summaryrefslogtreecommitdiff
path: root/openssl0.9.8/patches
diff options
context:
space:
mode:
Diffstat (limited to 'openssl0.9.8/patches')
-rw-r--r--openssl0.9.8/patches/15-pkcs11_engine-0.9.8a.patch131
-rw-r--r--openssl0.9.8/patches/28-enginesdir.patch59
-rw-r--r--openssl0.9.8/patches/29-devcrypto_engine.patch52
-rw-r--r--openssl0.9.8/patches/CVE-2010-2939.patch12
-rw-r--r--openssl0.9.8/patches/CVE-2010-3864.patch45
-rw-r--r--openssl0.9.8/patches/CVE-2010-4180.patch63
-rw-r--r--openssl0.9.8/patches/CVE-2011-0014.patch27
-rw-r--r--openssl0.9.8/patches/CVE-2011-1945.patch23
-rw-r--r--openssl0.9.8/patches/CVE-2011-4109.patch60
-rw-r--r--openssl0.9.8/patches/CVE-2011-4576.patch14
-rw-r--r--openssl0.9.8/patches/CVE-2011-4619.patch104
-rw-r--r--openssl0.9.8/patches/CVE-2012-1165.patch22
-rw-r--r--openssl0.9.8/patches/CVE-2012-2131.patch28
-rw-r--r--openssl0.9.8/patches/CVE-2012-2333.patch13
-rw-r--r--openssl0.9.8/patches/block_diginotar.patch59
-rw-r--r--openssl0.9.8/patches/ca.patch20
-rw-r--r--openssl0.9.8/patches/debian-targets.patch56
-rw-r--r--openssl0.9.8/patches/dtls-fragment-alert.patch33
-rw-r--r--openssl0.9.8/patches/kfreebsd-pipe.patch13
-rw-r--r--openssl0.9.8/patches/make-targets.patch13
-rw-r--r--openssl0.9.8/patches/man-dir.patch13
-rw-r--r--openssl0.9.8/patches/man-section.patch32
-rw-r--r--openssl0.9.8/patches/no-rpath.patch13
-rw-r--r--openssl0.9.8/patches/no-symbolic.patch13
-rw-r--r--openssl0.9.8/patches/perl-path.diff760
-rw-r--r--openssl0.9.8/patches/pic.patch301
-rw-r--r--openssl0.9.8/patches/pkg-config.patch34
-rw-r--r--openssl0.9.8/patches/rc4-amd64.patch14
-rw-r--r--openssl0.9.8/patches/rehash-crt.patch33
-rw-r--r--openssl0.9.8/patches/rehash_pod.patch60
-rw-r--r--openssl0.9.8/patches/shared-lib-ext.patch14
-rw-r--r--openssl0.9.8/patches/stddef.patch12
-rw-r--r--openssl0.9.8/patches/valgrind.patch15
33 files changed, 2161 insertions, 0 deletions
diff --git a/openssl0.9.8/patches/15-pkcs11_engine-0.9.8a.patch b/openssl0.9.8/patches/15-pkcs11_engine-0.9.8a.patch
new file mode 100644
index 0000000..59e11fe
--- /dev/null
+++ b/openssl0.9.8/patches/15-pkcs11_engine-0.9.8a.patch
@@ -0,0 +1,131 @@
+diff -ruN ../a/openssl-0.9.8o/Configure openssl-0.9.8o/Configure
+--- ../a/openssl-0.9.8o/Configure 2010-05-20 10:36:23.000000000 -0700
++++ openssl-0.9.8o/Configure 2010-09-22 18:32:18.922795700 -0700
+@@ -12,7 +12,7 @@
+
+ # see INSTALL for instructions.
+
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
++my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+
+ # Options:
+ #
+@@ -21,6 +21,9 @@
+ # --prefix prefix for the OpenSSL include, lib and bin directories
+ # (Default: the OPENSSLDIR directory)
+ #
++# --pk11-libname PKCS#11 library name.
++# (Default: none)
++#
+ # --install_prefix Additional prefix for package builders (empty by
+ # default). This needn't be set in advance, you can
+ # just as well use "make INSTALL_PREFIX=/whatever install".
+@@ -587,6 +590,9 @@
+ my $idx_ranlib = $idx++;
+ my $idx_arflags = $idx++;
+
++# PKCS#11 engine patch
++my $pk11_libname="";
++
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
+@@ -825,6 +831,10 @@
+ {
+ $flags.=$_." ";
+ }
++ elsif (/^--pk11-libname=(.*)$/)
++ {
++ $pk11_libname=$1;
++ }
+ elsif (/^--prefix=(.*)$/)
+ {
+ $prefix=$1;
+@@ -960,6 +970,13 @@
+ exit 0;
+ }
+
++if (! $pk11_libname)
++ {
++ print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
++ print STDERR "See README.pkcs11 for more information.\n";
++ exit 1;
++ }
++
+ if ($target =~ m/^CygWin32(-.*)$/) {
+ $target = "Cygwin".$1;
+ }
+@@ -1126,6 +1143,8 @@
+ if ($flags ne "") { $cflags="$flags$cflags"; }
+ else { $no_user_cflags=1; }
+
++$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
++
+ # Kerberos settings. The flavor must be provided from outside, either through
+ # the script "config" or manually.
+ if (!$no_krb5)
+@@ -1489,6 +1508,7 @@
+ s/^VERSION=.*/VERSION=$version/;
+ s/^MAJOR=.*/MAJOR=$major/;
+ s/^MINOR=.*/MINOR=$minor/;
++ s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
+ s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
+ s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
+ s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
+diff -ruN ../a/openssl-0.9.8o/Makefile.org openssl-0.9.8o/Makefile.org
+--- ../a/openssl-0.9.8o/Makefile.org 2010-01-27 08:06:36.000000000 -0800
++++ openssl-0.9.8o/Makefile.org 2010-09-22 18:32:19.152576100 -0700
+@@ -26,6 +26,9 @@
+ INSTALL_PREFIX=
+ INSTALLTOP=/usr/local/ssl
+
++# You must set this through --pk11-libname configure option.
++PK11_LIB_LOCATION=
++
+ # Do not edit this manually. Use Configure --openssldir=DIR do change this!
+ OPENSSLDIR=/usr/local/ssl
+
+diff -ruN ../a/openssl-0.9.8o/crypto/engine/Makefile openssl-0.9.8o/crypto/engine/Makefile
+--- ../a/openssl-0.9.8o/crypto/engine/Makefile 2009-09-27 07:04:32.000000000 -0700
++++ openssl-0.9.8o/crypto/engine/Makefile 2010-09-22 18:32:19.109972600 -0700
+@@ -21,12 +21,14 @@
+ eng_table.c eng_pkey.c eng_fat.c eng_all.c \
+ tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
+ tb_cipher.c tb_digest.c \
+- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
++ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
++ hw_pk11.c hw_pk11_pub.c hw_pk11_uri.c
+ LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
+ eng_table.o eng_pkey.o eng_fat.o eng_all.o \
+ tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
+ tb_cipher.o tb_digest.o \
+- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
++ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
++ hw_pk11.o hw_pk11_pub.o hw_pk11_uri.o
+
+ SRC= $(LIBSRC)
+
+diff -ruN ../a/openssl-0.9.8o/crypto/engine/eng_all.c openssl-0.9.8o/crypto/engine/eng_all.c
+--- ../a/openssl-0.9.8o/crypto/engine/eng_all.c 2010-02-28 16:30:11.000000000 -0800
++++ openssl-0.9.8o/crypto/engine/eng_all.c 2010-09-22 18:33:15.326949000 -0700
+@@ -72,6 +72,9 @@
+ ENGINE_load_padlock();
+ #endif
+ ENGINE_load_dynamic();
++#ifndef OPENSSL_NO_HW_PKCS11
++ ENGINE_load_pk11();
++#endif
+ #ifndef OPENSSL_NO_STATIC_ENGINE
+ #ifndef OPENSSL_NO_HW
+ #ifndef OPENSSL_NO_HW_4758_CCA
+diff -ruN ../a/openssl-0.9.8o/crypto/engine/engine.h openssl-0.9.8o/crypto/engine/engine.h
+--- ../a/openssl-0.9.8o/crypto/engine/engine.h 2010-02-09 06:18:15.000000000 -0800
++++ openssl-0.9.8o/crypto/engine/engine.h 2010-09-22 18:32:19.063758100 -0700
+@@ -337,6 +337,7 @@
+ void ENGINE_load_ubsec(void);
+ #endif
+ void ENGINE_load_cryptodev(void);
++void ENGINE_load_pk11(void);
+ void ENGINE_load_padlock(void);
+ void ENGINE_load_builtin_engines(void);
+ #ifdef OPENSSL_SYS_WIN32
diff --git a/openssl0.9.8/patches/28-enginesdir.patch b/openssl0.9.8/patches/28-enginesdir.patch
new file mode 100644
index 0000000..10a07aa
--- /dev/null
+++ b/openssl0.9.8/patches/28-enginesdir.patch
@@ -0,0 +1,59 @@
+--- openssl-0.9.8n/Configure 2010-04-19 17:45:39.421625300 -0700
++++ openssl-0.9.8n/Configure.new 2010-06-18 15:18:52.437417100 -0700
+@@ -20,6 +20,8 @@
+ # --prefix option is given; /usr/local/ssl otherwise)
+ # --prefix prefix for the OpenSSL include, lib and bin directories
+ # (Default: the OPENSSLDIR directory)
++# --enginesdir engines shared library location
++# (Default: $prefix/lib/engines)
+ #
+ # --pk11-libname PKCS#11 library name.
+ # (Default: none)
+@@ -607,6 +609,7 @@
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -858,6 +861,10 @@
+ {
+ $openssldir=$1;
+ }
++ elsif (/^--enginesdir=(.*)$/)
++ {
++ $enginesdir=$1;
++ }
+ elsif (/^--install.prefix=(.*)$/)
+ {
+ $install_prefix=$1;
+@@ -1125,8 +1132,16 @@
+ }
+ $prefix=$openssldir if $prefix eq "";
+
++if ($enginesdir eq "")
++ {
++ $enginesdir = "$prefix/lib/engines";
++ }
++
+ $libdir="lib" if $libdir eq "";
+
++
++
++
+ $default_ranlib= &which("ranlib") or $default_ranlib="true";
+ $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
+ or $perl="perl";
+@@ -1724,10 +1739,7 @@
+ }
+ elsif (/^#define\s+ENGINESDIR/)
+ {
+- # $foo is to become "$prefix/lib$multilib/engines";
+- # as Makefile.org and engines/Makefile are adapted for
+- # $multilib suffix.
+- my $foo = "$prefix/lib/engines";
++ my $foo = $enginesdir;
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
diff --git a/openssl0.9.8/patches/29-devcrypto_engine.patch b/openssl0.9.8/patches/29-devcrypto_engine.patch
new file mode 100644
index 0000000..57efc17
--- /dev/null
+++ b/openssl0.9.8/patches/29-devcrypto_engine.patch
@@ -0,0 +1,52 @@
+diff -ruN ../a/openssl-0.9.8o/engines/Makefile openssl-0.9.8o/engines/Makefile
+--- ../a/openssl-0.9.8o/engines/Makefile 2009-11-09 17:53:02.000000000 -0800
++++ openssl-0.9.8o/engines/Makefile 2010-07-23 17:36:14.456537100 -0700
+@@ -20,7 +20,8 @@
+ APPS=
+
+ LIB=$(TOP)/libcrypto.a
+-LIBNAMES= 4758cca aep atalla cswift gmp chil nuron sureware ubsec capi
++LIBNAMES= 4758cca aep atalla cswift gmp chil nuron sureware ubsec capi \
++ devcrypto
+
+ LIBSRC= e_4758cca.c \
+ e_aep.c \
+@@ -31,7 +32,8 @@
+ e_nuron.c \
+ e_sureware.c \
+ e_ubsec.c \
+- e_capi.c
++ e_capi.c \
++ e_devcrypto.c
+ LIBOBJ= e_4758cca.o \
+ e_aep.o \
+ e_atalla.o \
+@@ -41,7 +43,8 @@
+ e_nuron.o \
+ e_sureware.o \
+ e_ubsec.o \
+- e_capi.o
++ e_capi.o \
++ e_devcrypto.o
+
+ SRC= $(LIBSRC)
+
+@@ -55,7 +58,8 @@
+ e_nuron_err.c e_nuron_err.h \
+ e_sureware_err.c e_sureware_err.h \
+ e_ubsec_err.c e_ubsec_err.h \
+- e_capi_err.c e_capi_err.h
++ e_capi_err.c e_capi_err.h \
++ e_devcrypto_err.c e_devcrypto_err.h
+
+ ALL= $(GENERAL) $(SRC) $(HEADER)
+
+@@ -70,7 +74,7 @@
+ for l in $(LIBNAMES); do \
+ $(MAKE) -f ../Makefile.shared -e \
+ LIBNAME=$$l LIBEXTRAS=e_$$l.o \
+- LIBDEPS='-L.. -lcrypto $(EX_LIBS)' \
++ LIBDEPS='-L.. -lcrypto -lcryptoutil $(EX_LIBS)' \
+ link_o.$(SHLIB_TARGET); \
+ done; \
+ else \
diff --git a/openssl0.9.8/patches/CVE-2010-2939.patch b/openssl0.9.8/patches/CVE-2010-2939.patch
new file mode 100644
index 0000000..2307326
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2010-2939.patch
@@ -0,0 +1,12 @@
+Index: openssl-0.9.8o/ssl/s3_clnt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_clnt.c 2010-01-26 19:40:36.000000000 +0000
++++ openssl-0.9.8o/ssl/s3_clnt.c 2010-08-26 16:45:11.000000000 +0000
+@@ -1377,6 +1377,7 @@
+ s->session->sess_cert->peer_ecdh_tmp=ecdh;
+ ecdh=NULL;
+ BN_CTX_free(bn_ctx);
++ bn_ctx = NULL;
+ EC_POINT_free(srvr_ecpoint);
+ srvr_ecpoint = NULL;
+ }
diff --git a/openssl0.9.8/patches/CVE-2010-3864.patch b/openssl0.9.8/patches/CVE-2010-3864.patch
new file mode 100644
index 0000000..c2b2f7b
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2010-3864.patch
@@ -0,0 +1,45 @@
+Index: ssl/t1_lib.c
+===================================================================
+RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
+retrieving revision 1.13.2.27
+diff -u -r1.13.2.27 t1_lib.c
+--- openssl/ssl/t1_lib.c 12 Jun 2010 13:18:58 -0000 1.13.2.27
++++ openssl/ssl/t1_lib.c 3 Nov 2010 23:44:54 -0000
+@@ -432,14 +432,23 @@
+ switch (servname_type)
+ {
+ case TLSEXT_NAMETYPE_host_name:
+- if (s->session->tlsext_hostname == NULL)
++ if (!s->hit)
+ {
+- if (len > TLSEXT_MAXLEN_host_name ||
+- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
++ if(s->session->tlsext_hostname)
++ {
++ *al = SSL_AD_DECODE_ERROR;
++ return 0;
++ }
++ if (len > TLSEXT_MAXLEN_host_name)
+ {
+ *al = TLS1_AD_UNRECOGNIZED_NAME;
+ return 0;
+ }
++ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
++ {
++ *al = TLS1_AD_INTERNAL_ERROR;
++ return 0;
++ }
+ memcpy(s->session->tlsext_hostname, sdata, len);
+ s->session->tlsext_hostname[len]='\0';
+ if (strlen(s->session->tlsext_hostname) != len) {
+@@ -452,7 +461,8 @@
+
+ }
+ else
+- s->servername_done = strlen(s->session->tlsext_hostname) == len
++ s->servername_done = s->session->tlsext_hostname
++ && strlen(s->session->tlsext_hostname) == len
+ && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
+
+ break;
+
diff --git a/openssl0.9.8/patches/CVE-2010-4180.patch b/openssl0.9.8/patches/CVE-2010-4180.patch
new file mode 100644
index 0000000..019a780
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2010-4180.patch
@@ -0,0 +1,63 @@
+diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
+index 06025d1..a703ce0 100644
+--- a/doc/ssl/SSL_CTX_set_options.pod
++++ b/doc/ssl/SSL_CTX_set_options.pod
+@@ -78,18 +78,7 @@ this breaks this server so 16 bytes is the way to go.
+
+ =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+
+-ssl3.netscape.com:443, first a connection is established with RC4-MD5.
+-If it is then resumed, we end up using DES-CBC3-SHA. It should be
+-RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
+-
+-Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
+-It only really shows up when connecting via SSLv2/v3 then reconnecting
+-via SSLv3. The cipher list changes....
+-
+-NEW INFORMATION. Try connecting with a cipher list of just
+-DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses
+-RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when
+-doing a re-connect, always takes the first cipher in the cipher list.
++As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
+
+ =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index f0995b9..a7cb7a1 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -814,8 +814,11 @@ int ssl3_get_server_hello(SSL *s)
+ s->session->cipher_id = s->session->cipher->id;
+ if (s->hit && (s->session->cipher_id != c->id))
+ {
++/* Workaround is now obsolete */
++#if 0
+ if (!(s->options &
+ SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
++#endif
+ {
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index e696450..e2d570f 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -927,6 +927,10 @@ int ssl3_get_client_hello(SSL *s)
+ break;
+ }
+ }
++/* Disabled because it can be used in a ciphersuite downgrade
++ * attack: CVE-2010-4180.
++ */
++#if 0
+ if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
+ {
+ /* Special case as client bug workaround: the previously used cipher may
+@@ -941,6 +945,7 @@ int ssl3_get_client_hello(SSL *s)
+ j = 1;
+ }
+ }
++#endif
+ if (j == 0)
+ {
+ /* we need to have the cipher in the cipher
diff --git a/openssl0.9.8/patches/CVE-2011-0014.patch b/openssl0.9.8/patches/CVE-2011-0014.patch
new file mode 100644
index 0000000..65c8e4b
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2011-0014.patch
@@ -0,0 +1,27 @@
+--- a/ssl/t1_lib.c 25 Nov 2010 12:28:28 -0000 1.64.2.17
++++ b/ssl/t1_lib.c 8 Feb 2011 00:00:00 -0000
+@@ -917,6 +917,7 @@
+ }
+ n2s(data, idsize);
+ dsize -= 2 + idsize;
++ size -= 2 + idsize;
+ if (dsize < 0)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+@@ -955,9 +956,14 @@
+ }
+
+ /* Read in request_extensions */
++ if (size < 2)
++ {
++ *al = SSL_AD_DECODE_ERROR;
++ return 0;
++ }
+ n2s(data,dsize);
+ size -= 2;
+- if (dsize > size)
++ if (dsize != size)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+
diff --git a/openssl0.9.8/patches/CVE-2011-1945.patch b/openssl0.9.8/patches/CVE-2011-1945.patch
new file mode 100644
index 0000000..c15dc80
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2011-1945.patch
@@ -0,0 +1,23 @@
+Description: Fix CVE-2011-1945, timing attacks against ECDHE_ECDSA makes
+ it easier to determine private keys.
+Origin: http://cvs.openssl.org/chngview?cn=20892
+
+Index: openssl-0.9.8o/crypto/ecdsa/ecs_ossl.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/ecdsa/ecs_ossl.c
++++ openssl-0.9.8o/crypto/ecdsa/ecs_ossl.c
+@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *ecke
+ }
+ while (BN_is_zero(k));
+
++ /* We do not want timing information to leak the length of k,
++ * so we compute G*k using an equivalent scalar of fixed
++ * bit-length. */
++
++ if (!BN_add(k, k, order)) goto err;
++ if (BN_num_bits(k) <= BN_num_bits(order))
++ if (!BN_add(k, k, order)) goto err;
++
+ /* compute r the x-coordinate of generator * k */
+ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
+ {
diff --git a/openssl0.9.8/patches/CVE-2011-4109.patch b/openssl0.9.8/patches/CVE-2011-4109.patch
new file mode 100644
index 0000000..b602938
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2011-4109.patch
@@ -0,0 +1,60 @@
+diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c
+index f28796e..acd2ede 100644
+--- a/crypto/x509v3/pcy_map.c
++++ b/crypto/x509v3/pcy_map.c
+@@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF * const *a,
+
+ static void policy_map_free(X509_POLICY_REF *map)
+ {
+- if (map->subjectDomainPolicy)
+- ASN1_OBJECT_free(map->subjectDomainPolicy);
+ OPENSSL_free(map);
+ }
+
+@@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+ {
+ POLICY_MAPPING *map;
+ X509_POLICY_REF *ref = NULL;
++ ASN1_OBJECT *subjectDomainPolicyRef;
+ X509_POLICY_DATA *data;
+ X509_POLICY_CACHE *cache = x->policy_cache;
+ int i;
+@@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+ if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
+ map->subjectDomainPolicy))
+ goto bad_mapping;
++ /* map->subjectDomainPolicy will be freed when
++ * cache->data is freed. Set it to NULL to avoid double-free. */
++ subjectDomainPolicyRef = map->subjectDomainPolicy;
++ map->subjectDomainPolicy = NULL;
+
+ ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
+ if (!ref)
+ goto bad_mapping;
+
+- ref->subjectDomainPolicy = map->subjectDomainPolicy;
+- map->subjectDomainPolicy = NULL;
++ ref->subjectDomainPolicy = subjectDomainPolicyRef;
+ ref->data = data;
+
+ if (!sk_X509_POLICY_REF_push(cache->maps, ref))
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 89f84bf..92ad0a2 100644
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -612,6 +612,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+ case 2:
+ return 1;
+
++ /* Some internal error */
++ case -1:
++ return -1;
++
+ /* Some internal error */
+ case 0:
+ return 0;
+@@ -691,4 +695,3 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+ return 0;
+
+ }
+-
diff --git a/openssl0.9.8/patches/CVE-2011-4576.patch b/openssl0.9.8/patches/CVE-2011-4576.patch
new file mode 100644
index 0000000..7e65fda
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2011-4576.patch
@@ -0,0 +1,14 @@
+diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
+index 1539a4c..759231d 100644
+--- a/ssl/s3_enc.c
++++ b/ssl/s3_enc.c
+@@ -479,6 +479,9 @@ int ssl3_enc(SSL *s, int send)
+
+ /* we need to add 'i-1' padding bytes */
+ l+=i;
++ /* the last of these zero bytes will be overwritten
++ * with the padding length. */
++ memset(&rec->input[rec->length], 0, i);
+ rec->length+=i;
+ rec->input[l-1]=(i-1);
+ }
diff --git a/openssl0.9.8/patches/CVE-2011-4619.patch b/openssl0.9.8/patches/CVE-2011-4619.patch
new file mode 100644
index 0000000..9e51777
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2011-4619.patch
@@ -0,0 +1,104 @@
+Index: openssl-0.9.8o/ssl/s3_srvr.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_srvr.c 2012-03-13 21:44:39.000000000 +0100
++++ openssl-0.9.8o/ssl/s3_srvr.c 2012-03-13 21:44:42.000000000 +0100
+@@ -235,6 +235,7 @@
+ }
+
+ s->init_num=0;
++ s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
+
+ if (s->state != SSL_ST_RENEGOTIATE)
+ {
+@@ -709,6 +710,13 @@
+ s->s3->tmp.reuse_message = 1;
+ if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
+ {
++ /* We only allow the client to restart the handshake once per
++ * negotiation. */
++ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
++ {
++ SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
++ return -1;
++ }
+ /* Throw away what we have done so far in the current handshake,
+ * which will now be aborted. (A full SSL_clear would be too much.) */
+ #ifndef OPENSSL_NO_DH
+@@ -725,6 +733,7 @@
+ s->s3->tmp.ecdh = NULL;
+ }
+ #endif
++ s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
+ return 2;
+ }
+ return 1;
+Index: openssl-0.9.8o/ssl/ssl.h
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl.h 2012-03-13 21:44:39.000000000 +0100
++++ openssl-0.9.8o/ssl/ssl.h 2012-03-13 21:44:42.000000000 +0100
+@@ -1739,6 +1739,7 @@
+ #define SSL_F_SSL3_CALLBACK_CTRL 233
+ #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
+ #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
++#define SSL_F_SSL3_CHECK_CLIENT_HELLO 292
+ #define SSL_F_SSL3_CLIENT_HELLO 131
+ #define SSL_F_SSL3_CONNECT 132
+ #define SSL_F_SSL3_CTRL 213
+@@ -1974,6 +1975,7 @@
+ #define SSL_R_MISSING_TMP_RSA_KEY 172
+ #define SSL_R_MISSING_TMP_RSA_PKEY 173
+ #define SSL_R_MISSING_VERIFY_MESSAGE 174
++#define SSL_R_MULTIPLE_SGC_RESTARTS 325
+ #define SSL_R_NON_SSLV2_INITIAL_PACKET 175
+ #define SSL_R_NO_CERTIFICATES_RETURNED 176
+ #define SSL_R_NO_CERTIFICATE_ASSIGNED 177
+Index: openssl-0.9.8o/ssl/ssl3.h
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl3.h 2012-03-13 21:44:39.000000000 +0100
++++ openssl-0.9.8o/ssl/ssl3.h 2012-03-13 21:44:42.000000000 +0100
+@@ -333,6 +333,17 @@
+ #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
+ #define SSL3_FLAGS_POP_BUFFER 0x0004
+ #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
++
++/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
++ * restart a handshake because of MS SGC and so prevents us
++ * from restarting the handshake in a loop. It's reset on a
++ * renegotiation, so effectively limits the client to one restart
++ * per negotiation. This limits the possibility of a DDoS
++ * attack where the client handshakes in a loop using SGC to
++ * restart. Servers which permit renegotiation can still be
++ * effected, but we can't prevent that.
++ */
++#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
+
+ typedef struct ssl3_state_st
+ {
+Index: openssl-0.9.8o/ssl/ssl_err.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl_err.c 2012-03-13 21:44:39.000000000 +0100
++++ openssl-0.9.8o/ssl/ssl_err.c 2012-03-13 21:44:42.000000000 +0100
+@@ -1,6 +1,6 @@
+ /* ssl/ssl_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -137,6 +137,7 @@
+ {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
+ {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
+ {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
++{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
+ {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
+ {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
+ {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
+@@ -375,6 +376,7 @@
+ {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
+ {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
+ {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
++{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
+ {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
+ {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
+ {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
diff --git a/openssl0.9.8/patches/CVE-2012-1165.patch b/openssl0.9.8/patches/CVE-2012-1165.patch
new file mode 100644
index 0000000..7abc720
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2012-1165.patch
@@ -0,0 +1,22 @@
+Index: openssl-0.9.8o/crypto/asn1/asn_mime.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/asn1/asn_mime.c 2009-03-08 23:05:34.000000000 +0000
++++ openssl-0.9.8o/crypto/asn1/asn_mime.c 2012-03-17 15:09:03.000000000 +0000
+@@ -790,12 +790,17 @@
+ static int mime_hdr_cmp(const MIME_HEADER * const *a,
+ const MIME_HEADER * const *b)
+ {
++ if (!(*a)->name || !(*b)->name)
++ return !!(*a)->name - !!(*b)->name;
++
+ return(strcmp((*a)->name, (*b)->name));
+ }
+
+ static int mime_param_cmp(const MIME_PARAM * const *a,
+ const MIME_PARAM * const *b)
+ {
++ if (!(*a)->param_name || !(*b)->param_name)
++ return !!(*a)->param_name - !!(*b)->param_name;
+ return(strcmp((*a)->param_name, (*b)->param_name));
+ }
+
diff --git a/openssl0.9.8/patches/CVE-2012-2131.patch b/openssl0.9.8/patches/CVE-2012-2131.patch
new file mode 100644
index 0000000..565467c
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2012-2131.patch
@@ -0,0 +1,28 @@
+Index: openssl-0.9.8o/crypto/buffer/buffer.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/buffer/buffer.c
++++ openssl-0.9.8o/crypto/buffer/buffer.c
+@@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
+ char *ret;
+ unsigned int n;
+
++ if (len < 0)
++ {
++ BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
+ if (str->length >= len)
+ {
+ str->length=len;
+@@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int
+ char *ret;
+ unsigned int n;
+
++ if (len < 0)
++ {
++ BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
+ if (str->length >= len)
+ {
+ memset(&str->data[len],0,str->length-len);
diff --git a/openssl0.9.8/patches/CVE-2012-2333.patch b/openssl0.9.8/patches/CVE-2012-2333.patch
new file mode 100644
index 0000000..2476ee3
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2012-2333.patch
@@ -0,0 +1,13 @@
+Index: openssl-0.9.8o/ssl/d1_enc.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_enc.c
++++ openssl-0.9.8o/ssl/d1_enc.c
+@@ -257,7 +257,7 @@ int dtls1_enc(SSL *s, int send)
+ }
+ /* TLS 1.0 does not bound the number of padding bytes by the block size.
+ * All of them must have value 'padding_length'. */
+- if (i > (int)rec->length)
++ if (i + bs > (int)rec->length)
+ {
+ /* Incorrect padding. SSLerr() and ssl3_alert are done
+ * by caller: we don't want to reveal whether this is
diff --git a/openssl0.9.8/patches/block_diginotar.patch b/openssl0.9.8/patches/block_diginotar.patch
new file mode 100644
index 0000000..b9f8bad
--- /dev/null
+++ b/openssl0.9.8/patches/block_diginotar.patch
@@ -0,0 +1,59 @@
+From: Raphael Geissert <geissert@debian.org>
+Description: make X509_verify_cert indicate that any certificate whose
+ name contains "DigiNotar" is revoked.
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2011-09-07
+Bug: http://bugs.debian.org/639744
+
+diff -urpN openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c
+--- openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c 2009-06-26 06:34:21.000000000 -0500
++++ openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c 2011-09-07 21:23:58.000000000 -0500
+@@ -78,6 +78,7 @@ static int check_trust(X509_STORE_CTX *c
+ static int check_revocation(X509_STORE_CTX *ctx);
+ static int check_cert(X509_STORE_CTX *ctx);
+ static int check_policy(X509_STORE_CTX *ctx);
++static int check_ca_blacklist(X509_STORE_CTX *ctx);
+ static int internal_verify(X509_STORE_CTX *ctx);
+ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
+
+@@ -312,6 +313,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+ ok=internal_verify(ctx);
+ if(!ok) goto end;
+
++ ok = check_ca_blacklist(ctx);
++ if(!ok) goto end;
++
+ #ifndef OPENSSL_NO_RFC3779
+ /* RFC 3779 path validation, now that CRL check has been done */
+ ok = v3_asid_validate_path(ctx);
+@@ -661,6 +665,29 @@ static int check_crl_time(X509_STORE_CTX
+ return 1;
+ }
+
++static int check_ca_blacklist(X509_STORE_CTX *ctx)
++ {
++ X509 *x;
++ int i;
++ /* Check all certificates against the blacklist */
++ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
++ {
++ x = sk_X509_value(ctx->chain, i);
++ /* Mark DigiNotar certificates as revoked, no matter
++ * where in the chain they are.
++ */
++ if (x->name && strstr(x->name, "DigiNotar"))
++ {
++ ctx->error = X509_V_ERR_CERT_REVOKED;
++ ctx->error_depth = i;
++ ctx->current_cert = x;
++ if (!ctx->verify_cb(0,ctx))
++ return 0;
++ }
++ }
++ return 1;
++ }
++
+ /* Lookup CRLs from the supplied list. Look for matching isser name
+ * and validity. If we can't find a valid CRL return the last one
+ * with matching name. This gives more meaningful error codes. Otherwise
diff --git a/openssl0.9.8/patches/ca.patch b/openssl0.9.8/patches/ca.patch
new file mode 100644
index 0000000..761eebe
--- /dev/null
+++ b/openssl0.9.8/patches/ca.patch
@@ -0,0 +1,20 @@
+Index: openssl-0.9.8m/apps/CA.pl.in
+===================================================================
+--- openssl-0.9.8m.orig/apps/CA.pl.in 2006-04-28 00:28:51.000000000 +0000
++++ openssl-0.9.8m/apps/CA.pl.in 2010-02-27 00:36:51.000000000 +0000
+@@ -65,6 +65,7 @@
+ foreach (@ARGV) {
+ if ( /^(-\?|-h|-help)$/ ) {
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
++ print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
+ exit 0;
+ } elsif (/^-newcert$/) {
+ # create a certificate
+@@ -165,6 +166,7 @@
+ } else {
+ print STDERR "Unknown arg $_\n";
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
++ print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
+ exit 1;
+ }
+ }
diff --git a/openssl0.9.8/patches/debian-targets.patch b/openssl0.9.8/patches/debian-targets.patch
new file mode 100644
index 0000000..988a789
--- /dev/null
+++ b/openssl0.9.8/patches/debian-targets.patch
@@ -0,0 +1,56 @@
+Index: openssl-0.9.8k/Configure
+===================================================================
+--- openssl-0.9.8k.orig/Configure 2009-12-09 16:09:41.000000000 +0000
++++ openssl-0.9.8k/Configure 2009-12-09 16:09:55.000000000 +0000
+@@ -320,6 +320,51 @@
+ "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
+ "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
+
++# Debian GNU/* (various architectures)
++"debian-alpha","gcc:-DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-alpha-ev4","gcc:-DTERMIO -O3 -Wa,--noexecstack -mcpu=ev4 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-alpha-ev5","gcc:-DTERMIO -O3 -Wa,--noexecstack -mcpu=ev5 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-arm","gcc:-DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-armeb","gcc:-DB_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-armel","gcc:-DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-armhf","gcc:-DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++#"debian-amd64","gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -fomit-frame-pointer -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-amd64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm_linux}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-avr32", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -fomit-frame-pointer -g -Wall::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-kfreebsd-amd64","gcc:-m64 -DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++#"debian-freebsd-alpha","gcc:-DTERMIOS -O -Wa,--noexecstack -fomit-frame-pointer -g -Wall::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-kfreebsd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-hppa","gcc:-DB_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-hurd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -mtune=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ia64","gcc:-DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++#"debian-i386","gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -fomit-frame-pointer -m486 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC",
++"debian-i386","gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i486","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i486 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i586","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i586 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i686/cmov","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i686 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-m68k","gcc:-DB_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-m68k", "gcc:-DB_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-sparc", "gcc:-DB_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -mv8 -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-alpha","gcc:-DTERMIOS -O3 -Wa,--noexecstack -g::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-mips","gcc:-O2 -Wa,--noexecstack -g -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-powerpc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_UNROLL DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_UNROLL DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh4eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-m32r","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++
+ ####
+ #### Variety of LINUX:-)
+ ####
diff --git a/openssl0.9.8/patches/dtls-fragment-alert.patch b/openssl0.9.8/patches/dtls-fragment-alert.patch
new file mode 100644
index 0000000..c538340
--- /dev/null
+++ b/openssl0.9.8/patches/dtls-fragment-alert.patch
@@ -0,0 +1,33 @@
+Index: openssl-0.9.8o/ssl/d1_both.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_both.c 2010-05-03 13:01:59.000000000 +0000
++++ openssl-0.9.8o/ssl/d1_both.c 2012-01-14 21:46:02.000000000 +0000
+@@ -806,7 +806,13 @@
+ *ok = 0;
+ return i;
+ }
+- OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
++ /* Handshake fails if message header is incomplete */
++ if (i != DTLS1_HM_HEADER_LENGTH)
++ {
++ al=SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
++ goto f_err;
++ }
+
+ /* parse the message fragment header */
+ dtls1_get_message_header(wire, &msg_hdr);
+@@ -876,7 +882,12 @@
+
+ /* XDTLS: an incorrectly formatted fragment should cause the
+ * handshake to fail */
+- OPENSSL_assert(i == (int)frag_len);
++ if (i != (int)frag_len)
++ {
++ al=SSL3_AD_ILLEGAL_PARAMETER;
++ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
++ goto f_err;
++ }
+
+ *ok = 1;
+
diff --git a/openssl0.9.8/patches/kfreebsd-pipe.patch b/openssl0.9.8/patches/kfreebsd-pipe.patch
new file mode 100644
index 0000000..da97186
--- /dev/null
+++ b/openssl0.9.8/patches/kfreebsd-pipe.patch
@@ -0,0 +1,13 @@
+Index: openssl-0.9.8k/crypto/perlasm/x86_64-xlate.pl
+===================================================================
+--- openssl-0.9.8k.orig/crypto/perlasm/x86_64-xlate.pl 2008-02-13 21:01:48.000000000 +0100
++++ openssl-0.9.8k/crypto/perlasm/x86_64-xlate.pl 2009-07-19 11:37:23.000000000 +0200
+@@ -62,7 +62,7 @@
+ my ($outdev,$outino,@junk)=stat($output);
+
+ open STDOUT,">$output" || die "can't open $output: $!"
+- if ($stddev!=$outdev || $stdino!=$outino);
++# if ($stddev!=$outdev || $stdino!=$outino);
+ }
+
+ my $masmref=8 + 50727*2**-32; # 8.00.50727 shipped with VS2005
diff --git a/openssl0.9.8/patches/make-targets.patch b/openssl0.9.8/patches/make-targets.patch
new file mode 100644
index 0000000..b123972
--- /dev/null
+++ b/openssl0.9.8/patches/make-targets.patch
@@ -0,0 +1,13 @@
+Index: openssl-0.9.8k/Makefile.org
+===================================================================
+--- openssl-0.9.8k.orig/Makefile.org 2009-07-19 11:32:41.000000000 +0200
++++ openssl-0.9.8k/Makefile.org 2009-07-19 11:37:31.000000000 +0200
+@@ -131,7 +131,7 @@
+
+ BASEADDR=
+
+-DIRS= crypto fips ssl engines apps test tools
++DIRS= crypto fips ssl engines apps tools
+ SHLIBDIRS= crypto ssl fips
+
+ # dirs in crypto to build
diff --git a/openssl0.9.8/patches/man-dir.patch b/openssl0.9.8/patches/man-dir.patch
new file mode 100644
index 0000000..29563ec
--- /dev/null
+++ b/openssl0.9.8/patches/man-dir.patch
@@ -0,0 +1,13 @@
+Index: openssl-0.9.8k/Makefile.org
+===================================================================
+--- openssl-0.9.8k.orig/Makefile.org 2009-07-19 11:32:41.000000000 +0200
++++ openssl-0.9.8k/Makefile.org 2009-07-19 11:37:29.000000000 +0200
+@@ -152,7 +152,7 @@
+
+ MAKEFILE= Makefile
+
+-MANDIR=$(OPENSSLDIR)/man
++MANDIR=/usr/share/man
+ MAN1=1
+ MAN3=3
+ MANSUFFIX=
diff --git a/openssl0.9.8/patches/man-section.patch b/openssl0.9.8/patches/man-section.patch
new file mode 100644
index 0000000..fe20ab0
--- /dev/null
+++ b/openssl0.9.8/patches/man-section.patch
@@ -0,0 +1,32 @@
+Index: openssl-0.9.8k/Makefile.org
+===================================================================
+--- openssl-0.9.8k.orig/Makefile.org 2009-07-19 11:34:06.000000000 +0200
++++ openssl-0.9.8k/Makefile.org 2009-07-19 11:37:21.000000000 +0200
+@@ -155,7 +155,8 @@
+ MANDIR=/usr/share/man
+ MAN1=1
+ MAN3=3
+-MANSUFFIX=
++MANSUFFIX=ssl
++MANSECTION=SSL
+ SHELL=/bin/sh
+
+ TOP= .
+@@ -694,7 +695,7 @@
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+ sh -c "$$pod2man \
+- --section=$$sec --center=OpenSSL \
++ --section=$${sec}$(MANSECTION) --center=OpenSSL \
+ --release=$(VERSION) `basename $$i`") \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+ $(PERL) util/extract-names.pl < $$i | \
+@@ -711,7 +712,7 @@
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+ sh -c "$$pod2man \
+- --section=$$sec --center=OpenSSL \
++ --section=$${sec}$(MANSECTION) --center=OpenSSL \
+ --release=$(VERSION) `basename $$i`") \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+ $(PERL) util/extract-names.pl < $$i | \
diff --git a/openssl0.9.8/patches/no-rpath.patch b/openssl0.9.8/patches/no-rpath.patch
new file mode 100644
index 0000000..3ebc9ac
--- /dev/null
+++ b/openssl0.9.8/patches/no-rpath.patch
@@ -0,0 +1,13 @@
+Index: openssl-0.9.8k/Makefile.shared
+===================================================================
+--- openssl-0.9.8k.orig/Makefile.shared 2008-09-17 17:56:40.000000000 +0200
++++ openssl-0.9.8k/Makefile.shared 2009-07-19 11:37:25.000000000 +0200
+@@ -151,7 +151,7 @@
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/openssl0.9.8/patches/no-symbolic.patch b/openssl0.9.8/patches/no-symbolic.patch
new file mode 100644
index 0000000..2504fa7
--- /dev/null
+++ b/openssl0.9.8/patches/no-symbolic.patch
@@ -0,0 +1,13 @@
+Index: openssl-0.9.8k/Makefile.shared
+===================================================================
+--- openssl-0.9.8k.orig/Makefile.shared 2009-07-19 11:35:02.000000000 +0200
++++ openssl-0.9.8k/Makefile.shared 2009-07-19 11:35:48.000000000 +0200
+@@ -149,7 +149,7 @@
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
diff --git a/openssl0.9.8/patches/perl-path.diff b/openssl0.9.8/patches/perl-path.diff
new file mode 100644
index 0000000..a72f938
--- /dev/null
+++ b/openssl0.9.8/patches/perl-path.diff
@@ -0,0 +1,760 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Subject: Change the perl path's to /usr/bin/perl
+
+This is the result of running:
+perl util/perlpath.pl /usr/bin
+
+The upstream sources have this set to various different paths.
+
+--- openssl-0.9.8m.orig/Configure
++++ openssl-0.9.8m/Configure
+@@ -1,4 +1,4 @@
+-:
++#!/usr/bin/perl
+ eval 'exec perl -S $0 ${1+"$@"}'
+ if $running_under_some_shell;
+ ##
+--- openssl-0.9.8m.orig/VMS/VMSify-conf.pl
++++ openssl-0.9.8m/VMS/VMSify-conf.pl
+@@ -1,4 +1,4 @@
+-#! /usr/bin/perl
++#!/usr/bin/perl
+
+ use strict;
+ use warnings;
+--- openssl-0.9.8m.orig/Netware/do_tests.pl
++++ openssl-0.9.8m/Netware/do_tests.pl
+@@ -1,4 +1,4 @@
+-# perl script to run OpenSSL tests
++#!/usr/bin/perl
+
+
+ my $base_path = "\\openssl";
+--- openssl-0.9.8m.orig/apps/progs.pl
++++ openssl-0.9.8m/apps/progs.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ print "/* apps/progs.h */\n";
+ print "/* automatically generated by progs.pl for openssl.c */\n\n";
+--- openssl-0.9.8m.orig/os2/backwardify.pl
++++ openssl-0.9.8m/os2/backwardify.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/perl -w
++#!/usr/bin/perl
+ use strict;
+
+ # Use as $0
+--- openssl-0.9.8m.orig/times/091/mips-rel.pl
++++ openssl-0.9.8m/times/091/mips-rel.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ &doit(100,"Pentium 100 32",0.0195,0.1000,0.6406,4.6100); # pentium-100
+ &doit(200,"PPro 200 32",0.0070,0.0340,0.2087,1.4700); # pentium-100
+--- openssl-0.9.8m.orig/fips/mkfipsscr.pl
++++ openssl-0.9.8m/fips/mkfipsscr.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+ # Quick & dirty utility to generate a script for executing the
+ # FIPS 140-2 CMVP algorithm tests based on the pathnames of
+ # input algorithm test files actually present (the unqualified
+--- openssl-0.9.8m.orig/fips/fipsalgtest.pl
++++ openssl-0.9.8m/fips/fipsalgtest.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/perl -w
++#!/usr/bin/perl
+ # Perl utility to run or verify FIPS 140-2 CMVP algorithm tests based on the
+ # pathnames of input algorithm test files actually present (the unqualified
+ # file names are consistent but the pathnames are not).
+--- openssl-0.9.8m.orig/ms/uplink.pl
++++ openssl-0.9.8m/ms/uplink.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # For Microsoft CL this is implemented as inline assembler. So that
+ # even though this script can generate even Win32 code, we'll be
+--- openssl-0.9.8m.orig/ms/segrenam.pl
++++ openssl-0.9.8m/ms/segrenam.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ my $quiet = 1;
+
+--- openssl-0.9.8m.orig/ms/cmp.pl
++++ openssl-0.9.8m/ms/cmp.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ ($#ARGV == 1) || die "usage: cmp.pl <file1> <file2>\n";
+
+--- openssl-0.9.8m.orig/test/cms-test.pl
++++ openssl-0.9.8m/test/cms-test.pl
+@@ -1,4 +1,4 @@
+-# test/cms-test.pl
++#!/usr/bin/perl
+ # Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ # project.
+ #
+--- openssl-0.9.8m.orig/test/cms-examples.pl
++++ openssl-0.9.8m/test/cms-examples.pl
+@@ -1,4 +1,4 @@
+-# test/cms-examples.pl
++#!/usr/bin/perl
+ # Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ # project.
+ #
+--- openssl-0.9.8m.orig/demos/b64.pl
++++ openssl-0.9.8m/demos/b64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ #
+ # Make PEM encoded data have lines of 64 bytes of data
+--- openssl-0.9.8m.orig/demos/tunala/configure.in
++++ openssl-0.9.8m/demos/tunala/configure.in
+@@ -1,4 +1,4 @@
+-dnl Process this file with autoconf to produce a configure script.
++#!/usr/bin/perl
+ AC_INIT(tunala.c)
+ AM_CONFIG_HEADER(config.h)
+ AM_INIT_AUTOMAKE(tunala, 0.0.1-dev)
+--- openssl-0.9.8m.orig/crypto/x86cpuid.pl
++++ openssl-0.9.8m/crypto/x86cpuid.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ push(@INC,"perlasm");
+ require "x86asm.pl";
+--- openssl-0.9.8m.orig/crypto/x86_64cpuid.pl
++++ openssl-0.9.8m/crypto/x86_64cpuid.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ $output=shift;
+ $masm=1 if ($output =~ /\.asm/);
+--- openssl-0.9.8m.orig/crypto/md5/asm/md5-586.pl
++++ openssl-0.9.8m/crypto/md5/asm/md5-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # Normal is the
+ # md5_block_x86(MD5_CTX *c, ULONG *X);
+--- openssl-0.9.8m.orig/crypto/md5/asm/md5-x86_64.pl
++++ openssl-0.9.8m/crypto/md5/asm/md5-x86_64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/perl -w
++#!/usr/bin/perl
+ #
+ # MD5 optimized for AMD64.
+ #
+--- openssl-0.9.8m.orig/crypto/sha/asm/sha1-ia64.pl
++++ openssl-0.9.8m/crypto/sha/asm/sha1-ia64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/sha/asm/sha1-x86_64.pl
++++ openssl-0.9.8m/crypto/sha/asm/sha1-x86_64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/sha/asm/sha512-sse2.pl
++++ openssl-0.9.8m/crypto/sha/asm/sha512-sse2.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/sha/asm/sha512-ia64.pl
++++ openssl-0.9.8m/crypto/sha/asm/sha512-ia64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/sha/asm/sha512-x86_64.pl
++++ openssl-0.9.8m/crypto/sha/asm/sha512-x86_64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/sha/asm/sha1-586.pl
++++ openssl-0.9.8m/crypto/sha/asm/sha1-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # ====================================================================
+ # [Re]written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/des/asm/des-586.pl
++++ openssl-0.9.8m/crypto/des/asm/des-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # The inner loop instruction sequence and the IP/FP modifications are from
+ # Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
+--- openssl-0.9.8m.orig/crypto/des/asm/desboth.pl
++++ openssl-0.9.8m/crypto/des/asm/desboth.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ $L="edi";
+ $R="esi";
+--- openssl-0.9.8m.orig/crypto/des/asm/des686.pl
++++ openssl-0.9.8m/crypto/des/asm/des686.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ $prog="des686.pl";
+
+--- openssl-0.9.8m.orig/crypto/des/asm/crypt586.pl
++++ openssl-0.9.8m/crypto/des/asm/crypt586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # The inner loop instruction sequence and the IP/FP modifications are from
+ # Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
+--- openssl-0.9.8m.orig/crypto/lhash/num.pl
++++ openssl-0.9.8m/crypto/lhash/num.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ #node 10 -> 4
+
+--- openssl-0.9.8m.orig/crypto/ripemd/asm/rmd-586.pl
++++ openssl-0.9.8m/crypto/ripemd/asm/rmd-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # Normal is the
+ # ripemd160_block_asm_data_order(RIPEMD160_CTX *c, ULONG *X,int blocks);
+--- openssl-0.9.8m.orig/crypto/rc4/asm/rc4-586.pl
++++ openssl-0.9.8m/crypto/rc4/asm/rc4-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # At some point it became apparent that the original SSLeay RC4
+ # assembler implementation performs suboptimaly on latest IA-32
+--- openssl-0.9.8m.orig/crypto/rc4/asm/rc4-x86_64.pl
++++ openssl-0.9.8m/crypto/rc4/asm/rc4-x86_64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/cast/asm/cast-586.pl
++++ openssl-0.9.8m/crypto/cast/asm/cast-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # define for pentium pro friendly version
+ $ppro=1;
+--- openssl-0.9.8m.orig/crypto/rc5/asm/rc5-586.pl
++++ openssl-0.9.8m/crypto/rc5/asm/rc5-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ push(@INC,"perlasm","../../perlasm");
+ require "x86asm.pl";
+--- openssl-0.9.8m.orig/crypto/perlasm/x86ms.pl
++++ openssl-0.9.8m/crypto/perlasm/x86ms.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ package x86ms;
+
+--- openssl-0.9.8m.orig/crypto/perlasm/x86asm.pl
++++ openssl-0.9.8m/crypto/perlasm/x86asm.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # require 'x86asm.pl';
+ # &asm_init("cpp","des-586.pl");
+--- openssl-0.9.8m.orig/crypto/perlasm/x86nasm.pl
++++ openssl-0.9.8m/crypto/perlasm/x86nasm.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ package x86nasm;
+
+--- openssl-0.9.8m.orig/crypto/perlasm/x86unix.pl
++++ openssl-0.9.8m/crypto/perlasm/x86unix.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ package x86unix; # GAS actually...
+
+--- openssl-0.9.8m.orig/crypto/perlasm/cbc.pl
++++ openssl-0.9.8m/crypto/perlasm/cbc.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # void des_ncbc_encrypt(input, output, length, schedule, ivec, enc)
+ # des_cblock (*input);
+--- openssl-0.9.8m.orig/crypto/perlasm/x86_64-xlate.pl
++++ openssl-0.9.8m/crypto/perlasm/x86_64-xlate.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # Ascetic x86_64 AT&T to MASM assembler translator by <appro>.
+ #
+--- openssl-0.9.8m.orig/crypto/bf/asm/bf-686.pl
++++ openssl-0.9.8m/crypto/bf/asm/bf-686.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ push(@INC,"perlasm","../../perlasm");
+ require "x86asm.pl";
+--- openssl-0.9.8m.orig/crypto/bf/asm/bf-586.pl
++++ openssl-0.9.8m/crypto/bf/asm/bf-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ push(@INC,"perlasm","../../perlasm");
+ require "x86asm.pl";
+--- openssl-0.9.8m.orig/crypto/objects/objects.pl
++++ openssl-0.9.8m/crypto/objects/objects.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]";
+ $max_nid=0;
+--- openssl-0.9.8m.orig/crypto/objects/obj_dat.pl
++++ openssl-0.9.8m/crypto/objects/obj_dat.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # fixes bug in floating point emulation on sparc64 when
+ # this script produces off-by-one output on sparc64
+--- openssl-0.9.8m.orig/crypto/conf/keysets.pl
++++ openssl-0.9.8m/crypto/conf/keysets.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ $NUMBER=0x01;
+ $UPPER=0x02;
+--- openssl-0.9.8m.orig/crypto/bn/bn_prime.pl
++++ openssl-0.9.8m/crypto/bn/bn_prime.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # bn_prime.pl
+
+ $num=2048;
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ push(@INC,"perlasm","../../perlasm");
+ require "x86asm.pl";
+--- openssl-0.9.8m.orig/crypto/bn/asm/ppc.pl
++++ openssl-0.9.8m/crypto/bn/asm/ppc.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # Implemented as a Perl wrapper as we want to support several different
+ # architectures with single file. We pick up the target based on the
+--- openssl-0.9.8m.orig/crypto/bn/asm/co-586.pl
++++ openssl-0.9.8m/crypto/bn/asm/co-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ push(@INC,"perlasm","../../perlasm");
+ require "x86asm.pl";
+--- openssl-0.9.8m.orig/crypto/bn/asm/bn-586.pl
++++ openssl-0.9.8m/crypto/bn/asm/bn-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ push(@INC,"perlasm","../../perlasm");
+ require "x86asm.pl";
+--- openssl-0.9.8m.orig/crypto/bn/asm/mo-586.pl
++++ openssl-0.9.8m/crypto/bn/asm/mo-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # This is crypto/bn/asm/x86-mont.pl (with asciz from crypto/perlasm/x86asm.pl)
+ # from OpenSSL 0.9.9-dev
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86_64-mont.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86_64-mont.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86/comba.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86/comba.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # x86 assember
+
+ sub mul_add_c
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86/add.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86/add.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # x86 assember
+
+ sub bn_add_words
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86/mul.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86/mul.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # x86 assember
+
+ sub bn_mul_words
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86/mul_add.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86/mul_add.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # x86 assember
+
+ sub bn_mul_add_words
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86/sqr.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86/sqr.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # x86 assember
+
+ sub bn_sqr_words
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86/sub.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86/sub.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # x86 assember
+
+ sub bn_sub_words
+--- openssl-0.9.8m.orig/crypto/bn/asm/x86/div.pl
++++ openssl-0.9.8m/crypto/bn/asm/x86/div.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # x86 assember
+
+ sub bn_div_words
+--- openssl-0.9.8m.orig/crypto/aes/asm/aes-586.pl
++++ openssl-0.9.8m/crypto/aes/asm/aes-586.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/aes/asm/aes-x86_64.pl
++++ openssl-0.9.8m/crypto/aes/asm/aes-x86_64.pl
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+--- openssl-0.9.8m.orig/crypto/asn1/charmap.pl
++++ openssl-0.9.8m/crypto/asn1/charmap.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+
+ use strict;
+
+--- openssl-0.9.8m.orig/util/mksdef.pl
++++ openssl-0.9.8m/util/mksdef.pl
+@@ -1,4 +1,4 @@
+-
++#!/usr/bin/perl
+ # Perl script to split libeay32.def into two distinct DEF files for use in
+ # fipdso mode. It works out symbols in each case by running "link" command and
+ # parsing the output to find the list of missing symbols then splitting
+--- openssl-0.9.8m.orig/util/dirname.pl
++++ openssl-0.9.8m/util/dirname.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ if ($#ARGV < 0) {
+ die "dirname.pl: too few arguments\n";
+--- openssl-0.9.8m.orig/util/tab_num.pl
++++ openssl-0.9.8m/util/tab_num.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ $num=1;
+ $width=40;
+--- openssl-0.9.8m.orig/util/sp-diff.pl
++++ openssl-0.9.8m/util/sp-diff.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # This file takes as input, the files that have been output from
+ # ssleay speed.
+--- openssl-0.9.8m.orig/util/mkerr.pl
++++ openssl-0.9.8m/util/mkerr.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+
+ my $config = "crypto/err/openssl.ec";
+ my $debug = 0;
+--- openssl-0.9.8m.orig/util/clean-depend.pl
++++ openssl-0.9.8m/util/clean-depend.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+ # Clean the dependency list in a makefile of standard includes...
+ # Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
+
+--- openssl-0.9.8m.orig/util/add_cr.pl
++++ openssl-0.9.8m/util/add_cr.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # This adds a copyright message to a souce code file.
+ # It also gets the file name correct.
+--- openssl-0.9.8m.orig/util/pod2man.pl
++++ openssl-0.9.8m/util/pod2man.pl
+@@ -1,4 +1,4 @@
+-: #!/usr/bin/perl-5.005
++#!/usr/bin/perl
+ eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
+ if $running_under_some_shell;
+
+--- openssl-0.9.8m.orig/util/mkstack.pl
++++ openssl-0.9.8m/util/mkstack.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+
+ # This is a utility that searches out "DECLARE_STACK_OF()"
+ # declarations in .h and .c files, and updates/creates/replaces
+--- openssl-0.9.8m.orig/util/selftest.pl
++++ openssl-0.9.8m/util/selftest.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+ #
+ # Run the test suite and generate a report
+ #
+--- openssl-0.9.8m.orig/util/ck_errf.pl
++++ openssl-0.9.8m/util/ck_errf.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # This is just a quick script to scan for cases where the 'error'
+ # function name in a XXXerr() macro is wrong.
+--- openssl-0.9.8m.orig/util/mklink.pl
++++ openssl-0.9.8m/util/mklink.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # mklink.pl
+
+--- openssl-0.9.8m.orig/util/src-dep.pl
++++ openssl-0.9.8m/util/src-dep.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # we make up an array of
+ # $file{function_name}=filename;
+--- openssl-0.9.8m.orig/util/deleof.pl
++++ openssl-0.9.8m/util/deleof.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ while (<>)
+ {
+--- openssl-0.9.8m.orig/util/arx.pl
++++ openssl-0.9.8m/util/arx.pl
+@@ -1,4 +1,4 @@
+-#!/bin/perl
++#!/usr/bin/perl
+
+ # Simple perl script to wrap round "ar" program and exclude any
+ # object files in the environment variable EXCL_OBJ
+--- openssl-0.9.8m.orig/util/copy.pl
++++ openssl-0.9.8m/util/copy.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ use Fcntl;
+
+--- openssl-0.9.8m.orig/util/mkdir-p.pl
++++ openssl-0.9.8m/util/mkdir-p.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # mkdir-p.pl
+
+--- openssl-0.9.8m.orig/util/mkdef.pl
++++ openssl-0.9.8m/util/mkdef.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+ #
+ # generate a .def file
+ #
+--- openssl-0.9.8m.orig/util/files.pl
++++ openssl-0.9.8m/util/files.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # used to generate the file MINFO for use by util/mk1mf.pl
+ # It is basically a list of all variables from the passed makefile
+--- openssl-0.9.8m.orig/util/mkfiles.pl
++++ openssl-0.9.8m/util/mkfiles.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # This is a hacked version of files.pl for systems that can't do a 'make files'.
+ # Do a perl util/mkminfo.pl >MINFO to build MINFO
+--- openssl-0.9.8m.orig/util/perlpath.pl
++++ openssl-0.9.8m/util/perlpath.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # modify the '#!/usr/local/bin/perl'
+ # line in all scripts that rely on perl.
+--- openssl-0.9.8m.orig/util/mk1mf.pl
++++ openssl-0.9.8m/util/mk1mf.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # A bit of an evil hack but it post processes the file ../MINFO which
+ # is generated by `make files` in the top directory.
+ # This script outputs one mega makefile that has no shell stuff or any
+--- openssl-0.9.8m.orig/util/err-ins.pl
++++ openssl-0.9.8m/util/err-ins.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # tack error codes onto the end of a file
+ #
+--- openssl-0.9.8m.orig/util/pl/Mingw32.pl
++++ openssl-0.9.8m/util/pl/Mingw32.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # Mingw32.pl -- Mingw
+ #
+--- openssl-0.9.8m.orig/util/pl/unix.pl
++++ openssl-0.9.8m/util/pl/unix.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # unix.pl - the standard unix makefile stuff.
+ #
+--- openssl-0.9.8m.orig/util/pl/netware.pl
++++ openssl-0.9.8m/util/pl/netware.pl
+@@ -1,4 +1,4 @@
+-# Metrowerks Codewarrior or gcc / nlmconv for NetWare
++#!/usr/bin/perl
+ #
+
+ $version_header = "crypto/opensslv.h";
+--- openssl-0.9.8m.orig/util/pl/VC-32.pl
++++ openssl-0.9.8m/util/pl/VC-32.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # VC-32.pl - unified script for Microsoft Visual C++, covering Win32,
+ # Win64 and WinCE [follow $FLAVOR variable to trace the differences].
+ #
+--- openssl-0.9.8m.orig/util/pl/OS2-EMX.pl
++++ openssl-0.9.8m/util/pl/OS2-EMX.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # OS2-EMX.pl - for EMX GCC on OS/2
+ #
+--- openssl-0.9.8m.orig/util/pl/ultrix.pl
++++ openssl-0.9.8m/util/pl/ultrix.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # linux.pl - the standard unix makefile stuff.
+ #
+--- openssl-0.9.8m.orig/util/pl/linux.pl
++++ openssl-0.9.8m/util/pl/linux.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ #
+ # linux.pl - the standard unix makefile stuff.
+ #
+--- openssl-0.9.8m.orig/util/pl/BC-32.pl
++++ openssl-0.9.8m/util/pl/BC-32.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ # Borland C++ builder 3 and 4 -- Janez Jere <jj@void.si>
+ #
+
diff --git a/openssl0.9.8/patches/pic.patch b/openssl0.9.8/patches/pic.patch
new file mode 100644
index 0000000..b534afa
--- /dev/null
+++ b/openssl0.9.8/patches/pic.patch
@@ -0,0 +1,301 @@
+Index: openssl-0.9.8o/crypto/Makefile
+===================================================================
+--- openssl-0.9.8o.orig/crypto/Makefile 2008-09-17 17:10:55.000000000 +0000
++++ openssl-0.9.8o/crypto/Makefile 2010-06-06 13:09:28.000000000 +0000
+@@ -57,7 +57,7 @@
+ echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
+ echo '#endif' ) >buildinf.h
+
+-x86cpuid-elf.s: x86cpuid.pl perlasm/x86asm.pl
++x86cpuid-elf.S: x86cpuid.pl perlasm/x86asm.pl
+ $(PERL) x86cpuid.pl elf $(CFLAGS) $(PROCESSOR) > $@
+ x86cpuid-cof.s: x86cpuid.pl perlasm/x86asm.pl
+ $(PERL) x86cpuid.pl coff $(CFLAGS) $(PROCESSOR) > $@
+@@ -70,7 +70,7 @@
+ uplink-cof.s: ../ms/uplink.pl
+ $(PERL) ../ms/uplink.pl coff > $@
+
+-x86_64cpuid.s: x86_64cpuid.pl
++x86_64cpuid.S: x86_64cpuid.pl
+ $(PERL) x86_64cpuid.pl $@
+ ia64cpuid.s: ia64cpuid.S
+ $(CC) $(CFLAGS) -E ia64cpuid.S > $@
+Index: openssl-0.9.8o/crypto/x86_64cpuid.pl
+===================================================================
+--- openssl-0.9.8o.orig/crypto/x86_64cpuid.pl 2007-11-11 16:25:00.000000000 +0000
++++ openssl-0.9.8o/crypto/x86_64cpuid.pl 2010-06-06 13:09:28.000000000 +0000
+@@ -95,7 +95,11 @@
+ .size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
+
+ .section .init
++#ifdef OPENSSL_PIC
++ call OPENSSL_cpuid_setup\@PLT
++#else
+ call OPENSSL_cpuid_setup
++#endif
+
+ ___
+
+Index: openssl-0.9.8o/crypto/md5/Makefile
+===================================================================
+--- openssl-0.9.8o.orig/crypto/md5/Makefile 2008-09-17 17:11:02.000000000 +0000
++++ openssl-0.9.8o/crypto/md5/Makefile 2010-06-06 13:09:28.000000000 +0000
+@@ -52,7 +52,8 @@
+ mx86-out.s: asm/md5-586.pl ../perlasm/x86asm.pl
+ (cd asm; $(PERL) md5-586.pl a.out $(CFLAGS) > ../$@)
+
+-md5-x86_64.s: asm/md5-x86_64.pl; $(PERL) asm/md5-x86_64.pl $@
++md5-x86_64.s: asm/md5-x86_64.pl
++ $(PERL) asm/md5-x86_64.pl $@
+
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+Index: openssl-0.9.8o/crypto/des/asm/desboth.pl
+===================================================================
+--- openssl-0.9.8o.orig/crypto/des/asm/desboth.pl 2001-10-24 21:20:56.000000000 +0000
++++ openssl-0.9.8o/crypto/des/asm/desboth.pl 2010-06-06 13:09:28.000000000 +0000
+@@ -16,6 +16,11 @@
+
+ &push("edi");
+
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebp");
++ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++
+ &comment("");
+ &comment("Load the data words");
+ &mov($L,&DWP(0,"ebx","",0));
+@@ -47,15 +52,21 @@
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "eax");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"0":"1")));
+ &mov(&swtmp(1), "edi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "esi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+
+ &stack_pop(3);
+ &mov($L,&DWP(0,"ebx","",0));
+Index: openssl-0.9.8o/crypto/rc4/Makefile
+===================================================================
+--- openssl-0.9.8o.orig/crypto/rc4/Makefile 2008-11-19 16:03:50.000000000 +0000
++++ openssl-0.9.8o/crypto/rc4/Makefile 2010-06-06 13:09:28.000000000 +0000
+@@ -51,7 +51,7 @@
+ rx86-out.s: asm/rc4-586.pl ../perlasm/x86asm.pl
+ (cd asm; $(PERL) rc4-586.pl a.out $(CFLAGS) > ../$@)
+
+-rc4-x86_64.s: asm/rc4-x86_64.pl; $(PERL) asm/rc4-x86_64.pl $@
++rc4-x86_64.S: asm/rc4-x86_64.pl; $(PERL) asm/rc4-x86_64.pl $@
+
+ rc4-ia64.s: asm/rc4-ia64.S
+ @case `awk '/^#define RC4_INT/{print$$NF}' $(TOP)/include/openssl/opensslconf.h` in \
+Index: openssl-0.9.8o/crypto/rc4/asm/rc4-x86_64.pl
+===================================================================
+--- openssl-0.9.8o.orig/crypto/rc4/asm/rc4-x86_64.pl 2008-09-16 10:47:27.000000000 +0000
++++ openssl-0.9.8o/crypto/rc4/asm/rc4-x86_64.pl 2010-06-06 13:09:28.000000000 +0000
+@@ -270,7 +270,11 @@
+ xor %r10,%r10
+ xor %r11,%r11
+
++#ifdef OPENSSL_PIC
++ mov OPENSSL_ia32cap_P\@GOTPCREL(%rip),$idx#d
++#else
+ mov OPENSSL_ia32cap_P(%rip),$idx#d
++#endif
+ bt \$20,$idx#d
+ jnc .Lw1stloop
+ bt \$30,$idx#d
+@@ -338,7 +342,11 @@
+ RC4_options:
+ .picmeup %rax
+ lea .Lopts-.(%rax),%rax
++#ifdef OPENSSL_PIC
++ mov OPENSSL_ia32cap_P\@GOTPCREL(%rip),%edx
++#else
+ mov OPENSSL_ia32cap_P(%rip),%edx
++#endif
+ bt \$20,%edx
+ jnc .Ldone
+ add \$12,%rax
+Index: openssl-0.9.8o/crypto/perlasm/x86unix.pl
+===================================================================
+--- openssl-0.9.8o.orig/crypto/perlasm/x86unix.pl 2008-05-01 23:11:32.000000000 +0000
++++ openssl-0.9.8o/crypto/perlasm/x86unix.pl 2010-06-06 13:09:28.000000000 +0000
+@@ -400,6 +400,29 @@
+ $stack=4;
+ }
+
++sub main'function_begin_B_static
++ {
++ local($func,$extra)=@_;
++
++ &main'external_label($func);
++ $func=$under.$func;
++
++ local($tmp)=<<"EOF";
++.text
++EOF
++ push(@out,$tmp);
++ if ($main'cpp)
++ { push(@out,"TYPE($func,\@function)\n"); }
++ elsif ($main'coff)
++ { $tmp=push(@out,".def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
++ elsif ($main'aout and !$main'pic)
++ { }
++ else { push(@out,".type $func,\@function\n"); }
++ push(@out,".align\t$align\n");
++ push(@out,"$func:\n");
++ $stack=4;
++ }
++
+ sub main'function_end
+ {
+ local($func)=@_;
+@@ -694,7 +717,17 @@
+ {
+ $tmp=<<___;
+ .section .init
++#ifdef OPENSSL_PIC
++ pushl %ebx
++ call .pic_point0
++.pic_point0:
++ popl %ebx
++ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
++ call $under$f\@PLT
++ popl %ebx
++#else
+ call $under$f
++#endif
+ jmp .Linitalign
+ .align $align
+ .Linitalign:
+Index: openssl-0.9.8o/crypto/perlasm/cbc.pl
+===================================================================
+--- openssl-0.9.8o.orig/crypto/perlasm/cbc.pl 2005-05-09 21:48:00.000000000 +0000
++++ openssl-0.9.8o/crypto/perlasm/cbc.pl 2010-06-06 13:09:28.000000000 +0000
+@@ -122,7 +122,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -187,7 +191,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point1"));
++ &set_label("pic_point1");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -220,7 +228,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point2"));
++ &set_label("pic_point2");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+@@ -263,7 +275,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point3"));
++ &set_label("pic_point3");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+Index: openssl-0.9.8o/crypto/perlasm/x86_64-xlate.pl
+===================================================================
+--- openssl-0.9.8o.orig/crypto/perlasm/x86_64-xlate.pl 2010-06-06 13:09:00.000000000 +0000
++++ openssl-0.9.8o/crypto/perlasm/x86_64-xlate.pl 2010-06-06 13:09:28.000000000 +0000
+@@ -435,7 +435,7 @@
+
+ chomp($line);
+
+- $line =~ s|[#!].*$||; # get rid of asm-style comments...
++# $line =~ s|[#!].*$||; # get rid of asm-style comments...
+ $line =~ s|/\*.*\*/||; # ... and C-style comments...
+ $line =~ s|^\s+||; # ... and skip white spaces in beginning
+
+Index: openssl-0.9.8o/crypto/aes/asm/aes-586.pl
+===================================================================
+--- openssl-0.9.8o.orig/crypto/aes/asm/aes-586.pl 2008-12-17 14:14:51.000000000 +0000
++++ openssl-0.9.8o/crypto/aes/asm/aes-586.pl 2010-06-06 13:09:28.000000000 +0000
+@@ -250,7 +250,7 @@
+ sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } }
+
+ &public_label("AES_Te");
+-&function_begin_B("_x86_AES_encrypt");
++&function_begin_B_static("_x86_AES_encrypt");
+ if ($vertical_spin) {
+ # I need high parts of volatile registers to be accessible...
+ &exch ($s1="edi",$key="ebx");
+@@ -539,7 +539,7 @@
+ }
+
+ &public_label("AES_Td");
+-&function_begin_B("_x86_AES_decrypt");
++&function_begin_B_static("_x86_AES_decrypt");
+ # note that caller is expected to allocate stack frame for me!
+ &mov (&DWP(12,"esp"),$key); # save key
+
+@@ -1461,15 +1461,22 @@
+ &public_label("AES_Td");
+ &public_label("AES_Te");
+ &function_begin_B("AES_set_decrypt_key");
++ &push ("ebx");
+ &mov ("eax",&wparam(0));
+ &mov ("ecx",&wparam(1));
+ &mov ("edx",&wparam(2));
+ &sub ("esp",12);
++
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
+ &mov (&DWP(0,"esp"),"eax");
+ &mov (&DWP(4,"esp"),"ecx");
+ &mov (&DWP(8,"esp"),"edx");
+- &call ("AES_set_encrypt_key");
++ &call ("AES_set_encrypt_key\@PLT");
+ &add ("esp",12);
++ &pop ("ebx");
+ &cmp ("eax",0);
+ &je (&label("proceed"));
+ &ret ();
diff --git a/openssl0.9.8/patches/pkg-config.patch b/openssl0.9.8/patches/pkg-config.patch
new file mode 100644
index 0000000..38923b0
--- /dev/null
+++ b/openssl0.9.8/patches/pkg-config.patch
@@ -0,0 +1,34 @@
+Index: openssl-0.9.8k/Makefile.org
+===================================================================
+--- openssl-0.9.8k.orig/Makefile.org 2009-07-19 11:34:56.000000000 +0200
++++ openssl-0.9.8k/Makefile.org 2009-07-19 11:36:02.000000000 +0200
+@@ -444,7 +444,8 @@
+ echo 'Description: OpenSSL cryptography library'; \
+ echo 'Version: '$(VERSION); \
+ echo 'Requires: '; \
+- echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
++ echo 'Libs: -L$${libdir} -lcrypto'; \
++ echo 'Libs.private: $(EX_LIBS)'; \
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+
+ libssl.pc: Makefile
+@@ -457,7 +458,8 @@
+ echo 'Description: Secure Sockets Layer and cryptography libraries'; \
+ echo 'Version: '$(VERSION); \
+ echo 'Requires: '; \
+- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
++ echo 'Libs: -L$${libdir} -lssl'; \
++ echo 'Libs.private: -lcrypto $(EX_LIBS)'; \
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+
+ openssl.pc: Makefile
+@@ -470,7 +472,8 @@
+ echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+ echo 'Version: '$(VERSION); \
+ echo 'Requires: '; \
+- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
++ echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
++ echo 'Libs.private: $(EX_LIBS)'; \
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+
+ Makefile: Makefile.org Configure config
diff --git a/openssl0.9.8/patches/rc4-amd64.patch b/openssl0.9.8/patches/rc4-amd64.patch
new file mode 100644
index 0000000..6f0421a
--- /dev/null
+++ b/openssl0.9.8/patches/rc4-amd64.patch
@@ -0,0 +1,14 @@
+Index: openssl-0.9.8k/Configure
+===================================================================
+--- openssl-0.9.8k.orig/Configure 2009-07-19 11:32:41.000000000 +0200
++++ openssl-0.9.8k/Configure 2009-07-19 11:37:10.000000000 +0200
+@@ -128,6 +128,9 @@
+ my $x86_out_asm="x86cpuid-out.o:bn86-out.o co86-out.o MAYBE-MO86-out.o:dx86-out.o yx86-out.o:ax86-out.o:bx86-out.o:mx86-out.o:sx86-out.o s512sse2-out.o:cx86-out.o:rx86-out.o rc4_skey.o:rm86-out.o:r586-out.o";
+
+ my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o::";
++# rc4 asm is disabled on amd64 because we configured it with RC4_CHAR while
++# the assembler only works with int
++my $x86_64_asm_linux="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::::";
+ my $ia64_asm=":bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o::";
+
+ my $no_asm="::::::::::";
diff --git a/openssl0.9.8/patches/rehash-crt.patch b/openssl0.9.8/patches/rehash-crt.patch
new file mode 100644
index 0000000..a8ff28c
--- /dev/null
+++ b/openssl0.9.8/patches/rehash-crt.patch
@@ -0,0 +1,33 @@
+Index: openssl-0.9.8k/tools/c_rehash.in
+===================================================================
+--- openssl-0.9.8k.orig/tools/c_rehash.in 2002-10-11 22:31:27.000000000 +0200
++++ openssl-0.9.8k/tools/c_rehash.in 2009-07-19 11:36:26.000000000 +0200
+@@ -59,12 +59,15 @@
+ }
+ }
+ closedir DIR;
+- FILE: foreach $fname (grep {/\.pem$/} @flist) {
++ FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if(!$cert && !$crl) {
+- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+- next;
++ ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | ");
++ if(!$cert && !$crl) {
++ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
++ next;
++ }
+ }
+ link_hash_cert($fname) if($cert);
+ link_hash_crl($fname) if($crl);
+@@ -102,6 +105,9 @@
+ my $fname = $_[0];
+ $fname =~ s/'/'\\''/g;
+ my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`;
++ if(!$hash || !fprint) {
++ ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname' -inform der`;
++ }
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
diff --git a/openssl0.9.8/patches/rehash_pod.patch b/openssl0.9.8/patches/rehash_pod.patch
new file mode 100644
index 0000000..94792c4
--- /dev/null
+++ b/openssl0.9.8/patches/rehash_pod.patch
@@ -0,0 +1,60 @@
+Index: openssl-0.9.8k/doc/apps/c_rehash.pod
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ openssl-0.9.8k/doc/apps/c_rehash.pod 2009-07-19 11:36:27.000000000 +0200
+@@ -0,0 +1,55 @@
++
++=pod
++
++=head1 NAME
++
++c_rehash - Create symbolic links to files named by the hash values
++
++=head1 SYNOPSIS
++
++B<c_rehash>
++[directory] ...
++
++=head1 DESCRIPTION
++
++c_rehash scans directories and takes a hash value of each .pem and .crt file in the directory. It then creates symbolic links for each of the files named by the hash value. This is useful as many programs require directories to be set up like this in order to find the certificates they require.
++
++If any directories are named on the command line then these directories are processed in turn. If not then and the environment variable SSL_CERT_DIR is defined then that is consulted. This variable should be a colon (:) separated list of directories, all of which will be processed. If neither of these conditions are true then /usr/lib/ssl/certs is processed.
++
++For each directory that is to be processed he user must have write permissions on the directory, if they do not then nothing will be printed for that directory.
++
++Note that this program deletes all the symbolic links that look like ones that it creates before processing a directory. Beware that if you run the program on a directory that contains symbolic links for other purposes that are named in the same format as those created by this program they will be lost.
++
++The hashes for certificate files are of the form <hash>.<n> where n is an integer. If the hash value already exists then n will be incremented, unless the file is a duplicate. Duplicates are detected using the fingerprint of the certificate. A warning will be printed if a duplicate is detected. The hashes for CRL files are of the form <hash>.r<n> and have the same behavior.
++
++The program will also warn if there are files with extension .pem which are not certificate or CRL files.
++
++The program uses the openssl program to compute the hashes and fingerprints. It expects the executable to be named openssl and be on the PATH, or in the /usr/lib/ssl/bin directory. If the OPENSSL environment variable is defined then this is used instead as the executable that provides the hashes and fingerprints. When called as $OPENSSL x509 -hash -fingerprint -noout -in $file it must output the hash of $file on the first line followed by the fingerprint on the second line, optionally prefixed with some text and an equals sign (=).
++
++=head1 OPTIONS
++
++None
++
++=head1 ENVIRONMENT
++
++=over 4
++
++=item B<OPENSSL>
++
++The name (and path) of an executable to use to generate hashes and fingerprints (see above).
++
++=item B<SSL_CERT_DIR>
++
++Colon separated list of directories to operate on. Ignored if directories are listed on the command line.
++
++=head1 SEE ALSO
++
++L<openssl(1)|openssl(1)>, L<x509(1)|x509(1)>
++
++=back
++
++=head1 BUGS
++
++No known bugs
++
++=cut
diff --git a/openssl0.9.8/patches/shared-lib-ext.patch b/openssl0.9.8/patches/shared-lib-ext.patch
new file mode 100644
index 0000000..d27e9b2
--- /dev/null
+++ b/openssl0.9.8/patches/shared-lib-ext.patch
@@ -0,0 +1,14 @@
+Index: openssl-0.9.8k/Configure
+===================================================================
+--- openssl-0.9.8k.orig/Configure 2009-07-19 11:36:24.000000000 +0200
++++ openssl-0.9.8k/Configure 2009-07-19 11:37:03.000000000 +0200
+@@ -1568,7 +1568,8 @@
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++# s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
diff --git a/openssl0.9.8/patches/stddef.patch b/openssl0.9.8/patches/stddef.patch
new file mode 100644
index 0000000..bb65b23
--- /dev/null
+++ b/openssl0.9.8/patches/stddef.patch
@@ -0,0 +1,12 @@
+Index: openssl-0.9.8k/crypto/sha/sha.h
+===================================================================
+--- openssl-0.9.8k.orig/crypto/sha/sha.h 2008-09-16 12:47:28.000000000 +0200
++++ openssl-0.9.8k/crypto/sha/sha.h 2009-07-19 11:36:28.000000000 +0200
+@@ -59,6 +59,7 @@
+ #ifndef HEADER_SHA_H
+ #define HEADER_SHA_H
+
++#include <stddef.h>
+ #include <openssl/e_os2.h>
+ #include <stddef.h>
+
diff --git a/openssl0.9.8/patches/valgrind.patch b/openssl0.9.8/patches/valgrind.patch
new file mode 100644
index 0000000..e9f86ea
--- /dev/null
+++ b/openssl0.9.8/patches/valgrind.patch
@@ -0,0 +1,15 @@
+Index: openssl-0.9.8k/crypto/rand/md_rand.c
+===================================================================
+--- openssl-0.9.8k.orig/crypto/rand/md_rand.c 2008-09-16 13:50:05.000000000 +0200
++++ openssl-0.9.8k/crypto/rand/md_rand.c 2009-07-19 11:36:05.000000000 +0200
+@@ -477,8 +477,10 @@
+ MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+ MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+ #ifndef PURIFY
++#if 0 /* Don't add uninitialised data. */
+ MD_Update(&m,buf,j); /* purify complains */
+ #endif
++#endif
+ k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
+ if (k > 0)
+ {