms
@ -92,9 +81,6 @@ Requires:	%{libname} = %{version}-%{release}
 Provides:	libopenssl-devel
 Provides:	openssl-devel = %{version}-%{release}
 Obsoletes:	openssl-devel
 # temporary opsolete, will be a conflict later. a compat package
 # with openssl-0.9.7 devel libs will be provided soon
 Obsoletes:	%{conflict1}-devel
 Obsoletes:	%{conflict2}-devel
 Obsoletes:	%{mklibname openssl 1.0.0}-devel
 Provides:	%{name}-devel = %{version}-%{release}
@ -110,9 +96,6 @@ Group:		Development/Other
 Requires:	%{develname} = %{version}-%{release}
 Provides:	libopenssl-static-devel
 Provides:	openssl-static-devel = %{version}-%{release}
 # temporary opsolete, will be a conflict later. a compat package
 # with openssl-0.9.7 static-devel libs will be provided soon
 Obsoletes:	%{conflict1}-static-devel
 Obsoletes:	%{conflict2}-static-devel
 Obsoletes:	%{mklibname openssl 1.0.0}-static-devel
 Provides:	%{name}-static-devel = %{version}-%{release}
@ -124,10 +107,7 @@ cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.
 %prep
 %setup -q -n %{name}-%{version}
-%if %{french_policy}
+%patch2 -p0 -b .optflags
 %patch0 -p1 -b .frenchpolicy
 %endif
 %patch2 -p1 -b .optflags
 %patch6 -p0 -b .icpbrasil
 %patch7 -p1 -b .defaults
 %{?_with_krb5:%patch8 -p1 -b .krb5}
@ -135,11 +115,12 @@ cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.
 %patch12 -p1 -b .x509
 %patch13 -p1 -b .version-add-engines
 %patch15 -p1 -b .crt
 %patch16 -p1 -b .pkcs11_engine
-%patch300 -p1 -b .mips
+%patch300 -p0 -b .mips
-%patch301 -p1 -b .arm
+%patch301 -p0 -b .arm
 %patch302 -p1 -b .engines
 %patch303 -p1 -b .no-rpath
 %patch304 -p0 -b .test-use-localhost
 %patch400 -p0
@ -151,7 +132,6 @@ perl util/perlpath.pl %{_bindir}/perl
 cp %{SOURCE2} Makefile.certificate
 cp %{SOURCE3} make-dummy-cert
 cp %{SOURCE4} openssl-thread-test.c
 cp %{SOURCE5} README.pkcs11
 %build 
 %serverbuild
@ -177,6 +157,9 @@ sslarch="linux-generic32 -DB_ENDIAN -DNO_ASM"
 %ifarch s390x
 sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
 %endif
 %ifarch %{arm}
 sslarch=linux-generic32
 %endif
 # ia64, x86_64, ppc, ppc64 are OK by default
@ -187,9 +170,7 @@ sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    --enginesdir=%{_libdir}/openssl-%{version}/engines \
    --prefix=%{_prefix} --libdir=%{_lib}/ %{?_with_krb5:--with-krb5-flavor=MIT -I%{_prefix}/kerberos/include -L%{_prefix}/kerberos/%{_lib}} \
-     no-idea no-rc5 enable-camellia shared enable-tlsext ${sslarch} --pk11-libname=%{_libdir}/pkcs11/PKCS11_API.so
+    zlib no-idea no-rc5 enable-camellia enable-seed enable-tlsext enable-rfc3779 enable-cms sctp shared ${sslarch}
 #    zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared ${sslarch}
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
 # marked as not requiring an executable stack.
@ -219,7 +200,6 @@ gcc -o openssl-thread-test \
 ./openssl-thread-test --threads %{thread_test_threads}
 %install
 rm -fr %{buildroot}
 %makeinstall \
    INSTALL_PREFIX=%{buildroot} \
@ -251,11 +231,11 @@ ln -snf openssl %{buildroot}%{_bindir}/ssleay
 # The man pages rand.3 and passwd.1 conflict with other packages
 # Rename them to ssl-* and also make a symlink from openssl-* to ssl-*
 mv %{buildroot}%{_mandir}/man1/passwd.1 %{buildroot}%{_mandir}/man1/ssl-passwd.1
-ln -sf ssl-passwd.1.bz2 %{buildroot}%{_mandir}/man1/openssl-passwd.1.bz2
+ln -sf ssl-passwd.1%{_extension} %{buildroot}%{_mandir}/man1/openssl-passwd.1%{_extension}
 for i in rand err; do
    mv %{buildroot}%{_mandir}/man3/$i.3 %{buildroot}%{_mandir}/man3/ssl-$i.3
-    ln -snf ssl-$i.3.bz2 %{buildroot}%{_mandir}/man3/openssl-$i.3.bz2
+    ln -snf ssl-$i.3%{_extension} %{buildroot}%{_mandir}/man3/openssl-$i.3%{_extension}
 done
 rm -rf {main,devel}-doc-info
@ -286,9 +266,6 @@ chmod 755 %{buildroot}%{_bindir}/*
 # nuke a mistake
 rm -f %{buildroot}%{_mandir}/man3/.3
 # nuke rpath
 chrpath -d %{buildroot}%{_bindir}/openssl
 # Fix libdir.
 pushd %{buildroot}%{_libdir}/pkgconfig
    for i in *.pc ; do
@ -304,21 +281,9 @@ perl -pi -e "s|^CATOP=.*|CATOP=%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfd
 perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.pl
 perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
 %if %mdkversion < 200900
 %post -n %{libname} -p /sbin/ldconfig
 %endif
 %if %mdkversion < 200900
 %postun -n %{libname} -p /sbin/ldconfig
 %endif
 %clean
 rm -fr %{buildroot}
 %files 
 %defattr(-,root,root)
 %doc FAQ INSTALL LICENSE NEWS PROBLEMS main-doc-info/README*
-%doc README README.ASN1 README.ENGINE README.pkcs11
+%doc README README.ASN1 README.ENGINE
 %dir %{_sysconfdir}/pki
 %dir %{_sysconfdir}/pki/CA
 %dir %{_sysconfdir}/pki/CA/private
@ -335,17 +300,14 @@ rm -fr %{buildroot}
 %attr(0644,root,root) %{_mandir}/man[157]/*
 %files -n %{libname}
 %defattr(-,root,root)
 %doc FAQ INSTALL LICENSE NEWS PROBLEMS README*
 %attr(0755,root,root) %{_libdir}/lib*.so.*
 %files -n %{engines_name}
 %defattr(-,root,root)
 %attr(0755,root,root) %dir %{_libdir}/openssl-%{version}/engines
 %attr(0755,root,root) %{_libdir}/openssl-%{version}/engines/*.so
 %files -n %{develname}
 %defattr(-,root,root)
 %doc CHANGES doc/* devel-doc-info/README*
 %attr(0755,root,root) %dir %{_includedir}/openssl
 %{multiarch_includedir}/openssl/opensslconf.h
@ -355,33 +317,64 @@ rm -fr %{buildroot}
 %attr(0644,root,root) %{_libdir}/pkgconfig/*
 %files -n %{staticname}
 %defattr(-,root,root)
 %attr(0644,root,root) %{_libdir}/lib*.a
 %changelog
-* Wed May 30 2012 Danil Leontiev <danila.leontiev@rosalab.ru> 1.0.0d-2.5
+* Fri May 11 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.1c-1
- P27: security fix for CVE-2012-2333
+ Revision: 798177
 - 1.0.1c
-* Mon Mar 26 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.4
+* Thu Apr 26 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.1b-1
- P25: security fix for CVE-2006-7250_CVE-2012-1165 (upstream)
+ Revision: 793590
- P26: security fix for CVE-2012-0884 (upstream)
+- 1.0.1b
-* Sun Jan 29 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.3
+* Thu Apr 19 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.1a-1
- P24: security fix for CVE-2012-0050 (upstream)
+ Revision: 792130
 - 1.0.1a
-* Mon Jan 09 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.2
+* Fri Mar 16 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.1-1
- P20: security fix for CVE-2011-4108 (upstream)
+ Revision: 785271
- P21: security fix for CVE-2011-4576 (upstream)
+- fix deps; sctp-devel for the new SCTP support in openssl
- P22: security fix for CVE-2011-4619 (upstream)
+- 1.0.1
- P23: security fix for CVE-2012-0027 (upstream)
+- drop the pkcs11_engine patch by sun (now oracle), it's nowhere to be found...
 - rediffed some patches
 - added 2 patches from fedora
-* Fri Sep 23 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.1
+* Tue Mar 13 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0h-1
- P17: security fix for CVE-2011-1945 (upstream)
+ Revision: 784664
- P18: security fix for CVE-2011-3207 (upstream)
+- 1.0.0h
 - P19: security fix for CVE-2011-3210 (upstream)
-* Mon May 02 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2mdv2011.0
+* Thu Jan 19 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0g-1
 + Revision: 762530
 - 1.0.0g
 * Mon Jan 09 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0f-1
 + Revision: 758821
 - 1.0.0f
 - enable some new'ish features per default (enable-seed enable-rfc3779 enable-cms)
 * Thu Dec 01 2011 Matthew Dawkins <mattydaw@mandriva.org> 1.0.0e-3
 + Revision: 735862
 - rebuild for openssl
 - solves dep LOOP problems
 - removed clean section, mkrel
 * Tue Nov 29 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0e-2
 + Revision: 735413
 - bump release
 - more fixes to make sure rpm -Fvh works better
 - drop the french fixes patch, it has never been used
 - applied some fixes by Matthew Dawkins
 * Tue Sep 06 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0e-1
 + Revision: 698456
 - 1.0.0e (fixes CVE-2011-3207, CVE-2011-3210)
  + Matthew Dawkins <mattydaw@mandriva.org>
    - fix arm build
 * Mon May 02 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2
 + Revision: 661710
 - multiarch fixes
@ -470,7 +463,7 @@ rm -fr %{buildroot}
 + Revision: 455585
 - P22: fixes a regression with CVE-2009-2409 (#54349)
-* Sun Sep 27 2009 Olivier Blin <oblin@mandriva.com> 0.9.8k-4mdv2010.0
+* Sun Sep 27 2009 Olivier Blin <blino@mandriva.org> 0.9.8k-4mdv2010.0
 + Revision: 450189
 - mips and arm support (from Arnaud Patard)
@ -569,7 +562,7 @@ rm -fr %{buildroot}
 + Revision: 176044
 - fix #38237 (Please include SNI support patch)
-  + Olivier Blin <oblin@mandriva.com>
+  + Olivier Blin <blino@mandriva.org>
    - restore BuildRoot
  + Thierry Vignaud <tv@mandriva.org>
--- a/pkcs11_engine-1.0.0.diff
+++ b/pkcs11_engine-1.0.0.diff