Accepting request 233553 from Base:System

- Add upstream patches fixing coverity scan issues:
* 0018-fix-coverity-issues-966593-966596.patch
* 0020-Initialize-num-properly.patch
* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
* 0023-evp-prevent-underflow-in-base64-decoding.patch
* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
- Update 0001-libcrypto-Hide-library-private-symbols.patch
  to cover more private symbols, now 98% complete and probably
  not much more can be done to fix the rest of the ill-defined API.
- openssl-fips-hidden.patch new, hides private symbols added by the
  FIPS patches.
- openssl-no-egd.patch disable the EGD (entropy gathering daemon)
  interface, we have no EGD in the distro and obtaining entropy from
  a place other than /dev/*random, the hardware rng or the openSSL
  internal PRNG is an extremely bad & dangerous idea.
- use secure_getenv instead of getenv everywhere. (forwarded request 233217 from elvigia)

OBS-URL: https://build.opensuse.org/request/show/233553
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=117

0001-libcrypto-Hide-library-private-symbols.patch

@@ -37,8 +37,6 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
  crypto/x509v3/pcy_int.h          |  3 +++
  31 files changed, 85 insertions(+), 17 deletions(-)
 
-Index: openssl-1.0.1g/apps/Makefile
-===================================================================
 --- openssl-1.0.1g.orig/apps/Makefile
 +++ openssl-1.0.1g/apps/Makefile
 @@ -20,7 +20,7 @@ EXE_EXT=
@@ -50,8 +48,6 @@ Index: openssl-1.0.1g/apps/Makefile
  
  GENERAL=Makefile makeapps.com install.com
  
-Index: openssl-1.0.1g/crypto/asn1/asn1_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/asn1/asn1_locl.h
 +++ openssl-1.0.1g/crypto/asn1/asn1_locl.h
 @@ -58,6 +58,8 @@
@@ -69,8 +65,6 @@ Index: openssl-1.0.1g/crypto/asn1/asn1_locl.h
  	};
 +
 +#pragma GCC visibility pop
-Index: openssl-1.0.1g/crypto/bn/bn_lcl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/bn/bn_lcl.h
 +++ openssl-1.0.1g/crypto/bn/bn_lcl.h
 @@ -483,6 +483,8 @@ extern "C" {
@@ -91,8 +85,6 @@ Index: openssl-1.0.1g/crypto/bn/bn_lcl.h
  #ifdef  __cplusplus
  }
  #endif
-Index: openssl-1.0.1g/crypto/camellia/cmll_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/camellia/cmll_locl.h
 +++ openssl-1.0.1g/crypto/camellia/cmll_locl.h
 @@ -68,6 +68,8 @@
@@ -110,8 +102,6 @@ Index: openssl-1.0.1g/crypto/camellia/cmll_locl.h
  			     CAMELLIA_KEY *key);
 +#pragma GCC visibility pop
  #endif /* #ifndef HEADER_CAMELLIA_LOCL_H */
-Index: openssl-1.0.1g/crypto/cast/cast_lcl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/cast/cast_lcl.h
 +++ openssl-1.0.1g/crypto/cast/cast_lcl.h
 @@ -217,6 +217,7 @@
@@ -127,8 +117,6 @@ Index: openssl-1.0.1g/crypto/cast/cast_lcl.h
  extern const CAST_LONG CAST_S_table6[256];
  extern const CAST_LONG CAST_S_table7[256];
 +#pragma GCC visibility pop
-Index: openssl-1.0.1g/crypto/cms/cms_lcl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/cms/cms_lcl.h
 +++ openssl-1.0.1g/crypto/cms/cms_lcl.h
 @@ -426,6 +426,8 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerA
@@ -150,8 +138,6 @@ Index: openssl-1.0.1g/crypto/cms/cms_lcl.h
  #ifdef  __cplusplus
  }
  #endif
-Index: openssl-1.0.1g/crypto/des/des_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/des/des_locl.h
 +++ openssl-1.0.1g/crypto/des/des_locl.h
 @@ -421,10 +421,12 @@
@@ -167,8 +153,6 @@ Index: openssl-1.0.1g/crypto/des/des_locl.h
  
  #ifdef OPENSSL_SMALL_FOOTPRINT
  #undef DES_UNROLL
-Index: openssl-1.0.1g/crypto/dsa/dsa_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/dsa/dsa_locl.h
 +++ openssl-1.0.1g/crypto/dsa/dsa_locl.h
 @@ -57,4 +57,4 @@
@@ -177,8 +161,6 @@ Index: openssl-1.0.1g/crypto/dsa/dsa_locl.h
  	unsigned char *seed_out,
 -	int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
 +	int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) __attribute__ ((visibility ("hidden")));
-Index: openssl-1.0.1g/crypto/ec/ec_lcl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/ec/ec_lcl.h
 +++ openssl-1.0.1g/crypto/ec/ec_lcl.h
 @@ -88,6 +88,8 @@
@@ -196,8 +178,6 @@ Index: openssl-1.0.1g/crypto/ec/ec_lcl.h
  #endif
 +
 +#pragma GCC visibility pop
-Index: openssl-1.0.1g/crypto/ecdh/ech_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/ecdh/ech_locl.h
 +++ openssl-1.0.1g/crypto/ecdh/ech_locl.h
 @@ -58,6 +58,8 @@
@@ -216,8 +196,6 @@ Index: openssl-1.0.1g/crypto/ecdh/ech_locl.h
 -
 +#pragma GCC visibility pop
  #endif /* HEADER_ECH_LOCL_H */
-Index: openssl-1.0.1g/crypto/ecdsa/ecs_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/ecdsa/ecs_locl.h
 +++ openssl-1.0.1g/crypto/ecdsa/ecs_locl.h
 @@ -61,6 +61,8 @@
@@ -236,8 +214,6 @@ Index: openssl-1.0.1g/crypto/ecdsa/ecs_locl.h
 +#pragma GCC visibility pop
 +
  #endif /* HEADER_ECS_LOCL_H */
-Index: openssl-1.0.1g/crypto/engine/eng_int.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/engine/eng_int.h
 +++ openssl-1.0.1g/crypto/engine/eng_int.h
 @@ -68,6 +68,8 @@
@@ -256,8 +232,6 @@ Index: openssl-1.0.1g/crypto/engine/eng_int.h
 -
 +#pragma GCC visibility pop
  #endif /* HEADER_ENGINE_INT_H */
-Index: openssl-1.0.1g/crypto/engine/eng_rsax.c
-===================================================================
 --- openssl-1.0.1g.orig/crypto/engine/eng_rsax.c
 +++ openssl-1.0.1g/crypto/engine/eng_rsax.c
 @@ -262,7 +262,7 @@ static int mod_exp_pre_compute_data_512(
@@ -269,8 +243,6 @@ Index: openssl-1.0.1g/crypto/engine/eng_rsax.c
  
  typedef struct st_e_rsax_mod_ctx
  {
-Index: openssl-1.0.1g/crypto/evp/e_aes.c
-===================================================================
 --- openssl-1.0.1g.orig/crypto/evp/e_aes.c
 +++ openssl-1.0.1g/crypto/evp/e_aes.c
 @@ -108,6 +108,8 @@ typedef struct
@@ -318,8 +290,6 @@ Index: openssl-1.0.1g/crypto/evp/e_aes.c
  static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  		   const unsigned char *iv, int enc)
  	{
-Index: openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c
-===================================================================
 --- openssl-1.0.1g.orig/crypto/evp/e_aes_cbc_hmac_sha1.c
 +++ openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c
 @@ -97,6 +97,8 @@ typedef struct
@@ -340,8 +310,6 @@ Index: openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c
  #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
  
  static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
-Index: openssl-1.0.1g/crypto/evp/evp_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/evp/evp_locl.h
 +++ openssl-1.0.1g/crypto/evp/evp_locl.h
 @@ -263,6 +263,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
@@ -362,8 +330,6 @@ Index: openssl-1.0.1g/crypto/evp/evp_locl.h
  #ifdef OPENSSL_FIPS
  
  #ifdef OPENSSL_DOING_MAKEDEPEND
-Index: openssl-1.0.1g/crypto/md4/md4_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/md4/md4_locl.h
 +++ openssl-1.0.1g/crypto/md4/md4_locl.h
 @@ -65,7 +65,7 @@
@@ -375,8 +341,6 @@ Index: openssl-1.0.1g/crypto/md4/md4_locl.h
  
  #define DATA_ORDER_IS_LITTLE_ENDIAN
  
-Index: openssl-1.0.1g/crypto/md5/md5_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/md5/md5_locl.h
 +++ openssl-1.0.1g/crypto/md5/md5_locl.h
 @@ -74,7 +74,7 @@
@@ -388,8 +352,6 @@ Index: openssl-1.0.1g/crypto/md5/md5_locl.h
  
  #define DATA_ORDER_IS_LITTLE_ENDIAN
  
-Index: openssl-1.0.1g/crypto/modes/modes_lcl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/modes/modes_lcl.h
 +++ openssl-1.0.1g/crypto/modes/modes_lcl.h
 @@ -83,6 +83,8 @@ typedef unsigned char u8;
@@ -407,8 +369,6 @@ Index: openssl-1.0.1g/crypto/modes/modes_lcl.h
  };
 -
 +#pragma GCC visibility pop
-Index: openssl-1.0.1g/crypto/o_str.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/o_str.h
 +++ openssl-1.0.1g/crypto/o_str.h
 @@ -61,8 +61,12 @@
@@ -424,8 +384,6 @@ Index: openssl-1.0.1g/crypto/o_str.h
 +#pragma GCC visibility pop
 +
  #endif
-Index: openssl-1.0.1g/crypto/o_time.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/o_time.h
 +++ openssl-1.0.1g/crypto/o_time.h
 @@ -61,7 +61,11 @@
@@ -440,8 +398,6 @@ Index: openssl-1.0.1g/crypto/o_time.h
 +#pragma GCC visibility pop
 +
  #endif
-Index: openssl-1.0.1g/crypto/ripemd/rmd_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/ripemd/rmd_locl.h
 +++ openssl-1.0.1g/crypto/ripemd/rmd_locl.h
 @@ -76,7 +76,7 @@
@@ -453,8 +409,6 @@ Index: openssl-1.0.1g/crypto/ripemd/rmd_locl.h
  
  #define DATA_ORDER_IS_LITTLE_ENDIAN
  
-Index: openssl-1.0.1g/crypto/rsa/rsa_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/rsa/rsa_locl.h
 +++ openssl-1.0.1g/crypto/rsa/rsa_locl.h
 @@ -1,4 +1,4 @@
@@ -463,8 +417,6 @@ Index: openssl-1.0.1g/crypto/rsa/rsa_locl.h
  		const unsigned char *sigbuf, size_t siglen,
 -		RSA *rsa);
 +		RSA *rsa) __attribute__ ((visibility ("hidden")));
-Index: openssl-1.0.1g/crypto/sha/sha256.c
-===================================================================
 --- openssl-1.0.1g.orig/crypto/sha/sha256.c
 +++ openssl-1.0.1g/crypto/sha/sha256.c
 @@ -110,7 +110,7 @@ int SHA224_Final (unsigned char *md, SHA
@@ -476,8 +428,6 @@ Index: openssl-1.0.1g/crypto/sha/sha256.c
  
  #include "md32_common.h"
  
-Index: openssl-1.0.1g/crypto/sha/sha512.c
-===================================================================
 --- openssl-1.0.1g.orig/crypto/sha/sha512.c
 +++ openssl-1.0.1g/crypto/sha/sha512.c
 @@ -94,7 +94,7 @@ fips_md_init(SHA512)
@@ -489,8 +439,6 @@ Index: openssl-1.0.1g/crypto/sha/sha512.c
  
  int SHA512_Final (unsigned char *md, SHA512_CTX *c)
  	{
-Index: openssl-1.0.1g/crypto/sha/sha_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/sha/sha_locl.h
 +++ openssl-1.0.1g/crypto/sha/sha_locl.h
 @@ -108,7 +108,7 @@ static void sha_block_data_order (SHA_CT
@@ -502,8 +450,6 @@ Index: openssl-1.0.1g/crypto/sha/sha_locl.h
  
  #else
  # error "Either SHA_0 or SHA_1 must be defined."
-Index: openssl-1.0.1g/crypto/store/str_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/store/str_locl.h
 +++ openssl-1.0.1g/crypto/store/str_locl.h
 @@ -62,6 +62,8 @@
@@ -522,8 +468,6 @@ Index: openssl-1.0.1g/crypto/store/str_locl.h
 -
 +#pragma GCC visibility pop
  #endif
-Index: openssl-1.0.1g/crypto/ui/ui_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/ui/ui_locl.h
 +++ openssl-1.0.1g/crypto/ui/ui_locl.h
 @@ -66,6 +66,8 @@
@@ -542,8 +486,6 @@ Index: openssl-1.0.1g/crypto/ui/ui_locl.h
 -
 +#pragma GCC visibility pop
  #endif
-Index: openssl-1.0.1g/crypto/whrlpool/wp_locl.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/whrlpool/wp_locl.h
 +++ openssl-1.0.1g/crypto/whrlpool/wp_locl.h
 @@ -1,3 +1,3 @@
@@ -551,8 +493,6 @@ Index: openssl-1.0.1g/crypto/whrlpool/wp_locl.h
  
 -void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t);
 +void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t) __attribute__ ((visibility ("hidden")));
-Index: openssl-1.0.1g/crypto/x509v3/ext_dat.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/x509v3/ext_dat.h
 +++ openssl-1.0.1g/crypto/x509v3/ext_dat.h
 @@ -57,6 +57,8 @@
@@ -572,8 +512,6 @@ Index: openssl-1.0.1g/crypto/x509v3/ext_dat.h
  /* Number of standard extensions */
  
  #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
-Index: openssl-1.0.1g/crypto/x509v3/pcy_int.h
-===================================================================
 --- openssl-1.0.1g.orig/crypto/x509v3/pcy_int.h
 +++ openssl-1.0.1g/crypto/x509v3/pcy_int.h
 @@ -56,6 +56,7 @@
@@ -590,10 +528,19 @@ Index: openssl-1.0.1g/crypto/x509v3/pcy_int.h
  const X509_POLICY_CACHE *policy_cache_set(X509 *x);
 +
 +#pragma GCC visibility pop
-Index: openssl-1.0.1g/crypto/modes/gcm128.c
-===================================================================
 --- openssl-1.0.1g.orig/crypto/modes/gcm128.c
 +++ openssl-1.0.1g/crypto/modes/gcm128.c
+@@ -567,8 +567,8 @@ static void gcm_ghash_4bit(u64 Xi[2],con
+ }
+ #endif
+ #else
+-void gcm_gmult_4bit(u64 Xi[2],const u128 Htable[16]);
+-void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
++void gcm_gmult_4bit(u64 Xi[2],const u128 Htable[16]) __attribute__ ((visibility ("hidden")));
++void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len) __attribute__ ((visibility ("hidden")));
+ #endif
+ 
+ #define GCM_MUL(ctx,Xi)   gcm_gmult_4bit(ctx->Xi.u,ctx->Htable)
 @@ -651,9 +651,9 @@ static void gcm_gmult_1bit(u64 Xi[2],con
  #  define GCM_FUNCREF_4BIT
  extern unsigned int OPENSSL_ia32cap_P[2];
@@ -607,8 +554,6 @@ Index: openssl-1.0.1g/crypto/modes/gcm128.c
  
  #  if	defined(__i386) || defined(__i386__) || defined(_M_IX86)
  #   define GHASH_ASM_X86
-Index: openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c
-===================================================================
 --- openssl-1.0.1g.orig/crypto/evp/e_rc4_hmac_md5.c
 +++ openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c
 @@ -78,7 +78,7 @@ typedef struct
@@ -620,3 +565,207 @@ Index: openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c
  
  #define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data)
  
+--- openssl-1.0.1g.orig/crypto/cmac/cm_ameth.c
++++ openssl-1.0.1g/crypto/cmac/cm_ameth.c
+@@ -73,6 +73,7 @@ static void cmac_key_free(EVP_PKEY *pkey
+ 		CMAC_CTX_free(cmctx);
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = 
+ 	{
+ 	EVP_PKEY_CMAC,
+--- openssl-1.0.1g.orig/crypto/evp/pmeth_lib.c
++++ openssl-1.0.1g/crypto/evp/pmeth_lib.c
+@@ -70,7 +70,7 @@
+ typedef int sk_cmp_fn_type(const char * const *a, const char * const *b);
+ 
+ DECLARE_STACK_OF(EVP_PKEY_METHOD)
+-STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
++static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
+ 
+ extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth;
+ extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth;
+--- openssl-1.0.1g.orig/crypto/cmac/cm_pmeth.c
++++ openssl-1.0.1g/crypto/cmac/cm_pmeth.c
+@@ -188,6 +188,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
+ 	return -2;
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_METHOD cmac_pkey_meth = 
+ 	{
+ 	EVP_PKEY_CMAC,
+--- openssl-1.0.1g.orig/crypto/rand/md_rand.c
++++ openssl-1.0.1g/crypto/rand/md_rand.c
+@@ -164,7 +164,7 @@ static int ssleay_rand_nopseudo_bytes(un
+ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
+ static int ssleay_rand_status(void);
+ 
+-RAND_METHOD rand_ssleay_meth={
++static RAND_METHOD rand_ssleay_meth={
+ 	ssleay_rand_seed,
+ 	ssleay_rand_nopseudo_bytes,
+ 	ssleay_rand_cleanup,
+--- openssl-1.0.1g.orig/crypto/dh/dh_ameth.c
++++ openssl-1.0.1g/crypto/dh/dh_ameth.c
+@@ -466,6 +466,7 @@ int DHparams_print(BIO *bp, const DH *x)
+ 	return do_dh_print(bp, x, 4, NULL, 0);
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = 
+ 	{
+ 	EVP_PKEY_DH,
+--- openssl-1.0.1g.orig/crypto/dh/dh_pmeth.c
++++ openssl-1.0.1g/crypto/dh/dh_pmeth.c
+@@ -217,6 +217,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
+ 	return 1;
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_METHOD dh_pkey_meth = 
+ 	{
+ 	EVP_PKEY_DH,
+--- openssl-1.0.1g.orig/crypto/dsa/dsa_ameth.c
++++ openssl-1.0.1g/crypto/dsa/dsa_ameth.c
+@@ -639,7 +639,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
+ 	}
+ 
+ /* NB these are sorted in pkey_id order, lowest first */
+-
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = 
+ 	{
+ 
+--- openssl-1.0.1g.orig/crypto/dsa/dsa_pmeth.c
++++ openssl-1.0.1g/crypto/dsa/dsa_pmeth.c
+@@ -281,6 +281,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
+ 	return DSA_generate_key(pkey->pkey.dsa);
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_METHOD dsa_pkey_meth = 
+ 	{
+ 	EVP_PKEY_DSA,
+--- openssl-1.0.1g.orig/crypto/ec/ec_ameth.c
++++ openssl-1.0.1g/crypto/ec/ec_ameth.c
+@@ -625,6 +625,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey,
+ 
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = 
+ 	{
+ 	EVP_PKEY_EC,
+--- openssl-1.0.1g.orig/crypto/ec/ec_pmeth.c
++++ openssl-1.0.1g/crypto/ec/ec_pmeth.c
+@@ -304,6 +304,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
+ 	return EC_KEY_generate_key(pkey->pkey.ec);
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_METHOD ec_pkey_meth = 
+ 	{
+ 	EVP_PKEY_EC,
+--- openssl-1.0.1g.orig/crypto/hmac/hm_ameth.c
++++ openssl-1.0.1g/crypto/hmac/hm_ameth.c
+@@ -138,6 +138,7 @@ static int old_hmac_encode(const EVP_PKE
+ 
+ #endif
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = 
+ 	{
+ 	EVP_PKEY_HMAC,
+--- openssl-1.0.1g.orig/crypto/hmac/hm_pmeth.c
++++ openssl-1.0.1g/crypto/hmac/hm_pmeth.c
+@@ -235,6 +235,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
+ 	return -2;
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_METHOD hmac_pkey_meth = 
+ 	{
+ 	EVP_PKEY_HMAC,
+--- openssl-1.0.1g.orig/crypto/rsa/rsa_ameth.c
++++ openssl-1.0.1g/crypto/rsa/rsa_ameth.c
+@@ -657,6 +657,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx
+ 	return 2;
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = 
+ 	{
+ 		{
+--- openssl-1.0.1g.orig/crypto/rsa/rsa_pmeth.c
++++ openssl-1.0.1g/crypto/rsa/rsa_pmeth.c
+@@ -685,6 +685,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
+ 	return ret;
+ 	}
+ 
++__attribute__ ((visibility ("hidden")))
+ const EVP_PKEY_METHOD rsa_pkey_meth = 
+ 	{
+ 	EVP_PKEY_RSA,
+--- openssl-1.0.1g.orig/crypto/objects/obj_xref.c
++++ openssl-1.0.1g/crypto/objects/obj_xref.c
+@@ -60,7 +60,7 @@
+ #include "obj_xref.h"
+ 
+ DECLARE_STACK_OF(nid_triple)
+-STACK_OF(nid_triple) *sig_app, *sigx_app;
++static STACK_OF(nid_triple) *sig_app, *sigx_app;
+ 
+ static int sig_cmp(const nid_triple *a, const nid_triple *b)
+ 	{
+--- openssl-1.0.1g.orig/crypto/pem/pem_lib.c
++++ openssl-1.0.1g/crypto/pem/pem_lib.c
+@@ -80,7 +80,7 @@ const char PEM_version[]="PEM" OPENSSL_V
+ 
+ static int load_iv(char **fromp,unsigned char *to, int num);
+ static int check_pem(const char *nm, const char *name);
+-int pem_check_suffix(const char *pem_str, const char *suffix);
++int pem_check_suffix(const char *pem_str, const char *suffix) __attribute__ ((visibility ("hidden")));
+ 
+ int PEM_def_callback(char *buf, int num, int w, void *key)
+ 	{
+--- openssl-1.0.1g.orig/crypto/asn1/tasn_prn.c
++++ openssl-1.0.1g/crypto/asn1/tasn_prn.c
+@@ -72,7 +72,7 @@
+ 
+ /* ASN1_PCTX routines */
+ 
+-ASN1_PCTX default_pctx = 
++static ASN1_PCTX default_pctx = 
+ 	{
+ 	ASN1_PCTX_FLAGS_SHOW_ABSENT,	/* flags */
+ 	0,	/* nm_flags */
+--- openssl-1.0.1g.orig/crypto/bn/bn_exp.c
++++ openssl-1.0.1g/crypto/bn/bn_exp.c
+@@ -684,11 +684,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
+ 	{
+ 	void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap,
+ 			const void *table,const BN_ULONG *np,
+-			const BN_ULONG *n0,int num,int power);
++			const BN_ULONG *n0,int num,int power) __attribute__ ((visibility ("hidden")));
+ 	void bn_scatter5(const BN_ULONG *inp,size_t num,
+-			void *table,size_t power);
++			void *table,size_t power) __attribute__ ((visibility ("hidden")));
+ 	void bn_gather5(BN_ULONG *out,size_t num,
+-			void *table,size_t power);
++			void *table,size_t power) __attribute__ ((visibility ("hidden")));
+ 
+ 	BN_ULONG *np=mont->N.d, *n0=mont->n0;
+ 
+--- openssl-1.0.1g.orig/crypto/bn/bn_gf2m.c
++++ openssl-1.0.1g/crypto/bn/bn_gf2m.c
+@@ -220,7 +220,7 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r,
+ 	r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0;  /* l1 ^= l0 ^ h0 ^ m0; */
+ 	}
+ #else
+-void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0);
++void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0) __attribute__ ((visibility ("hidden")));
+ #endif 
+ 
+ /* Add polynomials a and b and store result in r; r could be a or b, a and b 

0018-fix-coverity-issues-966593-966596.patch

@@ -0,0 +1,26 @@
+From 7b7b18c57e899201338d91083bc49cc8c5a915fc Mon Sep 17 00:00:00 2001
+From: Tim Hudson <tjh@cryptsoft.com>
+Date: Mon, 5 May 2014 06:41:22 +1000
+Subject: [PATCH 18/23] - fix coverity issues 966593-966596
+
+---
+ crypto/srp/srp_vfy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
+index 4a3d13e..fdca19f 100644
+--- a/crypto/srp/srp_vfy.c
++++ b/crypto/srp/srp_vfy.c
+@@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, const char *src)
+ 		else a[i] = loc - b64table;
+ 		++i;
+ 		}
++	/* if nothing valid to process we have a zero length response */
++	if (i == 0)
++		return 0;
+ 	size = i;
+ 	i = size - 1;
+ 	j = size;
+-- 
+1.8.4.5
+

0020-Initialize-num-properly.patch

@@ -0,0 +1,27 @@
+From a41d5174e27c99d1caefd76a8e927c814ede509e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 6 May 2014 14:07:37 +0100
+Subject: [PATCH 20/23] Initialize num properly.
+
+PR#3289
+PR#3345
+(cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155)
+---
+ crypto/evp/bio_b64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c
+index ac6d441..16863fe 100644
+--- a/crypto/evp/bio_b64.c
++++ b/crypto/evp/bio_b64.c
+@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl)
+ 		else if (ctx->start)
+ 			{
+ 			q=p=(unsigned char *)ctx->tmp;
++			num = 0;
+ 			for (j=0; j<i; j++)
+ 				{
+ 				if (*(q++) != '\n') continue;
+-- 
+1.8.4.5
+

0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch

@@ -0,0 +1,85 @@
+From d8afda60a991791f27cfac79186b1f8a4f4e30a0 Mon Sep 17 00:00:00 2001
+From: Geoff Thorpe <geoff@openssl.org>
+Date: Sun, 4 May 2014 16:19:22 -0400
+Subject: [PATCH 22/23] bignum: allow concurrent BN_MONT_CTX_set_locked()
+
+The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
+noted by Daniel Sands and co at Sandia. This was to handle the case that
+2 or more threads race to lazy-init the same context, but stunted all
+scalability in the case where 2 or more threads are doing unrelated
+things! We favour the latter case by punishing the former. The init work
+gets done by each thread that finds the context to be uninitialised, and
+we then lock the "set" logic after that work is done - the winning
+thread's work gets used, the losing threads throw away what they've done.
+
+Signed-off-by: Geoff Thorpe <geoff@openssl.org>
+---
+ crypto/bn/bn_mont.c | 46 ++++++++++++++++++++++++++--------------------
+ 1 file changed, 26 insertions(+), 20 deletions(-)
+
+diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
+index 427b5cf..ee8532c 100644
+--- a/crypto/bn/bn_mont.c
++++ b/crypto/bn/bn_mont.c
+@@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
+ BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+ 					const BIGNUM *mod, BN_CTX *ctx)
+ 	{
+-	int got_write_lock = 0;
+ 	BN_MONT_CTX *ret;
+ 
+ 	CRYPTO_r_lock(lock);
+-	if (!*pmont)
++	ret = *pmont;
++	CRYPTO_r_unlock(lock);
++	if (ret)
++		return ret;
++
++	/* We don't want to serialise globally while doing our lazy-init math in
++	 * BN_MONT_CTX_set. That punishes threads that are doing independent
++	 * things. Instead, punish the case where more than one thread tries to
++	 * lazy-init the same 'pmont', by having each do the lazy-init math work
++	 * independently and only use the one from the thread that wins the race
++	 * (the losers throw away the work they've done). */
++	ret = BN_MONT_CTX_new();
++	if (!ret)
++		return NULL;
++	if (!BN_MONT_CTX_set(ret, mod, ctx))
+ 		{
+-		CRYPTO_r_unlock(lock);
+-		CRYPTO_w_lock(lock);
+-		got_write_lock = 1;
++		BN_MONT_CTX_free(ret);
++		return NULL;
++		}
+ 
+-		if (!*pmont)
+-			{
+-			ret = BN_MONT_CTX_new();
+-			if (ret && !BN_MONT_CTX_set(ret, mod, ctx))
+-				BN_MONT_CTX_free(ret);
+-			else
+-				*pmont = ret;
+-			}
++	/* The locked compare-and-set, after the local work is done. */
++	CRYPTO_w_lock(lock);
++	if (*pmont)
++		{
++		BN_MONT_CTX_free(ret);
++		ret = *pmont;
+ 		}
+-	
+-	ret = *pmont;
+-	
+-	if (got_write_lock)
+-		CRYPTO_w_unlock(lock);
+ 	else
+-		CRYPTO_r_unlock(lock);
+-		
++		*pmont = ret;
++	CRYPTO_w_unlock(lock);
+ 	return ret;
+ 	}
+-- 
+1.8.4.5
+

0023-evp-prevent-underflow-in-base64-decoding.patch

@@ -0,0 +1,30 @@
+From d0666f289ac013094bbbf547bfbcd616199b7d2d Mon Sep 17 00:00:00 2001
+From: Geoff Thorpe <geoff@openssl.org>
+Date: Sun, 4 May 2014 18:44:14 -0400
+Subject: [PATCH 23/23] evp: prevent underflow in base64 decoding
+
+This patch resolves RT ticket #2608.
+
+Thanks to Robert Dugal for originally spotting this, and to David
+Ramos for noticing that the ball had been dropped.
+
+Signed-off-by: Geoff Thorpe <geoff@openssl.org>
+---
+ crypto/evp/encode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
+index 28546a8..4654bdc 100644
+--- a/crypto/evp/encode.c
++++ b/crypto/evp/encode.c
+@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
+ 				v=EVP_DecodeBlock(out,d,n);
+ 				n=0;
+ 				if (v < 0) { rv=0; goto end; }
++				if (eof > v) { rv=-1; goto end; }
+ 				ret+=(v-eof);
+ 				}
+ 			else
+-- 
+1.8.4.5
+

0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch

@@ -0,0 +1,63 @@
+From c6a47f988c19093e4716d58dbed92938c18e1640 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 7 May 2014 23:21:02 +0100
+Subject: [PATCH 24/25] Fixed NULL pointer dereference in PKCS7_dataDecode
+ reported by David Ramos in PR#3339
+
+---
+ crypto/pkcs7/pk7_doit.c | 5 +++++
+ crypto/pkcs7/pkcs7.h    | 1 +
+ crypto/pkcs7/pkcs7err.c | 3 ++-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index 4c12a9d..d91aa11 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
+ 		{
+ 	case NID_pkcs7_signed:
+ 		data_body=PKCS7_get_octet_string(p7->d.sign->contents);
++		if (!PKCS7_is_detached(p7) && data_body == NULL)
++			{
++			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE);
++			goto err;
++			}
+ 		md_sk=p7->d.sign->md_algs;
+ 		break;
+ 	case NID_pkcs7_signedAndEnveloped:
+diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h
+index e4d4431..04f6037 100644
+--- a/crypto/pkcs7/pkcs7.h
++++ b/crypto/pkcs7/pkcs7.h
+@@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void);
+ #define PKCS7_R_ERROR_SETTING_CIPHER			 121
+ #define PKCS7_R_INVALID_MIME_TYPE			 131
+ #define PKCS7_R_INVALID_NULL_POINTER			 143
++#define PKCS7_R_INVALID_SIGNED_DATA_TYPE		 155
+ #define PKCS7_R_MIME_NO_CONTENT_TYPE			 132
+ #define PKCS7_R_MIME_PARSE_ERROR			 133
+ #define PKCS7_R_MIME_SIG_PARSE_ERROR			 134
+diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c
+index d0af32a..f3db08e 100644
+--- a/crypto/pkcs7/pkcs7err.c
++++ b/crypto/pkcs7/pkcs7err.c
+@@ -1,6 +1,6 @@
+ /* crypto/pkcs7/pkcs7err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
++ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[]=
+ {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
+ {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE)   ,"invalid mime type"},
+ {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
++{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"},
+ {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
+ {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR)    ,"mime parse error"},
+ {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},
+-- 
+1.8.4.5
+

0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch

@@ -0,0 +1,49 @@
+From 6a60b414318ec4315ee016c3e15777c448603115 Mon Sep 17 00:00:00 2001
+From: Tim Hudson <tjh@cryptsoft.com>
+Date: Mon, 5 May 2014 08:22:42 +1000
+Subject: [PATCH 25/25] fix coverity issue 966597 - error line is not always
+ initialised
+
+---
+ ssl/ssl_asn1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
+index 38540be..4775003 100644
+--- a/ssl/ssl_asn1.c
++++ b/ssl/ssl_asn1.c
+@@ -408,6 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
+ 		if (os.length != 3)
+ 			{
+ 			c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
++			c.line=__LINE__;
+ 			goto err;
+ 			}
+ 		id=0x02000000L|
+@@ -420,6 +421,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
+ 		if (os.length != 2)
+ 			{
+ 			c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
++			c.line=__LINE__;
+ 			goto err;
+ 			}
+ 		id=0x03000000L|
+@@ -429,6 +431,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
+ 	else
+ 		{
+ 		c.error=SSL_R_UNKNOWN_SSL_VERSION;
++		c.line=__LINE__;
+ 		goto err;
+ 		}
+ 	
+@@ -521,6 +524,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
+ 	    if (os.length > SSL_MAX_SID_CTX_LENGTH)
+ 		{
+ 		c.error=SSL_R_BAD_LENGTH;
++		c.line=__LINE__;
+ 		goto err;
+ 		}
+ 	    else
+-- 
+1.8.4.5
+

openssl-fips-hidden.patch

@@ -0,0 +1,28 @@
+--- openssl-1.0.1g.orig/crypto/fips/fips_rand_lcl.h
++++ openssl-1.0.1g/crypto/fips/fips_rand_lcl.h
+@@ -51,6 +51,8 @@
+  * ====================================================================
+  */
+ 
++#pragma GCC visibility push(hidden)
++
+ typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
+ typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
+ typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
+@@ -217,3 +219,5 @@ const struct evp_cipher_st *FIPS_get_cip
+ #define FIPS_digestupdate EVP_DigestUpdate
+ #define FIPS_digestfinal EVP_DigestFinal
+ #define M_EVP_MD_size EVP_MD_size
++
++#pragma GCC visibility pop
+--- openssl-1.0.1g.orig/crypto/fips/fips_rsa_x931g.c
++++ openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c
+@@ -65,7 +65,7 @@
+ #ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
+ 
+-extern int fips_check_rsa(RSA *rsa);
++extern int fips_check_rsa(RSA *rsa) __attribute__ ((visibility ("hidden")));
+ #endif
+ 
+ /* X9.31 RSA key derivation and generation */

openssl-no-egd.patch

@@ -0,0 +1,11 @@
+--- openssl-1.0.1g.orig/crypto/rand/rand_egd.c
++++ openssl-1.0.1g/crypto/rand/rand_egd.c
+@@ -95,7 +95,7 @@
+  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
+  */
+ 
+-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS)
++#if defined(__linux__) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS)
+ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
+ 	{
+ 	return(-1);

openssl.changes

@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Fri May  9 04:42:46 UTC 2014 - crrodriguez@opensuse.org
+
+- Add upstream patches fixing coverity scan issues:
+* 0018-fix-coverity-issues-966593-966596.patch
+* 0020-Initialize-num-properly.patch
+* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
+* 0023-evp-prevent-underflow-in-base64-decoding.patch
+* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
+* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
+
+- Update 0001-libcrypto-Hide-library-private-symbols.patch
+  to cover more private symbols, now 98% complete and probably
+  not much more can be done to fix the rest of the ill-defined API.
+
+- openssl-fips-hidden.patch new, hides private symbols added by the
+  FIPS patches.
+
+- openssl-no-egd.patch disable the EGD (entropy gathering daemon)
+  interface, we have no EGD in the distro and obtaining entropy from
+  a place other than /dev/*random, the hardware rng or the openSSL
+  internal PRNG is an extremely bad & dangerous idea.
+
+- use secure_getenv instead of getenv everywhere.
+
 -------------------------------------------------------------------
 Mon May  5 16:25:17 UTC 2014 - crrodriguez@opensuse.org
 

openssl.spec

@@ -72,6 +72,14 @@ Patch23:        0009-Fix-double-frees.patch
 Patch24:        0012-Fix-eckey_priv_encode.patch
 Patch25:        0017-Double-free-in-i2o_ECPublicKey.patch
 Patch26:        0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+Patch27:        0018-fix-coverity-issues-966593-966596.patch
+Patch28:        0020-Initialize-num-properly.patch
+Patch29:        0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
+Patch30:        0023-evp-prevent-underflow-in-base64-decoding.patch
+Patch31:        0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
+Patch32:        0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
+Patch33:        openssl-no-egd.patch
+Patch34:        openssl-fips-hidden.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -185,6 +193,14 @@ this package's base documentation.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
 cp -p %{S:10} .
 cp -p %{S:11} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -222,6 +238,11 @@ CHANGES=`stat --format="%y" %SOURCE1`
 sed -i -e "s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES|" crypto/Makefile
 
 %build
+
+%if 0%{suse_version} >= 1230
+find -type f -name "*.c" -exec sed -i -e "s@getenv@secure_getenv@g" {} +
+%endif
+
 %ifarch armv5el armv5tel
 export MACHINE=armv5el
 %endif
@@ -236,7 +257,7 @@ fips \
 no-ssl2 \
 enable-rfc3779 \
 %endif
-%ifarch x86_64 
+%ifarch x86_64 aarch64 ppc64le
 enable-ec_nistp_64_gcc_128 \
 %endif
 enable-camellia \