Automatic import for version 1.0.0d

.abf.yml

@@ -0,0 +1,2 @@
+sources:
+  "openssl-1.0.0d.tar.gz": 32ca934f380a547061ddab7221b1a34e4e07e8d5

Makefile.certificate

@@ -0,0 +1,74 @@
+UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
+SERIAL=0
+
+.PHONY: usage
+.SUFFIXES: .key .csr .crt .pem
+.PRECIOUS: %.key %.csr %.crt %.pem
+
+usage:
+	@echo "This makefile allows you to create:"
+	@echo "  o public/private key pairs"
+	@echo "  o SSL certificate signing requests (CSRs)"
+	@echo "  o self-signed SSL test certificates"
+	@echo
+	@echo "To create a key pair, run \"make SOMETHING.key\"."
+	@echo "To create a CSR, run \"make SOMETHING.csr\"."
+	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
+	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
+	@echo
+	@echo "To create a key for use with Apache, run \"make genkey\"."
+	@echo "To create a CSR for use with Apache, run \"make certreq\"."
+	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
+	@echo
+	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+	@echo
+	@echo Examples:
+	@echo "  make server.key"
+	@echo "  make server.csr"
+	@echo "  make server.crt"
+	@echo "  make stunnel.pem"
+	@echo "  make genkey"
+	@echo "  make certreq"
+	@echo "  make testcert"
+	@echo "  make server.crt SERIAL=1"
+	@echo "  make stunnel.pem SERIAL=2"
+	@echo "  make testcert SERIAL=3"
+
+%.pem:
+	umask 77 ; \
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+	cat $$PEM1 >  $@ ; \
+	echo ""    >> $@ ; \
+	cat $$PEM2 >> $@ ; \
+	$(RM) $$PEM1 $$PEM2
+
+%.key:
+	umask 77 ; \
+	/usr/bin/openssl genrsa -des3 1024 > $@
+
+%.csr: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
+
+%.crt: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
+
+TLSROOT=/etc/pki/tls
+KEY=$(TLSROOT)/private/localhost.key
+CSR=$(TLSROOT)/certs/localhost.csr
+CRT=$(TLSROOT)/certs/localhost.crt
+
+genkey: $(KEY)
+certreq: $(CSR)
+testcert: $(CRT)
+
+$(CSR): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
+
+$(CRT): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)

README.pkcs11

@@ -0,0 +1,242 @@
+PKCS#11 engine support for OpenSSL 0.9.8l
+=========================================
+
+[Nov 19, 2009]
+
+Contents:
+
+Overview
+Revisions of the patch for 0.9.8 branch
+FAQs
+Feedback
+
+Overview
+========
+
+This patch containing code available in OpenSolaris adds support for PKCS#11
+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
+OpenSSL 0.9.8l source code distribution as shipped by OpenSSL.Org. Your system
+must provide PKCS#11 backend otherwise the patch is useless. You provide the
+PKCS#11 library name during the build configuration phase, see below.
+
+Patch can be applied like this:
+
+	# NOTE: use gtar if on Solaris
+	tar xfzv openssl-0.9.8l.tar.gz
+	# now download the patch to the current directory
+	# ...
+	cd openssl-0.9.8l
+	# NOTE: must use gpatch if on Solaris (is part of the system)
+	patch -p1 < path-to/pkcs11_engine-0.9.8l.patch.2009-11-19
+
+It is designed to support pure acceleration for RSA, DSA, DH and all the
+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
+
+According to the PKCS#11 providers installed on your machine, it can support
+following mechanisms:
+
+	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
+	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
+	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
+	SHA256, SHA384, SHA512
+
+Note that for AES counter mode the application must provide their own EVP
+functions since OpenSSL doesn't support counter mode through EVP yet. You may
+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
+example of code that uses the PKCS#11 engine and deals with the fork-safety
+problem (see engine.c and packet.c files if interested).
+
+You must provide the location of PKCS#11 library in your system to the
+configure script. You will be instructed to do that when you try to run the
+config script:
+
+	$ ./config 
+	Operating system: i86pc-whatever-solaris2
+	Configuring for solaris-x86-cc
+	You must set --pk11-libname for PKCS#11 library.
+	See README.pkcs11 for more information.
+
+Taking openCryptoki project on Linux AMD64 box as an example, you would run
+configure script like this:
+
+	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
+
+To check whether newly built openssl really supports PKCS#11 it's enough to run
+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
+output. If you see no PKCS#11 engine support check that the built openssl binary
+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
+
+The patch, during various phases of development, was tested on Solaris against
+PKCS#11 engine available from Solaris Cryptographic Framework (Solaris 10 and
+OpenSolaris) and also on Linux using PKCS#11 libraries from openCryptoki project
+(see openCryptoki website http://sourceforge.net/projects/opencryptoki for more
+information). Some Linux distributions even ship those libraries with the
+system. The patch should work on any system that is supported by OpenSSL itself
+and has functional PKCS#11 library.
+
+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
+copyrighted by RSA Security Inc., see pkcs11.h for more information.
+
+Other added/modified code in this patch is copyrighted by Sun Microsystems,
+Inc. and is released under the OpenSSL license (see LICENSE file for more
+information).
+
+Revisions of the patch for 0.9.8 branch
+=======================================
+
+2009-11-19
+- adjusted for OpenSSL version 0.9.8l
+
+- bugs and RFEs:
+
+	6479874 OpenSSL should support RSA key by reference/hardware keystores
+	6896677 PKCS#11 engine's hw_pk11_err.h needs to be split
+	6732677 make check to trigger Solaris specific code automatic in the
+		PKCS#11 engine
+
+2009-03-11
+- adjusted for OpenSSL version 0.9.8j 
+
+- README.pkcs11 moved out of the patch, and is shipped together with it in a
+  tarball instead so that it can be read before the patch is applied.
+
+- fixed bugs:
+
+	6804216 pkcs#11 engine should support a key length range for RC4
+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
+		meta slot is disabled
+
+2008-12-02
+- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
+
+	6723504 more granular locking in PKCS#11 engine
+	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
+	6710420 PKCS#11 engine source should be lint clean
+	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
+		it seriously
+	6746712 PKCS#11 engine source code should be cstyle clean
+	6731380 return codes of several functions are not checked in the PKCS#11
+		engine code
+	6746735 PKCS#11 engine should use extended FILE space API
+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
+		meta slot is disabled
+
+2008-08-01
+- fixed bug
+
+	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
+		and digests
+
+- Solaris specific code for slot selection made automatic
+
+2008-07-29
+- update the patch to OpenSSL 0.9.8h version
+- pkcs11t.h updated to the latest version:
+
+	6545665 make CKM_AES_CTR available to non-kernel users
+
+- fixed bugs in the engine code:
+
+	6602801 PK11_SESSION cache has to employ reference counting scheme for
+		asymmetric key operations
+	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
+		atomically
+	6607307 pkcs#11 engine can't read RSA private keys
+	6652362 pk11_RSA_finish() is cutting corners
+	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
+		suboptimal way
+	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
+		resilient to destroy failures
+	6667273 OpenSSL engine should not use free() but OPENSSL_free()
+	6670363 PKCS#11 engine fails to reuse existing symmetric keys
+	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
+	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
+		of big numbers leading to failures
+	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
+		-1
+	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
+	6707129 return values from BN_new() in pk11_DH_generate_key() are not
+		checked
+	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
+		structure reuse
+	6707782 OpenSSL PKCS#11 engine pretends to be aware of
+		OPENSSL_NO_{RSA,DSA,DH}
+	defines but fails miserably
+	6709966 make check_new_*() to return values to indicate cache hit/miss
+	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
+		generate_params parameter
+	6709513 PKCS#11 engine sets IV length even for ECB modes
+	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
+		PKCS#11 engine
+	6728871 PKCS#11 engine must reset global_session in pk11_finish()
+
+- new features and enhancements:
+
+	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
+	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
+	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
+		ciphers and digests
+
+2007-10-15
+- update for 0.9.8f version
+- update for "6607670 teach pkcs#11 engine how to use keys be reference"
+
+2007-10-02
+- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
+- draft for "6607307 pkcs#11 engine can't read RSA private keys"
+
+2007-09-26
+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
+	  significant performance drop
+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
+
+2007-05-25
+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
+
+2007-05-19
+- initial patch for 0.9.8e using latest OpenSolaris code
+
+FAQs
+====
+
+(1) my build failed on Linux distro with this error:
+
+../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
+
+Answer:
+
+	- don't use "no-threads" when configuring
+	- if you didn't then OpenSSL failed to create a threaded library by
+	  default. You may manually edit Configure and try again. Look for the
+	  architecture that Configure printed, for example:
+
+Configured for linux-elf.
+
+	- then edit Configure, find string "linux-elf" (inluding the quotes),
+	  and add flags to support threads to the 4th column of the 2nd string.
+	  If you build with GCC then adding "-pthread" should be enough. With
+	  "linux-elf" as an example, you would add " -pthread" right after
+	  "-D_REENTRANT", like this:
+
+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
+
+(2) I'm using MinGW/MSYS environment and get undeclared reference error for
+pthread_atfork() function when trying to build OpenSSL with the patch.
+
+Answer:
+
+	Sorry, pthread_atfork() is not implemented in the current pthread-win32
+	(as of Nov 2009). You can not use the patch there.
+
+
+Feedback
+========
+
+Please send feedback to security-discuss@opensolaris.org. The patch was
+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
+
+Latest version should be always available on http://blogs.sun.com/janp.
+

make-dummy-cert

@@ -0,0 +1,28 @@
+#!/bin/sh
+umask 077
+
+answers() {
+	echo --
+	echo SomeState
+	echo SomeCity
+	echo SomeOrganization
+	echo SomeOrganizationalUnit
+	echo localhost.localdomain
+	echo root@localhost.localdomain
+}
+
+if [ $# -eq 0 ] ; then
+	echo $"Usage: `basename $0` filename [...]"
+	exit 0
+fi
+
+for target in $@ ; do
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
+	trap "rm -f $PEM1 $PEM2" SIGINT
+	answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+	cat $PEM1 >  ${target}
+	echo ""   >> ${target}
+	cat $PEM2 >> ${target}
+	rm -f $PEM1 $PEM2
+done

openssl-0.9.6-x509.patch

@@ -0,0 +1,29 @@
+Do not treat duplicate certs as an error.
+
+--- openssl-0.9.6/crypto/x509/by_file.c	Wed Sep 27 15:09:05 2000
++++ openssl-0.9.6/crypto/x509/by_file.c	Wed Sep 27 14:21:20 2000
+@@ -163,8 +163,12 @@
+ 					}
+ 				}
+ 			i=X509_STORE_add_cert(ctx->store_ctx,x);
+-			if (!i) goto err;
+-			count++;
++			/* ignore any problems with current certificate 
++			    and continue with the next one */
++			if (i)
++			    count++;
++			else
++			    ERR_clear_error();
+ 			X509_free(x);
+ 			x=NULL;
+ 			}
+@@ -179,7 +183,8 @@
+ 			goto err;
+ 			}
+ 		i=X509_STORE_add_cert(ctx->store_ctx,x);
+-		if (!i) goto err;
++		if (!i)
++		  ERR_clear_error();
+ 		ret=i;
+ 		}
+ 	else

openssl-0.9.6b-mdkconfig.patch

@@ -0,0 +1,116 @@
+--- openssl-0.9.6b/ssl/s3_lib.c.mdkconfig	Fri Mar  9 11:08:04 2001
++++ openssl-0.9.6b/ssl/s3_lib.c	Tue Dec  4 17:44:27 2001
+@@ -204,6 +204,7 @@
+ 	SSL_ALL_STRENGTHS,
+ 	},
+ /* Cipher 1B */
++#if 0
+ 	{
+ 	1,
+ 	SSL3_TXT_ADH_DES_192_CBC_SHA,
+@@ -216,6 +217,7 @@
+ 	SSL_ALL_CIPHERS,
+ 	SSL_ALL_STRENGTHS,
+ 	},
++#endif
+ 
+ /* RSA again */
+ /* Cipher 03 */
+@@ -310,6 +312,7 @@
+ 	SSL_ALL_STRENGTHS,
+ 	},
+ /* Cipher 0A */
++#if 0
+ 	{
+ 	1,
+ 	SSL3_TXT_RSA_DES_192_CBC3_SHA,
+@@ -322,6 +325,7 @@
+ 	SSL_ALL_CIPHERS,
+ 	SSL_ALL_STRENGTHS,
+ 	},
++#endif
+ 
+ /*  The DH ciphers */
+ /* Cipher 0B */
+@@ -351,6 +355,7 @@
+ 	SSL_ALL_STRENGTHS,
+ 	},
+ /* Cipher 0D */
++#if 0
+ 	{
+ 	0,
+ 	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
+@@ -363,6 +368,7 @@
+ 	SSL_ALL_CIPHERS,
+ 	SSL_ALL_STRENGTHS,
+ 	},
++#endif
+ /* Cipher 0E */
+ 	{
+ 	0,
+@@ -390,6 +396,7 @@
+ 	SSL_ALL_STRENGTHS,
+ 	},
+ /* Cipher 10 */
++#if 0
+ 	{
+ 	0,
+ 	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
+@@ -402,6 +409,7 @@
+ 	SSL_ALL_CIPHERS,
+ 	SSL_ALL_STRENGTHS,
+ 	},
++#endif
+ 
+ /* The Ephemeral DH ciphers */
+ /* Cipher 11 */
+@@ -431,6 +439,7 @@
+ 	SSL_ALL_STRENGTHS,
+ 	},
+ /* Cipher 13 */
++#if 0
+ 	{
+ 	1,
+ 	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
+@@ -443,6 +452,7 @@
+ 	SSL_ALL_CIPHERS,
+ 	SSL_ALL_STRENGTHS,
+ 	},
++#endif
+ /* Cipher 14 */
+ 	{
+ 	1,
+@@ -470,6 +480,7 @@
+ 	SSL_ALL_STRENGTHS,
+ 	},
+ /* Cipher 16 */
++#if 0
+ 	{
+ 	1,
+ 	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
+@@ -482,6 +493,7 @@
+ 	SSL_ALL_CIPHERS,
+ 	SSL_ALL_STRENGTHS,
+ 	},
++#endif
+ 
+ /* Fortezza */
+ /* Cipher 1C */
+--- openssl-0.9.6b/ssl/s2_lib.c.mdkconfig	Tue Dec 26 13:06:47 2000
++++ openssl-0.9.6b/ssl/s2_lib.c	Tue Dec  4 17:54:13 2001
+@@ -162,6 +162,7 @@
+ 	SSL_ALL_STRENGTHS,
+ 	},
+ /* DES_192_EDE3_CBC_WITH_MD5 */
++#if 0
+ 	{
+ 	1,
+ 	SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
+@@ -174,6 +175,7 @@
+ 	SSL_ALL_CIPHERS,
+ 	SSL_ALL_STRENGTHS,
+ 	},
++#endif
+ /* RC4_64_WITH_MD5 */
+ #if 1
+ 	{

openssl-0.9.7-beta5-version-add-engines.patch

@@ -0,0 +1,49 @@
+List the compiled-in hardware support when passed the -a flag.
+
+--- openssl-0.9.7-beta5/apps/version.c	2002-12-03 11:34:28.000000000 -0500
++++ openssl-0.9.7-beta5/apps/version.c	2002-12-11 19:29:10.000000000 -0500
+@@ -130,6 +130,7 @@
+ #ifndef OPENSSL_NO_BF
+ # include <openssl/blowfish.h>
+ #endif
++#include <openssl/engine.h>
+ 
+ #undef PROG
+ #define PROG	version_main
+@@ -139,7 +140,7 @@
+ int MAIN(int argc, char **argv)
+ 	{
+ 	int i,ret=0;
+-	int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
++	int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
+ 
+ 	apps_startup();
+ 
+@@ -163,7 +164,7 @@
+ 		else if (strcmp(argv[i],"-d") == 0)
+ 			dir=1;
+ 		else if (strcmp(argv[i],"-a") == 0)
+-			date=version=cflags=options=platform=dir=1;
++			date=version=cflags=options=platform=dir=engines=1;
+ 		else
+ 			{
+ 			BIO_printf(bio_err,"usage:version -[avbofpd]\n");
+@@ -198,6 +199,18 @@
+ 		}
+ 	if (cflags)  printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
+ 	if (dir)  printf("%s\n",SSLeay_version(SSLEAY_DIR));
++	if (engines)
++		{
++		ENGINE *e;
++		printf("engines:  ");
++		e = ENGINE_get_first();
++		while (e)
++			{
++			printf("%s ", ENGINE_get_id(e));
++			e = ENGINE_get_next(e);
++			}
++		printf("\n");
++		}
+ end:
+ 	apps_shutdown();
+ 	OPENSSL_EXIT(ret);

openssl-0.9.7-beta6-ia64.patch

@@ -0,0 +1,18 @@
+--- crypto/bn/bn_lcl.h	2008-12-16 19:02:02.000000000 +0100
++++ crypto/bn/bn_lcl.h.oden	2008-12-16 19:02:17.000000000 +0100
+@@ -288,6 +288,15 @@ extern "C" {
+ #   define BN_UMULT_HIGH(a,b)		__umulh((a),(b))
+ #   define BN_UMULT_LOHI(low,high,a,b)	((low)=_umul128((a),(b),&(high)))
+ #  endif
++# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
++#  if defined(__GNUC__)
++#   define BN_UMULT_HIGH(a,b) ({      \
++      register BN_ULONG ret;          \
++      asm ("xmpy.hu %0 = %1, %2"      \
++           : "=f"(ret)                \
++           : "f"(a), "f"(b));         \
++      ret;                    })
++#  endif      /* compiler */
+ # endif		/* cpu */
+ #endif		/* OPENSSL_NO_ASM */
+ 

openssl-0.9.8-beta6-icpbrasil.diff

@@ -0,0 +1,59 @@
+--- crypto/x509v3/v3_alt.c	2005-05-11 05:45:36.000000000 +0200
++++ crypto/x509v3/v3_alt.c.oden	2005-07-05 15:13:32.285682900 +0200
+@@ -102,11 +102,55 @@
+ {
+ 	unsigned char *p;
+ 	char oline[256], htmp[5];
++
++	int rc = 0;
++	
++	/* see http://www.iti.gov.br/resolucoes/RESOLU__O_13_DE_26_04_2002.PDF
++	 * for the OID definitions and more details
++	 * All content is ASN.1 OCTET STRING
++	 */
++	/* person related */
++	const char oid_id_pf[] = "2.16.76.1.3.1"; /* person identification data as follows:
++						   * birth date: ddmmyyyy (8)
++						   * CPF number: (11)
++						   * PIS/PASEP number: (11)
++						   * RG number: (11)
++						   * RG emmitter and state: (6)
++						   */
++	const char oid_el_pf[] = "2.16.76.1.3.5"; /* Electoral data:
++						   * card number: (11)
++						   * electoral zone: (3)
++						   * electoral section: (4)
++						   * city and state: (22)
++						   */
++	/* company related */
++	const char oid_pj_id1[] = "2.16.76.1.3.4"; /* info about the person responsible for the company's certificate:
++						    * birth date: ddmmyyyy (8)
++						    * CPF number: (11)
++						    * PIS/PASEP number: (11)
++						    * RG number: (11)
++						    * RG emitter and state: (6)
++						    */
++	const char oid_pj_name[] = "2.16.76.1.3.2"; /* Name of the person responsible for the company's certificate */
++	const char oid_pj_cnpj[] = "2.16.76.1.3.3"; /* CNPJ number of the company*/
++
+ 	int i;
+ 	switch (gen->type)
+ 	{
+ 		case GEN_OTHERNAME:
+-		X509V3_add_value("othername","<unsupported>", &ret);
++		rc = OBJ_obj2txt(oline, sizeof(oline), gen->d.otherName->type_id, 1);
++		if (rc)
++			if ((!strncmp(oline, oid_id_pf, sizeof(oid_id_pf)))   ||
++			    (!strncmp(oline, oid_el_pf, sizeof(oid_el_pf)))   ||
++			    (!strncmp(oline, oid_pj_id1, sizeof(oid_pj_id1))) ||
++			    (!strncmp(oline, oid_pj_name, sizeof(oid_pj_name))) ||
++			    (!strncmp(oline, oid_pj_cnpj, sizeof(oid_pj_cnpj))))
++				/* FIXME: is that string always null terminated? */
++				X509V3_add_value("othername", gen->d.otherName->value->value.octet_string->data, &ret);
++			else
++				X509V3_add_value("othername","<unsupported>", &ret);
++		else
++			X509V3_add_value("othername","<unsupported>", &ret);
+ 		break;
+ 
+ 		case GEN_X400:

openssl-0.9.8a-link-krb5.patch

@@ -0,0 +1,11 @@
+--- openssl-0.9.8a/Makefile.org.link-krb5	2005-07-05 07:14:21.000000000 +0200
++++ openssl-0.9.8a/Makefile.org	2005-11-07 18:00:08.000000000 +0100
+@@ -266,7 +266,7 @@
+ 
+ do_$(SHLIB_TARGET):
+ 	@ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
++		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+ 			libs="$(LIBKRB5) $$libs"; \
+ 		fi; \
+ 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \

openssl-0.9.8e-crt.patch

@@ -0,0 +1,11 @@
+--- openssl-0.9.8e/tools/c_rehash.in.orig	2007-08-27 15:10:34.000000000 -0300
++++ openssl-0.9.8e/tools/c_rehash.in	2007-08-27 15:12:41.000000000 -0300
+@@ -59,7 +59,7 @@
+ 		}
+ 	}
+ 	closedir DIR;
+-	FILE: foreach $fname (grep {/\.pem$/} @flist) {
++	FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
+ 		# Check to see if certificates and/or CRLs present.
+ 		my ($cert, $crl) = check_file($fname);
+ 		if(!$cert && !$crl) {

openssl-1.0.0-arm.patch

@@ -0,0 +1,13 @@
+diff -p -up openssl-1.0.0/Configure.arm openssl-1.0.0/Configure
+--- openssl-1.0.0/Configure.arm	2010-03-30 12:11:24.000000000 -0300
++++ openssl-1.0.0/Configure	2010-03-30 12:12:03.000000000 -0300
+@@ -356,6 +356,9 @@ my %table=(
+ "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++#### Arm Linux setups
++"linux-arm",   "gcc:\$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-armel",   "gcc:\$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### Mips Linux setups
+ "linux-mips",   "gcc:-mabi=32 \$(RPM_OPT_FLAGS) -DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-mipsel",   "gcc:-mabi=32 \$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

openssl-1.0.0-defaults.patch

@@ -0,0 +1,44 @@
+diff -p -up openssl-1.0.0/apps/openssl.cnf.defaults openssl-1.0.0/apps/openssl.cnf
+--- openssl-1.0.0/apps/openssl.cnf.defaults	2009-04-04 15:09:43.000000000 -0300
++++ openssl-1.0.0/apps/openssl.cnf	2010-03-30 11:47:32.000000000 -0300
+@@ -103,7 +103,8 @@ emailAddress		= optional
+ 
+ ####################################################################
+ [ req ]
+-default_bits		= 1024
++default_bits		= 2048
++default_md		= sha1
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+ 
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+-countryName_default		= AU
++countryName_default		= XX
+ countryName_min			= 2
+ countryName_max			= 2
+ 
+ stateOrProvinceName		= State or Province Name (full name)
+-stateOrProvinceName_default	= Some-State
++stateOrProvinceName_default	= Default Province
+ 
+ localityName			= Locality Name (eg, city)
++localityName_default		= Default City
+ 
+ 0.organizationName		= Organization Name (eg, company)
+-0.organizationName_default	= Internet Widgits Pty Ltd
++0.organizationName_default	= Default Company Ltd
+ 
+ # we can do this but it is not needed normally :-)
+ #1.organizationName		= Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName			= Locality Name (eg, city
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+ #organizationalUnitName_default	=
+ 
+-commonName			= Common Name (eg, YOUR name)
++commonName			= Common Name (eg, your name or your server\'s hostname)
+ commonName_max			= 64
+ 
+ emailAddress			= Email Address

openssl-1.0.0-enginesdir.patch

@@ -0,0 +1,52 @@
+diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
+--- openssl-1.0.0-beta5/Configure.enginesdir	2010-01-20 18:07:05.000000000 +0100
++++ openssl-1.0.0-beta5/Configure	2010-01-20 18:10:48.000000000 +0100
+@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -833,6 +834,10 @@ PROCESS_ARGS:
+ 				{
+ 				$openssldir=$1;
+ 				}
++			elsif (/^--enginesdir=(.*)$/)
++				{
++				$enginesdir=$1;
++				}
+ 			elsif (/^--install.prefix=(.*)$/)
+ 				{
+ 				$install_prefix=$1;
+@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
+ 
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+ 
+ print "IsMK1MF=$IsMK1MF\n";
+ 
+@@ -1673,7 +1678,7 @@ while (<IN>)
+ 		}
+ 	elsif	(/^#define\s+ENGINESDIR/)
+ 		{
+-		my $foo = "$prefix/$libdir/engines";
++		my $foo = "$enginesdir";
+ 		$foo =~ s/\\/\\\\/g;
+ 		print OUT "#define ENGINESDIR \"$foo\"\n";
+ 		}
+diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
+--- openssl-1.0.0-beta5/engines/Makefile.enginesdir	2010-01-16 21:06:09.000000000 +0100
++++ openssl-1.0.0-beta5/engines/Makefile	2010-01-20 18:07:05.000000000 +0100
+@@ -124,7 +124,7 @@ install:
+ 				sfx=".so"; \
+ 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ 			  fi; \
+-			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++			  chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ 		done; \
+ 	fi

openssl-1.0.0-mips.patch

@@ -0,0 +1,15 @@
+diff -p -up openssl-1.0.0/Configure.mips openssl-1.0.0/Configure
+--- openssl-1.0.0/Configure.mips	2010-03-30 12:09:16.000000000 -0300
++++ openssl-1.0.0/Configure	2010-03-30 12:10:12.000000000 -0300
+@@ -356,6 +356,11 @@ my %table=(
+ "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++#### Mips Linux setups
++"linux-mips",   "gcc:-mabi=32 \$(RPM_OPT_FLAGS) -DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-mipsel",   "gcc:-mabi=32 \$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-mips64",   "gcc:-mabi=64 \$(RPM_OPT_FLAGS) -DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-mips64el",   "gcc:-mabi=64 \$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.

openssl-1.0.0d.tar.gz.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQCVAgUATVF6RKpYnaxaapuFAQIIGAP8CpLzaSqIylsrllK6YJwcma+4LHWgt22R
+m0qjHpBUBrVYRvvs05ybLFgyoSfiV5pZ8D0p89bkF/dI8BT8L+gTwAodle6dnple
+6gqZj6kKDzOV8NXAKnyqgtd8G8USj4lOO1bF4s32pdw+qeOuGQ8Zl9nNDUlFbHN+
+NVpKctUbWi4=
+=wNaz
+-----END PGP SIGNATURE-----

openssl-optflags.diff

@@ -0,0 +1,61 @@
+diff -p -up openssl-1.0.0/Configure.optflags openssl-1.0.0/Configure
+--- openssl-1.0.0/Configure.optflags	2010-01-19 19:40:54.000000000 -0200
++++ openssl-1.0.0/Configure	2010-03-30 11:34:00.000000000 -0300
+@@ -336,32 +336,32 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ # It's believed that majority of ARM toolchains predefine appropriate -march.
+ # If you compiler does not, do complement config command line with one!
+ "linux-armv4",	"gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### IA-32 targets...
+-"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
++"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-generic64","gcc:-DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO \$(RPM_OPT_FLAGS) -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -375,8 +375,8 @@ my %table=(
+ #
+ #					<appro@fy.chalmers.se>
+ #
+-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-alpha-gcc","gcc:$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-alpha+bwx-gcc","gcc:$(RPM_OPT_FLAGS) -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ 

openssl-thread-test.c

@@ -0,0 +1,400 @@
+/* Test program to verify that RSA signing is thread-safe in OpenSSL. */
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/md5.h>
+#include <openssl/ssl.h>
+
+/* Just assume we want to do engine stuff if we're using 0.9.6b or
+ * higher. This assumption is only valid for versions bundled with RHL. */
+#if OPENSSL_VERSION_NUMBER  >= 0x0090602fL
+#include <openssl/engine.h>
+#define USE_ENGINE
+#endif
+
+#define MAX_THREAD_COUNT	10000
+#define ITERATION_COUNT		10
+#define MAIN_COUNT		100
+
+/* OpenSSL requires us to provide thread ID and locking primitives. */
+pthread_mutex_t *mutex_locks = NULL;
+static unsigned long
+thread_id_cb(void)
+{
+	return (unsigned long) pthread_self();
+}
+static void
+lock_cb(int mode, int n, const char *file, int line)
+{
+	if (mode & CRYPTO_LOCK) {
+		pthread_mutex_lock(&mutex_locks[n]);
+	} else {
+		pthread_mutex_unlock(&mutex_locks[n]);
+	}
+}
+
+struct thread_args {
+	RSA *rsa;
+	int digest_type;
+	unsigned char *digest;
+	unsigned int digest_len;
+	unsigned char *signature;
+	unsigned int signature_len;
+	pthread_t main_thread;
+};
+
+static int print = 0;
+
+pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_sign = 0;
+static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);}
+static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);}
+
+pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_verify = 0;
+static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);}
+static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);}
+
+pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER;
+long failure_count = 0;
+static void
+failure()
+{
+	pthread_mutex_lock(&failure_count_lock);
+	failure_count++;
+	pthread_mutex_unlock(&failure_count_lock);
+}
+
+static void *
+thread_main(void *argp)
+{
+	struct thread_args *args = argp;
+	unsigned char *signature;
+	unsigned int signature_len, signature_alloc_len;
+	int ret, i;
+
+	signature_alloc_len = args->signature_len;
+	if (RSA_size(args->rsa) > signature_alloc_len) {
+		signature_alloc_len = RSA_size(args->rsa);
+	}
+	signature = malloc(signature_alloc_len);
+	if (signature == NULL) {
+		fprintf(stderr, "Skipping checks in thread %lu -- %s.\n",
+			(unsigned long) pthread_self(), strerror(errno));
+		pthread_exit(0);
+		return NULL;
+	}
+	for (i = 0; i < ITERATION_COUNT; i++) {
+		signature_len = signature_alloc_len;
+		SIGN_LOCK();
+		ret = RSA_check_key(args->rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+			break;
+		}
+		ret = RSA_sign(args->digest_type,
+			       args->digest,
+			       args->digest_len,
+			       signature, &signature_len,
+			       args->rsa);
+		SIGN_UNLOCK();
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+			break;
+		}
+
+		VERIFY_LOCK();
+		ret = RSA_verify(args->digest_type,
+			         args->digest,
+			         args->digest_len,
+			         signature, signature_len,
+			         args->rsa);
+		VERIFY_UNLOCK();
+		if (ret != 1) {
+			fprintf(stderr,
+				"Signature from thread %lu(%d) fails "
+				"verification (passed in thread #%lu)!\n",
+				(long) pthread_self(), i,
+				(long) args->main_thread);
+			ERR_print_errors_fp(stdout);
+			failure();
+			continue;
+		}
+		if (print) {
+			fprintf(stderr, ">%d\n", i);
+		}
+	}
+	free(signature);
+
+	pthread_exit(0);
+
+	return NULL;
+}
+
+unsigned char *
+xmemdup(unsigned char *s, size_t len)
+{
+	unsigned char *r;
+	r = malloc(len);
+	if (r == NULL) {
+		fprintf(stderr, "Out of memory.\n");
+		ERR_print_errors_fp(stdout);
+		assert(r != NULL);
+	}
+	memcpy(r, s, len);
+	return r;
+}
+
+int
+main(int argc, char **argv)
+{
+	RSA *rsa;
+	MD5_CTX md5;
+	int fd, i;
+	pthread_t threads[MAX_THREAD_COUNT];
+	int thread_count = 1000;
+	unsigned char *message, *digest;
+	unsigned int message_len, digest_len;
+	unsigned char *correct_signature;
+	unsigned int correct_siglen, ret;
+	struct thread_args master_args, *args;
+	int sync = 0, seed = 0;
+	int again = 1;
+#ifdef USE_ENGINE
+	char *engine = NULL;
+	ENGINE *e = NULL;
+#endif
+
+	pthread_mutex_init(&failure_count_lock, NULL);
+
+	for (i = 1; i < argc; i++) {
+		if (strcmp(argv[i], "--seed") == 0) {
+			printf("Seeding PRNG.\n");
+			seed++;
+		} else
+		if (strcmp(argv[i], "--sync") == 0) {
+			printf("Running synchronized.\n");
+			sync++;
+		} else
+		if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) {
+			i++;
+			thread_count = atol(argv[i]);
+			if (thread_count > MAX_THREAD_COUNT) {
+				thread_count = MAX_THREAD_COUNT;
+			}
+			printf("Starting %d threads.\n", thread_count);
+			sync++;
+		} else
+		if (strcmp(argv[i], "--sign") == 0) {
+			printf("Locking signing.\n");
+			locked_sign++;
+		} else
+		if (strcmp(argv[i], "--verify") == 0) {
+			printf("Locking verifies.\n");
+			locked_verify++;
+		} else
+		if (strcmp(argv[i], "--print") == 0) {
+			printf("Tracing.\n");
+			print++;
+#ifdef USE_ENGINE
+		} else
+		if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) {
+			printf("Using engine \"%s\".\n", argv[i + 1]);
+			engine = argv[i + 1];
+			i++;
+#endif
+		} else {
+			printf("Bad argument: %s\n", argv[i]);
+			return 1;
+		}
+	}
+
+	/* Get some random data to sign. */
+	fd = open("/dev/urandom", O_RDONLY);
+	if (fd == -1) {
+		fprintf(stderr, "Error opening /dev/urandom: %s\n",
+			strerror(errno));
+	}
+
+	if (print) {
+		fprintf(stderr, "Reading random data.\n");
+	}
+	message = malloc(message_len = 9371);
+	read(fd, message, message_len);
+	close(fd);
+
+	/* Initialize the SSL library and set up thread-safe locking. */
+	ERR_load_crypto_strings();
+	SSL_library_init();
+	mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
+	for (i = 0; i < CRYPTO_num_locks(); i++) {
+		pthread_mutex_init(&mutex_locks[i], NULL);
+	}
+	CRYPTO_set_id_callback(thread_id_cb);
+	CRYPTO_set_locking_callback(lock_cb);
+	ERR_print_errors_fp(stdout);
+
+	/* Seed the PRNG if we were asked to do so. */
+	if (seed) {
+		if (print) {
+			fprintf(stderr, "Seeding PRNG.\n");
+		}
+		RAND_add(message, message_len, message_len);
+		ERR_print_errors_fp(stdout);
+	}
+
+	/* Turn on a hardware crypto device if asked to do so. */
+#ifdef USE_ENGINE
+	if (engine) {
+#if OPENSSL_VERSION_NUMBER  >= 0x0090700fL
+		ENGINE_load_builtin_engines();
+#endif
+		if (print) {
+			fprintf(stderr, "Initializing \"%s\" engine.\n",
+				engine);
+		}
+		e = ENGINE_by_id(engine);
+		ERR_print_errors_fp(stdout);
+		if (e) {
+			i = ENGINE_init(e);
+			ERR_print_errors_fp(stdout);
+			i = ENGINE_set_default_RSA(e);
+			ERR_print_errors_fp(stdout);
+		}
+	}
+#endif
+
+	/* Compute the digest for the signature. */
+	if (print) {
+		fprintf(stderr, "Computing digest.\n");
+	}
+	digest = malloc(digest_len = MD5_DIGEST_LENGTH);
+	MD5_Init(&md5);
+	MD5_Update(&md5, message, message_len);
+	MD5_Final(digest, &md5);
+
+	/* Generate a signing key. */
+	if (print) {
+		fprintf(stderr, "Generating key.\n");
+	}
+	rsa = RSA_generate_key(4096, 3, NULL, NULL);
+	ERR_print_errors_fp(stdout);
+	if (rsa == NULL) {
+		_exit(1);
+	}
+
+	/* Sign the data. */
+	correct_siglen = RSA_size(rsa);
+	correct_signature = malloc(correct_siglen);
+	for (i = 0; i < MAIN_COUNT; i++) {
+		if (print) {
+			fprintf(stderr, "Signing data (%d).\n", i);
+		}
+		ret = RSA_check_key(rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			failure();
+		}
+		correct_siglen = RSA_size(rsa);
+		ret = RSA_sign(NID_md5, digest, digest_len,
+			       correct_signature, &correct_siglen,
+			       rsa);
+		ERR_print_errors_fp(stdout);
+		if (ret != 1) {
+			_exit(2);
+		}
+		if (print) {
+			fprintf(stderr, "Verifying data (%d).\n", i);
+		}
+		ret = RSA_verify(NID_md5, digest, digest_len,
+			         correct_signature, correct_siglen,
+			         rsa);
+		if (ret != 1) {
+			_exit(2);
+		}
+	}
+
+	/* Collect up the inforamtion which other threads will need for
+	 * comparing their signature results with ours. */
+	master_args.rsa = rsa;
+	master_args.digest_type = NID_md5;
+	master_args.digest = digest;
+	master_args.digest_len = digest_len;
+	master_args.signature = correct_signature;
+	master_args.signature_len = correct_siglen;
+	master_args.main_thread = pthread_self();
+	
+	fprintf(stdout, "Performing %d signatures in each of %d threads "
+		"(%d, %d).\n", ITERATION_COUNT, thread_count,
+		digest_len, correct_siglen);
+	fflush(NULL);
+
+	/* Start up all of the threads. */
+	for (i = 0; i < thread_count; i++) {
+		args = malloc(sizeof(struct thread_args));
+		args->rsa = RSAPrivateKey_dup(master_args.rsa);
+		args->digest_type = master_args.digest_type;
+		args->digest_len = master_args.digest_len;
+		args->digest = xmemdup(master_args.digest, args->digest_len);
+		args->signature_len = master_args.signature_len;
+		args->signature = xmemdup(master_args.signature,
+					  args->signature_len);
+		args->main_thread = pthread_self();
+		ret = pthread_create(&threads[i], NULL, thread_main, args);
+		while ((ret != 0) && (errno == EAGAIN)) {
+			ret = pthread_create(&threads[i], NULL,
+					     thread_main, &args);
+			fprintf(stderr, "Thread limit hit at %d.\n", i);
+		}
+		if (ret != 0) {
+			fprintf(stderr, "Unable to create thread %d: %s.\n",
+				i, strerror(errno));
+			threads[i] = -1;
+		} else {
+			if (sync) {
+				ret = pthread_join(threads[i], NULL);
+				assert(ret == 0);
+			}
+			if (print) {
+				fprintf(stderr, "%d\n", i);
+			}
+		}
+	}
+
+	/* Wait for all threads to complete.  So long as we can find an
+	 * unjoined thread, keep joining threads. */
+	do {
+		again = 0;
+		for (i = 0; i < thread_count; i++) {
+			/* If we have an unterminated thread, join it. */
+			if (threads[i] != -1) {
+				again = 1;
+				if (print) {
+					fprintf(stderr, "Joining thread %d.\n",
+						i);
+				}
+				pthread_join(threads[i], NULL);
+				threads[i] = -1;
+				break;
+			}
+		}
+	} while (again == 1);
+
+	fprintf(stderr, "%ld failures\n", failure_count);
+
+	return (failure_count != 0);
+}

openssl.spec

@@ -0,0 +1,718 @@
+%define maj 1.0.0
+%define engines_name %mklibname openssl-engines %{maj}
+%define libname %mklibname openssl %{maj}
+%define develname %mklibname openssl -d
+%define staticname %mklibname openssl -s -d
+
+%define conflict1 %mklibname openssl 0.9.7
+%define conflict2 %mklibname openssl 0.9.8
+
+# Number of threads to spawn when testing some threading fixes.
+#define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
+
+# French policy is to not use ciphers stronger than 128 bits
+%define french_policy 0
+
+%define with_krb5 %{?_with_krb5:1}%{!?_with_krb5:0}
+
+Summary:	Secure Sockets Layer communications libs & utils
+Name:		openssl
+Version:	%{maj}d
+Release:	%mkrel 2
+License:	BSD-like
+Group:		System/Libraries
+URL:		http://www.openssl.org/
+Source0:	ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
+Source1:	ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz.asc
+Source2:	Makefile.certificate
+Source3:	make-dummy-cert
+Source4:	openssl-thread-test.c
+Source5:	README.pkcs11
+# (gb) 0.9.6b-5mdk: Limit available SSL ciphers to 128 bits
+Patch0:		openssl-0.9.6b-mdkconfig.patch
+# (gb) 0.9.7b-4mdk: Handle RPM_OPT_FLAGS in Configure
+Patch2:		openssl-optflags.diff
+# (oe) support Brazilian Government OTHERNAME X509v3 field (#14158)
+# http://www.iti.gov.br/resolucoes/RESOLU__O_13_DE_26_04_2002.PDF
+Patch6:		openssl-0.9.8-beta6-icpbrasil.diff
+Patch7:		openssl-1.0.0-defaults.patch
+Patch8:		openssl-0.9.8a-link-krb5.patch
+Patch10:	openssl-0.9.7-beta6-ia64.patch
+Patch12:	openssl-0.9.6-x509.patch
+Patch13:	openssl-0.9.7-beta5-version-add-engines.patch
+# http://qa.mandriva.com/show_bug.cgi?id=32621
+Patch15:        openssl-0.9.8e-crt.patch
+# http://blogs.sun.com/janp/
+Patch16:	pkcs11_engine-1.0.0.diff
+# MIPS and ARM support
+Patch300:	openssl-1.0.0-mips.patch
+Patch301:	openssl-1.0.0-arm.patch
+Patch302:	openssl-1.0.0-enginesdir.patch
+Requires:	%{libname} = %{version}-%{release}
+Requires:	perl-base
+Requires:	rootcerts
+%{?_with_krb5:BuildRequires: krb5-devel}
+BuildRequires:	chrpath
+BuildRequires:	zlib-devel
+# (tv) for test suite:
+BuildRequires:	bc
+BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-buildroot
+
+%description
+The openssl certificate management tool and the shared libraries that provide
+various encryption and decription algorithms and protocols, including DES, RC4,
+RSA and SSL.
+
+%package -n	%{engines_name}
+Summary:	Engines for openssl
+Group:		System/Libraries
+Obsoletes:	openssl-engines < 1.0.0a-5
+Provides:	openssl-engines = %{version}-%{release}
+
+%description -n	%{engines_name}
+This package provides engines for openssl.
+
+%package -n	%{libname}
+Summary:	Secure Sockets Layer communications libs
+Group:		System/Libraries
+Requires:	%{engines_name} >= %{version}-%{release}
+Provides:	%{libname} = %{version}-%{release}
+Conflicts:	openssh < 3.5p1-4mdk
+
+%description -n	%{libname}
+The libraries files are needed for various cryptographic algorithms
+and protocols, including DES, RC4, RSA and SSL.
+
+%package -n	%{develname}
+Summary:	Secure Sockets Layer communications libs & headers & utils
+Group:		Development/Other
+Requires:	%{libname} = %{version}-%{release}
+Provides:	libopenssl-devel
+Provides:	openssl-devel = %{version}-%{release}
+Obsoletes:	openssl-devel
+# temporary opsolete, will be a conflict later. a compat package
+# with openssl-0.9.7 devel libs will be provided soon
+Obsoletes:	%{conflict1}-devel
+Obsoletes:	%{conflict2}-devel
+Obsoletes:	%{mklibname openssl 1.0.0}-devel
+Provides:	%{name}-devel = %{version}-%{release}
+
+%description -n	%{develname}
+The libraries and include files needed to compile apps with support
+for various cryptographic algorithms and protocols, including DES, RC4, RSA
+and SSL.
+
+%package -n	%{staticname}
+Summary:	Secure Sockets Layer communications static libs
+Group:		Development/Other
+Requires:	%{develname} = %{version}-%{release}
+Provides:	libopenssl-static-devel
+Provides:	openssl-static-devel = %{version}-%{release}
+# temporary opsolete, will be a conflict later. a compat package
+# with openssl-0.9.7 static-devel libs will be provided soon
+Obsoletes:	%{conflict1}-static-devel
+Obsoletes:	%{conflict2}-static-devel
+Obsoletes:	%{mklibname openssl 1.0.0}-static-devel
+Provides:	%{name}-static-devel = %{version}-%{release}
+
+%description -n	%{staticname}
+The static libraries needed to compile apps with support for various
+cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.
+
+%prep
+
+%setup -q -n %{name}-%{version}
+%if %{french_policy}
+%patch0 -p1 -b .frenchpolicy
+%endif
+%patch2 -p1 -b .optflags
+%patch6 -p0 -b .icpbrasil
+%patch7 -p1 -b .defaults
+%{?_with_krb5:%patch8 -p1 -b .krb5}
+%patch10 -p0 -b .ia64
+%patch12 -p1 -b .x509
+%patch13 -p1 -b .version-add-engines
+%patch15 -p1 -b .crt
+%patch16 -p1 -b .pkcs11_engine
+
+%patch300 -p1 -b .mips
+%patch301 -p1 -b .arm
+%patch302 -p1 -b .engines
+
+perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile
+
+# fix perl path
+perl util/perlpath.pl %{_bindir}/perl
+
+cp %{SOURCE2} Makefile.certificate
+cp %{SOURCE3} make-dummy-cert
+cp %{SOURCE4} openssl-thread-test.c
+cp %{SOURCE5} README.pkcs11
+
+%build 
+%serverbuild
+
+# Figure out which flags we want to use.
+# default
+sslarch=%{_os}-%{_arch}
+%ifarch %ix86
+sslarch=linux-elf
+if ! echo %{_target} | grep -q i[56]86 ; then
+    sslflags="no-asm"
+fi
+%endif
+%ifarch sparcv9
+sslarch=linux-sparcv9
+%endif
+%ifarch alpha
+sslarch=linux-alpha-gcc
+%endif
+%ifarch s390
+sslarch="linux-generic32 -DB_ENDIAN -DNO_ASM"
+%endif
+%ifarch s390x
+sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
+%endif
+
+# ia64, x86_64, ppc, ppc64 are OK by default
+# Configure the build tree.  Override OpenSSL defaults with known-good defaults
+# usable on all platforms.  The Configure script already knows to use -fPIC and
+# RPM_OPT_FLAGS, so we can skip specifiying them here.
+./Configure \
+    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+    --enginesdir=%{_libdir}/openssl-%{version}/engines \
+    --prefix=%{_prefix} --libdir=%{_lib}/ %{?_with_krb5:--with-krb5-flavor=MIT -I%{_prefix}/kerberos/include -L%{_prefix}/kerberos/%{_lib}} \
+     no-idea no-rc5 enable-camellia shared enable-tlsext ${sslarch} --pk11-libname=%{_libdir}/pkcs11/PKCS11_API.so
+
+#    zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared ${sslarch}
+
+# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
+# marked as not requiring an executable stack.
+RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack"
+make depend
+make all build-shared
+
+# Generate hashes for the included certs.
+make rehash build-shared
+
+%check
+# Verify that what was compiled actually works.
+export LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
+
+make -C test apps tests
+
+gcc -o openssl-thread-test \
+    %{?_with_krb5:`krb5-config --cflags`} \
+    -I./include \
+    %{optflags} \
+    openssl-thread-test.c \
+    -L. -lssl -lcrypto \
+    %{?_with_krb5:`krb5-config --libs`} \
+    -lpthread -lz -ldl
+
+./openssl-thread-test --threads %{thread_test_threads}
+
+%install
+rm -fr %{buildroot}
+
+%makeinstall \
+    INSTALL_PREFIX=%{buildroot} \
+    MANDIR=%{_mandir} \
+    build-shared
+
+# the makefiles is too borked...
+install -d %{buildroot}%{_libdir}/openssl-%{version}
+mv %{buildroot}%{_libdir}/engines %{buildroot}%{_libdir}/openssl-%{version}/engines
+
+# make the rootcerts dir
+install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts
+
+# Install a makefile for generating keys and self-signed certs, and a script
+# for generating them on the fly.
+install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
+install -m0644 Makefile.certificate %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
+install -m0755 make-dummy-cert %{buildroot}%{_sysconfdir}/pki/tls/certs/make-dummy-cert
+
+# Pick a CA script.
+mv %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.sh %{buildroot}%{_sysconfdir}/pki/tls/misc/CA
+
+install -d %{buildroot}%{_sysconfdir}/pki/CA
+install -d %{buildroot}%{_sysconfdir}/pki/CA/private
+
+# openssl was named ssleay in "ancient" times.
+ln -snf openssl %{buildroot}%{_bindir}/ssleay
+
+# The man pages rand.3 and passwd.1 conflict with other packages
+# Rename them to ssl-* and also make a symlink from openssl-* to ssl-*
+mv %{buildroot}%{_mandir}/man1/passwd.1 %{buildroot}%{_mandir}/man1/ssl-passwd.1
+ln -sf ssl-passwd.1.bz2 %{buildroot}%{_mandir}/man1/openssl-passwd.1.bz2
+
+for i in rand err; do
+    mv %{buildroot}%{_mandir}/man3/$i.3 %{buildroot}%{_mandir}/man3/ssl-$i.3
+    ln -snf ssl-$i.3.bz2 %{buildroot}%{_mandir}/man3/openssl-$i.3.bz2
+done
+
+rm -rf {main,devel}-doc-info
+mkdir -p {main,devel}-doc-info
+cat - << EOF > main-doc-info/README.Mandriva-manpage
+Warning:
+The man page of passwd, passwd.1, has been renamed to ssl-passwd.1
+to avoid a conflict with passwd.1 man page from the package passwd.
+EOF
+
+cat - << EOF > devel-doc-info/README.Mandriva-manpage
+Warning:
+The man page of rand, rand.3, has been renamed to ssl-rand.3
+to avoid a conflict with rand.3 from the package man-pages
+The man page of err, err.3, has been renamed to ssl-err.3
+to avoid a conflict with err.3 from the package man-pages
+EOF
+
+chmod 755 %{buildroot}%{_libdir}/pkgconfig
+
+%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h
+
+# strip cannot touch these unless 755
+chmod 755 %{buildroot}%{_libdir}/openssl-%{version}/engines/*.so*
+chmod 755 %{buildroot}%{_libdir}/*.so*
+chmod 755 %{buildroot}%{_bindir}/*
+
+# nuke a mistake
+rm -f %{buildroot}%{_mandir}/man3/.3
+
+# nuke rpath
+chrpath -d %{buildroot}%{_bindir}/openssl
+
+# Fix libdir.
+pushd %{buildroot}%{_libdir}/pkgconfig
+    for i in *.pc ; do
+	sed 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' \
+	    $i >$i.tmp && \
+	    cat $i.tmp >$i && \
+	    rm -f $i.tmp
+    done
+popd
+
+# adjust ssldir
+perl -pi -e "s|^CATOP=.*|CATOP=%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA
+perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.pl
+perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
+
+%if %mdkversion < 200900
+%post -n %{libname} -p /sbin/ldconfig
+%endif
+
+%if %mdkversion < 200900
+%postun -n %{libname} -p /sbin/ldconfig
+%endif
+
+%clean
+rm -fr %{buildroot}
+
+%files 
+%defattr(-,root,root)
+%doc FAQ INSTALL LICENSE NEWS PROBLEMS main-doc-info/README*
+%doc README README.ASN1 README.ENGINE README.pkcs11
+%dir %{_sysconfdir}/pki
+%dir %{_sysconfdir}/pki/CA
+%dir %{_sysconfdir}/pki/CA/private
+%dir %{_sysconfdir}/pki/tls
+%dir %{_sysconfdir}/pki/tls/certs
+%dir %{_sysconfdir}/pki/tls/misc
+%dir %{_sysconfdir}/pki/tls/private
+%dir %{_sysconfdir}/pki/tls/rootcerts
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
+%attr(0755,root,root) %{_sysconfdir}/pki/tls/certs/make-dummy-cert
+%attr(0644,root,root) %{_sysconfdir}/pki/tls/certs/Makefile
+%attr(0755,root,root) %{_sysconfdir}/pki/tls/misc/*
+%attr(0755,root,root) %{_bindir}/*
+%attr(0644,root,root) %{_mandir}/man[157]/*
+
+%files -n %{libname}
+%defattr(-,root,root)
+%doc FAQ INSTALL LICENSE NEWS PROBLEMS README*
+%attr(0755,root,root) %{_libdir}/lib*.so.*
+
+%files -n %{engines_name}
+%defattr(-,root,root)
+%attr(0755,root,root) %dir %{_libdir}/openssl-%{version}/engines
+%attr(0755,root,root) %{_libdir}/openssl-%{version}/engines/*.so
+
+%files -n %{develname}
+%defattr(-,root,root)
+%doc CHANGES doc/* devel-doc-info/README*
+%attr(0755,root,root) %dir %{_includedir}/openssl
+%{multiarch_includedir}/openssl/opensslconf.h
+%attr(0644,root,root) %{_includedir}/openssl/*
+%attr(0755,root,root) %{_libdir}/lib*.so
+%attr(0644,root,root) %{_mandir}/man3/*
+%attr(0644,root,root) %{_libdir}/pkgconfig/*
+
+%files -n %{staticname}
+%defattr(-,root,root)
+%attr(0644,root,root) %{_libdir}/lib*.a
+
+
+%changelog
+* Mon May 02 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2mdv2011.0
++ Revision: 661710
+- multiarch fixes
+
+* Wed Feb 09 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-1
++ Revision: 636986
+- 1.0.0d
+
+* Fri Dec 03 2010 Oden Eriksson <oeriksson@mandriva.com> 1.0.0c-1mdv2011.0
++ Revision: 606171
+- 1.0.0b
+
+* Wed Nov 17 2010 Oden Eriksson <oeriksson@mandriva.com> 1.0.0b-1mdv2011.0
++ Revision: 598376
+- 1.0.0b (fixes CVE-2010-3864)
+- P17: post 1.0.0b fix to make the test suite work after upstream CVE-2010-3864 fixes
+- fix small borkiness
+
+* Sat Oct 02 2010 Anssi Hannula <anssi@mandriva.org> 1.0.0a-7mdv2011.0
++ Revision: 582540
+- fix versioned obsoletes of openssl-engines (the package was renamed
+  in 1.0.0a-5, not 1.0.0a-1.4)
+
+* Mon Sep 20 2010 Oden Eriksson <oeriksson@mandriva.com> 1.0.0a-6mdv2011.0
++ Revision: 579973
+- bump release
+- fix a dep problem which prevented openssl-engines to be upgraded if both
+  x86_64 and i586 urpmi repos were configured.
+
+* Tue Sep 14 2010 Eugeni Dodonov <eugeni@mandriva.com> 1.0.0a-4mdv2011.0
++ Revision: 578251
+- Fixed typo in openssl.cnf (#61019)
+
+* Sat Sep 04 2010 Oden Eriksson <oeriksson@mandriva.com> 1.0.0a-3mdv2011.0
++ Revision: 575832
+- sync with MDVSA-2010:168
+
+* Wed Jul 14 2010 Matthew Dawkins <mattydaw@mandriva.org> 1.0.0a-2mdv2011.0
++ Revision: 553412
+- dropped major for devel & static packages
+
+* Wed Jun 02 2010 Eugeni Dodonov <eugeni@mandriva.com> 1.0.0a-1mdv2010.1
++ Revision: 546943
+- Updated to 1.0.0a.
+
+* Tue Apr 06 2010 Eugeni Dodonov <eugeni@mandriva.com> 1.0.0-4mdv2010.1
++ Revision: 532146
+- Disable md2 again because it really should not have been enabled.
+
+* Tue Apr 06 2010 Funda Wang <fwang@mandriva.org> 1.0.0-3mdv2010.1
++ Revision: 532115
+- enable md2
+
+* Tue Apr 06 2010 Funda Wang <fwang@mandriva.org> 1.0.0-2mdv2010.1
++ Revision: 531959
+- obsoletes 0.9.8-static-devel
+
+* Mon Apr 05 2010 Eugeni Dodonov <eugeni@mandriva.com> 1.0.0-1mdv2010.1
++ Revision: 531697
+- Updated optflags patches.
+- Updated to 1.0.0.
+  Rediffed patches.
+  Updated pkcs11 patch.
+
+* Fri Mar 26 2010 Eugeni Dodonov <eugeni@mandriva.com> 0.9.8n-1mdv2010.1
++ Revision: 527842
+- Updated to 0.9.8n.
+
+* Thu Feb 25 2010 Eugeni Dodonov <eugeni@mandriva.com> 0.9.8m-1mdv2010.1
++ Revision: 511325
+- Drop P3 and P9 (no longer needed).
+- Updated to 0.9.8m.
+  Drop P3, P17-24 (merged upstream).
+  Rediff P2, P9, P16.
+
+* Thu Jan 21 2010 Oden Eriksson <oeriksson@mandriva.com> 0.9.8l-2mdv2010.1
++ Revision: 494502
+- P24: fix build with binutils-2.20.51.0.x
+- P23: security fix for CVE-2009-4355 (upstream)
+
+* Fri Nov 06 2009 Eugeni Dodonov <eugeni@mandriva.com> 0.9.8l-1mdv2010.1
++ Revision: 461230
+- Updated to 0.9.8l.
+  Fixed static package summary.
+
+* Wed Oct 07 2009 Oden Eriksson <oeriksson@mandriva.com> 0.9.8k-5mdv2010.0
++ Revision: 455585
+- P22: fixes a regression with CVE-2009-2409 (#54349)
+
+* Sun Sep 27 2009 Olivier Blin <oblin@mandriva.com> 0.9.8k-4mdv2010.0
++ Revision: 450189
+- mips and arm support (from Arnaud Patard)
+
+* Tue Sep 22 2009 Oden Eriksson <oeriksson@mandriva.com> 0.9.8k-3mdv2010.0
++ Revision: 447234
+- P19: security fix for CVE-2009-1379
+- P20: security fix for CVE-2009-1387
+- P21: security fix for CVE-2009-2409
+
+* Thu May 21 2009 Oden Eriksson <oeriksson@mandriva.com> 0.9.8k-2mdv2010.0
++ Revision: 378365
+- P17: security fix for CVE-2009-1377
+- P18: security fix for CVE-2009-1378
+
+* Thu Mar 26 2009 Eugeni Dodonov <eugeni@mandriva.com> 0.9.8k-1mdv2009.1
++ Revision: 361433
+- Updated to 0.9.8k.
+  Rediffed P9, P13, P16.
+  Dropped P17 (no longer needed) and P18 (merged upstream).
+
+* Tue Feb 03 2009 Guillaume Rousse <guillomovitch@mandriva.org> 0.9.8i-5mdv2009.1
++ Revision: 337119
+- keep bash completion in its own package
+
+* Mon Jan 12 2009 Guillaume Rousse <guillomovitch@mandriva.org> 0.9.8i-4mdv2009.1
++ Revision: 328609
+- no need to rename man page, we don't ship rsbac anymore
+- uncompress additional sources
+- bash completion
+
+* Thu Jan 08 2009 Eugeni Dodonov <eugeni@mandriva.com> 0.9.8i-3mdv2009.1
++ Revision: 327021
+- P18: security fix for CVE-2008-5077
+
+* Tue Dec 16 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8i-2mdv2009.1
++ Revision: 314928
+- rediffed fuzzy patches
+- fix build with P17 (-Werror=format-security)
+
+* Fri Oct 10 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8i-1mdv2009.1
++ Revision: 291331
+- 0.9.8i
+- dropped the mbstring_flag patch (P4), it's implemented upstream
+- added pkcs11 engine support P16
+
+* Thu Aug 07 2008 Thierry Vignaud <tv@mandriva.org> 0.9.8h-3mdv2009.0
++ Revision: 265275
+- rebuild early 2009.0 package (before pixel changes)
+
+* Wed Jun 11 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8h-2mdv2009.0
++ Revision: 217952
+- fix "#%%define is forbidden"
+- added P4 to fix borkiness in the apache test suites
+
+  + Pixel <pixel@mandriva.com>
+    - do not call ldconfig in %%post/%%postun, it is now handled by filetriggers
+
+* Fri May 30 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8h-1mdv2009.0
++ Revision: 213381
+- 0.9.8h (fixes CVE-2008-1672, CVE-2008-0891)
+- rediffed P2
+
+* Thu May 29 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-9mdv2009.0
++ Revision: 212968
+- P16: security fix for CVE-2008-0891
+- P17: security fix for CVE-2008-1672
+
+* Tue May 27 2008 Thierry Vignaud <tv@mandriva.org> 0.9.8g-8mdv2009.0
++ Revision: 211562
+- fix duplicated descriptions between devel packages (as showed by latest commits)
+- descriptions are not license tags
+- remove URLs & emails from descriptions
+
+* Sat May 24 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-7mdv2009.0
++ Revision: 210856
+- rebuild
+
+* Tue May 20 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-6mdv2009.0
++ Revision: 209328
+- rebuilt with gcc43
+
+* Mon Apr 14 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-5mdv2009.0
++ Revision: 192694
+- rebuild
+- fix #39792 (openssl-thread-test does not use proper .so file)
+
+* Thu Feb 28 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-4mdv2008.1
++ Revision: 176382
+- rebuild (take 2)
+
+* Thu Feb 28 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-3mdv2008.1
++ Revision: 176250
+- rebuild
+
+* Thu Feb 28 2008 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-2mdv2008.1
++ Revision: 176044
+- fix #38237 (Please include SNI support patch)
+
+  + Olivier Blin <oblin@mandriva.com>
+    - restore BuildRoot
+
+  + Thierry Vignaud <tv@mandriva.org>
+    - kill re-definition of %%buildroot on Pixel's request
+
+* Thu Dec 06 2007 Oden Eriksson <oeriksson@mandriva.com> 0.9.8g-1mdv2008.1
++ Revision: 115942
+- bump release
+- 0.9.8g
+
+* Fri Oct 19 2007 Oden Eriksson <oeriksson@mandriva.com> 0.9.8f-1mdv2008.1
++ Revision: 100300
+- 0.9.8f
+- rediffed P2
+- drop upstream implemented fixes for CVE-2007-3108, CVE-2007-5135
+- drop upstream implemented fixes; P4, P14, P16, P17, P18
+
+* Fri Oct 05 2007 Anne Nicolas <ennael@mandriva.org> 0.9.8e-8mdv2008.0
++ Revision: 95537
+- bump release
+
+* Thu Oct 04 2007 Andreas Hasenack <andreas@mandriva.com> 0.9.8e-7mdv2008.0
++ Revision: 95496
+- patch to fix security issues CVE-2007-5135 and
+  CVE-2007-3108 (#34405 and #32376 respectively)
+
+* Fri Sep 21 2007 Andreas Hasenack <andreas@mandriva.com> 0.9.8e-6mdv2008.0
++ Revision: 91695
+- fix sigill during make test (#32769)
+- make c_rehash handle .crt extensions (#32621)
+
+  + Thierry Vignaud <tv@mandriva.org>
+    - add missing buildrequires for test suite
+    - kill file require on perl-base
+
+* Tue Jun 26 2007 Thierry Vignaud <tv@mandriva.org> 0.9.8e-4mdv2008.0
++ Revision: 44488
+- rebuild with -fstack-protector
+
+* Tue Apr 24 2007 Andreas Hasenack <andreas@mandriva.com> 0.9.8e-3mdv2008.0
++ Revision: 17927
+- fixed 3des cipher bug in openssl (#30431)
+
+
+* Mon Mar 19 2007 Thierry Vignaud <tvignaud@mandriva.com> 0.9.8e-2mdv2007.1
++ Revision: 146607
+- move big doc in -devel
+
+* Mon Feb 26 2007 Andreas Hasenack <andreas@mandriva.com> 0.9.8e-1mdv2007.1
++ Revision: 125816
+- updated to version 0.9.8e
+
+* Wed Dec 20 2006 Per Øyvind Karlsen <pkarlsen@mandriva.com> 0.9.8d-3mdv2007.1
++ Revision: 100705
+- bump re?\195?\184lease
+- fix sparcv9 build
+  do not disable asm on sparc
+  move checks to %%check
+
+* Mon Dec 11 2006 Gwenole Beauchesne <gbeauchesne@mandriva.com> 0.9.8d-2mdv2007.1
++ Revision: 94733
+- 0.9.8d-2mdv
+- merge from 2007.0-branch: fix build on ppc64
+
+* Mon Nov 06 2006 Andreas Hasenack <andreas@mandriva.com> 0.9.8d-1mdv2007.1
++ Revision: 77025
+- updated to version 0.9.8d
+- dropped poll patch, it's already being used upstream
+- added new cipher: camellia
+- dropped security patches that were already applied
+
+* Tue Oct 31 2006 Oden Eriksson <oeriksson@mandriva.com> 0.9.8b-4mdv2007.1
++ Revision: 74810
+- add another patch, phew!
+- commit one more patch (duh!)
+- commit the patches too...
+- bunzip patches
+
+  + Andreas Hasenack <andreas@mandriva.com>
+    - added security patches for CVE-2006-2940 (two patches),
+      CVE-2006-4343, CVE-2006-3738 and CVE-2006-2937 (#26197)
+    - Import openssl
+
+* Thu Sep 07 2006 Oden Eriksson <oeriksson@mandriva.com> 0.9.8b-2
+- plug CVE-2006-4339 (#25234)
+
+* Fri May 05 2006 Oden Eriksson <oeriksson@mandriva.com> 0.9.8b-1mdk
+- 0.9.8a
+- rediffed P3
+
+* Mon Jan 30 2006 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-10mdk
+- fix one conflicting manpage (buffer.3) with rsbac-admin (#20875)
+
+* Fri Jan 27 2006 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-9mdk
+- fix deps (rootcerts)
+
+* Wed Jan 04 2006 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-8mdk
+- fix the /usr/lib6464 error (duh!)
+
+* Wed Jan 04 2006 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-7mdk
+- fix deps
+
+* Mon Dec 05 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-6mdk
+- fix file attribs on certain files in /etc/pki/tls/ (thanks ahasenack)
+- fix one missing ";" in the /etc/pki/tls/misc/CA.pl file (thanks ahasenack)
+- for the record, 0.9.8a-4mdk fixed #19882
+
+* Wed Nov 23 2005 Christiaan Welvaart <cjw@daneel.dyndns.org> 0.9.8a-5mdk
+- add BuildRequires: chrpath
+
+* Mon Nov 21 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-4mdk
+- don't ship a crippled package
+
+* Sat Nov 12 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-3mdk
+- rebuilt due package loss
+
+* Fri Nov 11 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-2mdk
+- added patches and changes from fedora
+- OPENSSLDIR is now %%{_sysconfdir}/pki/tls
+
+* Thu Nov 10 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.8a-1mdk
+- merge with the openssl0.9.8 package:
+  - 0.9.8a
+  - new major
+  - rediff P2, P3 and P6
+
+* Mon Oct 17 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.7i-1mdk
+- 0.9.7i (compatibility fix)
+
+* Fri Oct 14 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.7h-2mdk
+- security update for CAN-2005-2946 (P7)
+
+* Wed Oct 12 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.7h-1mdk
+- 0.9.7h (addresses CAN-2005-2969)
+- rediff P2,P3
+
+* Fri May 06 2005 Oden Eriksson <oeriksson@mandriva.com> 0.9.7g-2mdk
+- rebuilt with gcc4
+
+* Sat Apr 16 2005 Oden Eriksson <oeriksson@mandrakesoft.com> 0.9.7g-1mdk
+- 0.9.7g
+- rediffed P2
+
+* Fri Apr 01 2005 Oden Eriksson <oeriksson@mandrakesoft.com> 0.9.7f-1mdk
+- 0.9.7f
+- use the %%mkrel macro
+- drop the libfips patch (P5), it's implemented upstream
+- drop the CAN-2004-0975 patch (P4) as the code is gone
+- rediffed P2
+
+* Wed Mar 02 2005 Oden Eriksson <oeriksson@mandrakesoft.com> 0.9.7e-5mdk
+- added P6 to support Brazilian Government OTHERNAME X509v3 field (#14158)
+
+* Mon Jan 31 2005 Oden Eriksson <oeriksson@mandrakesoft.com> 0.9.7e-4mdk
+- fix deps and conditional %%multiarch
+- added P5 as there's no libfips
+
+* Mon Jan 10 2005 Frederic Lepied <flepied@mandrakesoft.com> 0.9.7e-3mdk
+- build in parallel
+
+* Tue Dec 07 2004 Oden Eriksson <oeriksson@mandrakesoft.com> 0.9.7e-2mdk
+- apply the CAN-2004-0975 patch (P4) from 0.9.7d-1.1.101mdk
+
+* Mon Nov 08 2004 Oden Eriksson <oeriksson@mandrakesoft.com> 0.9.7e-1mdk
+- 0.9.7e
+- rediffed P2 & P3
+- misc spec file fixes
+
+* Sat Jun 19 2004 Jean-Michel Dault <jmdault@mandrakesoft.com> 0.9.7d-1mdk
+- new version
+- rediff P3
+- remove P4/P5 since they're included in the release
+