From 555d1d3ad92ade3e12c88f4c9a987ca7423fa1b149ccdee2342714b3bc36192b Mon Sep 17 00:00:00 2001
From: Sascha Peilicke <null@suse.de>
Date: Fri, 15 Apr 2011 07:20:15 +0000
Subject: [PATCH] Accepting request 67324 from Base:System

Accepted submit request 67324 from user coolo

OBS-URL: https://build.opensuse.org/request/show/67324
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=52
---
 CVE-2011-0014.patch                           |  28 ---
 _service                                      |  12 +
 _service:download_url:openssl-1.0.0d.tar.gz   |   3 +
 bug610223.patch                               |   8 +-
 ...esni.patch => openssl-1.0.0-aesni-v4.patch | 237 ++++++++----------
 openssl-1.0.0c.tar.bz2                        |   3 -
 openssl-padlock-x86_64-head.patch             | 215 ++++++++++++++++
 openssl.changes                               |  19 ++
 openssl.spec                                  |  49 +++-
 9 files changed, 397 insertions(+), 177 deletions(-)
 delete mode 100644 CVE-2011-0014.patch
 create mode 100644 _service
 create mode 100644 _service:download_url:openssl-1.0.0d.tar.gz
 rename openssl-1.0.0b-aesni.patch => openssl-1.0.0-aesni-v4.patch (91%)
 delete mode 100644 openssl-1.0.0c.tar.bz2
 create mode 100644 openssl-padlock-x86_64-head.patch

diff --git a/CVE-2011-0014.patch b/CVE-2011-0014.patch
deleted file mode 100644
index ac65f0e..0000000
--- a/CVE-2011-0014.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Index: openssl-1.0.0c/ssl/t1_lib.c
-===================================================================
---- openssl-1.0.0c.orig/ssl/t1_lib.c
-+++ openssl-1.0.0c/ssl/t1_lib.c
-@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- 						}
- 					n2s(data, idsize);
- 					dsize -= 2 + idsize;
-+					size -= 2 + idsize;
- 					if (dsize < 0)
- 						{
- 						*al = SSL_AD_DECODE_ERROR;
-@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- 					}
- 
- 				/* Read in request_extensions */
-+				if (size < 2)
-+				{
-+					*al = SSL_AD_DECODE_ERROR;
-+					return 0;
-+				}
- 				n2s(data,dsize);
- 				size -= 2;
--				if (dsize > size) 
-+				if (dsize != size) 
- 					{
- 					*al = SSL_AD_DECODE_ERROR;
- 					return 0;
diff --git a/_service b/_service
new file mode 100644
index 0000000..99d1cef
--- /dev/null
+++ b/_service
@@ -0,0 +1,12 @@
+<services>
+  <service name="download_url">
+    <param name="protocol">http</param>
+    <param name="host">www.openssl.org</param>
+    <param name="path">/source/openssl-1.0.0d.tar.gz</param>
+  </service>
+  <service name="verify_file">
+    <param name="file">_service:download_url:openssl-1.0.0d.tar.gz</param>
+    <param name="verifier">sha256</param>
+    <param name="checksum">92511d1f0caaa298dba250426f8e7d5d00b271847886d1adc62422778d6320db</param>
+  </service>
+</services>
\ No newline at end of file
diff --git a/_service:download_url:openssl-1.0.0d.tar.gz b/_service:download_url:openssl-1.0.0d.tar.gz
new file mode 100644
index 0000000..d41c3d6
--- /dev/null
+++ b/_service:download_url:openssl-1.0.0d.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:92511d1f0caaa298dba250426f8e7d5d00b271847886d1adc62422778d6320db
+size 4025484
diff --git a/bug610223.patch b/bug610223.patch
index 957125e..3c7037a 100644
--- a/bug610223.patch
+++ b/bug610223.patch
@@ -1,8 +1,6 @@
-Index: openssl-1.0.0/Configure
-===================================================================
---- openssl-1.0.0.orig/Configure
-+++ openssl-1.0.0/Configure
-@@ -1673,7 +1673,8 @@ while (<IN>)
+--- Configure.orig
++++ Configure
+@@ -1688,7 +1688,8 @@ while (<IN>)
  		}
  	elsif	(/^#define\s+ENGINESDIR/)
  		{
diff --git a/openssl-1.0.0b-aesni.patch b/openssl-1.0.0-aesni-v4.patch
similarity index 91%
rename from openssl-1.0.0b-aesni.patch
rename to openssl-1.0.0-aesni-v4.patch
index 3b07c2f..73f10a3 100644
--- a/openssl-1.0.0b-aesni.patch
+++ b/openssl-1.0.0-aesni-v4.patch
@@ -1,6 +1,5 @@
-diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
---- openssl-1.0.0b/Configure.aesni	2010-11-16 17:33:22.000000000 +0100
-+++ openssl-1.0.0b/Configure	2010-11-16 17:35:15.000000000 +0100
+--- Configure.orig
++++ Configure
 @@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket";
  my $bits1="THIRTY_TWO_BIT ";
  my $bits2="SIXTY_FOUR_BIT ";
@@ -15,16 +14,7 @@ diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
  my $ia64_asm="ia64cpuid.o:bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::void";
  my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::void";
  my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::void";
-@@ -491,7 +491,7 @@ my %table=(
- #
- # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
- "VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
--"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
-+"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
- "debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
- "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
- # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
-@@ -1419,6 +1419,7 @@ if ($rmd160_obj =~ /\.o$/)
+@@ -1410,6 +1410,7 @@ if ($rmd160_obj =~ /\.o$/)
  if ($aes_obj =~ /\.o$/)
  	{
  	$cflags.=" -DAES_ASM";
@@ -32,9 +22,102 @@ diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
  	}
  else	{
  	$aes_obj=$aes_enc;
-diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl
---- openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni	2010-11-16 17:33:23.000000000 +0100
-+++ openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl	2010-11-16 17:33:23.000000000 +0100
+--- crypto/aes/Makefile.orig
++++ crypto/aes/Makefile
+@@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S
+ 
+ aes-586.s:	asm/aes-586.pl ../perlasm/x86asm.pl
+ 	$(PERL) asm/aes-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
++aesni-x86.s:	asm/aesni-x86.pl ../perlasm/x86asm.pl
++	$(PERL) asm/aesni-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
+ 
+ aes-x86_64.s: asm/aes-x86_64.pl
+ 	$(PERL) asm/aes-x86_64.pl $(PERLASM_SCHEME) > $@
++aesni-x86_64.s: asm/aesni-x86_64.pl
++	$(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@
+ 
+ aes-sparcv9.s: asm/aes-sparcv9.pl
+ 	$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
+--- crypto/engine/Makefile.orig
++++ crypto/engine/Makefile
+@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e
+ 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
+ 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
+ 	tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \
+-	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c
++	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \
++	eng_aesni.c
+ LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
+ 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
+ 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
+ 	tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \
+-	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o
++	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \
++	eng_aesni.o
+ 
+ SRC= $(LIBSRC)
+ 
+--- crypto/engine/eng_all.c.orig
++++ crypto/engine/eng_all.c
+@@ -61,6 +61,8 @@
+ 
+ void ENGINE_load_builtin_engines(void)
+ 	{
++	/* Engines may depend on CPU capabilities */
++	OPENSSL_cpuid_setup();
+ #if 0
+ 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
+ 	 * it is the *only* way for standard builtin implementations to be be
+@@ -71,6 +73,9 @@ void ENGINE_load_builtin_engines(void)
+ #if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
+ 	ENGINE_load_cryptodev();
+ #endif
++#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI)
++	ENGINE_load_aesni();
++#endif
+ 	ENGINE_load_dynamic();
+ #ifndef OPENSSL_NO_STATIC_ENGINE
+ #ifndef OPENSSL_NO_HW
+@@ -112,6 +117,7 @@ void ENGINE_load_builtin_engines(void)
+ 	ENGINE_load_capi();
+ #endif
+ #endif
++	ENGINE_register_all_complete();
+ 	}
+ 
+ #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
+--- crypto/engine/engine.h.orig
++++ crypto/engine/engine.h
+@@ -344,6 +344,7 @@ void ENGINE_load_gost(void);
+ #endif
+ #endif
+ void ENGINE_load_cryptodev(void);
++void ENGINE_load_aesni(void);
+ void ENGINE_load_builtin_engines(void);
+ 
+ /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
+--- crypto/evp/evp.h.orig
++++ crypto/evp/evp.h
+@@ -1190,6 +1190,7 @@ void ERR_load_EVP_strings(void);
+ /* Error codes for the EVP functions. */
+ 
+ /* Function codes. */
++#define EVP_F_AESNI_INIT_KEY				 165
+ #define EVP_F_AES_INIT_KEY				 133
+ #define EVP_F_CAMELLIA_INIT_KEY				 159
+ #define EVP_F_D2I_PKEY					 100
+--- crypto/evp/evp_err.c.orig
++++ crypto/evp/evp_err.c
+@@ -70,6 +70,7 @@
+ 
+ static ERR_STRING_DATA EVP_str_functs[]=
+ 	{
++{ERR_FUNC(EVP_F_AESNI_INIT_KEY),	"AESNI_INIT_KEY"},
+ {ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
+ {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY),	"CAMELLIA_INIT_KEY"},
+ {ERR_FUNC(EVP_F_D2I_PKEY),	"D2I_PKEY"},
+--- /dev/null
++++ crypto/aes/asm/aesni-x86.pl
 @@ -0,0 +1,765 @@
 +#!/usr/bin/env perl
 +
@@ -801,9 +884,8 @@ diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/
 +&asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
 +
 +&asm_finish();
-diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl
---- openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni	2010-11-16 17:33:23.000000000 +0100
-+++ openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl	2010-11-16 17:33:23.000000000 +0100
+--- /dev/null
++++ crypto/aes/asm/aesni-x86_64.pl
 @@ -0,0 +1,991 @@
 +#!/usr/bin/env perl
 +#
@@ -1796,27 +1878,9 @@ diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/cryp
 +print $code;
 +
 +close STDOUT;
-diff -up openssl-1.0.0b/crypto/aes/Makefile.aesni openssl-1.0.0b/crypto/aes/Makefile
---- openssl-1.0.0b/crypto/aes/Makefile.aesni	2008-12-23 12:33:00.000000000 +0100
-+++ openssl-1.0.0b/crypto/aes/Makefile	2010-11-16 17:33:23.000000000 +0100
-@@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S
- 
- aes-586.s:	asm/aes-586.pl ../perlasm/x86asm.pl
- 	$(PERL) asm/aes-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
-+aesni-x86.s:	asm/aesni-x86.pl ../perlasm/x86asm.pl
-+	$(PERL) asm/aesni-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
- 
- aes-x86_64.s: asm/aes-x86_64.pl
- 	$(PERL) asm/aes-x86_64.pl $(PERLASM_SCHEME) > $@
-+aesni-x86_64.s: asm/aesni-x86_64.pl
-+	$(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@
- 
- aes-sparcv9.s: asm/aes-sparcv9.pl
- 	$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
-diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/engine/eng_aesni.c
---- openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni	2010-11-16 17:33:23.000000000 +0100
-+++ openssl-1.0.0b/crypto/engine/eng_aesni.c	2010-11-16 17:33:23.000000000 +0100
-@@ -0,0 +1,413 @@
+--- /dev/null
++++ crypto/engine/eng_aesni.c
+@@ -0,0 +1,412 @@
 +/*
 + * Support for Intel AES-NI intruction set
 + *   Author: Huang Ying <ying.huang@intel.com>
@@ -1924,7 +1988,6 @@ diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/en
 +	if (!toadd)
 +		return;
 +	ENGINE_add (toadd);
-+	ENGINE_register_complete (toadd);
 +	ENGINE_free (toadd);
 +	ERR_clear_error ();
 +#endif
@@ -1982,10 +2045,10 @@ diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/en
 +{
 +	int engage;
 +	if (sizeof(OPENSSL_ia32cap_P) > 4) {
-+		engage = (OPENSSL_ia32cap_P >> 57) & 1;
++		engage = (int)((OPENSSL_ia32cap_P >> 30) >> 27) & 1;
 +	} else {
 +		IA32CAP OPENSSL_ia32_cpuid(void);
-+		engage = (OPENSSL_ia32_cpuid() >> 57) & 1;
++		engage = (int)(OPENSSL_ia32_cpuid() >> 57) & 1;
 +	}
 +
 +	/* Register everything or return with an error */
@@ -2230,92 +2293,8 @@ diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/en
 +
 +#endif /* COMPILE_HW_AESNI */
 +#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */
-diff -up openssl-1.0.0b/crypto/engine/eng_all.c.aesni openssl-1.0.0b/crypto/engine/eng_all.c
---- openssl-1.0.0b/crypto/engine/eng_all.c.aesni	2010-11-16 17:33:22.000000000 +0100
-+++ openssl-1.0.0b/crypto/engine/eng_all.c	2010-11-16 17:33:23.000000000 +0100
-@@ -85,6 +85,9 @@ void ENGINE_load_builtin_engines(void)
- #if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
- 	ENGINE_load_cryptodev();
- #endif
-+#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI)
-+	ENGINE_load_aesni();
-+#endif
- 	ENGINE_load_dynamic();
- #ifndef OPENSSL_NO_STATIC_ENGINE
- #ifndef OPENSSL_NO_HW
-diff -up openssl-1.0.0b/crypto/engine/engine.h.aesni openssl-1.0.0b/crypto/engine/engine.h
---- openssl-1.0.0b/crypto/engine/engine.h.aesni	2010-11-16 17:33:22.000000000 +0100
-+++ openssl-1.0.0b/crypto/engine/engine.h	2010-11-16 17:33:23.000000000 +0100
-@@ -338,6 +338,7 @@ void ENGINE_load_gost(void);
- #endif
- #endif
- void ENGINE_load_cryptodev(void);
-+void ENGINE_load_aesni(void);
- void ENGINE_load_builtin_engines(void);
- 
- /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
-diff -up openssl-1.0.0b/crypto/engine/Makefile.aesni openssl-1.0.0b/crypto/engine/Makefile
---- openssl-1.0.0b/crypto/engine/Makefile.aesni	2010-11-15 15:44:49.000000000 +0100
-+++ openssl-1.0.0b/crypto/engine/Makefile	2010-11-16 17:33:23.000000000 +0100
-@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e
- 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
- 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
- 	tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \
--	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c
-+	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \
-+	eng_aesni.c
- LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
- 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
- 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
- 	tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \
--	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o
-+	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \
-+	eng_aesni.o
- 
- SRC= $(LIBSRC)
- 
-diff -up openssl-1.0.0b/crypto/evp/evp_err.c.aesni openssl-1.0.0b/crypto/evp/evp_err.c
---- openssl-1.0.0b/crypto/evp/evp_err.c.aesni	2010-11-16 17:33:22.000000000 +0100
-+++ openssl-1.0.0b/crypto/evp/evp_err.c	2010-11-16 17:33:23.000000000 +0100
-@@ -1,6 +1,6 @@
- /* crypto/evp/evp_err.c */
- /* ====================================================================
-- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
-+ * Copyright (c) 1999-2009 The OpenSSL Project.  All rights reserved.
-  *
-  * Redistribution and use in source and binary forms, with or without
-  * modification, are permitted provided that the following conditions
-@@ -70,6 +70,7 @@
- 
- static ERR_STRING_DATA EVP_str_functs[]=
- 	{
-+{ERR_FUNC(EVP_F_AESNI_INIT_KEY),	"AESNI_INIT_KEY"},
- {ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
- {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY),	"CAMELLIA_INIT_KEY"},
- {ERR_FUNC(EVP_F_D2I_PKEY),	"D2I_PKEY"},
-@@ -86,7 +87,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
- {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX),	"EVP_DigestInit_ex"},
- {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX),	"EVP_EncryptFinal_ex"},
- {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX),	"EVP_MD_CTX_copy_ex"},
--{ERR_FUNC(EVP_F_EVP_MD_SIZE),	"EVP_MD_SIZE"},
-+{ERR_FUNC(EVP_F_EVP_MD_SIZE),	"EVP_MD_size"},
- {ERR_FUNC(EVP_F_EVP_OPENINIT),	"EVP_OpenInit"},
- {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD),	"EVP_PBE_alg_add"},
- {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE),	"EVP_PBE_alg_add_type"},
-diff -up openssl-1.0.0b/crypto/evp/evp.h.aesni openssl-1.0.0b/crypto/evp/evp.h
---- openssl-1.0.0b/crypto/evp/evp.h.aesni	2010-11-16 17:33:22.000000000 +0100
-+++ openssl-1.0.0b/crypto/evp/evp.h	2010-11-16 17:33:23.000000000 +0100
-@@ -1167,6 +1167,7 @@ void ERR_load_EVP_strings(void);
- /* Error codes for the EVP functions. */
- 
- /* Function codes. */
-+#define EVP_F_AESNI_INIT_KEY				 163
- #define EVP_F_AES_INIT_KEY				 133
- #define EVP_F_CAMELLIA_INIT_KEY				 159
- #define EVP_F_D2I_PKEY					 100
-diff -up openssl-1.0.0b/test/test_aesni.aesni openssl-1.0.0b/test/test_aesni
---- openssl-1.0.0b/test/test_aesni.aesni	2010-11-16 17:33:23.000000000 +0100
-+++ openssl-1.0.0b/test/test_aesni	2010-11-16 17:33:23.000000000 +0100
+--- /dev/null
++++ test/test_aesni
 @@ -0,0 +1,69 @@
 +#!/bin/sh
 +
diff --git a/openssl-1.0.0c.tar.bz2 b/openssl-1.0.0c.tar.bz2
deleted file mode 100644
index dca4042..0000000
--- a/openssl-1.0.0c.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fabc7750eb05c2b15916b1abdff7287064dd4bc120b0b77e233bc390352bae5d
-size 3207024
diff --git a/openssl-padlock-x86_64-head.patch b/openssl-padlock-x86_64-head.patch
new file mode 100644
index 0000000..f2ff2b0
--- /dev/null
+++ b/openssl-padlock-x86_64-head.patch
@@ -0,0 +1,215 @@
+diff --git a/engines/e_padlock.c b/engines/e_padlock.c
+index 7d09419..ce7e086 100644
+--- a/engines/e_padlock.c
++++ b/engines/e_padlock.c
+@@ -101,10 +101,15 @@
+    compiler choice is limited to GCC and Microsoft C. */
+ #undef COMPILE_HW_PADLOCK
+ #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
+-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
++# if (defined(__GNUC__) && __GNUC__>=2 && \
++	(defined(__i386__) || defined(__i386) || \
++	 defined(__x86_64__) || defined(__x86_64)) \
++     ) || \
+      (defined(_MSC_VER) && defined(_M_IX86))
+ #  define COMPILE_HW_PADLOCK
++#  ifdef OPENSSL_NO_DYNAMIC_ENGINE
+ static ENGINE *ENGINE_padlock (void);
++#  endif
+ # endif
+ #endif
+ 
+@@ -135,7 +140,7 @@ void ENGINE_load_padlock (void)
+ # endif
+ #elif defined(__GNUC__)
+ # ifndef alloca
+-#  define alloca(s) __builtin_alloca(s)
++#  define alloca(s) __builtin_alloca((s))
+ # endif
+ #endif
+ 
+@@ -197,6 +202,7 @@ padlock_bind_helper(ENGINE *e)
+ 	return 1;
+ }
+ 
++#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+ /* Constructor */
+ static ENGINE *
+ ENGINE_padlock(void)
+@@ -214,6 +220,7 @@ ENGINE_padlock(void)
+ 
+ 	return eng;
+ }
++#endif
+ 
+ /* Check availability of the engine */
+ static int
+@@ -298,6 +305,7 @@ static volatile struct padlock_cipher_data *padlock_saved_context;
+  * =======================================================
+  */
+ #if defined(__GNUC__) && __GNUC__>=2
++#if defined(__i386__) || defined(__i386)
+ /*
+  * As for excessive "push %ebx"/"pop %ebx" found all over.
+  * When generating position-independent code GCC won't let
+@@ -377,21 +385,6 @@ padlock_available(void)
+ 	return padlock_use_ace + padlock_use_rng;
+ }
+ 
+-#ifndef OPENSSL_NO_AES
+-/* Our own htonl()/ntohl() */
+-static inline void
+-padlock_bswapl(AES_KEY *ks)
+-{
+-	size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
+-	unsigned int *key = ks->rd_key;
+-
+-	while (i--) {
+-		asm volatile ("bswapl %0" : "+r"(*key));
+-		key++;
+-	}
+-}
+-#endif
+-
+ /* Force key reload from memory to the CPU microcode.
+    Loading EFLAGS from the stack clears EFLAGS[30] 
+    which does the trick. */
+@@ -449,12 +442,127 @@ static inline void *name(size_t cnt,		\
+ 		: "edx", "cc", "memory");	\
+ 	return iv;				\
+ }
++#endif
++
++#elif defined(__x86_64__) || defined(__x86_64)
++
++/* Load supported features of the CPU to see if
++   the PadLock is available. */
++static int
++padlock_available(void)
++{
++	char vendor_string[16];
++	unsigned int eax, edx;
++
++	/* Are we running on the Centaur (VIA) CPU? */
++	eax = 0x00000000;
++	vendor_string[12] = 0;
++	asm volatile (
++		"cpuid\n"
++		"movl	%%ebx,(%1)\n"
++		"movl	%%edx,4(%1)\n"
++		"movl	%%ecx,8(%1)\n"
++		: "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
++	if (strcmp(vendor_string, "CentaurHauls") != 0)
++		return 0;
++
++	/* Check for Centaur Extended Feature Flags presence */
++	eax = 0xC0000000;
++	asm volatile ("cpuid"
++		: "+a"(eax) : : "rbx", "rcx", "rdx");
++	if (eax < 0xC0000001)
++		return 0;
++
++	/* Read the Centaur Extended Feature Flags */
++	eax = 0xC0000001;
++	asm volatile ("cpuid"
++		: "+a"(eax), "=d"(edx) : : "rbx", "rcx");
++
++	/* Fill up some flags */
++	padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
++	padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
++
++	return padlock_use_ace + padlock_use_rng;
++}
++
++/* Force key reload from memory to the CPU microcode.
++   Loading EFLAGS from the stack clears EFLAGS[30] 
++   which does the trick. */
++static inline void
++padlock_reload_key(void)
++{
++	asm volatile ("pushfq; popfq");
++}
++
++#ifndef OPENSSL_NO_AES
++/*
++ * This is heuristic key context tracing. At first one
++ * believes that one should use atomic swap instructions,
++ * but it's not actually necessary. Point is that if
++ * padlock_saved_context was changed by another thread
++ * after we've read it and before we compare it with cdata,
++ * our key *shall* be reloaded upon thread context switch
++ * and we are therefore set in either case...
++ */
++static inline void
++padlock_verify_context(struct padlock_cipher_data *cdata)
++{
++	asm volatile (
++	"pushfq\n"
++"	btl	$30,(%%rsp)\n"
++"	jnc	1f\n"
++"	cmpq	%2,%1\n"
++"	je	1f\n"
++"	popfq\n"
++"	subq	$8,%%rsp\n"
++"1:	addq	$8,%%rsp\n"
++"	movq	%2,%0"
++	:"+m"(padlock_saved_context)
++	: "r"(padlock_saved_context), "r"(cdata) : "cc");
++}
++
++/* Template for padlock_xcrypt_* modes */
++/* BIG FAT WARNING: 
++ * 	The offsets used with 'leal' instructions
++ * 	describe items of the 'padlock_cipher_data'
++ * 	structure.
++ */
++#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt)	\
++static inline void *name(size_t cnt,		\
++	struct padlock_cipher_data *cdata,	\
++	void *out, const void *inp) 		\
++{	void *iv; 				\
++	asm volatile ( "leaq	16(%0),%%rdx\n"	\
++		"	leaq	32(%0),%%rbx\n"	\
++			rep_xcrypt "\n"		\
++		: "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
++		: "0"(cdata), "1"(cnt), "2"(out), "3"(inp)  \
++		: "rbx", "rdx", "cc", "memory");	\
++	return iv;				\
++}
++#endif
++
++#endif	/* cpu */
+ 
++#ifndef OPENSSL_NO_AES
+ /* Generate all functions with appropriate opcodes */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")	/* rep xcryptecb */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0")	/* rep xcryptcbc */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")	/* rep xcryptcfb */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")	/* rep xcryptofb */
++
++/* Our own htonl()/ntohl() */
++static inline void
++padlock_bswapl(AES_KEY *ks)
++{
++	size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
++	unsigned int *key = ks->rd_key;
++
++	while (i--) {
++		asm volatile ("bswapl %0" : "+r"(*key));
++		key++;
++	}
++}
+ #endif
+ 
+ /* The RNG call itself */
+@@ -485,8 +593,8 @@ padlock_xstore(void *addr, unsigned int edx_in)
+ static inline unsigned char *
+ padlock_memcpy(void *dst,const void *src,size_t n)
+ {
+-	long       *d=dst;
+-	const long *s=src;
++	size_t       *d=dst;
++	const size_t *s=src;
+ 
+ 	n /= sizeof(*d);
+ 	do { *d++ = *s++; } while (--n);
diff --git a/openssl.changes b/openssl.changes
index 6e33d06..2ef4fe6 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Wed Apr 13 02:03:02 UTC 2011 - crrodriguez@opensuse.org
+
+- Fix engine loading issues [bnc#660452]
+- Update AES-NI patch to upstream version 4 
+- Drop CVE-2011-0014.patch and replace it with pristine tarball
+  of 1.0.0d which only fixes this vulnerability.
+ 
+-------------------------------------------------------------------
+Sat Apr  9 18:18:42 UTC 2011 - crrodriguez@opensuse.org
+
+- Correct last change 
+
+-------------------------------------------------------------------
+Sat Apr  9 15:00:33 UTC 2011 - crrodriguez@opensuse.org
+
+- Disable SSLv2 support permanently,it must not be used.
+- No longer requires -fno-strict-aliasing 
+
 -------------------------------------------------------------------
 Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com
 
diff --git a/openssl.spec b/openssl.spec
index d909b80..2cc19fc 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -32,11 +32,11 @@ Obsoletes:      openssl-64bit
 %endif
 #
 #Version:        1.0.0
-Version:        1.0.0c
+Version:        1.0.0d
 Release:        20
 Summary:        Secure Sockets and Transport Layer Security
 Url:            http://www.openssl.org/
-Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
+Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.gz
 # to get mtime of file:
 Source1:        openssl.changes
 Source2:        baselibs.conf
@@ -48,8 +48,9 @@ Patch2:         bug610223.patch
 #Patch4:         patchset-19727.diff
 #Patch5:         CVE-2010-2939.patch
 #Patch6:         CVE-2010-3864.patch
-Patch7:         openssl-1.0.0b-aesni.patch
-Patch8:         CVE-2011-0014.patch
+Patch7:         openssl-1.0.0-aesni-v4.patch
+#PATCH_FIX-UPSTREAM Fix padlock engine in x86_64 hosts
+Patch8:         openssl-padlock-x86_64-head.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -178,12 +179,12 @@ Authors:
 %setup -q 
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
+%patch2
 #%patch3 -p1
 #%patch4 -p1
 #%patch5 -p1
 #%patch6 -p1
-%patch7 -p1
+%patch7
 %patch8 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -224,6 +225,9 @@ sed -i -e "s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES|" crypto/
 ./config --test-sanity 
 #
 config_flags="threads shared no-rc5 no-idea \
+%if 0%{suse_version} > 1140
+no-ssl2 \
+%endif
 enable-camellia \
 zlib \
 --prefix=%{_prefix} \
@@ -232,7 +236,6 @@ zlib \
 $RPM_OPT_FLAGS \
 -Wa,--noexecstack \
 -fomit-frame-pointer \
--fno-strict-aliasing \
 -DTERMIO \
 -DPURIFY \
 %ifnarch hppa
@@ -337,7 +340,7 @@ unsigned int i;
 SSL_CTX *ctx;
 SSL *ssl;
 SSL_METHOD *meth;
-  meth = SSLv2_client_method();
+  meth = SSLv23_client_method();
   SSLeay_add_ssl_algorithms();
   ctx = SSL_CTX_new(meth);
   if (ctx == NULL) return 0;
@@ -370,14 +373,36 @@ cd $RPM_BUILD_ROOT%{_libdir}/
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
 
+#ugly artifact to delete engines that are disabled/unusable in LINUX
+#that for some reason the build system insist on creating.
+
+# CAPI, Windows specific
+rm %{buildroot}/%_lib/engines/libcapi.so
+# GMP, has been always non-functional
+rm %{buildroot}/%_lib/engines/libgmp.so
+# Requires propietary Broadcom library, not available
+rm %{buildroot}/%_lib/engines/libubsec.so
+#Requires library called libnfhwcrhk.so which is not available 
+rm %{buildroot}/%_lib/engines/libchil.so
+#requires library named "SureWareHook" which is not available
+rm %{buildroot}/%_lib/engines/libsureware.so
+#requires DSO "libswift.so",propietary and not available
+rm %{buildroot}/%_lib/engines/libcswift.so
+#requires DSO "nuronssl.so", propietary and not available
+rm %{buildroot}/%_lib/engines/libnuron.so
+#only supported in AIX and Windows...
+rm %{buildroot}/%_lib/engines/lib4758cca.so
+# deprecated in favor of http://sourceforge.net/projects/opencryptoki/files/ (??)
+rm %{buildroot}/%_lib/engines/libaep.so
+# HP Atalla AXL600L SSL Accelerator Card, EOL, linux 2.4/SLE8, useless nowdays
+rm %{buildroot}/%_lib/engines/libatalla.so
+
 %clean
 if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 
-%post -n libopenssl1_0_0
-/sbin/ldconfig
+%post -n libopenssl1_0_0 -p /sbin/ldconfig
 
-%postun -n libopenssl1_0_0
-/sbin/ldconfig
+%postun -n libopenssl1_0_0 -p /sbin/ldconfig
 
 %files -n libopenssl1_0_0
 %defattr(-, root, root)