From 0985bc43b2e10eafdf769155583222069ec628a5594d10c4b8fcfd84bb836abe Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Mon, 25 Aug 2014 09:03:07 +0000 Subject: [PATCH] Accepting request 245642 from Base:System - openssl.keyring: the 1.0.1i release was done by Matt Caswell UK 0E604491 - rename README.SuSE (old spelling) to README.SUSE (bnc#889013) - update to 1.0.1i * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the SRP code can overrun an internal buffer. Add sanity check that g, A, B < N to SRP code. (CVE-2014-3512) * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. (CVE-2014-3511) * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. (CVE-2014-3510) * By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. (CVE-2014-3507) * An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. (CVE-2014-3506) * An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice.
This OBS-URL: https://build.opensuse.org/request/show/245642 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=121 --- ...-libssl-Hide-library-private-symbols.patch | 58 +++-- README.SuSE => README.SUSE | 0 openssl-1.0.1e-new-fips-reqs.patch | 199 +++++++++--------- openssl-1.0.1h.tar.gz | 3 - openssl-1.0.1h.tar.gz.asc | 17 -- openssl-1.0.1i.tar.gz | 3 + openssl-1.0.1i.tar.gz.asc | 11 + openssl.changes | 63 ++++++ openssl.keyring | 37 ++++ openssl.spec | 6 +- 10 files changed, 253 insertions(+), 144 deletions(-) rename README.SuSE => README.SUSE (100%) delete mode 100644 openssl-1.0.1h.tar.gz delete mode 100644 openssl-1.0.1h.tar.gz.asc create mode 100644 openssl-1.0.1i.tar.gz create mode 100644 openssl-1.0.1i.tar.gz.asc diff --git a/0005-libssl-Hide-library-private-symbols.patch b/0005-libssl-Hide-library-private-symbols.patch index c0a0c08..ba2a63b 100644 --- a/0005-libssl-Hide-library-private-symbols.patch +++ b/0005-libssl-Hide-library-private-symbols.patch @@ -16,8 +16,10 @@ API/ABI when GCC 4 or later is used. ssl/t1_lib.c | 6 ++---- 8 files changed, 23 insertions(+), 12 deletions(-) ---- openssl-1.0.1g.orig/ssl/d1_lib.c -+++ openssl-1.0.1g/ssl/d1_lib.c +Index: openssl-1.0.1i/ssl/d1_lib.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/d1_lib.c ++++ openssl-1.0.1i/ssl/d1_lib.c @@ -67,8 +67,7 @@ #endif @@ -28,7 +30,7 @@ API/ABI when GCC 4 or later is used. SSL3_ENC_METHOD DTLSv1_enc_data={ dtls1_enc, -@@ -468,7 +467,7 @@ static void get_current_time(struct time +@@ -471,7 +470,7 @@ static void get_current_time(struct time #endif } @@ -37,8 +39,10 @@ API/ABI when GCC 4 or later is used. { int ret; ---- openssl-1.0.1g.orig/ssl/kssl_lcl.h -+++ openssl-1.0.1g/ssl/kssl_lcl.h +Index: openssl-1.0.1i/ssl/kssl_lcl.h +=================================================================== +--- openssl-1.0.1i.orig/ssl/kssl_lcl.h ++++ openssl-1.0.1i/ssl/kssl_lcl.h 
@@ -61,6 +61,10 @@ #include @@ -60,8 +64,10 @@ API/ABI when GCC 4 or later is used. +#endif + #endif /* KSSL_LCL_H */ ---- openssl-1.0.1g.orig/ssl/s23_srvr.c -+++ openssl-1.0.1g/ssl/s23_srvr.c +Index: openssl-1.0.1i/ssl/s23_srvr.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/s23_srvr.c ++++ openssl-1.0.1i/ssl/s23_srvr.c @@ -120,7 +120,7 @@ #endif @@ -80,8 +86,10 @@ API/ABI when GCC 4 or later is used. { char buf_space[11]; /* Request this many bytes in initial read. * We can detect SSL 3.0/TLS 1.0 Client Hellos ---- openssl-1.0.1g.orig/ssl/s2_lib.c -+++ openssl-1.0.1g/ssl/s2_lib.c +Index: openssl-1.0.1i/ssl/s2_lib.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/s2_lib.c ++++ openssl-1.0.1i/ssl/s2_lib.c @@ -116,7 +116,6 @@ #include #include @@ -90,8 +98,10 @@ API/ABI when GCC 4 or later is used. #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) ---- openssl-1.0.1g.orig/ssl/s3_lib.c -+++ openssl-1.0.1g/ssl/s3_lib.c +Index: openssl-1.0.1i/ssl/s3_lib.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/s3_lib.c ++++ openssl-1.0.1i/ssl/s3_lib.c @@ -162,7 +162,6 @@ #include #endif @@ -100,8 +110,10 @@ API/ABI when GCC 4 or later is used. #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) ---- openssl-1.0.1g.orig/ssl/ssl_lib.c -+++ openssl-1.0.1g/ssl/ssl_lib.c +Index: openssl-1.0.1i/ssl/ssl_lib.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/ssl_lib.c ++++ openssl-1.0.1i/ssl/ssl_lib.c @@ -160,7 +160,6 @@ #include #endif 
@@ -110,8 +122,10 @@ API/ABI when GCC 4 or later is used. SSL3_ENC_METHOD ssl3_undef_enc_method={ /* evil casts, but these functions are only called if there's a library bug */ ---- openssl-1.0.1g.orig/ssl/ssl_locl.h -+++ openssl-1.0.1g/ssl/ssl_locl.h +Index: openssl-1.0.1i/ssl/ssl_locl.h +=================================================================== +--- openssl-1.0.1i.orig/ssl/ssl_locl.h ++++ openssl-1.0.1i/ssl/ssl_locl.h @@ -165,6 +165,10 @@ #include #include @@ -123,21 +137,25 @@ API/ABI when GCC 4 or later is used. #ifdef OPENSSL_BUILD_SHLIBSSL # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT -@@ -1174,4 +1178,12 @@ void tls_fips_digest_extra( - const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, - const unsigned char *data, size_t data_len, size_t orig_len); +@@ -1194,5 +1198,14 @@ int srp_verify_server_param(SSL *s, int + #define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat + #define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat +int private_tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, int seed2_len, + const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len, + const unsigned char *sec, int slen, unsigned char *out1, unsigned char *out2, int olen); ++ + #endif + +#if defined(__GNUC__) && __GNUC__ >= 4 +#pragma GCC visibility pop +#endif + #endif ---- openssl-1.0.1g.orig/ssl/t1_lib.c -+++ openssl-1.0.1g/ssl/t1_lib.c +Index: openssl-1.0.1i/ssl/t1_lib.c +=================================================================== +--- openssl-1.0.1i.orig/ssl/t1_lib.c ++++ openssl-1.0.1i/ssl/t1_lib.c @@ -117,7 +117,6 @@ #include #include "ssl_locl.h" diff --git a/README.SuSE b/README.SUSE similarity index 100% rename from README.SuSE rename to README.SUSE diff --git a/openssl-1.0.1e-new-fips-reqs.patch b/openssl-1.0.1e-new-fips-reqs.patch index fd217e7..cc569fb 100644 --- a/openssl-1.0.1e-new-fips-reqs.patch 
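Review bot: In the refreshed ssl_locl.h hunk (`@@ -1194,5 +1198,14 @@`), the `private_tls1_PRF` prototype is now added after the `#define tls1_process_heartbeat ...` and `#define dtls1_process_heartbeat ...` lines and before the first `#endif`, so it sits inside whatever conditional those `SSL_test_functions()` macros belong to. The old placement was directly after the `tls_fips_digest_extra(...)` prototype. If that conditional is only compiled for unit-test builds (its opening is outside the hunk), regular builds lose the prototype and callers fall back to an implicit declaration with no argument checking. I would move the three prototype lines back up among the ordinary prototypes, outside the conditional, leaving only the `#pragma GCC visibility pop` block between the two `#endif` lines.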
+++ b/openssl-1.0.1e-new-fips-reqs.patch @@ -1,7 +1,7 @@ -Index: openssl-1.0.1g/crypto/bn/bn_rand.c +Index: openssl-1.0.1i/crypto/bn/bn_rand.c =================================================================== ---- openssl-1.0.1g.orig/crypto/bn/bn_rand.c -+++ openssl-1.0.1g/crypto/bn/bn_rand.c +--- openssl-1.0.1i.orig/crypto/bn/bn_rand.c 2014-08-07 16:22:48.583087630 +0200 ++++ openssl-1.0.1i/crypto/bn/bn_rand.c 2014-08-07 16:22:49.458098281 +0200 @@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM goto err; } @@ -18,10 +18,10 @@ Index: openssl-1.0.1g/crypto/bn/bn_rand.c if (pseudorand) { -Index: openssl-1.0.1g/crypto/dh/dh_gen.c +Index: openssl-1.0.1i/crypto/dh/dh_gen.c =================================================================== ---- openssl-1.0.1g.orig/crypto/dh/dh_gen.c -+++ openssl-1.0.1g/crypto/dh/dh_gen.c +--- openssl-1.0.1i.orig/crypto/dh/dh_gen.c 2014-08-07 16:22:48.583087630 +0200 ++++ openssl-1.0.1i/crypto/dh/dh_gen.c 2014-08-07 16:22:49.458098281 +0200 @@ -125,7 +125,7 @@ static int dh_builtin_genparams(DH *ret, return 0; } @@ -31,10 +31,10 @@ Index: openssl-1.0.1g/crypto/dh/dh_gen.c { DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); goto err; -Index: openssl-1.0.1g/crypto/dh/dh.h +Index: openssl-1.0.1i/crypto/dh/dh.h =================================================================== ---- openssl-1.0.1g.orig/crypto/dh/dh.h -+++ openssl-1.0.1g/crypto/dh/dh.h +--- openssl-1.0.1i.orig/crypto/dh/dh.h 2014-08-07 16:22:48.583087630 +0200 ++++ openssl-1.0.1i/crypto/dh/dh.h 2014-08-07 16:22:49.458098281 +0200 @@ -78,6 +78,7 @@ #endif 
@@ -43,10 +43,10 @@ Index: openssl-1.0.1g/crypto/dh/dh.h #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH -Index: openssl-1.0.1g/crypto/dh/dh_check.c +Index: openssl-1.0.1i/crypto/dh/dh_check.c =================================================================== ---- openssl-1.0.1g.orig/crypto/dh/dh_check.c -+++ openssl-1.0.1g/crypto/dh/dh_check.c +--- openssl-1.0.1i.orig/crypto/dh/dh_check.c 2014-08-07 16:22:48.584087643 +0200 ++++ openssl-1.0.1i/crypto/dh/dh_check.c 2014-08-07 16:22:49.458098281 +0200 @@ -134,7 +134,33 @@ int DH_check_pub_key(const DH *dh, const BN_sub_word(q,1); if (BN_cmp(pub_key,q)>=0) @@ -67,24 +67,24 @@ Index: openssl-1.0.1g/crypto/dh/dh_check.c + } + if (!BN_is_one(q)) + { -+ /* it would be more correct to add new return flag ++ /* it would be more correct to add new return flag + * for this test, but we do not want to do it + * so just error out + */ + BN_CTX_free(ctx); + goto err; + } -+ ++ + BN_CTX_free(ctx); + } +#endif ok = 1; err: if (q != NULL) BN_free(q); -Index: openssl-1.0.1g/crypto/dsa/dsa_gen.c +Index: openssl-1.0.1i/crypto/dsa/dsa_gen.c =================================================================== ---- openssl-1.0.1g.orig/crypto/dsa/dsa_gen.c -+++ openssl-1.0.1g/crypto/dsa/dsa_gen.c +--- openssl-1.0.1i.orig/crypto/dsa/dsa_gen.c 2014-08-07 16:22:48.584087643 +0200 ++++ openssl-1.0.1i/crypto/dsa/dsa_gen.c 2014-08-07 16:22:49.458098281 +0200 @@ -159,7 +159,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ } 
@@ -93,10 +93,10 @@ Index: openssl-1.0.1g/crypto/dsa/dsa_gen.c (bits != 2048 || qbits != 224) && (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) -Index: openssl-1.0.1g/crypto/dsa/dsa.h +Index: openssl-1.0.1i/crypto/dsa/dsa.h =================================================================== ---- openssl-1.0.1g.orig/crypto/dsa/dsa.h -+++ openssl-1.0.1g/crypto/dsa/dsa.h +--- openssl-1.0.1i.orig/crypto/dsa/dsa.h 2014-08-07 16:22:48.584087643 +0200 ++++ openssl-1.0.1i/crypto/dsa/dsa.h 2014-08-07 16:22:49.458098281 +0200 @@ -89,6 +89,7 @@ #endif @@ -118,10 +118,10 @@ Index: openssl-1.0.1g/crypto/dsa/dsa.h #define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) -Index: openssl-1.0.1g/crypto/dsa/dsa_key.c +Index: openssl-1.0.1i/crypto/dsa/dsa_key.c =================================================================== ---- openssl-1.0.1g.orig/crypto/dsa/dsa_key.c -+++ openssl-1.0.1g/crypto/dsa/dsa_key.c +--- openssl-1.0.1i.orig/crypto/dsa/dsa_key.c 2014-08-07 16:22:48.584087643 +0200 ++++ openssl-1.0.1i/crypto/dsa/dsa_key.c 2014-08-07 16:22:49.458098281 +0200 @@ -122,7 +122,7 @@ static int dsa_builtin_keygen(DSA *dsa) #ifdef OPENSSL_FIPS @@ -131,10 +131,10 @@ Index: openssl-1.0.1g/crypto/dsa/dsa_key.c { DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); goto err; -Index: openssl-1.0.1g/crypto/fips/fips_dh_selftest.c +Index: openssl-1.0.1i/crypto/fips/fips_dh_selftest.c =================================================================== ---- /dev/null -+++ openssl-1.0.1g/crypto/fips/fips_dh_selftest.c +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1i/crypto/fips/fips_dh_selftest.c 2014-08-07 16:22:49.458098281 +0200 @@ -0,0 +1,162 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -145,7 +145,7 @@ Index: openssl-1.0.1g/crypto/fips/fips_dh_selftest.c + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -298,10 +298,10 @@ Index: openssl-1.0.1g/crypto/fips/fips_dh_selftest.c + return ret; + } +#endif -Index: openssl-1.0.1g/crypto/fips/fips_drbg_rand.c +Index: openssl-1.0.1i/crypto/fips/fips_drbg_rand.c =================================================================== ---- openssl-1.0.1g.orig/crypto/fips/fips_drbg_rand.c -+++ openssl-1.0.1g/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.1i.orig/crypto/fips/fips_drbg_rand.c 2014-08-07 16:22:48.584087643 +0200 ++++ openssl-1.0.1i/crypto/fips/fips_drbg_rand.c 2014-08-07 16:22:49.458098281 +0200 @@ -77,7 +77,8 @@ static int fips_drbg_bytes(unsigned char int rv = 0; unsigned char *adin = NULL; @@ -382,10 +382,10 @@ Index: openssl-1.0.1g/crypto/fips/fips_drbg_rand.c } static const RAND_METHOD rand_drbg_meth = -Index: openssl-1.0.1g/crypto/fips/fips.h +Index: openssl-1.0.1i/crypto/fips/fips.h =================================================================== ---- openssl-1.0.1g.orig/crypto/fips/fips.h -+++ openssl-1.0.1g/crypto/fips/fips.h +--- openssl-1.0.1i.orig/crypto/fips/fips.h 2014-08-07 16:22:48.584087643 +0200 ++++ openssl-1.0.1i/crypto/fips/fips.h 2014-08-07 16:22:49.459098294 +0200 @@ -96,6 +96,7 @@ void FIPS_corrupt_dsa_keygen(void); int FIPS_selftest_dsa(void); int FIPS_selftest_ecdsa(void); 
@@ -394,10 +394,10 @@ Index: openssl-1.0.1g/crypto/fips/fips.h void FIPS_corrupt_rng(void); void FIPS_rng_stick(void); void FIPS_x931_stick(int onoff); -Index: openssl-1.0.1g/crypto/fips/fips_post.c +Index: openssl-1.0.1i/crypto/fips/fips_post.c =================================================================== ---- openssl-1.0.1g.orig/crypto/fips/fips_post.c -+++ openssl-1.0.1g/crypto/fips/fips_post.c +--- openssl-1.0.1i.orig/crypto/fips/fips_post.c 2014-08-07 16:22:48.584087643 +0200 ++++ openssl-1.0.1i/crypto/fips/fips_post.c 2014-08-07 16:22:49.459098294 +0200 @@ -99,6 +99,8 @@ int FIPS_selftest(void) rv = 0; if (!FIPS_selftest_dsa()) @@ -407,10 +407,10 @@ Index: openssl-1.0.1g/crypto/fips/fips_post.c if (!FIPS_selftest_ecdh()) rv = 0; return rv; -Index: openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c +Index: openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c =================================================================== ---- openssl-1.0.1g.orig/crypto/fips/fips_rsa_selftest.c -+++ openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.1i.orig/crypto/fips/fips_rsa_selftest.c 2014-08-07 16:22:48.585087655 +0200 ++++ openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c 2014-08-07 16:22:49.459098294 +0200 @@ -340,6 +340,42 @@ static const unsigned char kat_RSA_X931_ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3 }; @@ -480,10 +480,10 @@ Index: openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c RSA_free(key); return ret; } -Index: openssl-1.0.1g/crypto/fips/Makefile +Index: openssl-1.0.1i/crypto/fips/Makefile =================================================================== ---- openssl-1.0.1g.orig/crypto/fips/Makefile -+++ openssl-1.0.1g/crypto/fips/Makefile +--- openssl-1.0.1i.orig/crypto/fips/Makefile 2014-08-07 16:22:48.585087655 +0200 ++++ openssl-1.0.1i/crypto/fips/Makefile 2014-08-07 16:22:49.459098294 +0200 
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ @@ -502,10 +502,10 @@ Index: openssl-1.0.1g/crypto/fips/Makefile LIBCRYPTO=-L.. -lcrypto -Index: openssl-1.0.1g/crypto/modes/gcm128.c +Index: openssl-1.0.1i/crypto/modes/gcm128.c =================================================================== ---- openssl-1.0.1g.orig/crypto/modes/gcm128.c -+++ openssl-1.0.1g/crypto/modes/gcm128.c +--- openssl-1.0.1i.orig/crypto/modes/gcm128.c 2014-08-07 16:22:48.585087655 +0200 ++++ openssl-1.0.1i/crypto/modes/gcm128.c 2014-08-07 16:22:49.459098294 +0200 @@ -906,6 +906,10 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT # endif #endif @@ -528,10 +528,10 @@ Index: openssl-1.0.1g/crypto/modes/gcm128.c mlen += len; if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen 0); @@ -598,7 +598,7 @@ Index: openssl-1.0.1g/crypto/rand/md_rand.c EVP_MD_CTX_init(&m); for (i=0; i 0) { -@@ -527,13 +507,15 @@ static int ssleay_rand_bytes(unsigned ch - #ifdef OPENSSL_FIPS - if (!FIPS_mode()) - #endif +@@ -518,12 +495,11 @@ int ssleay_rand_bytes(unsigned char *buf + MD_Init(&m); + MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); + MD_Update(&m,local_md,MD_DIGEST_LENGTH); +- if (lock) - CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ locked = private_RAND_lock(1); ++ locked = private_RAND_lock(1); MD_Update(&m,md,MD_DIGEST_LENGTH); MD_Final(&m,md); - #ifdef OPENSSL_FIPS - if (!FIPS_mode()) - #endif +- if (lock) - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ -+ if (locked) -+ private_RAND_lock(0); ++ if (locked) ++ private_RAND_lock(0); EVP_MD_CTX_cleanup(&m); if (ok) -@@ -563,32 +545,10 @@ static int ssleay_rand_pseudo_bytes(unsi +@@ -553,32 +529,10 @@ static int ssleay_rand_pseudo_bytes(unsi static int ssleay_rand_status(void) { 
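Review bot: In the refreshed md_rand.c hunk for `ssleay_rand_bytes` (`@@ -518,12 +495,11 @@`), the patch deletes the `if (lock)` guards around `CRYPTO_w_lock`/`CRYPTO_w_unlock` and takes the lock through `locked = private_RAND_lock(1);` unconditionally, so `lock` (presumably the function's parameter) no longer has any effect at this site. That is only safe if `private_RAND_lock` itself detects a caller that already holds `CRYPTO_LOCK_RAND`; its body is added by the rand_lib.c hunk and is not visible here, so it is worth confirming against callers that pass `lock` as 0. Since this is the RNG state update, I would document the intent with a comment above the call, e.g. `/* private_RAND_lock() detects re-entry; the lock argument is deliberately not consulted here */`. The function body continues outside the hunk.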
@@ -708,7 +705,7 @@ Index: openssl-1.0.1g/crypto/rand/md_rand.c if (!initialized) { -@@ -598,13 +558,8 @@ static int ssleay_rand_status(void) +@@ -588,13 +542,8 @@ static int ssleay_rand_status(void) ret = entropy >= ENTROPY_NEEDED; @@ -724,10 +721,10 @@ Index: openssl-1.0.1g/crypto/rand/md_rand.c return ret; } -Index: openssl-1.0.1g/crypto/rand/rand.h +Index: openssl-1.0.1i/crypto/rand/rand.h =================================================================== ---- openssl-1.0.1g.orig/crypto/rand/rand.h -+++ openssl-1.0.1g/crypto/rand/rand.h +--- openssl-1.0.1i.orig/crypto/rand/rand.h 2014-08-07 16:22:48.586087667 +0200 ++++ openssl-1.0.1i/crypto/rand/rand.h 2014-08-07 16:22:49.459098294 +0200 @@ -124,6 +124,8 @@ void RAND_set_fips_drbg_type(int type, i int RAND_init_fips(void); #endif @@ -737,10 +734,10 @@ Index: openssl-1.0.1g/crypto/rand/rand.h /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. -Index: openssl-1.0.1g/crypto/rand/rand_lcl.h +Index: openssl-1.0.1i/crypto/rand/rand_lcl.h =================================================================== ---- openssl-1.0.1g.orig/crypto/rand/rand_lcl.h -+++ openssl-1.0.1g/crypto/rand/rand_lcl.h +--- openssl-1.0.1i.orig/crypto/rand/rand_lcl.h 2014-08-07 16:22:48.586087667 +0200 ++++ openssl-1.0.1i/crypto/rand/rand_lcl.h 2014-08-07 16:22:49.459098294 +0200 @@ -112,7 +112,7 @@ #ifndef HEADER_RAND_LCL_H #define HEADER_RAND_LCL_H 
@@ -750,11 +747,11 @@ Index: openssl-1.0.1g/crypto/rand/rand_lcl.h #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) -Index: openssl-1.0.1g/crypto/rand/rand_lib.c +Index: openssl-1.0.1i/crypto/rand/rand_lib.c =================================================================== ---- openssl-1.0.1g.orig/crypto/rand/rand_lib.c -+++ openssl-1.0.1g/crypto/rand/rand_lib.c -@@ -181,6 +181,41 @@ int RAND_status(void) +--- openssl-1.0.1i.orig/crypto/rand/rand_lib.c 2014-08-07 16:22:48.586087667 +0200 ++++ openssl-1.0.1i/crypto/rand/rand_lib.c 2014-08-07 16:22:49.460098306 +0200 +@@ -182,6 +182,41 @@ int RAND_status(void) return 0; } @@ -796,7 +793,7 @@ Index: openssl-1.0.1g/crypto/rand/rand_lib.c #ifdef OPENSSL_FIPS /* FIPS DRBG initialisation code. This sets up the DRBG for use by the -@@ -239,12 +274,16 @@ static int drbg_rand_add(DRBG_CTX *ctx, +@@ -240,12 +275,16 @@ static int drbg_rand_add(DRBG_CTX *ctx, double entropy) { RAND_SSLeay()->add(in, inlen, entropy); @@ -813,10 +810,10 @@ Index: openssl-1.0.1g/crypto/rand/rand_lib.c return 1; } -Index: openssl-1.0.1g/crypto/rsa/rsa_gen.c +Index: openssl-1.0.1i/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.0.1g.orig/crypto/rsa/rsa_gen.c -+++ openssl-1.0.1g/crypto/rsa/rsa_gen.c +--- openssl-1.0.1i.orig/crypto/rsa/rsa_gen.c 2014-08-07 16:22:44.906042872 +0200 ++++ openssl-1.0.1i/crypto/rsa/rsa_gen.c 2014-08-07 16:22:49.460098306 +0200 @@ -1,5 +1,6 @@ /* crypto/rsa/rsa_gen.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -914,7 +911,7 @@ Index: openssl-1.0.1g/crypto/rsa/rsa_gen.c + r = BN_is_prime_fasttest_ex(rsa->p, pbits>1024?4:5, ctx, 0, cb); + if (r == -1 || (test && r <= 0)) goto err; + if (r > 0) break; -+ } ++ } + + if(!BN_GENCB_call(cb, 2, n++)) + goto err; 
@@ -952,7 +949,7 @@ Index: openssl-1.0.1g/crypto/rsa/rsa_gen.c + r = BN_is_prime_fasttest_ex(rsa->q, pbits>1024?4:5, ctx, 0, cb); + if (r == -1 || (test && r <= 0)) goto err; + if (r > 0) break; -+ } ++ } + + if(!BN_GENCB_call(cb, 2, n++)) + goto err; @@ -1084,10 +1081,10 @@ Index: openssl-1.0.1g/crypto/rsa/rsa_gen.c ok=1; err: if (ok == -1) -Index: openssl-1.0.1g/ssl/t1_enc.c +Index: openssl-1.0.1i/ssl/t1_enc.c =================================================================== ---- openssl-1.0.1g.orig/ssl/t1_enc.c -+++ openssl-1.0.1g/ssl/t1_enc.c +--- openssl-1.0.1i.orig/ssl/t1_enc.c 2014-08-07 16:22:48.587087679 +0200 ++++ openssl-1.0.1i/ssl/t1_enc.c 2014-08-07 16:22:49.460098306 +0200 @@ -291,6 +291,27 @@ static int tls1_PRF(long digest_mask, err: return ret; diff --git a/openssl-1.0.1h.tar.gz b/openssl-1.0.1h.tar.gz deleted file mode 100644 index 54200ed..0000000 --- a/openssl-1.0.1h.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093 -size 4475692 diff --git a/openssl-1.0.1h.tar.gz.asc b/openssl-1.0.1h.tar.gz.asc deleted file mode 100644 index 7147b6c..0000000 --- a/openssl-1.0.1h.tar.gz.asc +++ /dev/null 
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQIcBAABCAAGBQJTkDweAAoJENNXdQf6QOnizlMQAJ/tw6A4s/TMQjiLTapBAJzJ
-b5W2/nOD87oa0HL2aKvTHb0R7RKuvqGR71kgWaPOPJUwyLEWG1SinTeYR0J+yl0K
-5y8TE8p4AwnAEp1JcMfbljl3tkyRXOVqS1idkvcBKBawurL68jfyWWkzZ1D2wZtE
-LEmVm0diQIDSACuisnonE2Q8YvtqV4/imuX4BEZlZ+iNNdL0+NEuLB+xIWSl84lb
-YqM0cXQ09SIZZL+nvO0t5PBNJcQM/6w9TPKDFReQxvhVkdqoWa/o2FfeSgRLNDIu
-gGPTe0cEGUpOYyeC/SbLUOppCsRNBbzWjdRotEOV1GO2dMihZaMZZedJDhAhh5q6
-Z1wctpZGxq/vMIQ669Wayj2OxAtluCjW8GwlaJRi7XfB/fCk1NDFezTL4hhWRhIh
-mvI4oKO7TC2/OhJ2YvNGqYeqNzsIJbszn7bipvbF5KNf0eNtrUoRWsNPia9nRlca
-2yzAxCCx2QtR0PV52/c5Xbfm/Ljxta9ZKgQgAjApz5+YMsap9LyQhklc+r7tETij
-yv3Vf3Xft6n4VtKxHsecebl9VZXsz/hCjHN3PmYI0SLZDZOFBdIYoju2ttspH1pH
-aBXTitvmBUsDIss2fjJJQLX22TgTpTS3FyPb9zlN+ecE/0HJcGIJUAi80i1gldzH
-DQhyf3Qf17vW5g28E7Iv
-=oxkH
------END PGP SIGNATURE-----
diff --git a/openssl-1.0.1i.tar.gz b/openssl-1.0.1i.tar.gz
new file mode 100644
index 0000000..d81aae1
--- /dev/null
+++ b/openssl-1.0.1i.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7
+size 4422117
diff --git a/openssl-1.0.1i.tar.gz.asc b/openssl-1.0.1i.tar.gz.asc
new file mode 100644
index 0000000..855998c
--- /dev/null
+++ b/openssl-1.0.1i.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJT4pu4AAoJENnE0m0OYESRle0H/A6fmNlUkhJ5NS5/W6HbztKE
+j5xWzecv7HKElr01tleyGkefwg/whBhE1HN0QsFygOR29HFF4dhijjarYj7gh6tR
+rsTGpbi+i0j2355a/BJdisXx9IESQLHeXxIAcGYEyWJKAUPzIHnIq/de+/IU9Luz
+Ck5aNaB2epB8mAyqHD8tkyK52764ngATElsuz9/aSGBSgoNkLXa/3nDEink2ckaD
++fiBftKALEmJy+aaKp3E3PE3rQ02L0UK0hsO9DfOe0SZtFOd1nGF3Pb1DgGvum+R
+RYUXuroGc6D126lK/ThhqZxBOWn+TYmm9g+P15r9nWOUvqvP1Bn2no0AvRvZH30=
+=f6Uy
+-----END PGP SIGNATURE-----
diff --git a/openssl.changes b/openssl.changes
index 16a17c3..4a94b83 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,3 +1,66 @@
+-------------------------------------------------------------------
+Thu Aug 21 15:05:43 UTC 2014 - meissner@suse.com
+
+- openssl.keyring: the 1.0.1i release was done by
+ Matt Caswell UK 0E604491
+
+-------------------------------------------------------------------
+Thu Aug 14 10:27:07 UTC 2014 - vcizek@suse.com
+
+- rename README.SuSE (old spelling) to README.SUSE (bnc#889013)
+
+-------------------------------------------------------------------
+Wed Aug 13 17:43:21 UTC 2014 - vcizek@suse.com
+
+- update to 1.0.1i
+ * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
+ SRP code can be overrun an internal buffer. Add sanity check that
+ g, A, B < N to SRP code.
+ (CVE-2014-3512)
+ * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
+ TLS 1.0 instead of higher protocol versions when the ClientHello message
+ is badly fragmented. This allows a man-in-the-middle attacker to force a
+ downgrade to TLS 1.0 even if both the server and the client support a
+ higher protocol version, by modifying the client's TLS records.
+ (CVE-2014-3511)
+ * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
+ (CVE-2014-3510)
+ * By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ (CVE-2014-3507)
+ * An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ (CVE-2014-3506)
+ * An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ (CVE-2014-3505)
+ * If a multithreaded client connects to a malicious server using a resumed
+ session and the server sends an ec point format extension it could write
+ up to 255 bytes to freed memory.
+ (CVE-2014-3509)
+ * A malicious server can crash an OpenSSL client with a null pointer
+ dereference (read) by specifying an SRP ciphersuite even though it was not
+ properly negotiated with the client. This can be exploited through a
+ Denial of Service attack.
+ (CVE-2014-5139)
+ * A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
+ (CVE-2014-3508)
+ * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+- refreshed patches:
+ * openssl-1.0.1e-new-fips-reqs.patch
+ * 0005-libssl-Hide-library-private-symbols.patch
+ (thanks to Marcus Meissner)
+
 -------------------------------------------------------------------
 Mon Jul 21 10:49:35 UTC 2014 - jengelh@inai.de
 
diff --git a/openssl.keyring b/openssl.keyring
index 89c5841..952d91a 100644
--- a/openssl.keyring
+++ b/openssl.keyring
@@ -147,3 +147,40 @@ G/cu/anS1ekMIWkC/QyX6xbXi7IedakaL56y7nJRBRmPuETKACSAWkGJ5ojm6BxT TInCFx1evwVXM3s6 =eP1B -----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.19 (GNU/Linux) + +mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay +hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3 +iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi +2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa +N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz +UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0IE1hdHQgQ2Fzd2VsbCA8 +ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsDBgsJCAcDAgYVCAIJ +CgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+viob8935Uirei4Fv +nzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeARGwWTQYGmFmrNRWZ +2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAjeU8uSarmeZgGVMAI +nsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE5Q7wnnoRXdLyNet0 +AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R4gYFS/xGfTgocPUD +Z4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO5vISJkZvqE5UtB9N +YXR0IENhc3dlbGwgPG1hdHRAb3BlbnNzbC5vcmc+iQE4BBMBAgAiBQJT3r68AhsD +BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkaA9B/9ZRCV36+uq +3b7JMjotM1NAEb1Fx425pmJGexE5HV4e1Wv045/NU96cJq9xeCHCxjSw8+BIOu8W +6v0/K67BDzseZ1f5kZ1E/e1JrELi50dsCxm0QbtuBSjO6F9ykL4CHSVncRxybI6R +glYhNZiBQEQM5Tfuqd7T250MwDY0cu4vz2FP54hnalXDIXJ2Ql+Re2B+sOrdGZmB +95tUHkRJ1qn8bu3sh7CL3mzICkyP2zBvGeypS2YWvR8KxV0ADyEk+rH3NW5SifSD +VAzPYiug0f7pZMO3tIZhy6o1qmLOT88l3qDZ7D1ybevcIgA2Ko+CjQyHTadUaBfa +n29ZxPgzOq4GuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg +icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM +k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6 +2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex +F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ +P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC 
+AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v +Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb +SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x +dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL +HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2 +8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g== +=Q8X3 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/openssl.spec b/openssl.spec index 22d2f09..8dcd281 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ Provides: ssl %ifarch ppc64 Obsoletes: openssl-64bit %endif -Version: 1.0.1h +Version: 1.0.1i Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -42,7 +42,7 @@ Source43: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295 # to get mtime of file: Source1: openssl.changes Source2: baselibs.conf -Source10: README.SuSE +Source10: README.SUSE Source11: README-FIPS.txt Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff @@ -467,7 +467,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %files -f filelist %defattr(-, root, root) %doc CHANGE* INSTAL* AVAILABLE_CIPHERS -%doc LICENSE NEWS README README.SuSE README-FIPS.txt +%doc LICENSE NEWS README README.SUSE README-FIPS.txt %dir %{ssletcdir} %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private
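Review bot: The key block appended to `openssl.keyring` is identified in the changelog only by the 32-bit short ID `0E604491`, and it arrives in the same request as the `openssl-1.0.1i.tar.gz.asc` it is meant to validate. Signature verification then only shows that the tarball matches whoever supplied this key block, and a short ID is too small to pin a key because distinct keys can share one. I would record the full fingerprint in the `openssl.changes` entry, e.g. `Matt Caswell, fingerprint <FULL-40-HEX-FINGERPRINT>`, together with a note on where it was cross-checked independently of this submission. The `Source43` line visible in the spec hunk header also points at a keyserver over plain `http://` with a truncated key ID, so keys re-fetched from the Source URLs deserve the same fingerprint check.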