From 181a9b12af17570c2ee59ccd140172f9ae3aaf771155c751866caa66825454e0 Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Mon, 18 Dec 2006 23:17:18 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=1

---
 .gitattributes                               |  23 +
 .gitignore                                   |   1 +
 Equifax-root1.pem                            |  19 +
 ICP-Brasil.pem                               |  28 +
 README.SuSE                                  |   9 +
 bswap.diff                                   |  11 +
 non-exec-stack.diff                          |  10 +
 openssl-0.9.6g-alpha.diff                    |  12 +
 openssl-0.9.7f-ppc64.diff                    |  12 +
 openssl-0.9.8-flags-priority.dif             |  11 +
 openssl-0.9.8-sparc.dif                      |  17 +
 openssl-0.9.8a.ca-app-segfault.bug128655.dif |  12 +
 openssl-0.9.8d.tar.bz2                       |   3 +
 openssl-CVE-2006-2940-fixup.patch            |  18 +
 openssl-hppa-config.diff                     |  15 +
 openssl-s390-config.diff                     |  12 +
 openssl.changes                              | 846 +++++++++++++++++
 openssl.spec                                 | 900 +++++++++++++++++++
 openssl.test                                 |   3 +
 ready                                        |   0
 20 files changed, 1962 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 Equifax-root1.pem
 create mode 100644 ICP-Brasil.pem
 create mode 100644 README.SuSE
 create mode 100644 bswap.diff
 create mode 100644 non-exec-stack.diff
 create mode 100644 openssl-0.9.6g-alpha.diff
 create mode 100644 openssl-0.9.7f-ppc64.diff
 create mode 100644 openssl-0.9.8-flags-priority.dif
 create mode 100644 openssl-0.9.8-sparc.dif
 create mode 100644 openssl-0.9.8a.ca-app-segfault.bug128655.dif
 create mode 100644 openssl-0.9.8d.tar.bz2
 create mode 100644 openssl-CVE-2006-2940-fixup.patch
 create mode 100644 openssl-hppa-config.diff
 create mode 100644 openssl-s390-config.diff
 create mode 100644 openssl.changes
 create mode 100644 openssl.spec
 create mode 100644 openssl.test
 create mode 100644 ready

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/Equifax-root1.pem b/Equifax-root1.pem
new file mode 100644
index 0000000..e07f0ca
--- /dev/null
+++ b/Equifax-root1.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
+UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
+MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
+dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
+BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
+cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
+AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
+aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
+ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
+IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
+MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
+A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
+7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
+1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
+-----END CERTIFICATE-----
diff --git a/ICP-Brasil.pem b/ICP-Brasil.pem
new file mode 100644
index 0000000..938e3a9
--- /dev/null
+++ b/ICP-Brasil.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBtDELMAkGA1UEBhMCQlIx
+EzARBgNVBAoTCklDUC1CcmFzaWwxPTA7BgNVBAsTNEluc3RpdHV0byBOYWNpb25h
+bCBkZSBUZWNub2xvZ2lhIGRhIEluZm9ybWFjYW8gLSBJVEkxETAPBgNVBAcTCEJy
+YXNpbGlhMQswCQYDVQQIEwJERjExMC8GA1UEAxMoQXV0b3JpZGFkZSBDZXJ0aWZp
+Y2Fkb3JhIFJhaXogQnJhc2lsZWlyYTAeFw0wMTExMzAxMjU4MDBaFw0xMTExMzAy
+MzU5MDBaMIG0MQswCQYDVQQGEwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDE9MDsG
+A1UECxM0SW5zdGl0dXRvIE5hY2lvbmFsIGRlIFRlY25vbG9naWEgZGEgSW5mb3Jt
+YWNhbyAtIElUSTERMA8GA1UEBxMIQnJhc2lsaWExCzAJBgNVBAgTAkRGMTEwLwYD
+VQQDEyhBdXRvcmlkYWRlIENlcnRpZmljYWRvcmEgUmFpeiBCcmFzaWxlaXJhMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPMudwX/hvm+Uh2b/lQAcHVA
+isamaLkWdkwP9/S/tOKIgRrL6Oy+ZIGlOUdd6uYtk9Ma/3pUpgcfNAj0vYm5gsyj
+Qo9emsc+x6m4VWwk9iqMZSCK5EQkAq/Ut4n7KuLE1+gdftwdIgxfUsPt4CyNrY50
+QV57KM2UT8x5rrmzEjr7TICGpSUAl2gVqe6xaii+bmYR1QrmWaBSAG59LrkrjrYt
+bRhFboUDe1DK+6T8s5L6k8c8okpbHpa9veMztDVC9sPJ60MWXh6anVKo1UcLcbUR
+yEeNvZneVRKAAU6ouwdjDvwlsaKydFKwed0ToQ47bmUKgcm+wV3eTRk36UOnTwID
+AQABo4HSMIHPME4GA1UdIARHMEUwQwYFYEwBAQAwOjA4BggrBgEFBQcCARYsaHR0
+cDovL2FjcmFpei5pY3BicmFzaWwuZ292LmJyL0RQQ2FjcmFpei5wZGYwPQYDVR0f
+BDYwNDAyoDCgLoYsaHR0cDovL2FjcmFpei5pY3BicmFzaWwuZ292LmJyL0xDUmFj
+cmFpei5jcmwwHQYDVR0OBBYEFIr68VeEERM1kEL6V0lUaQ2kxPA3MA8GA1UdEwEB
+/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQAZA5c1
+U/hgIh6OcgLAfiJgFWpvmDZWqlV30/bHFpj8iBobJSm5uDpt7TirYh1Uxe3fQaGl
+YjJe+9zd+izPRbBqXPVQA34EXcwk4qpWuf1hHriWfdrx8AcqSqr6CuQFwSr75Fos
+SzlwDADa70mT7wZjAmQhnZx2xJ6wfWlT9VQfS//JYeIc7Fue2JNLd00UOSMMaiK/
+t79enKNHEA2fupH3vEigf5Eh4bVAN5VohrTm6MY53x7XQZZr1ME7a55lFEnSeT0u
+mlOAjR2mAbvSM5X5oSZNrmetdzyTj2flCM8CC7MLab0kkdngRIlUBGHF1/S5nmPb
+K+9A46sd33oqK8n8
+-----END CERTIFICATE-----
diff --git a/README.SuSE b/README.SuSE
new file mode 100644
index 0000000..ba7ac69
--- /dev/null
+++ b/README.SuSE
@@ -0,0 +1,9 @@
+Please note that the man pages for the openssl libraries and tools
+have been placed in a package on its own right: openssl-doc Please
+install the openssl-doc package if you need the man pages, HTML
+documentation or sample C programs.
+
+The C header files and static libraries have also been extracted, they
+can now be found in the openssl-devel package.
+
+Your SuSE Team.
diff --git a/bswap.diff b/bswap.diff
new file mode 100644
index 0000000..c16d7f2
--- /dev/null
+++ b/bswap.diff
@@ -0,0 +1,11 @@
+--- crypto/camellia/cmll_locl.h
++++ crypto/camellia/cmll_locl.h
+@@ -107,7 +107,7 @@
+ 	(ct)[3] = (uint8_t)(st); }
+ 
+ #ifdef L_ENDIAN
+-#if (defined (__GNUC__) && !defined(i386))
++#if (defined (__GNUC__) && defined(i386))
+ #define CAMELLIA_SWAP4(x) \
+   do{\
+     asm("bswap %1" : "+r" (x));\
diff --git a/non-exec-stack.diff b/non-exec-stack.diff
new file mode 100644
index 0000000..b64308d
--- /dev/null
+++ b/non-exec-stack.diff
@@ -0,0 +1,10 @@
+--- crypto/perlasm/x86unix.pl
++++ crypto/perlasm/x86unix.pl
+@@ -586,6 +586,7 @@
+ 		push(@out,$const);
+ 		$const="";
+ 		}
++	push(@out, ".section 	.note.GNU-stack,\"\",\@progbits");
+ 	}
+ 
+ sub main'data_word
diff --git a/openssl-0.9.6g-alpha.diff b/openssl-0.9.6g-alpha.diff
new file mode 100644
index 0000000..4fc98ca
--- /dev/null
+++ b/openssl-0.9.6g-alpha.diff
@@ -0,0 +1,12 @@
+--- openssl-0.9.8a/config
++++ openssl-0.9.8a/config
+@@ -520,7 +520,8 @@
+   ppc-apple-darwin*) OUT="darwin-ppc-cc" ;;
+   i386-apple-darwin*) OUT="darwin-i386-cc" ;;
+   alpha-*-linux2)
+-        ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
++        #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
++ 	ISA=EV56
+ 	case ${ISA:-generic} in
+ 	*[678])	OUT="linux-alpha+bwx-$CC" ;;
+ 	*)	OUT="linux-alpha-$CC" ;;
diff --git a/openssl-0.9.7f-ppc64.diff b/openssl-0.9.7f-ppc64.diff
new file mode 100644
index 0000000..c17117e
--- /dev/null
+++ b/openssl-0.9.7f-ppc64.diff
@@ -0,0 +1,12 @@
+--- openssl-0.9.8a/config
++++ openssl-0.9.8a/config
+@@ -540,7 +540,8 @@
+ 	    echo "         You have about 5 seconds to press Ctrl-C to abort."
+ 	    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+ 	fi
+-	OUT="linux-ppc"
++	# we have the target and force it here
++	OUT="linux-ppc64"
+ 	;;
+   ppc-*-linux2) OUT="linux-ppc" ;;
+   ia64-*-linux?) OUT="linux-ia64" ;;
diff --git a/openssl-0.9.8-flags-priority.dif b/openssl-0.9.8-flags-priority.dif
new file mode 100644
index 0000000..c16aeef
--- /dev/null
+++ b/openssl-0.9.8-flags-priority.dif
@@ -0,0 +1,11 @@
+--- openssl-0.9.8/Configure.orig	2005-07-05 01:24:11.000000000 +0200
++++ openssl-0.9.8/Configure	2005-07-06 15:16:50.481056819 +0200
+@@ -957,7 +957,7 @@
+ my $no_shared_warn=0;
+ my $no_user_cflags=0;
+ 
+-if ($flags ne "")	{ $cflags="$flags$cflags"; }
++if ($flags ne "")	{ $cflags="$cflags $flags"; }
+ else			{ $no_user_cflags=1;       }
+ 
+ # Kerberos settings.  The flavor must be provided from outside, either through
diff --git a/openssl-0.9.8-sparc.dif b/openssl-0.9.8-sparc.dif
new file mode 100644
index 0000000..46f5c47
--- /dev/null
+++ b/openssl-0.9.8-sparc.dif
@@ -0,0 +1,17 @@
+--- openssl-0.9.8/config.orig	2005-06-26 20:10:20.000000000 +0200
++++ openssl-0.9.8/config	2005-07-06 15:03:56.144875647 +0200
+@@ -558,10 +558,10 @@
+   sparc-*-linux2)
+ 	KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo`
+ 	case ${KARCH:-sun4} in
+-	sun4u*)	OUT="linux-sparcv9" ;;
+-	sun4m)	OUT="linux-sparcv8" ;;
+-	sun4d)	OUT="linux-sparcv8" ;;
+-	*)	OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
++#	sun4u*)	OUT="linux-sparcv9" ;;
++#	sun4m)	OUT="linux-sparcv8" ;;
++#	sun4d)	OUT="linux-sparcv8" ;;
++	*)	OUT="linux-sparcv8" ;;
+ 	esac ;;
+   parisc*-*-linux2)
+ 	# 64-bit builds under parisc64 linux are not supported and
diff --git a/openssl-0.9.8a.ca-app-segfault.bug128655.dif b/openssl-0.9.8a.ca-app-segfault.bug128655.dif
new file mode 100644
index 0000000..4c1f46b
--- /dev/null
+++ b/openssl-0.9.8a.ca-app-segfault.bug128655.dif
@@ -0,0 +1,12 @@
+--- openssl-0.9.8a/apps/ca.c
++++ openssl-0.9.8a/apps/ca.c
+@@ -1515,7 +1515,8 @@
+ 	if (free_key && key)
+ 		OPENSSL_free(key);
+ 	BN_free(serial);
+-	free_index(db);
++	if (db)
++		free_index(db);
+ 	EVP_PKEY_free(pkey);
+ 	if (x509) X509_free(x509);
+ 	X509_CRL_free(crl);
diff --git a/openssl-0.9.8d.tar.bz2 b/openssl-0.9.8d.tar.bz2
new file mode 100644
index 0000000..cef2851
--- /dev/null
+++ b/openssl-0.9.8d.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9c517f6d682b6fc0364738700b4691369580e04db65317a842fa779a1cda4cf8
+size 2655970
diff --git a/openssl-CVE-2006-2940-fixup.patch b/openssl-CVE-2006-2940-fixup.patch
new file mode 100644
index 0000000..b6c6ec2
--- /dev/null
+++ b/openssl-CVE-2006-2940-fixup.patch
@@ -0,0 +1,18 @@
+Fix for the CVE-2006-2940 fix
+
+The newly introduced limit on DH modulus size could lead to a crash when
+exerted.
+This was fixed after the 0.9.8d release in the OpenSSL CVS:
+http://cvs.openssl.org/chngview?cn=15607
+
+--- crypto/dh/dh_key.c	2005-08-20 20:35:53.000000000 +0200
++++ crypto/dh/dh_key.c	2006-10-04 13:25:02.000000000 +0200
+@@ -173,7 +173,7 @@
+ 
+ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ 	{
+-	BN_CTX *ctx;
++	BN_CTX *ctx=NULL;
+ 	BN_MONT_CTX *mont=NULL;
+ 	BIGNUM *tmp;
+ 	int ret= -1;
diff --git a/openssl-hppa-config.diff b/openssl-hppa-config.diff
new file mode 100644
index 0000000..7490646
--- /dev/null
+++ b/openssl-hppa-config.diff
@@ -0,0 +1,15 @@
+--- config
++++ config
+@@ -579,7 +579,11 @@
+ 	#         PA8500   -> 8000   (2.0)
+ 	#         PA8600   -> 8000   (2.0)
+ 
+-	CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'`
++ 	# CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'`
++ 	# lets have CPUSCHEDULE for 1.1:
++ 	CPUSCHEDULE=7100LC
++ 	# we want to support 1.1 CPUs as well:
++ 	CPUARCH=1.1
+ 	# Finish Model transformations
+ 
+ 	options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH"
diff --git a/openssl-s390-config.diff b/openssl-s390-config.diff
new file mode 100644
index 0000000..c71a14c
--- /dev/null
+++ b/openssl-s390-config.diff
@@ -0,0 +1,12 @@
+--- config
++++ config	2006/01/16 10:33:01
+@@ -591,7 +591,8 @@
+ 	OUT="linux-generic32" ;;
+   arm*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
+   arm*l-*-linux2) OUT="linux-generic32"; options="$options -DL_ENDIAN" ;;
+-  s390*-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN -DNO_ASM" ;;
++  s390-*-linux2) OUT="linux-s390"; options="$options -DB_ENDIAN -DNO_ASM" ;;
++  s390x-*-linux2) OUT="linux-s390x"; options="$options -DB_ENDIAN -DNO_ASM" ;;
+   x86_64-*-linux?) OUT="linux-x86_64" ;;
+   *86-*-linux2) OUT="linux-elf"
+ 	if [ "$GCCVER" -gt 28 ]; then
diff --git a/openssl.changes b/openssl.changes
new file mode 100644
index 0000000..b4f9e47
--- /dev/null
+++ b/openssl.changes
@@ -0,0 +1,846 @@
+-------------------------------------------------------------------
+Thu Nov 30 14:33:51 CET 2006 - mkoenig@suse.de
+
+- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198
+
+-------------------------------------------------------------------
+Mon Nov  6 18:35:10 CET 2006 - poeml@suse.de
+
+- configure with 'zlib' instead of 'zlib-dynamic'. Build with the
+  latter, there are problems opening the libz when running on the
+  Via Epia or vmware platforms. [#213305]
+
+-------------------------------------------------------------------
+Wed Oct  4 15:07:55 CEST 2006 - poeml@suse.de
+
+- add patch for the CVE-2006-2940 fix: the newly introduced limit
+  on DH modulus size could lead to a crash when exerted. [#208971]
+  Discovered and fixed after the 0.9.8d release.
+
+-------------------------------------------------------------------
+Fri Sep 29 18:37:01 CEST 2006 - poeml@suse.de
+
+- update to 0.9.8d
+  *) Introduce limits to prevent malicious keys being able to
+     cause a denial of service.  (CVE-2006-2940)
+  *) Fix ASN.1 parsing of certain invalid structures that can result
+     in a denial of service.  (CVE-2006-2937)
+  *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
+     (CVE-2006-3738)
+  *) Fix SSL client code which could crash if connecting to a
+     malicious SSLv2 server.  (CVE-2006-4343)
+  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
+     match only those.  Before that, "AES256-SHA" would be interpreted
+     as a pattern and match "AES128-SHA" too (since AES128-SHA got
+     the same strength classification in 0.9.7h) as we currently only
+     have a single AES bit in the ciphersuite description bitmap.
+     That change, however, also applied to ciphersuite strings such as
+     "RC4-MD5" that intentionally matched multiple ciphersuites --
+     namely, SSL 2.0 ciphersuites in addition to the more common ones
+     from SSL 3.0/TLS 1.0.
+     So we change the selection algorithm again: Naming an explicit
+     ciphersuite selects this one ciphersuite, and any other similar
+     ciphersuite (same bitmap) from *other* protocol versions.
+     Thus, "RC4-MD5" again will properly select both the SSL 2.0
+     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
+     Since SSL 2.0 does not have any ciphersuites for which the
+     128/256 bit distinction would be relevant, this works for now.
+     The proper fix will be to use different bits for AES128 and
+     AES256, which would have avoided the problems from the beginning;
+     however, bits are scarce, so we can only do this in a new release
+     (not just a patchlevel) when we can change the SSL_CIPHER
+     definition to split the single 'unsigned long mask' bitmap into
+     multiple values to extend the available space.
+- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected
+  [openssl.org #1397]
+
+-------------------------------------------------------------------
+Fri Sep  8 20:33:40 CEST 2006 - schwab@suse.de
+
+- Fix inverted logic.
+
+-------------------------------------------------------------------
+Wed Sep  6 17:56:08 CEST 2006 - poeml@suse.de
+
+- update to 0.9.8c
+  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
+  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+     (CVE-2006-4339)  [Ben Laurie and Google Security Team]
+  *) Add AES IGE and biIGE modes.  [Ben Laurie]
+  *) Change the Unix randomness entropy gathering to use poll() when
+     possible instead of select(), since the latter has some
+     undesirable limitations.  [Darryl Miles via Richard Levitte and Bodo Moeller]
+  *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
+     treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+     cannot be implicitly activated as part of, e.g., the "AES" alias.
+     However, please upgrade to OpenSSL 0.9.9[-dev] for
+     non-experimental use of the ECC ciphersuites to get TLS extension
+     support, which is required for curve and point format negotiation
+     to avoid potential handshake problems.  [Bodo Moeller]
+  *) Disable rogue ciphersuites:
+      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+     The latter two were purportedly from
+     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+     appear there.
+     Also deactive the remaining ciphersuites from
+     draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
+     unofficial, and the ID has long expired.  [Bodo Moeller]
+  *) Fix RSA blinding Heisenbug (problems sometimes occured on
+     dual-core machines) and other potential thread-safety issues.
+     [Bodo Moeller]
+  *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
+     versions), which is now available for royalty-free use
+     (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
+     Also, add Camellia TLS ciphersuites from RFC 4132.
+     To minimize changes between patchlevels in the OpenSSL 0.9.8
+     series, Camellia remains excluded from compilation unless OpenSSL
+     is configured with 'enable-camellia'.  [NTT]
+  *) Disable the padding bug check when compression is in use. The padding
+     bug check assumes the first packet is of even length, this is not
+     necessarily true if compresssion is enabled and can result in false
+     positives causing handshake failure. The actual bug test is ancient
+     code so it is hoped that implementations will either have fixed it by
+     now or any which still have the bug do not support compression.
+     [Steve Henson]
+  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
+  *) When applying a cipher rule check to see if string match is an explicit
+     cipher suite and only match that one cipher suite if it is.  [Steve Henson]
+  *) Link in manifests for VC++ if needed.  [Austin Ziegler <halostatue@gmail.com>]
+  *) Update support for ECC-based TLS ciphersuites according to
+     draft-ietf-tls-ecc-12.txt with proposed changes (but without
+     TLS extensions, which are supported starting with the 0.9.9
+     branch, not in the OpenSSL 0.9.8 branch).  [Douglas Stebila]
+  *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+     opaque EVP_CIPHER_CTX handling.  [Steve Henson]
+  *) Fixes and enhancements to zlib compression code. We now only use
+     "zlib1.dll" and use the default __cdecl calling convention on Win32
+     to conform with the standards mentioned here:
+           http://www.zlib.net/DLL_FAQ.txt
+     Static zlib linking now works on Windows and the new --with-zlib-include
+     --with-zlib-lib options to Configure can be used to supply the location
+     of the headers and library. Gracefully handle case where zlib library
+     can't be loaded.  [Steve Henson]
+  *) Several fixes and enhancements to the OID generation code. The old code
+     sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+     handle numbers larger than ULONG_MAX, truncated printing and had a
+     non standard OBJ_obj2txt() behaviour.  [Steve Henson]
+  *) Add support for building of engines under engine/ as shared libraries
+     under VC++ build system.  [Steve Henson]
+  *) Corrected the numerous bugs in the Win32 path splitter in DSO.
+     Hopefully, we will not see any false combination of paths any more.
+     [Richard Levitte]
+- enable Camellia cipher. There is a royalty free license to the
+  patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html.
+  NOTE: the license forbids patches to the cipher.
+- build with zlib-dynamic and add zlib-devel to BuildRequires.
+  Allows compression of data in TLS, although few application would
+  actually use it since there is no standard for negotiating the
+  compression method. The only one I know if is stunnel.
+
+-------------------------------------------------------------------
+Fri Jun  2 15:00:58 CEST 2006 - poeml@suse.de
+
+- fix built-in ENGINESDIR for 64 bit architectures. We change only
+  the builtin search path for engines, not the path where engines
+  are packaged. Path can be overridden with the OPENSSL_ENGINES
+  environment variable. [#179094]
+
+-------------------------------------------------------------------
+Wed Jan 25 21:30:41 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Jan 16 13:13:13 CET 2006 - mc@suse.de
+
+- fix build problems on s390x (openssl-s390-config.diff)
+- build with -fstack-protector 
+
+-------------------------------------------------------------------
+Mon Nov  7 16:30:49 CET 2005 - dmueller@suse.de
+
+- build with non-executable stack 
+
+-------------------------------------------------------------------
+Thu Oct 20 17:37:47 CEST 2005 - poeml@suse.de
+
+- fix unguarded free() which can cause a segfault in the ca
+  commandline app [#128655]
+
+-------------------------------------------------------------------
+Thu Oct 13 15:10:28 CEST 2005 - poeml@suse.de
+
+- add Geotrusts Equifax Root1 CA certificate, which needed to
+  verify the authenticity of you.novell.com [#121966]
+
+-------------------------------------------------------------------
+Tue Oct 11 15:34:07 CEST 2005 - poeml@suse.de
+
+- update to 0.9.8a
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+     (part of SSL_OP_ALL).  This option used to disable the
+     countermeasure against man-in-the-middle protocol-version
+     rollback in the SSL 2.0 server implementation, which is a bad
+     idea.  (CAN-2005-2969)
+  *) Add two function to clear and return the verify parameter flags.
+  *) Keep cipherlists sorted in the source instead of sorting them at
+     runtime, thus removing the need for a lock.
+  *) Avoid some small subgroup attacks in Diffie-Hellman.
+  *) Add functions for well-known primes.
+  *) Extended Windows CE support.
+  *) Initialize SSL_METHOD structures at compile time instead of during
+     runtime, thus removing the need for a lock.
+  *) Make PKCS7_decrypt() work even if no certificate is supplied by
+     attempting to decrypt each encrypted key in turn. Add support to
+     smime utility.
+
+-------------------------------------------------------------------
+Thu Sep 29 18:53:08 CEST 2005 - poeml@suse.de
+
+- update to 0.9.8
+  see CHANGES file or http://www.openssl.org/news/changelog.html
+- adjust patches
+- drop obsolete openssl-no-libc.diff
+- disable libica patch until it has been ported
+
+-------------------------------------------------------------------
+Fri May 20 11:27:12 CEST 2005 - poeml@suse.de
+
+- update to 0.9.7g. The significant changes are:
+  *) Fixes for newer kerberos headers. NB: the casts are needed because
+     the 'length' field is signed on one version and unsigned on another
+     with no (?) obvious way to tell the difference, without these VC++
+     complains. Also the "definition" of FAR (blank) is no longer included
+     nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+     some needed definitions.
+  *) Added support for proxy certificates according to RFC 3820.
+     Because they may be a security thread to unaware applications,
+     they must be explicitely allowed in run-time.  See
+     docs/HOWTO/proxy_certificates.txt for further information.
+
+-------------------------------------------------------------------
+Tue May 17 16:28:51 CEST 2005 - schwab@suse.de
+
+- Include %cflags_profile_generate in ${CC} since it is required for
+  linking as well.
+- Remove explicit reference to libc.
+
+-------------------------------------------------------------------
+Fri Apr  8 17:27:27 CEST 2005 - poeml@suse.de
+
+- update to 0.9.7f. The most significant changes are:
+    o Several compilation issues fixed.
+    o Many memory allocation failure checks added.
+    o Improved comparison of X509 Name type.
+    o Mandatory basic checks on certificates.
+    o Performance improvements.
+  (for a complete list see http://www.openssl.org/source/exp/CHANGES)
+- adjust openssl-0.9.7f-ppc64.diff
+- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435]
+
+-------------------------------------------------------------------
+Tue Jan  4 16:47:02 CET 2005 - poeml@suse.de
+
+- update to 0.9.7e
+  *) Avoid a race condition when CRLs are checked in a multi
+     threaded environment. This would happen due to the reordering
+     of the revoked entries during signature checking and serial
+     number lookup. Now the encoding is cached and the serial
+     number sort performed under a lock.  Add new STACK function
+     sk_is_sorted().
+  *) Add Delta CRL to the extension code.
+  *) Various fixes to s3_pkt.c so alerts are sent properly.
+  *) Reduce the chances of duplicate issuer name and serial numbers
+     (in violation of RFC3280) using the OpenSSL certificate
+     creation utilities.  This is done by creating a random 64 bit
+     value for the initial serial number when a serial number file
+     is created or when a self signed certificate is created using
+     'openssl req -x509'. The initial serial number file is created
+     using 'openssl x509 -next_serial' in CA.pl rather than being
+     initialized to 1.
+- remove obsolete patches
+- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch
+  Makefile, not Makefile.ssl
+- fixup for spaces in names of man pages not needed now
+- pack /usr/bin/openssl_fips_fingerprint
+- in rpm post/postun script, run /sbin/ldconfig directly (the macro
+  is deprecated)
+
+-------------------------------------------------------------------
+Mon Oct 18 15:03:28 CEST 2004 - poeml@suse.de
+
+- don't install openssl.doxy file [#45210]
+
+-------------------------------------------------------------------
+Thu Jul 29 16:56:44 CEST 2004 - poeml@suse.de
+
+- apply patch from CVS to fix segfault in S/MIME encryption
+  (http://cvs.openssl.org/chngview?cn=12081, regression in
+  openssl-0.9.7d) [#43386]
+
+-------------------------------------------------------------------
+Mon Jul 12 15:22:31 CEST 2004 - mludvig@suse.cz
+
+- Updated VIA PadLock engine.
+
+-------------------------------------------------------------------
+Wed Jun 30 21:45:01 CEST 2004 - mludvig@suse.cz
+
+- Updated openssl-0.9.7d-padlock-engine.diff with support for
+  AES192, AES256 and RNG.
+
+-------------------------------------------------------------------
+Tue Jun 15 16:18:36 CEST 2004 - poeml@suse.de
+
+- update IBM ICA patch to last night's version. Fixes ibmca_init()
+  to reset ibmca_dso=NULL after calling DSO_free(), if the device
+  driver could not be loaded. The bug lead to a segfault triggered
+  by stunnel, which does autoload available engines [#41874]
+- patch from CVS: make stack API more robust (return NULL for
+  out-of-range indexes). Fixes another possible segfault during
+  engine detection (could also triggered by stunnel)
+- add patch from Michal Ludvig for VIA PadLock support 
+
+-------------------------------------------------------------------
+Wed Jun  2 20:44:40 CEST 2004 - poeml@suse.de
+
+- add root certificate for the ICP-Brasil CA [#41546]
+
+-------------------------------------------------------------------
+Thu May 13 19:53:48 CEST 2004 - poeml@suse.de
+
+- add patch to use default_md for CRLs too [#40435]
+
+-------------------------------------------------------------------
+Tue May  4 20:45:19 CEST 2004 - poeml@suse.de
+
+- update ICA patch to apr292004 release [#39695]
+
+-------------------------------------------------------------------
+Thu Mar 18 13:47:09 CET 2004 - poeml@suse.de
+
+- update to 0.9.7d
+  o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
+    (CAN-2004-0112)
+  o Security: Fix null-pointer assignment in do_change_cipher_spec() 
+    (CAN-2004-0079)
+  o Allow multiple active certificates with same subject in CA index
+  o Multiple X590 verification fixes
+  o Speed up HMAC and other operations
+- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around
+  IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has
+  OPENSSL_NO_IDEA around it
+- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the
+  pod file)
+- permissions of lib/pkgconfig fixed
+
+-------------------------------------------------------------------
+Wed Feb 25 20:42:39 CET 2004 - poeml@suse.de
+
+- update to 0.9.7c
+  *) Fix various bugs revealed by running the NISCC test suite:
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+  *) New -ignore_err option in ocsp application to stop the server
+     exiting on the first error in a request.
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+     extra data after the compression methods not only for TLS 1.0
+     but also for SSL 3.0 (as required by the specification).
+  *) Change X509_certificate_type() to mark the key as exported/exportable
+     when it's 512 *bits* long, not 512 bytes.
+  *) Change AES_cbc_encrypt() so it outputs exact multiple of
+     blocks during encryption.
+  *) Various fixes to base64 BIO and non blocking I/O. On write
+     flushes were not handled properly if the BIO retried. On read
+     data was not being buffered properly and had various logic bugs.
+     This also affects blocking I/O when the data being decoded is a
+     certain size.
+  *) Various S/MIME bugfixes and compatibility changes:
+     output correct application/pkcs7 MIME type if
+     PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+     Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+     of files as .eml work). Correctly handle very long lines in MIME
+     parser.
+- update ICA patch 
+  quote: This version of the engine patch has updated error handling in
+  the DES/SHA code, and turns RSA blinding off for hardware
+  accelerated RSA ops.
+- filenames of some man pages contain spaces now. Replace them with
+  underscores
+- fix compiler warnings in showciphers.c
+- fix permissions of /usr/%_lib/pkgconfig
+
+-------------------------------------------------------------------
+Sat Jan 10 10:55:59 CET 2004 - adrian@suse.de
+
+- add %run_ldconfig
+- remove unneeded PreRequires
+
+-------------------------------------------------------------------
+Tue Nov 18 14:07:53 CET 2003 - poeml@suse.de
+
+- ditch annoying mail to root about moved locations [#31969]
+
+-------------------------------------------------------------------
+Wed Aug 13 22:30:13 CEST 2003 - poeml@suse.de
+
+- enable profile feedback based optimizations (except AES which
+  becomes slower)
+- add -fno-strict-aliasing, due to warnings about code where
+  dereferencing type-punned pointers will break strict aliasing
+- make a readlink function if readlink is not available
+
+-------------------------------------------------------------------
+Mon Aug  4 16:16:57 CEST 2003 - ro@suse.de
+
+- fixed manpages symlinks
+
+-------------------------------------------------------------------
+Wed Jul 30 15:37:37 CEST 2003 - meissner@suse.de
+
+- Fix Makefile to create pkgconfig file with lib64 on lib64 systems.
+
+-------------------------------------------------------------------
+Sun Jul 27 15:51:04 CEST 2003 - poeml@suse.de
+
+- don't explicitely strip binaries since RPM handles it, and may
+  keep the stripped information somewhere
+
+-------------------------------------------------------------------
+Tue Jul 15 16:29:16 CEST 2003 - meissner@suse.de
+
+- -DMD32_REG_T=int for ppc64 and s390x.
+
+-------------------------------------------------------------------
+Thu Jul 10 23:14:22 CEST 2003 - poeml@suse.de
+
+- update ibm ICA patch to 20030708 release (libica-1.3)
+
+-------------------------------------------------------------------
+Mon May 12 23:27:07 CEST 2003 - poeml@suse.de
+
+- package the openssl.pc file for pkgconfig 
+
+-------------------------------------------------------------------
+Wed Apr 16 16:04:32 CEST 2003 - poeml@suse.de
+
+- update to 0.9.7b. The most significant changes are:
+  o New library section OCSP.
+  o Complete rewrite of ASN1 code.
+  o CRL checking in verify code and openssl utility.
+  o Extension copying in 'ca' utility.
+  o Flexible display options in 'ca' utility.
+  o Provisional support for international characters with UTF8.
+  o Support for external crypto devices ('engine') is no longer
+    a separate distribution.
+  o New elliptic curve library section.
+  o New AES (Rijndael) library section.
+  o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
+    Linux x86_64, Linux 64-bit on Sparc v9
+  o Extended support for some platforms: VxWorks
+  o Enhanced support for shared libraries.
+  o Now only builds PIC code when shared library support is requested.
+  o Support for pkg-config.
+  o Lots of new manuals.
+  o Makes symbolic links to or copies of manuals to cover all described
+    functions.
+  o Change DES API to clean up the namespace (some applications link also
+    against libdes providing similar functions having the same name).
+    Provide macros for backward compatibility (will be removed in the
+    future).
+  o Unify handling of cryptographic algorithms (software and engine)
+    to be available via EVP routines for asymmetric and symmetric ciphers.
+  o NCONF: new configuration handling routines.
+  o Change API to use more 'const' modifiers to improve error checking
+    and help optimizers.
+  o Finally remove references to RSAref.
+  o Reworked parts of the BIGNUM code.
+  o Support for new engines: Broadcom ubsec, Accelerated Encryption
+    Processing, IBM 4758.
+  o A few new engines added in the demos area.
+  o Extended and corrected OID (object identifier) table.
+  o PRNG: query at more locations for a random device, automatic query for
+    EGD style random sources at several locations.
+  o SSL/TLS: allow optional cipher choice according to server's preference.
+  o SSL/TLS: allow server to explicitly set new session ids.
+  o SSL/TLS: support Kerberos cipher suites (RFC2712).
+    Only supports MIT Kerberos for now.
+  o SSL/TLS: allow more precise control of renegotiations and sessions.
+  o SSL/TLS: add callback to retrieve SSL/TLS messages.
+  o SSL/TLS: support AES cipher suites (RFC3268).
+- adapt the ibmca patch
+- remove openssl-nocrypt.diff, openssl's crypt() vanished
+- configuration syntax has changed ($sys_id added before $lflags)
+
+-------------------------------------------------------------------
+Thu Feb 20 11:55:34 CET 2003 - poeml@suse.de
+
+- update to bugfix release 0.9.6i:
+  - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize
+    information leaked via timing by performing a MAC computation
+    even if incorrrect block cipher padding has been found.  This
+    is a countermeasure against active attacks where the attacker
+    has to distinguish between bad padding and a MAC verification
+    error.  (CAN-2003-0078)
+  - a few more small bugfixes (mainly missing assertions)
+
+-------------------------------------------------------------------
+Fri Dec  6 10:07:20 CET 2002 - poeml@suse.de
+
+- update to 0.9.6h (last release in the 0.9.6 series)
+  o New configuration targets for Tandem OSS and A/UX.
+  o New OIDs for Microsoft attributes.
+  o Better handling of SSL session caching.
+  o Better comparison of distinguished names.
+  o Better handling of shared libraries in a mixed GNU/non-GNU environment.
+  o Support assembler code with Borland C.
+  o Fixes for length problems.
+  o Fixes for uninitialised variables.
+  o Fixes for memory leaks, some unusual crashes and some race conditions.
+  o Fixes for smaller building problems.
+  o Updates of manuals, FAQ and other instructive documents.
+- add a call to make depend
+- fix sed expression (lib -> lib64) to replace multiple occurences
+  on one line
+
+-------------------------------------------------------------------
+Mon Nov  4 13:16:09 CET 2002 - stepan@suse.de
+
+- fix openssl for alpha ev56 cpus
+
+-------------------------------------------------------------------
+Thu Oct 24 12:57:36 CEST 2002 - poeml@suse.de
+
+- own the /usr/share/ssl directory [#20849]
+- openssl-hppa-config.diff can be applied on all architectures
+
+-------------------------------------------------------------------
+Mon Sep 30 16:07:49 CEST 2002 - bg@suse.de
+
+- enable hppa distribution; use only pa1.1 architecture. 
+
+-------------------------------------------------------------------
+Tue Sep 17 17:13:46 CEST 2002 - froh@suse.de
+
+- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953)
+
+-------------------------------------------------------------------
+Mon Aug 12 18:34:58 CEST 2002 - poeml@suse.de
+
+- update to 0.9.6g and drop the now included ASN1 check patch.
+  Other change:
+  - Use proper error handling instead of 'assertions' in buffer
+    overflow checks added in 0.9.6e.  This prevents DoS (the
+    assertions could call abort()).
+
+-------------------------------------------------------------------
+Fri Aug  9 19:49:59 CEST 2002 - kukuk@suse.de
+
+- Fix requires of openssl-devel subpackage
+
+-------------------------------------------------------------------
+Tue Aug  6 15:18:59 MEST 2002 - draht@suse.de
+
+- Correction for changes in the ASN1 code, assembled in
+  openssl-0.9.6e-cvs-20020802-asn1_lib.diff
+
+-------------------------------------------------------------------
+Thu Aug  1 00:53:33 CEST 2002 - poeml@suse.de
+
+- update to 0.9.6e. Major changes:
+  o Various security fixes (sanity checks to asn1_get_length(),
+    various remote buffer overflows)
+  o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the
+    countermeasure against a vulnerability in the CBC ciphersuites
+    in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to
+    be incompatible with buggy SSL implementations
+- update ibmca crypto hardware patch (security issues fixed)
+- gcc 3.1 version detection is fixed, we can drop the patch
+- move the most used man pages from the -doc to the main package
+  [#9913] and resolve man page conflicts by putting them into ssl
+  sections [#17239] 
+- spec file: use PreReq for %post script
+
+-------------------------------------------------------------------
+Fri Jul 12 17:59:10 CEST 2002 - poeml@suse.de
+
+- update to 0.9.6d. Major changes:
+  o Various SSL/TLS library bugfixes.
+  o Fix DH parameter generation for 'non-standard' generators.
+  Complete Changelog: http://www.openssl.org/news/changelog.html
+- supposed to fix a session caching failure occuring with postfix
+- simplify local configuration for the architectures
+- there's a new config variable: $shared_ldflag
+- use RPM_OPT_FLAGS in favor of predifined cflags by appending them
+  at the end
+- validate config data (config --check-sanity)
+- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982]
+- move configuration to /etc/ssl [#14387]
+- mark openssl.cnf %config (noreplace)
+
+-------------------------------------------------------------------
+Sat Jul  6 20:28:56 CEST 2002 - schwab@suse.de
+
+- Include <crypt.h> to get crypt prototype.
+
+-------------------------------------------------------------------
+Fri Jul  5 08:51:16 CEST 2002 - kukuk@suse.de
+
+- Remove crypt prototype from des.h header file, too.
+
+-------------------------------------------------------------------
+Mon Jun 10 11:38:16 CEST 2002 - meissner@suse.de
+
+- enhanced ppc64 support (needs seperate config), reenabled make check
+
+-------------------------------------------------------------------
+Fri May 31 14:54:06 CEST 2002 - olh@suse.de
+
+- add ppc64 support, temporary disable make check
+
+-------------------------------------------------------------------
+Thu Apr 18 16:30:01 CEST 2002 - meissner@suse.de
+
+- fixed x86_64 build, added bc to needed_for_build (used by tests)
+
+-------------------------------------------------------------------
+Wed Apr 17 16:56:34 CEST 2002 - ro@suse.de
+
+- fixed gcc version determination
+- drop sun4c support/always use sparcv8 
+- ignore return code from showciphers
+
+-------------------------------------------------------------------
+Fri Mar 15 16:54:44 CET 2002 - poeml@suse.de
+
+- add settings for sparc to build shared objects. Note that all
+  sparcs (sun4[mdu]) are recognized as linux-sparcv7 
+
+-------------------------------------------------------------------
+Wed Feb  6 14:23:44 CET 2002 - kukuk@suse.de
+
+- Remove crypt function from libcrypto.so.0 [Bug #13056]
+
+-------------------------------------------------------------------
+Sun Feb  3 22:32:16 CET 2002 - poeml@suse.de
+
+- add settings for mips to build shared objects
+- print out all settings to the build log
+
+-------------------------------------------------------------------
+Tue Jan 29 12:42:58 CET 2002 - poeml@suse.de
+
+- update to 0.9.6c:
+  o bug fixes
+  o support for hardware crypto devices (Cryptographic Appliances,
+  Broadcom, and Accelerated Encryption Processing)
+- add IBMCA patch for IBM eServer Cryptographic Accelerator Device
+  Driver (#12565) (forward ported from 0.9.6b)
+  (http://www-124.ibm.com/developerworks/projects/libica/)
+- tell Configure how to build shared libs for s390 and s390x 
+- tweak Makefile.org to use %_libdir
+- clean up spec file
+- add README.SuSE as source file instead of in a patch
+
+-------------------------------------------------------------------
+Wed Dec  5 10:59:59 CET 2001 - uli@suse.de
+
+- disabled "make test" for ARM (destest segfaults, the other tests
+  seem to succeed)
+
+-------------------------------------------------------------------
+Wed Dec  5 02:39:16 CET 2001 - ro@suse.de
+
+- removed subpackage src 
+
+-------------------------------------------------------------------
+Wed Nov 28 13:28:42 CET 2001 - uli@suse.de
+
+- needs -ldl on ARM, too
+
+-------------------------------------------------------------------
+Mon Nov 19 17:48:31 MET 2001 - mls@suse.de
+
+- made mips big endian, fixed shared library creation for mips
+
+-------------------------------------------------------------------
+Fri Aug 31 11:19:46 CEST 2001 - rolf@suse.de
+
+- added root certificates [BUG#9913]
+- move from /usr/ssh to /usr/share/ssl
+
+-------------------------------------------------------------------
+Wed Jul 18 10:27:54 CEST 2001 - rolf@suse.de
+
+- update to 0.9.6b
+- switch to engine version of openssl, which supports hardware 
+  encryption for a few popular devices
+- check wether shared libraries have been generated
+
+-------------------------------------------------------------------
+Thu Jul  5 15:06:03 CEST 2001 - rolf@suse.de
+
+- appliy PRNG security patch
+
+-------------------------------------------------------------------
+Tue Jun 12 10:52:34 EDT 2001 - bk@suse.de
+
+- added support for s390x
+
+-------------------------------------------------------------------
+Mon May  7 21:02:30 CEST 2001 - kukuk@suse.de
+
+- Fix building of shared libraries on SPARC, too.
+
+-------------------------------------------------------------------
+Mon May  7 11:36:53 MEST 2001 - rolf@suse.de
+
+- Fix ppc and s390 shared library builds
+- resolved conflict in manpage naming: 
+	rand.3 is now sslrand.3 [BUG#7643]
+
+-------------------------------------------------------------------
+Tue May  1 22:32:48 CEST 2001 - schwab@suse.de
+
+- Fix ia64 configuration.
+- Fix link command.
+
+-------------------------------------------------------------------
+Thu Apr 26 03:17:52 CEST 2001 - bjacke@suse.de
+
+- updated to 0.96a
+
+-------------------------------------------------------------------
+Wed Apr 18 12:56:48 CEST 2001 - kkaempf@suse.de
+
+- provide .so files in -devel package only
+
+-------------------------------------------------------------------
+Tue Apr 17 02:45:36 CEST 2001 - bjacke@suse.de
+
+- resolve file name conflict (#6966)
+
+-------------------------------------------------------------------
+Wed Mar 21 10:12:59 MET 2001 - rolf@suse.de
+
+- new subpackage openssl-src [BUG#6383]
+- added README.SuSE which explains where to find the man pages [BUG#6717]
+
+-------------------------------------------------------------------
+Fri Dec 15 18:09:16 CET 2000 - sf@suse.de
+
+- changed CFLAG to -O1 to make the tests run successfully 
+
+-------------------------------------------------------------------
+Mon Dec 11 13:33:55 CET 2000 - rolf@suse.de
+
+- build openssl with no-idea and no-rc5 to meet US & RSA regulations
+- build with -fPIC on all platforms (especially IA64)
+
+-------------------------------------------------------------------
+Wed Nov 22 11:27:39 MET 2000 - rolf@suse.de
+
+- rename openssls to openssl-devel and add shared libs and header files
+- new subpackge openssl-doc for manpages and documentation
+- use BuildRoot
+
+-------------------------------------------------------------------
+Fri Oct 27 16:53:45 CEST 2000 - schwab@suse.de
+
+- Add link-time links for libcrypto and libssl.
+- Make sure that LD_LIBRARY_PATH is passed down to sub-makes.
+
+-------------------------------------------------------------------
+Mon Oct  2 17:33:07 MEST 2000 - rolf@suse.de
+
+- update to 0.9.6
+
+-------------------------------------------------------------------
+Mon Apr 10 23:04:15 CEST 2000 - bk@suse.de
+
+- fix support for s390-linux
+
+-------------------------------------------------------------------
+Mon Apr 10 18:01:46 MEST 2000 - rolf@suse.de
+
+- new version 0.9.5a
+
+-------------------------------------------------------------------
+Sun Apr  9 02:51:42 CEST 2000 - bk@suse.de
+
+- add support for s390-linux
+
+-------------------------------------------------------------------
+Mon Mar 27 19:25:25 CEST 2000 - kukuk@suse.de
+
+- Use sparcv7 for SPARC
+
+-------------------------------------------------------------------
+Wed Mar  1 16:42:00 MET 2000 - rolf@suse.de
+
+- move manpages back, as too many conflict with system manuals
+
+-------------------------------------------------------------------
+Wed Mar  1 02:52:17 CET 2000 - bk@suse.de
+
+- added subpackage source openssls, needed for ppp_ssl
+
+-------------------------------------------------------------------
+Wed Mar  1 11:23:21 MET 2000 - rolf@suse.de
+
+- move manpages to %{_mandir}
+- include static libraries
+
+-------------------------------------------------------------------
+Tue Feb 29 12:50:48 MET 2000 - rolf@suse.de
+
+- new version 0.9.5
+
+-------------------------------------------------------------------
+Thu Feb 24 15:43:38 CET 2000 - schwab@suse.de
+
+- add support for ia64-linux
+
+-------------------------------------------------------------------
+Mon Jan 31 13:05:59 CET 2000 - kukuk@suse.de
+
+- Create and add libcrypto.so.0 and libssl.so.0
+
+-------------------------------------------------------------------
+Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de
+
+- ran old prepare_spec on spec file to switch to new prepare_spec.
+
+-------------------------------------------------------------------
+Wed Sep  1 12:30:08 MEST 1999 - rolf@suse.de
+
+- new version 0.9.4
+
+-------------------------------------------------------------------
+Wed May 26 16:26:49 MEST 1999 - rolf@suse.de
+
+- new version 0.9.3 with new layout
+- alpha asm disabled by default now, no patch needed
+
+-------------------------------------------------------------------
+Thu May 20 09:38:09 MEST 1999 - ro@suse.de
+
+- disable asm for alpha: seems incomplete
+
+-------------------------------------------------------------------
+Mon May 17 17:43:34 MEST 1999 - rolf@suse.de
+
+- don't use -DNO_IDEA
+
+-------------------------------------------------------------------
+Wed May 12 16:10:03 MEST 1999 - rolf@suse.de
+
+- first version 0.9.2b
diff --git a/openssl.spec b/openssl.spec
new file mode 100644
index 0000000..642151f
--- /dev/null
+++ b/openssl.spec
@@ -0,0 +1,900 @@
+#
+# spec file for package openssl (Version 0.9.8d)
+#
+# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# This file and all modifications and additions to the pristine
+# package are under the same license as the package itself.
+#
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+Name:           openssl
+BuildRequires:  bc ed zlib-devel
+%ifarch s390x
+%else
+%endif
+%define ssletcdir %{_sysconfdir}/ssl
+%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
+License:        BSD License and BSD-like, Other License(s), see package
+Group:          Productivity/Networking/Security
+Provides:       ssl
+Conflicts:      ssleay
+Obsoletes:      ssleay
+Autoreqprov:    on
+Version:        0.9.8d
+Release:        17
+Summary:        Secure Sockets and Transport Layer Security
+URL:            http://www.openssl.org/
+Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
+Source10:       README.SuSE
+Source20:       ICP-Brasil.pem
+Source21:       Equifax-root1.pem
+Patch0:         openssl-0.9.8-sparc.dif
+Patch1:         openssl-0.9.8-flags-priority.dif
+Patch2:         non-exec-stack.diff
+Patch7:         openssl-0.9.7f-ppc64.diff
+Patch8:         openssl-hppa-config.diff
+Patch9:         openssl-0.9.6g-alpha.diff
+# http://www-124.ibm.com/developerworks/projects/libica/
+#Patch10:      openssl-0.9.7d-ICA_engine-jun142004.patch.bz2
+Patch11:        openssl-s390-config.diff
+Patch20:        openssl-0.9.8a.ca-app-segfault.bug128655.dif
+Patch21:        bswap.diff
+Patch22:        openssl-CVE-2006-2940-fixup.patch
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+
+%description
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, full-featured, and open source toolkit implementing
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
+v1) protocols with full-strength cryptography. The project is managed
+by a worldwide community of volunteers that use the Internet to
+communicate, plan, and develop the OpenSSL toolkit and its related
+documentation.
+
+Derivation and License
+
+OpenSSL is based on the excellent SSLeay library developed by Eric A.
+Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
+Apache-style license, which basically means that you are free to get it
+and to use it for commercial and noncommercial purposes.
+
+
+
+Authors:
+--------
+    Mark J. Cox <mark@openssl.org>
+    Ralf S. Engelschall <rse@openssl.org>
+    Dr. Stephen Henson <steve@openssl.org>
+    Ben Laurie <ben@openssl.org>
+    Bodo Moeller <bodo@openssl.org>
+    Ulf Moeller <ulf@openssl.org>
+    Holger Reif <holger@openssl.org>
+    Paul C. Sutton <paul@openssl.org>
+
+%package devel
+Summary:        Include Files and Libraries mandatory for Development.
+Group:          Development/Libraries/C and C++
+Obsoletes:      openssls
+Requires:       openssl = %{version}
+
+%description devel
+This package contains all necessary include files and libraries needed
+to develop applications that require these.
+
+
+
+Authors:
+--------
+    Mark J. Cox <mark@openssl.org>
+    Ralf S. Engelschall <rse@openssl.org>
+    Dr. Stephen <Henson steve@openssl.org>
+    Ben Laurie <ben@openssl.org>
+    Bodo Moeller <bodo@openssl.org>
+    Ulf Moeller <ulf@openssl.org>
+    Holger Reif <holger@openssl.org>
+    Paul C. Sutton <paul@openssl.org>
+
+%package doc
+Summary:        Additional Package Documentation.
+Group:          Productivity/Networking/Security
+
+%description doc
+This package contains optional documentation provided in addition to
+this package's base documentation.
+
+
+
+Authors:
+--------
+    Mark J. Cox <mark@openssl.org>
+    Ralf S. Engelschall <rse@openssl.org>
+    Dr. Stephen <Henson steve@openssl.org>
+    Ben Laurie <ben@openssl.org>
+    Bodo Moeller <bodo@openssl.org>
+    Ulf Moeller <ulf@openssl.org>
+    Holger Reif <holger@openssl.org>
+    Paul C. Sutton <paul@openssl.org>
+
+%prep
+%setup -q 
+%patch -p1
+%patch1 -p1
+%patch2
+%patch7 -p1
+%patch8
+%patch9 -p1
+#%patch10 -p1
+%patch11
+%patch20 -p1
+%patch21
+%patch22
+cp -p %{S:10} .
+cp -p %{S:20} certs/
+cp -p %{S:21} certs/
+# lib64 installation fixes
+for i in Makefile.org engines/Makefile; do
+sed -e 	"s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/%_lib+g" \
+    -e	"s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/%_lib+g" \
+	$i > $i.t
+	diff -u $i $i.t ||:
+	mv $i.t $i
+done
+echo "adding/overwriting some entries in the 'table' hash in Configure"
+# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
+export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):'
+cat <<EOF_ED | ed -s Configure 
+/^);
+-
+i
+# local configuration added from specfile
+#config-string,  $cc:$cflags:$unistd:$thread_cflag:$sys_id:$lflags:$bn_ops:$cpuid_obj:$bn_obj:$des_obj:$aes_obj:$bf_obj:$md5_obj:$sha1_obj:$cast_obj:$rc4_obj:$rmd160_obj:$rc5_obj:$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
+"linux-elf",    "gcc:-DL_ENDIAN			::-D_REENTRANT::-ldl:BN_LLONG \${x86_gcc_des} \${x86_gcc_opts}:\${x86_elf_asm}:$DSO_SCHEME",
+"linux-ia64",   "gcc:-DL_ENDIAN			::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR::asm/ia64.o::::::::::		$DSO_SCHEME",
+"linux-ppc",    "gcc:-DB_ENDIAN			::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::::		$DSO_SCHEME",
+"linux-ppc64",  "gcc:-DB_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL SIXTY_FOUR_BIT_LONG::::::::::::	$DSO_SCHEME",
+"linux-elf-arm","gcc:-DL_ENDIAN			::-D_REENTRANT::-ldl:BN_LLONG::::::::::::							$DSO_SCHEME",
+"linux-mips",   "gcc:-DB_ENDIAN			::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::::		$DSO_SCHEME",
+"linux-sparcv7","gcc:-DB_ENDIAN			::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::			$DSO_SCHEME",
+"linux-sparcv8","gcc:-DB_ENDIAN -DBN_DIV2W -mv8	::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::asm/sparcv8.o::::::::::	$DSO_SCHEME",
+"linux-x86_64", "gcc:-DL_ENDIAN -DNO_ASM	::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::::						$DSO_SCHEME",
+"linux-s390",   "gcc:-DB_ENDIAN			::(unknown):   :-ldl:BN_LLONG::::::::::::							$DSO_SCHEME",
+"linux-s390x",  "gcc:-DB_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::::					$DSO_SCHEME",
+"linux-parisc",	"gcc:-DB_ENDIAN 		::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL DES_RISC1::::::::::::			$DSO_SCHEME",
+.
+wq
+EOF_ED
+# fix ENGINESDIR path
+sed -i 's,/lib/engines,/%_lib/engines,' Configure
+
+%build
+./config --test-sanity 
+#
+config_flags="threads shared no-rc5 no-idea \
+enable-camellia \
+zlib \
+--prefix=%{_prefix} \
+--openssldir=%{ssletcdir} \
+$RPM_OPT_FLAGS \
+-fomit-frame-pointer \
+-fno-strict-aliasing \
+-DTERMIO \
+-Wall \
+-fstack-protector "
+#
+%{!?do_profiling:%define do_profiling 0}
+%if %do_profiling
+	# generate feedback
+	./config $config_flags
+	make depend CC="gcc %cflags_profile_generate"
+	make CC="gcc %cflags_profile_generate"
+	LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate"
+	LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate"
+	LD_LIBRARY_PATH=`pwd` apps/openssl speed
+	make clean
+	# compile with feedback
+	# but not if it makes a cipher slower:
+	#find crypto/aes -name '*.da' | xargs -r rm
+	./config $config_flags %cflags_profile_feedback
+	make depend
+	make
+	LD_LIBRARY_PATH=`pwd` make rehash
+	LD_LIBRARY_PATH=`pwd` make test
+%else
+	./config $config_flags
+	make depend
+	make
+	LD_LIBRARY_PATH=`pwd` make rehash
+	%ifnarch armv4l
+	LD_LIBRARY_PATH=`pwd` make test
+	%endif
+%endif
+# show settings
+make TABLE
+echo $RPM_OPT_FLAGS
+eval $(egrep PLATFORM='[[:alnum:]]' Makefile)
+grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE 
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
+# install standard root certificates
+cp -pr certs/* $RPM_BUILD_ROOT/%{ssletcdir}/certs
+ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
+mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
+mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
+# ln -s %{ssletcdir}/certs 	$RPM_BUILD_ROOT/%{_datadir}/ssl/certs
+# ln -s %{ssletcdir}/private 	$RPM_BUILD_ROOT/%{_datadir}/ssl/private
+# ln -s %{ssletcdir}/openssl.cnf 	$RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
+#
+# avoid file conflicts with man pages from other packages
+#
+pushd $RPM_BUILD_ROOT/%{_mandir}
+# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
+# replace spaces by underscores
+#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
+which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
+for i in man?/*; do 
+	if test -L $i ; then
+	    LDEST=`readlink $i`
+	    rm -f $i ${i}ssl
+	    ln -sf ${LDEST}ssl ${i}ssl
+	else
+	    mv $i ${i}ssl
+        fi
+	case `basename ${i%.*}` in 
+	    asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509)
+		# these are the pages mentioned in openssl(1). They go into the main package.
+		echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;;
+	    *)	
+		# the rest goes into the openssl-doc package.
+		echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;;
+	esac
+done
+popd
+#
+# check wether some shared library has been installed
+#
+ls -l $RPM_BUILD_ROOT/%{_libdir}
+test -f $RPM_BUILD_ROOT/%{_libdir}/libssl.so.%{num_version}
+test -f $RPM_BUILD_ROOT/%{_libdir}/libcrypto.so.%{num_version}
+test -L $RPM_BUILD_ROOT/%{_libdir}/libssl.so
+test -L $RPM_BUILD_ROOT/%{_libdir}/libcrypto.so
+#
+# see what we've got
+#
+cat > showciphers.c <<EOF
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+void main(){
+unsigned int i;
+SSL_CTX *ctx;
+SSL *ssl;
+SSL_METHOD *meth;
+  meth = SSLv2_client_method();
+  SSLeay_add_ssl_algorithms();
+  ctx = SSL_CTX_new(meth);
+  if (ctx == NULL) return 0;
+  ssl = SSL_new(ctx);
+  if (!ssl) return 0;
+  for (i=0; ; i++) {
+    int j, k;
+    SSL_CIPHER *sc;
+    sc = (meth->get_cipher)(i);
+    if (!sc) break;
+    k = SSL_CIPHER_get_bits(sc, &j);
+    printf("%s\n", sc->name);
+  }
+  return 0;
+};
+EOF
+gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c
+gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto
+LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true
+cat AVAILABLE_CIPHERS
+
+%clean
+if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files devel
+%defattr(-, root, root)
+%{_includedir}/%{name}/
+%{_includedir}/ssl
+%{_libdir}/libcrypto.a
+%{_libdir}/libssl.a
+%{_libdir}/libcrypto.so
+%{_libdir}/libssl.so
+%_libdir/pkgconfig/libcrypto.pc
+%_libdir/pkgconfig/libssl.pc
+%_libdir/pkgconfig/openssl.pc
+
+%files doc -f filelist.doc
+%defattr(-, root, root)
+%doc doc/* demos
+%doc showciphers showciphers.c 
+
+%files -f filelist
+%defattr(-, root, root)
+%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
+%doc LICENSE NEWS README README.SuSE
+%dir %{ssletcdir}
+%config (noreplace) %{ssletcdir}/openssl.cnf
+%{ssletcdir}/certs
+%attr(700,root,root) %{ssletcdir}/private
+%dir %{_datadir}/ssl
+%{_datadir}/ssl/misc
+%{_bindir}/c_rehash
+%{_bindir}/%{name}
+%{_libdir}/libssl.so.%{num_version}
+%{_libdir}/libcrypto.so.%{num_version}
+%{_libdir}/engines
+
+%changelog -n openssl
+* Thu Nov 30 2006 - mkoenig@suse.de
+- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198
+* Mon Nov 06 2006 - poeml@suse.de
+- configure with 'zlib' instead of 'zlib-dynamic'. Build with the
+  latter, there are problems opening the libz when running on the
+  Via Epia or vmware platforms. [#213305]
+* Wed Oct 04 2006 - poeml@suse.de
+- add patch for the CVE-2006-2940 fix: the newly introduced limit
+  on DH modulus size could lead to a crash when exerted. [#208971]
+  Discovered and fixed after the 0.9.8d release.
+* Fri Sep 29 2006 - poeml@suse.de
+- update to 0.9.8d
+  *) Introduce limits to prevent malicious keys being able to
+  cause a denial of service.  (CVE-2006-2940)
+  *) Fix ASN.1 parsing of certain invalid structures that can result
+  in a denial of service.  (CVE-2006-2937)
+  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
+  (CVE-2006-3738)
+  *) Fix SSL client code which could crash if connecting to a
+  malicious SSLv2 server.  (CVE-2006-4343)
+  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
+  match only those.  Before that, "AES256-SHA" would be interpreted
+  as a pattern and match "AES128-SHA" too (since AES128-SHA got
+  the same strength classification in 0.9.7h) as we currently only
+  have a single AES bit in the ciphersuite description bitmap.
+  That change, however, also applied to ciphersuite strings such as
+  "RC4-MD5" that intentionally matched multiple ciphersuites --
+  namely, SSL 2.0 ciphersuites in addition to the more common ones
+  from SSL 3.0/TLS 1.0.
+  So we change the selection algorithm again: Naming an explicit
+  ciphersuite selects this one ciphersuite, and any other similar
+  ciphersuite (same bitmap) from *other* protocol versions.
+  Thus, "RC4-MD5" again will properly select both the SSL 2.0
+  ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
+  Since SSL 2.0 does not have any ciphersuites for which the
+  128/256 bit distinction would be relevant, this works for now.
+  The proper fix will be to use different bits for AES128 and
+  AES256, which would have avoided the problems from the beginning;
+  however, bits are scarce, so we can only do this in a new release
+  (not just a patchlevel) when we can change the SSL_CIPHER
+  definition to split the single 'unsigned long mask' bitmap into
+  multiple values to extend the available space.
+- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected
+  [openssl.org #1397]
+* Fri Sep 08 2006 - schwab@suse.de
+- Fix inverted logic.
+* Wed Sep 06 2006 - poeml@suse.de
+- update to 0.9.8c
+  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
+  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+  (CVE-2006-4339)  [Ben Laurie and Google Security Team]
+  *) Add AES IGE and biIGE modes.  [Ben Laurie]
+  *) Change the Unix randomness entropy gathering to use poll() when
+  possible instead of select(), since the latter has some
+  undesirable limitations.  [Darryl Miles via Richard Levitte and Bodo Moeller]
+  *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
+  treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+  cannot be implicitly activated as part of, e.g., the "AES" alias.
+  However, please upgrade to OpenSSL 0.9.9[-dev] for
+  non-experimental use of the ECC ciphersuites to get TLS extension
+  support, which is required for curve and point format negotiation
+  to avoid potential handshake problems.  [Bodo Moeller]
+  *) Disable rogue ciphersuites:
+      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+  The latter two were purportedly from
+  draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+  appear there.
+  Also deactive the remaining ciphersuites from
+  draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
+  unofficial, and the ID has long expired.  [Bodo Moeller]
+  *) Fix RSA blinding Heisenbug (problems sometimes occured on
+  dual-core machines) and other potential thread-safety issues.
+  [Bodo Moeller]
+  *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
+  versions), which is now available for royalty-free use
+  (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
+  Also, add Camellia TLS ciphersuites from RFC 4132.
+  To minimize changes between patchlevels in the OpenSSL 0.9.8
+  series, Camellia remains excluded from compilation unless OpenSSL
+  is configured with 'enable-camellia'.  [NTT]
+  *) Disable the padding bug check when compression is in use. The padding
+  bug check assumes the first packet is of even length, this is not
+  necessarily true if compresssion is enabled and can result in false
+  positives causing handshake failure. The actual bug test is ancient
+  code so it is hoped that implementations will either have fixed it by
+  now or any which still have the bug do not support compression.
+  [Steve Henson]
+  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
+  *) When applying a cipher rule check to see if string match is an explicit
+  cipher suite and only match that one cipher suite if it is.  [Steve Henson]
+  *) Link in manifests for VC++ if needed.  [Austin Ziegler <halostatue@gmail.com>]
+  *) Update support for ECC-based TLS ciphersuites according to
+  draft-ietf-tls-ecc-12.txt with proposed changes (but without
+  TLS extensions, which are supported starting with the 0.9.9
+  branch, not in the OpenSSL 0.9.8 branch).  [Douglas Stebila]
+  *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+  opaque EVP_CIPHER_CTX handling.  [Steve Henson]
+  *) Fixes and enhancements to zlib compression code. We now only use
+  "zlib1.dll" and use the default __cdecl calling convention on Win32
+  to conform with the standards mentioned here:
+  http://www.zlib.net/DLL_FAQ.txt
+  Static zlib linking now works on Windows and the new --with-zlib-include
+     --with-zlib-lib options to Configure can be used to supply the location
+  of the headers and library. Gracefully handle case where zlib library
+  can't be loaded.  [Steve Henson]
+  *) Several fixes and enhancements to the OID generation code. The old code
+  sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+  handle numbers larger than ULONG_MAX, truncated printing and had a
+  non standard OBJ_obj2txt() behaviour.  [Steve Henson]
+  *) Add support for building of engines under engine/ as shared libraries
+  under VC++ build system.  [Steve Henson]
+  *) Corrected the numerous bugs in the Win32 path splitter in DSO.
+  Hopefully, we will not see any false combination of paths any more.
+  [Richard Levitte]
+- enable Camellia cipher. There is a royalty free license to the
+  patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html.
+  NOTE: the license forbids patches to the cipher.
+- build with zlib-dynamic and add zlib-devel to BuildRequires.
+  Allows compression of data in TLS, although few application would
+  actually use it since there is no standard for negotiating the
+  compression method. The only one I know if is stunnel.
+* Fri Jun 02 2006 - poeml@suse.de
+- fix built-in ENGINESDIR for 64 bit architectures. We change only
+  the builtin search path for engines, not the path where engines
+  are packaged. Path can be overridden with the OPENSSL_ENGINES
+  environment variable. [#179094]
+* Wed Jan 25 2006 - mls@suse.de
+- converted neededforbuild to BuildRequires
+* Mon Jan 16 2006 - mc@suse.de
+- fix build problems on s390x (openssl-s390-config.diff)
+- build with -fstack-protector
+* Mon Nov 07 2005 - dmueller@suse.de
+- build with non-executable stack
+* Thu Oct 20 2005 - poeml@suse.de
+- fix unguarded free() which can cause a segfault in the ca
+  commandline app [#128655]
+* Thu Oct 13 2005 - poeml@suse.de
+- add Geotrusts Equifax Root1 CA certificate, which needed to
+  verify the authenticity of you.novell.com [#121966]
+* Tue Oct 11 2005 - poeml@suse.de
+- update to 0.9.8a
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+  (part of SSL_OP_ALL).  This option used to disable the
+  countermeasure against man-in-the-middle protocol-version
+  rollback in the SSL 2.0 server implementation, which is a bad
+  idea.  (CAN-2005-2969)
+  *) Add two function to clear and return the verify parameter flags.
+  *) Keep cipherlists sorted in the source instead of sorting them at
+  runtime, thus removing the need for a lock.
+  *) Avoid some small subgroup attacks in Diffie-Hellman.
+  *) Add functions for well-known primes.
+  *) Extended Windows CE support.
+  *) Initialize SSL_METHOD structures at compile time instead of during
+  runtime, thus removing the need for a lock.
+  *) Make PKCS7_decrypt() work even if no certificate is supplied by
+  attempting to decrypt each encrypted key in turn. Add support to
+  smime utility.
+* Thu Sep 29 2005 - poeml@suse.de
+- update to 0.9.8
+  see CHANGES file or http://www.openssl.org/news/changelog.html
+- adjust patches
+- drop obsolete openssl-no-libc.diff
+- disable libica patch until it has been ported
+* Fri May 20 2005 - poeml@suse.de
+- update to 0.9.7g. The significant changes are:
+  *) Fixes for newer kerberos headers. NB: the casts are needed because
+  the 'length' field is signed on one version and unsigned on another
+  with no (?) obvious way to tell the difference, without these VC++
+  complains. Also the "definition" of FAR (blank) is no longer included
+  nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+  some needed definitions.
+  *) Added support for proxy certificates according to RFC 3820.
+  Because they may be a security thread to unaware applications,
+  they must be explicitely allowed in run-time.  See
+  docs/HOWTO/proxy_certificates.txt for further information.
+* Tue May 17 2005 - schwab@suse.de
+- Include %%cflags_profile_generate in ${CC} since it is required for
+  linking as well.
+- Remove explicit reference to libc.
+* Fri Apr 08 2005 - poeml@suse.de
+- update to 0.9.7f. The most significant changes are:
+  o Several compilation issues fixed.
+  o Many memory allocation failure checks added.
+  o Improved comparison of X509 Name type.
+  o Mandatory basic checks on certificates.
+  o Performance improvements.
+  (for a complete list see http://www.openssl.org/source/exp/CHANGES)
+- adjust openssl-0.9.7f-ppc64.diff
+- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435]
+* Tue Jan 04 2005 - poeml@suse.de
+- update to 0.9.7e
+  *) Avoid a race condition when CRLs are checked in a multi
+  threaded environment. This would happen due to the reordering
+  of the revoked entries during signature checking and serial
+  number lookup. Now the encoding is cached and the serial
+  number sort performed under a lock.  Add new STACK function
+  sk_is_sorted().
+  *) Add Delta CRL to the extension code.
+  *) Various fixes to s3_pkt.c so alerts are sent properly.
+  *) Reduce the chances of duplicate issuer name and serial numbers
+  (in violation of RFC3280) using the OpenSSL certificate
+  creation utilities.  This is done by creating a random 64 bit
+  value for the initial serial number when a serial number file
+  is created or when a self signed certificate is created using
+  'openssl req -x509'. The initial serial number file is created
+  using 'openssl x509 -next_serial' in CA.pl rather than being
+  initialized to 1.
+- remove obsolete patches
+- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch
+  Makefile, not Makefile.ssl
+- fixup for spaces in names of man pages not needed now
+- pack /usr/bin/openssl_fips_fingerprint
+- in rpm post/postun script, run /sbin/ldconfig directly (the macro
+  is deprecated)
+* Mon Oct 18 2004 - poeml@suse.de
+- don't install openssl.doxy file [#45210]
+* Thu Jul 29 2004 - poeml@suse.de
+- apply patch from CVS to fix segfault in S/MIME encryption
+  (http://cvs.openssl.org/chngview?cn=12081, regression in
+  openssl-0.9.7d) [#43386]
+* Mon Jul 12 2004 - mludvig@suse.cz
+- Updated VIA PadLock engine.
+* Wed Jun 30 2004 - mludvig@suse.cz
+- Updated openssl-0.9.7d-padlock-engine.diff with support for
+  AES192, AES256 and RNG.
+* Tue Jun 15 2004 - poeml@suse.de
+- update IBM ICA patch to last night's version. Fixes ibmca_init()
+  to reset ibmca_dso=NULL after calling DSO_free(), if the device
+  driver could not be loaded. The bug lead to a segfault triggered
+  by stunnel, which does autoload available engines [#41874]
+- patch from CVS: make stack API more robust (return NULL for
+  out-of-range indexes). Fixes another possible segfault during
+  engine detection (could also triggered by stunnel)
+- add patch from Michal Ludvig for VIA PadLock support
+* Wed Jun 02 2004 - poeml@suse.de
+- add root certificate for the ICP-Brasil CA [#41546]
+* Thu May 13 2004 - poeml@suse.de
+- add patch to use default_md for CRLs too [#40435]
+* Tue May 04 2004 - poeml@suse.de
+- update ICA patch to apr292004 release [#39695]
+* Thu Mar 18 2004 - poeml@suse.de
+- update to 0.9.7d
+  o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
+  (CAN-2004-0112)
+  o Security: Fix null-pointer assignment in do_change_cipher_spec()
+  (CAN-2004-0079)
+  o Allow multiple active certificates with same subject in CA index
+  o Multiple X590 verification fixes
+  o Speed up HMAC and other operations
+- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around
+  IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has
+  OPENSSL_NO_IDEA around it
+- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the
+  pod file)
+- permissions of lib/pkgconfig fixed
+* Wed Feb 25 2004 - poeml@suse.de
+- update to 0.9.7c
+  *) Fix various bugs revealed by running the NISCC test suite:
+  Stop out of bounds reads in the ASN1 code when presented with
+  invalid tags (CAN-2003-0543 and CAN-2003-0544).
+  Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+  If verify callback ignores invalid public key errors don't try to check
+  certificate signature with the NULL public key.
+  *) New -ignore_err option in ocsp application to stop the server
+  exiting on the first error in a request.
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+  if the server requested one: as stated in TLS 1.0 and SSL 3.0
+  specifications.
+  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+  extra data after the compression methods not only for TLS 1.0
+  but also for SSL 3.0 (as required by the specification).
+  *) Change X509_certificate_type() to mark the key as exported/exportable
+  when it's 512 *bits* long, not 512 bytes.
+  *) Change AES_cbc_encrypt() so it outputs exact multiple of
+  blocks during encryption.
+  *) Various fixes to base64 BIO and non blocking I/O. On write
+  flushes were not handled properly if the BIO retried. On read
+  data was not being buffered properly and had various logic bugs.
+  This also affects blocking I/O when the data being decoded is a
+  certain size.
+  *) Various S/MIME bugfixes and compatibility changes:
+  output correct application/pkcs7 MIME type if
+  PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+  Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+  of files as .eml work). Correctly handle very long lines in MIME
+  parser.
+- update ICA patch
+  quote: This version of the engine patch has updated error handling in
+  the DES/SHA code, and turns RSA blinding off for hardware
+  accelerated RSA ops.
+- filenames of some man pages contain spaces now. Replace them with
+  underscores
+- fix compiler warnings in showciphers.c
+- fix permissions of /usr/%%_lib/pkgconfig
+* Sat Jan 10 2004 - adrian@suse.de
+- add %%run_ldconfig
+- remove unneeded PreRequires
+* Tue Nov 18 2003 - poeml@suse.de
+- ditch annoying mail to root about moved locations [#31969]
+* Wed Aug 13 2003 - poeml@suse.de
+- enable profile feedback based optimizations (except AES which
+  becomes slower)
+- add -fno-strict-aliasing, due to warnings about code where
+  dereferencing type-punned pointers will break strict aliasing
+- make a readlink function if readlink is not available
+* Mon Aug 04 2003 - ro@suse.de
+- fixed manpages symlinks
+* Wed Jul 30 2003 - meissner@suse.de
+- Fix Makefile to create pkgconfig file with lib64 on lib64 systems.
+* Sun Jul 27 2003 - poeml@suse.de
+- don't explicitely strip binaries since RPM handles it, and may
+  keep the stripped information somewhere
+* Tue Jul 15 2003 - meissner@suse.de
+- -DMD32_REG_T=int for ppc64 and s390x.
+* Thu Jul 10 2003 - poeml@suse.de
+- update ibm ICA patch to 20030708 release (libica-1.3)
+* Mon May 12 2003 - poeml@suse.de
+- package the openssl.pc file for pkgconfig
+* Wed Apr 16 2003 - poeml@suse.de
+- update to 0.9.7b. The most significant changes are:
+  o New library section OCSP.
+  o Complete rewrite of ASN1 code.
+  o CRL checking in verify code and openssl utility.
+  o Extension copying in 'ca' utility.
+  o Flexible display options in 'ca' utility.
+  o Provisional support for international characters with UTF8.
+  o Support for external crypto devices ('engine') is no longer
+  a separate distribution.
+  o New elliptic curve library section.
+  o New AES (Rijndael) library section.
+  o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
+  Linux x86_64, Linux 64-bit on Sparc v9
+  o Extended support for some platforms: VxWorks
+  o Enhanced support for shared libraries.
+  o Now only builds PIC code when shared library support is requested.
+  o Support for pkg-config.
+  o Lots of new manuals.
+  o Makes symbolic links to or copies of manuals to cover all described
+  functions.
+  o Change DES API to clean up the namespace (some applications link also
+  against libdes providing similar functions having the same name).
+  Provide macros for backward compatibility (will be removed in the
+  future).
+  o Unify handling of cryptographic algorithms (software and engine)
+  to be available via EVP routines for asymmetric and symmetric ciphers.
+  o NCONF: new configuration handling routines.
+  o Change API to use more 'const' modifiers to improve error checking
+  and help optimizers.
+  o Finally remove references to RSAref.
+  o Reworked parts of the BIGNUM code.
+  o Support for new engines: Broadcom ubsec, Accelerated Encryption
+  Processing, IBM 4758.
+  o A few new engines added in the demos area.
+  o Extended and corrected OID (object identifier) table.
+  o PRNG: query at more locations for a random device, automatic query for
+  EGD style random sources at several locations.
+  o SSL/TLS: allow optional cipher choice according to server's preference.
+  o SSL/TLS: allow server to explicitly set new session ids.
+  o SSL/TLS: support Kerberos cipher suites (RFC2712).
+  Only supports MIT Kerberos for now.
+  o SSL/TLS: allow more precise control of renegotiations and sessions.
+  o SSL/TLS: add callback to retrieve SSL/TLS messages.
+  o SSL/TLS: support AES cipher suites (RFC3268).
+- adapt the ibmca patch
+- remove openssl-nocrypt.diff, openssl's crypt() vanished
+- configuration syntax has changed ($sys_id added before $lflags)
+* Thu Feb 20 2003 - poeml@suse.de
+- update to bugfix release 0.9.6i:
+  - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize
+  information leaked via timing by performing a MAC computation
+  even if incorrrect block cipher padding has been found.  This
+  is a countermeasure against active attacks where the attacker
+  has to distinguish between bad padding and a MAC verification
+  error.  (CAN-2003-0078)
+  - a few more small bugfixes (mainly missing assertions)
+* Fri Dec 06 2002 - poeml@suse.de
+- update to 0.9.6h (last release in the 0.9.6 series)
+  o New configuration targets for Tandem OSS and A/UX.
+  o New OIDs for Microsoft attributes.
+  o Better handling of SSL session caching.
+  o Better comparison of distinguished names.
+  o Better handling of shared libraries in a mixed GNU/non-GNU environment.
+  o Support assembler code with Borland C.
+  o Fixes for length problems.
+  o Fixes for uninitialised variables.
+  o Fixes for memory leaks, some unusual crashes and some race conditions.
+  o Fixes for smaller building problems.
+  o Updates of manuals, FAQ and other instructive documents.
+- add a call to make depend
+- fix sed expression (lib -> lib64) to replace multiple occurences
+  on one line
+* Mon Nov 04 2002 - stepan@suse.de
+- fix openssl for alpha ev56 cpus
+* Thu Oct 24 2002 - poeml@suse.de
+- own the /usr/share/ssl directory [#20849]
+- openssl-hppa-config.diff can be applied on all architectures
+* Mon Sep 30 2002 - bg@suse.de
+- enable hppa distribution; use only pa1.1 architecture.
+* Tue Sep 17 2002 - froh@suse.de
+- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953)
+* Mon Aug 12 2002 - poeml@suse.de
+- update to 0.9.6g and drop the now included ASN1 check patch.
+  Other change:
+  - Use proper error handling instead of 'assertions' in buffer
+  overflow checks added in 0.9.6e.  This prevents DoS (the
+  assertions could call abort()).
+* Fri Aug 09 2002 - kukuk@suse.de
+- Fix requires of openssl-devel subpackage
+* Tue Aug 06 2002 - draht@suse.de
+- Correction for changes in the ASN1 code, assembled in
+  openssl-0.9.6e-cvs-20020802-asn1_lib.diff
+* Thu Aug 01 2002 - poeml@suse.de
+- update to 0.9.6e. Major changes:
+  o Various security fixes (sanity checks to asn1_get_length(),
+  various remote buffer overflows)
+  o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the
+  countermeasure against a vulnerability in the CBC ciphersuites
+  in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to
+  be incompatible with buggy SSL implementations
+- update ibmca crypto hardware patch (security issues fixed)
+- gcc 3.1 version detection is fixed, we can drop the patch
+- move the most used man pages from the -doc to the main package
+  [#9913] and resolve man page conflicts by putting them into ssl
+  sections [#17239]
+- spec file: use PreReq for %%post script
+* Fri Jul 12 2002 - poeml@suse.de
+- update to 0.9.6d. Major changes:
+  o Various SSL/TLS library bugfixes.
+  o Fix DH parameter generation for 'non-standard' generators.
+  Complete Changelog: http://www.openssl.org/news/changelog.html
+- supposed to fix a session caching failure occuring with postfix
+- simplify local configuration for the architectures
+- there's a new config variable: $shared_ldflag
+- use RPM_OPT_FLAGS in favor of predifined cflags by appending them
+  at the end
+- validate config data (config --check-sanity)
+- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982]
+- move configuration to /etc/ssl [#14387]
+- mark openssl.cnf %%config (noreplace)
+* Sat Jul 06 2002 - schwab@suse.de
+- Include <crypt.h> to get crypt prototype.
+* Fri Jul 05 2002 - kukuk@suse.de
+- Remove crypt prototype from des.h header file, too.
+* Mon Jun 10 2002 - meissner@suse.de
+- enhanced ppc64 support (needs seperate config), reenabled make check
+* Fri May 31 2002 - olh@suse.de
+- add ppc64 support, temporary disable make check
+* Thu Apr 18 2002 - meissner@suse.de
+- fixed x86_64 build, added bc to needed_for_build (used by tests)
+* Wed Apr 17 2002 - ro@suse.de
+- fixed gcc version determination
+- drop sun4c support/always use sparcv8
+- ignore return code from showciphers
+* Fri Mar 15 2002 - poeml@suse.de
+- add settings for sparc to build shared objects. Note that all
+  sparcs (sun4[mdu]) are recognized as linux-sparcv7
+* Wed Feb 06 2002 - kukuk@suse.de
+- Remove crypt function from libcrypto.so.0 [Bug #13056]
+* Sun Feb 03 2002 - poeml@suse.de
+- add settings for mips to build shared objects
+- print out all settings to the build log
+* Tue Jan 29 2002 - poeml@suse.de
+- update to 0.9.6c:
+  o bug fixes
+  o support for hardware crypto devices (Cryptographic Appliances,
+  Broadcom, and Accelerated Encryption Processing)
+- add IBMCA patch for IBM eServer Cryptographic Accelerator Device
+  Driver (#12565) (forward ported from 0.9.6b)
+  (http://www-124.ibm.com/developerworks/projects/libica/)
+- tell Configure how to build shared libs for s390 and s390x
+- tweak Makefile.org to use %%_libdir
+- clean up spec file
+- add README.SuSE as source file instead of in a patch
+* Wed Dec 05 2001 - uli@suse.de
+- disabled "make test" for ARM (destest segfaults, the other tests
+  seem to succeed)
+* Wed Dec 05 2001 - ro@suse.de
+- removed subpackage src
+* Wed Nov 28 2001 - uli@suse.de
+- needs -ldl on ARM, too
+* Mon Nov 19 2001 - mls@suse.de
+- made mips big endian, fixed shared library creation for mips
+* Fri Aug 31 2001 - rolf@suse.de
+- added root certificates [BUG#9913]
+- move from /usr/ssh to /usr/share/ssl
+* Wed Jul 18 2001 - rolf@suse.de
+- update to 0.9.6b
+- switch to engine version of openssl, which supports hardware
+  encryption for a few popular devices
+- check wether shared libraries have been generated
+* Thu Jul 05 2001 - rolf@suse.de
+- appliy PRNG security patch
+* Tue Jun 12 2001 - bk@suse.de
+- added support for s390x
+* Mon May 07 2001 - kukuk@suse.de
+- Fix building of shared libraries on SPARC, too.
+* Mon May 07 2001 - rolf@suse.de
+- Fix ppc and s390 shared library builds
+- resolved conflict in manpage naming:
+  rand.3 is now sslrand.3 [BUG#7643]
+* Tue May 01 2001 - schwab@suse.de
+- Fix ia64 configuration.
+- Fix link command.
+* Thu Apr 26 2001 - bjacke@suse.de
+- updated to 0.96a
+* Wed Apr 18 2001 - kkaempf@suse.de
+- provide .so files in -devel package only
+* Tue Apr 17 2001 - bjacke@suse.de
+- resolve file name conflict (#6966)
+* Wed Mar 21 2001 - rolf@suse.de
+- new subpackage openssl-src [BUG#6383]
+- added README.SuSE which explains where to find the man pages [BUG#6717]
+* Fri Dec 15 2000 - sf@suse.de
+- changed CFLAG to -O1 to make the tests run successfully
+* Mon Dec 11 2000 - rolf@suse.de
+- build openssl with no-idea and no-rc5 to meet US & RSA regulations
+- build with -fPIC on all platforms (especially IA64)
+* Wed Nov 22 2000 - rolf@suse.de
+- rename openssls to openssl-devel and add shared libs and header files
+- new subpackge openssl-doc for manpages and documentation
+- use BuildRoot
+* Fri Oct 27 2000 - schwab@suse.de
+- Add link-time links for libcrypto and libssl.
+- Make sure that LD_LIBRARY_PATH is passed down to sub-makes.
+* Mon Oct 02 2000 - rolf@suse.de
+- update to 0.9.6
+* Mon Apr 10 2000 - bk@suse.de
+- fix support for s390-linux
+* Mon Apr 10 2000 - rolf@suse.de
+- new version 0.9.5a
+* Sun Apr 09 2000 - bk@suse.de
+- add support for s390-linux
+* Mon Mar 27 2000 - kukuk@suse.de
+- Use sparcv7 for SPARC
+* Wed Mar 01 2000 - rolf@suse.de
+- move manpages back, as too many conflict with system manuals
+* Wed Mar 01 2000 - rolf@suse.de
+- move manpages to %%{_mandir}
+- include static libraries
+* Wed Mar 01 2000 - bk@suse.de
+- added subpackage source openssls, needed for ppp_ssl
+* Tue Feb 29 2000 - rolf@suse.de
+- new version 0.9.5
+* Thu Feb 24 2000 - schwab@suse.de
+- add support for ia64-linux
+* Mon Jan 31 2000 - kukuk@suse.de
+- Create and add libcrypto.so.0 and libssl.so.0
+* Mon Sep 13 1999 - bs@suse.de
+- ran old prepare_spec on spec file to switch to new prepare_spec.
+* Wed Sep 01 1999 - rolf@suse.de
+- new version 0.9.4
+* Wed May 26 1999 - rolf@suse.de
+- new version 0.9.3 with new layout
+- alpha asm disabled by default now, no patch needed
+* Thu May 20 1999 - ro@suse.de
+- disable asm for alpha: seems incomplete
+* Mon May 17 1999 - rolf@suse.de
+- don't use -DNO_IDEA
+* Wed May 12 1999 - rolf@suse.de
+- first version 0.9.2b
diff --git a/openssl.test b/openssl.test
new file mode 100644
index 0000000..46796de
--- /dev/null
+++ b/openssl.test
@@ -0,0 +1,3 @@
+
+openssl autmatically tests iteslf, no further testing needed
+
diff --git a/ready b/ready
new file mode 100644
index 0000000..473a0f4