new upstream release fixing multiple security issues

.gitignore

@@ -17,3 +17,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.1h-hobbled.tar.xz
 /openssl-1.0.1i-hobbled.tar.xz
 /openssl-1.0.1j-hobbled.tar.xz
+/openssl-1.0.1k-hobbled.tar.xz

openssl-1.0.1-beta2-dtls1-abi.patch

@@ -1,23 +0,0 @@
-diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
---- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi	2012-02-06 17:07:34.630336118 +0100
-+++ openssl-1.0.1-beta2/ssl/dtls1.h	2012-02-06 17:10:08.956623707 +0100
-@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
- 	 */
- 	record_pqueue buffered_app_data;
- 
--	/* Is set when listening for new connections with dtls1_listen() */
--	unsigned int listen;
--
- 	unsigned int mtu; /* max DTLS packet size */
- 
- 	struct hm_header_st w_msg_hdr;
-@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
- 	unsigned int retransmitting;
- 	unsigned int change_cipher_spec_ok;
- 
-+	/* Is set when listening for new connections with dtls1_listen() */
-+	unsigned int listen;
-+
- #ifndef OPENSSL_NO_SCTP
- 	/* used when SSL_ST_XX_FLUSH is entered */
- 	int next_state;

openssl-1.0.1k-dtls1-abi.patch

@@ -0,0 +1,26 @@
+diff -up openssl-1.0.1k/ssl/dtls1.h.dtls1-abi openssl-1.0.1k/ssl/dtls1.h
+--- openssl-1.0.1k/ssl/dtls1.h.dtls1-abi	2015-01-09 09:58:59.332596897 +0100
++++ openssl-1.0.1k/ssl/dtls1.h	2015-01-09 10:02:34.908472320 +0100
+@@ -231,10 +231,6 @@ typedef struct dtls1_state_st
+ 	 */
+ 	record_pqueue buffered_app_data;
+ 
+-	/* Is set when listening for new connections with dtls1_listen() */
+-	unsigned int listen;
+-
+-	unsigned int link_mtu; /* max on-the-wire DTLS packet size */
+ 	unsigned int mtu; /* max DTLS packet size */
+ 
+ 	struct hm_header_st w_msg_hdr;
+@@ -262,6 +258,11 @@ typedef struct dtls1_state_st
+ 	 */
+ 	unsigned int change_cipher_spec_ok;
+ 
++	/* Is set when listening for new connections with dtls1_listen() */
++	unsigned int listen;
++
++	unsigned int link_mtu; /* max on-the-wire DTLS packet size */
++
+ #ifndef OPENSSL_NO_SCTP
+ 	/* used when SSL_ST_XX_FLUSH is entered */
+ 	int next_state;

openssl-1.0.1k-ecc-suiteb.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
---- openssl-1.0.1e/apps/speed.c.suiteb	2013-11-08 18:02:53.815229706 +0100
-+++ openssl-1.0.1e/apps/speed.c	2013-11-08 18:04:47.016724297 +0100
+diff -up openssl-1.0.1k/apps/speed.c.suiteb openssl-1.0.1k/apps/speed.c
+--- openssl-1.0.1k/apps/speed.c.suiteb	2015-01-09 10:03:38.406908388 +0100
++++ openssl-1.0.1k/apps/speed.c	2015-01-09 10:03:38.602912821 +0100
 @@ -966,49 +966,23 @@ int MAIN(int argc, char **argv)
  		else
  #endif
@@ -87,38 +87,44 @@ diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
  			ecdh_doit[i]=1;
  #endif
  		}
-diff -up openssl-1.0.1e/ssl/t1_lib.c.suiteb openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.suiteb	2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/t1_lib.c	2013-11-08 18:05:27.551617554 +0100
-@@ -204,31 +204,9 @@ static int nid_list[] =
- 
- static int pref_list[] =
- 	{
--		NID_sect571r1, /* sect571r1 (14) */ 
--		NID_sect571k1, /* sect571k1 (13) */ 
- 		NID_secp521r1, /* secp521r1 (25) */	
--		NID_sect409k1, /* sect409k1 (11) */ 
--		NID_sect409r1, /* sect409r1 (12) */
- 		NID_secp384r1, /* secp384r1 (24) */
--		NID_sect283k1, /* sect283k1 (9) */
--		NID_sect283r1, /* sect283r1 (10) */ 
+diff -up openssl-1.0.1k/ssl/t1_lib.c.suiteb openssl-1.0.1k/ssl/t1_lib.c
+--- openssl-1.0.1k/ssl/t1_lib.c.suiteb	2015-01-09 10:03:38.603912844 +0100
++++ openssl-1.0.1k/ssl/t1_lib.c	2015-01-09 10:06:35.470912834 +0100
+@@ -218,29 +218,21 @@ static int pref_list[] =
+ 		NID_sect283k1, /* sect283k1 (9) */
+ 		NID_sect283r1, /* sect283r1 (10) */ 
+ #endif
 -		NID_secp256k1, /* secp256k1 (22) */ 
  		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
--		NID_sect239k1, /* sect239k1 (8) */ 
--		NID_sect233k1, /* sect233k1 (6) */
--		NID_sect233r1, /* sect233r1 (7) */ 
+ #ifndef OPENSSL_NO_EC2M
+ 		NID_sect239k1, /* sect239k1 (8) */ 
+ 		NID_sect233k1, /* sect233k1 (6) */
+ 		NID_sect233r1, /* sect233r1 (7) */ 
+ #endif
 -		NID_secp224k1, /* secp224k1 (20) */ 
 -		NID_secp224r1, /* secp224r1 (21) */
--		NID_sect193r1, /* sect193r1 (4) */ 
--		NID_sect193r2, /* sect193r2 (5) */ 
+ #ifndef OPENSSL_NO_EC2M
+ 		NID_sect193r1, /* sect193r1 (4) */ 
+ 		NID_sect193r2, /* sect193r2 (5) */ 
+ #endif
 -		NID_secp192k1, /* secp192k1 (18) */
 -		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
--		NID_sect163k1, /* sect163k1 (1) */
--		NID_sect163r1, /* sect163r1 (2) */
--		NID_sect163r2, /* sect163r2 (3) */
+ #ifndef OPENSSL_NO_EC2M
+ 		NID_sect163k1, /* sect163k1 (1) */
+ 		NID_sect163r1, /* sect163r1 (2) */
+ 		NID_sect163r2, /* sect163r2 (3) */
+ #endif
 -		NID_secp160k1, /* secp160k1 (15) */
 -		NID_secp160r1, /* secp160r1 (16) */ 
 -		NID_secp160r2, /* secp160r2 (17) */ 
  	};
  
  int tls1_ec_curve_id2nid(int curve_id)
+@@ -1820,7 +1812,6 @@ int ssl_prepare_clienthello_tlsext(SSL *
+ 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+ 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
+ 
+-		/* we support all named elliptic curves in RFC 4492 */
+ 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
+ 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
+ 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)

openssl-1.0.1k-ephemeral-key-size.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.0.1j/apps/s_apps.h.ephemeral openssl-1.0.1j/apps/s_apps.h
---- openssl-1.0.1j/apps/s_apps.h.ephemeral	2014-10-16 13:32:30.772817591 +0200
-+++ openssl-1.0.1j/apps/s_apps.h	2014-10-16 13:32:30.865819691 +0200
+diff -up openssl-1.0.1k/apps/s_apps.h.ephemeral openssl-1.0.1k/apps/s_apps.h
+--- openssl-1.0.1k/apps/s_apps.h.ephemeral	2015-01-09 10:22:03.289896211 +0100
++++ openssl-1.0.1k/apps/s_apps.h	2015-01-09 10:22:03.373898111 +0100
 @@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,
  int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
  int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
@@ -9,9 +9,9 @@ diff -up openssl-1.0.1j/apps/s_apps.h.ephemeral openssl-1.0.1j/apps/s_apps.h
  int init_client(int *sock, char *server, char *port, int type);
  int should_retry(int i);
  int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-diff -up openssl-1.0.1j/apps/s_cb.c.ephemeral openssl-1.0.1j/apps/s_cb.c
---- openssl-1.0.1j/apps/s_cb.c.ephemeral	2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/apps/s_cb.c	2014-10-16 13:32:30.865819691 +0200
+diff -up openssl-1.0.1k/apps/s_cb.c.ephemeral openssl-1.0.1k/apps/s_cb.c
+--- openssl-1.0.1k/apps/s_cb.c.ephemeral	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/apps/s_cb.c	2015-01-09 10:22:03.373898111 +0100
 @@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(
  		}
  	}
@@ -51,10 +51,10 @@ diff -up openssl-1.0.1j/apps/s_cb.c.ephemeral openssl-1.0.1j/apps/s_cb.c
  
  void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
  	{
-diff -up openssl-1.0.1j/apps/s_client.c.ephemeral openssl-1.0.1j/apps/s_client.c
---- openssl-1.0.1j/apps/s_client.c.ephemeral	2014-10-16 13:32:30.860819578 +0200
-+++ openssl-1.0.1j/apps/s_client.c	2014-10-16 13:32:30.865819691 +0200
-@@ -2044,6 +2044,8 @@ static void print_stuff(BIO *bio, SSL *s
+diff -up openssl-1.0.1k/apps/s_client.c.ephemeral openssl-1.0.1k/apps/s_client.c
+--- openssl-1.0.1k/apps/s_client.c.ephemeral	2015-01-09 10:22:03.367897975 +0100
++++ openssl-1.0.1k/apps/s_client.c	2015-01-09 10:22:03.373898111 +0100
+@@ -2058,6 +2058,8 @@ static void print_stuff(BIO *bio, SSL *s
  			BIO_write(bio,"\n",1);
  			}
  
@@ -63,18 +63,18 @@ diff -up openssl-1.0.1j/apps/s_client.c.ephemeral openssl-1.0.1j/apps/s_client.c
  		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
  			BIO_number_read(SSL_get_rbio(s)),
  			BIO_number_written(SSL_get_wbio(s)));
-diff -up openssl-1.0.1j/ssl/ssl.h.ephemeral openssl-1.0.1j/ssl/ssl.h
---- openssl-1.0.1j/ssl/ssl.h.ephemeral	2014-10-16 13:32:30.851819375 +0200
-+++ openssl-1.0.1j/ssl/ssl.h	2014-10-16 13:33:23.233001903 +0200
-@@ -1585,6 +1585,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+diff -up openssl-1.0.1k/ssl/ssl.h.ephemeral openssl-1.0.1k/ssl/ssl.h
+--- openssl-1.0.1k/ssl/ssl.h.ephemeral	2015-01-09 10:22:03.358897772 +0100
++++ openssl-1.0.1k/ssl/ssl.h	2015-01-09 10:25:08.644088146 +0100
+@@ -1593,6 +1593,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS		82
  #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS	83
  
 +#define SSL_CTRL_GET_SERVER_TMP_KEY		109
  #define SSL_CTRL_CHECK_PROTO_VERSION		119
- 
- #define DTLSv1_get_timeout(ssl, arg) \
-@@ -1628,6 +1629,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+ #define DTLS_CTRL_SET_LINK_MTU			120
+ #define DTLS_CTRL_GET_LINK_MIN_MTU		121
+@@ -1638,6 +1639,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  #define SSL_CTX_clear_extra_chain_certs(ctx) \
  	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
  
@@ -84,9 +84,9 @@ diff -up openssl-1.0.1j/ssl/ssl.h.ephemeral openssl-1.0.1j/ssl/ssl.h
  #ifndef OPENSSL_NO_BIO
  BIO_METHOD *BIO_f_ssl(void);
  BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
-diff -up openssl-1.0.1j/ssl/s3_lib.c.ephemeral openssl-1.0.1j/ssl/s3_lib.c
---- openssl-1.0.1j/ssl/s3_lib.c.ephemeral	2014-10-16 13:32:30.866819713 +0200
-+++ openssl-1.0.1j/ssl/s3_lib.c	2014-10-16 13:34:08.918033262 +0200
+diff -up openssl-1.0.1k/ssl/s3_lib.c.ephemeral openssl-1.0.1k/ssl/s3_lib.c
+--- openssl-1.0.1k/ssl/s3_lib.c.ephemeral	2015-01-08 15:00:56.000000000 +0100
++++ openssl-1.0.1k/ssl/s3_lib.c	2015-01-09 10:22:03.374898133 +0100
 @@ -3356,6 +3356,45 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
  
  #endif /* !OPENSSL_NO_TLSEXT */

openssl-1.0.1k-padlock64.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
---- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64	2011-06-21 18:42:15.000000000 +0200
-+++ openssl-1.0.1-beta2/engines/e_padlock.c	2012-02-06 20:18:52.039537799 +0100
+diff -up openssl-1.0.1k/engines/e_padlock.c.padlock64 openssl-1.0.1k/engines/e_padlock.c
+--- openssl-1.0.1k/engines/e_padlock.c.padlock64	2015-01-08 15:00:56.000000000 +0100
++++ openssl-1.0.1k/engines/e_padlock.c	2015-01-09 10:18:55.579650992 +0100
 @@ -101,7 +101,10 @@
     compiler choice is limited to GCC and Microsoft C. */
  #undef COMPILE_HW_PADLOCK
@@ -30,11 +30,12 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
  /*
   * As for excessive "push %ebx"/"pop %ebx" found all over.
   * When generating position-independent code GCC won't let
-@@ -383,21 +387,6 @@ padlock_available(void)
+@@ -383,23 +387,6 @@ padlock_available(void)
  	return padlock_use_ace + padlock_use_rng;
  }
  
 -#ifndef OPENSSL_NO_AES
+-#ifndef AES_ASM
 -/* Our own htonl()/ntohl() */
 -static inline void
 -padlock_bswapl(AES_KEY *ks)
@@ -48,11 +49,12 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
 -	}
 -}
 -#endif
+-#endif
 -
  /* Force key reload from memory to the CPU microcode.
     Loading EFLAGS from the stack clears EFLAGS[30] 
     which does the trick. */
-@@ -455,12 +444,127 @@ static inline void *name(size_t cnt,		\
+@@ -457,12 +444,129 @@ static inline void *name(size_t cnt,		\
  		: "edx", "cc", "memory");	\
  	return iv;				\
  }
@@ -165,6 +167,7 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
  PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")	/* rep xcryptcfb */
  PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")	/* rep xcryptofb */
 +
++#ifndef AES_ASM
 +/* Our own htonl()/ntohl() */
 +static inline void
 +padlock_bswapl(AES_KEY *ks)
@@ -177,10 +180,11 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
 +		key++;
 +	}
 +}
++#endif
  #endif
  
  /* The RNG call itself */
-@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
+@@ -493,8 +597,8 @@ padlock_xstore(void *addr, unsigned int
  static inline unsigned char *
  padlock_memcpy(void *dst,const void *src,size_t n)
  {

openssl-1.0.1k-trusted-first.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c
---- openssl-1.0.1i/apps/apps.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/apps.c	2014-08-07 13:54:27.751103405 +0200
+diff -up openssl-1.0.1k/apps/apps.c.trusted-first openssl-1.0.1k/apps/apps.c
+--- openssl-1.0.1k/apps/apps.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/apps/apps.c	2015-01-09 10:19:45.476779456 +0100
 @@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
  		flags |= X509_V_FLAG_NOTIFY_POLICY;
  	else if (!strcmp(arg, "-check_ss_sig"))
@@ -10,9 +10,9 @@ diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c
  	else
  		return 0;
  
-diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c
---- openssl-1.0.1i/apps/cms.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/cms.c	2014-08-07 13:54:27.751103405 +0200
+diff -up openssl-1.0.1k/apps/cms.c.trusted-first openssl-1.0.1k/apps/cms.c
+--- openssl-1.0.1k/apps/cms.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/apps/cms.c	2015-01-09 10:19:45.476779456 +0100
 @@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
  		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
  		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
@@ -21,20 +21,20 @@ diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c
  		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
  		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
  #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1i/apps/ocsp.c.trusted-first openssl-1.0.1i/apps/ocsp.c
---- openssl-1.0.1i/apps/ocsp.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/ocsp.c	2014-08-07 13:54:27.752103409 +0200
+diff -up openssl-1.0.1k/apps/ocsp.c.trusted-first openssl-1.0.1k/apps/ocsp.c
+--- openssl-1.0.1k/apps/ocsp.c.trusted-first	2015-01-09 10:19:45.477779478 +0100
++++ openssl-1.0.1k/apps/ocsp.c	2015-01-09 10:20:57.726413440 +0100
 @@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
- 		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
- 		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
- 		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
-+		BIO_printf (bio_err, "-trusted_first     use trusted certificates first when building the trust chain\n");
- 		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
- 		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
- 		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
-diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_client.c
---- openssl-1.0.1i/apps/s_client.c.trusted-first	2014-08-07 13:54:27.752103409 +0200
-+++ openssl-1.0.1i/apps/s_client.c	2014-08-07 15:06:28.443918055 +0200
+ 		BIO_printf (bio_err, "-path                path to use in OCSP request\n");
+ 		BIO_printf (bio_err, "-CApath dir          trusted certificates directory\n");
+ 		BIO_printf (bio_err, "-CAfile file         trusted certificates file\n");
++		BIO_printf (bio_err, "-trusted_first       use trusted certificates first when building the trust chain\n");
+ 		BIO_printf (bio_err, "-VAfile file         validator certificates file\n");
+ 		BIO_printf (bio_err, "-validity_period n   maximum validity discrepancy in seconds\n");
+ 		BIO_printf (bio_err, "-status_age n        maximum status age in seconds\n");
+diff -up openssl-1.0.1k/apps/s_client.c.trusted-first openssl-1.0.1k/apps/s_client.c
+--- openssl-1.0.1k/apps/s_client.c.trusted-first	2015-01-09 10:19:45.438778596 +0100
++++ openssl-1.0.1k/apps/s_client.c	2015-01-09 10:19:45.477779478 +0100
 @@ -299,6 +299,7 @@ static void sc_usage(void)
  	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
  	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
@@ -43,9 +43,9 @@ diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_clie
  	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
  	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
  	BIO_printf(bio_err," -prexit       - print session information even on connection failure\n");
-diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c
---- openssl-1.0.1i/apps/smime.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/smime.c	2014-08-07 13:54:27.753103414 +0200
+diff -up openssl-1.0.1k/apps/smime.c.trusted-first openssl-1.0.1k/apps/smime.c
+--- openssl-1.0.1k/apps/smime.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/apps/smime.c	2015-01-09 10:19:45.477779478 +0100
 @@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
  		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
  		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
@@ -54,9 +54,9 @@ diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c
  		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
  		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
  #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_server.c
---- openssl-1.0.1i/apps/s_server.c.trusted-first	2014-08-07 13:54:27.718103241 +0200
-+++ openssl-1.0.1i/apps/s_server.c	2014-08-07 13:54:27.753103414 +0200
+diff -up openssl-1.0.1k/apps/s_server.c.trusted-first openssl-1.0.1k/apps/s_server.c
+--- openssl-1.0.1k/apps/s_server.c.trusted-first	2015-01-09 10:19:45.445778755 +0100
++++ openssl-1.0.1k/apps/s_server.c	2015-01-09 10:19:45.478779501 +0100
 @@ -502,6 +502,7 @@ static void sv_usage(void)
  	BIO_printf(bio_err," -state        - Print the SSL states\n");
  	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
@@ -65,9 +65,9 @@ diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_serv
  	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
  	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
  	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
-diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c
---- openssl-1.0.1i/apps/s_time.c.trusted-first	2014-08-07 13:54:27.432101823 +0200
-+++ openssl-1.0.1i/apps/s_time.c	2014-08-07 13:54:27.753103414 +0200
+diff -up openssl-1.0.1k/apps/s_time.c.trusted-first openssl-1.0.1k/apps/s_time.c
+--- openssl-1.0.1k/apps/s_time.c.trusted-first	2015-01-09 10:19:45.391777534 +0100
++++ openssl-1.0.1k/apps/s_time.c	2015-01-09 10:19:45.478779501 +0100
 @@ -179,6 +179,7 @@ static void s_time_usage(void)
                  file if not specified by this option\n\
  -CApath arg   - PEM format directory of CA's\n\
@@ -76,9 +76,9 @@ diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c
  -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
  
  	printf( "usage: s_time <args>\n\n" );
-diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c
---- openssl-1.0.1i/apps/ts.c.trusted-first	2014-08-07 13:54:27.707103186 +0200
-+++ openssl-1.0.1i/apps/ts.c	2014-08-07 13:54:27.753103414 +0200
+diff -up openssl-1.0.1k/apps/ts.c.trusted-first openssl-1.0.1k/apps/ts.c
+--- openssl-1.0.1k/apps/ts.c.trusted-first	2015-01-09 10:19:45.435778529 +0100
++++ openssl-1.0.1k/apps/ts.c	2015-01-09 10:19:45.478779501 +0100
 @@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
  		   "ts -verify [-data file_to_hash] [-digest digest_bytes] "
  		   "[-queryfile request.tsq] "
@@ -88,9 +88,9 @@ diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c
  		   "-untrusted cert_file.pem\n");
   cleanup:
  	/* Clean up. */
-diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c
---- openssl-1.0.1i/apps/verify.c.trusted-first	2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/verify.c	2014-08-07 13:54:27.754103419 +0200
+diff -up openssl-1.0.1k/apps/verify.c.trusted-first openssl-1.0.1k/apps/verify.c
+--- openssl-1.0.1k/apps/verify.c.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/apps/verify.c	2015-01-09 10:19:45.478779501 +0100
 @@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
  
  end:
@@ -100,9 +100,9 @@ diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c
  		BIO_printf(bio_err," [-attime timestamp]");
  #ifndef OPENSSL_NO_ENGINE
  		BIO_printf(bio_err," [-engine e]");
-diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.c
---- openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first	2014-08-07 13:54:27.716103231 +0200
-+++ openssl-1.0.1i/crypto/x509/x509_vfy.c	2014-08-07 13:54:27.754103419 +0200
+diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1k/crypto/x509/x509_vfy.c
+--- openssl-1.0.1k/crypto/x509/x509_vfy.c.trusted-first	2015-01-09 10:19:45.443778710 +0100
++++ openssl-1.0.1k/crypto/x509/x509_vfy.c	2015-01-09 10:19:45.479779524 +0100
 @@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
  
  		/* If we are self signed, we break */
@@ -125,9 +125,9 @@ diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/cryp
  
  		/* If we were passed a cert chain, use it first */
  		if (ctx->untrusted != NULL)
-diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.h
---- openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first	2014-08-07 13:54:27.360101466 +0200
-+++ openssl-1.0.1i/crypto/x509/x509_vfy.h	2014-08-07 13:54:27.754103419 +0200
+diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1k/crypto/x509/x509_vfy.h
+--- openssl-1.0.1k/crypto/x509/x509_vfy.h.trusted-first	2015-01-09 10:19:45.266774706 +0100
++++ openssl-1.0.1k/crypto/x509/x509_vfy.h	2015-01-09 10:19:45.479779524 +0100
 @@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
  #define X509_V_FLAG_USE_DELTAS			0x2000
  /* Check selfsigned CA signature */
@@ -137,9 +137,9 @@ diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/cryp
  
  
  #define X509_VP_FLAG_DEFAULT			0x1
-diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/cms.pod
---- openssl-1.0.1i/doc/apps/cms.pod.trusted-first	2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/cms.pod	2014-08-07 13:54:27.754103419 +0200
+diff -up openssl-1.0.1k/doc/apps/cms.pod.trusted-first openssl-1.0.1k/doc/apps/cms.pod
+--- openssl-1.0.1k/doc/apps/cms.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/doc/apps/cms.pod	2015-01-09 10:19:45.479779524 +0100
 @@ -35,6 +35,7 @@ B<openssl> B<cms>
  [B<-print>]
  [B<-CAfile file>]
@@ -161,9 +161,9 @@ diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/c
  =item B<-md digest>
  
  digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/ocsp.pod
---- openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first	2014-08-07 13:54:27.708103191 +0200
-+++ openssl-1.0.1i/doc/apps/ocsp.pod	2014-08-07 13:54:27.755103424 +0200
+diff -up openssl-1.0.1k/doc/apps/ocsp.pod.trusted-first openssl-1.0.1k/doc/apps/ocsp.pod
+--- openssl-1.0.1k/doc/apps/ocsp.pod.trusted-first	2015-01-09 10:19:45.436778551 +0100
++++ openssl-1.0.1k/doc/apps/ocsp.pod	2015-01-09 10:19:45.479779524 +0100
 @@ -29,6 +29,7 @@ B<openssl> B<ocsp>
  [B<-path>]
  [B<-CApath dir>]
@@ -172,7 +172,7 @@ diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/
  [B<-VAfile file>]
  [B<-validity_period n>]
  [B<-status_age n>]
-@@ -138,6 +139,13 @@ or "/" by default.
+@@ -142,6 +143,13 @@ connection timeout to the OCSP responder
  file or pathname containing trusted CA certificates. These are used to verify
  the signature on the OCSP response.
  
@@ -186,9 +186,9 @@ diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/
  =item B<-verify_other file>
  
  file containing additional certificates to search when attempting to locate
-diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/apps/s_client.pod
---- openssl-1.0.1i/doc/apps/s_client.pod.trusted-first	2014-08-07 13:54:27.726103281 +0200
-+++ openssl-1.0.1i/doc/apps/s_client.pod	2014-08-07 13:54:27.755103424 +0200
+diff -up openssl-1.0.1k/doc/apps/s_client.pod.trusted-first openssl-1.0.1k/doc/apps/s_client.pod
+--- openssl-1.0.1k/doc/apps/s_client.pod.trusted-first	2015-01-09 10:19:45.451778890 +0100
++++ openssl-1.0.1k/doc/apps/s_client.pod	2015-01-09 10:19:45.479779524 +0100
 @@ -19,6 +19,7 @@ B<openssl> B<s_client>
  [B<-pass arg>]
  [B<-CApath directory>]
@@ -206,9 +206,9 @@ diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/a
  
  Set various certificate chain valiadition option. See the
  L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps/smime.pod
---- openssl-1.0.1i/doc/apps/smime.pod.trusted-first	2014-07-22 21:43:11.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/smime.pod	2014-08-07 13:54:27.755103424 +0200
+diff -up openssl-1.0.1k/doc/apps/smime.pod.trusted-first openssl-1.0.1k/doc/apps/smime.pod
+--- openssl-1.0.1k/doc/apps/smime.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/doc/apps/smime.pod	2015-01-09 10:19:45.479779524 +0100
 @@ -15,6 +15,9 @@ B<openssl> B<smime>
  [B<-pk7out>]
  [B<-[cipher]>]
@@ -232,9 +232,9 @@ diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps
  =item B<-md digest>
  
  digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/apps/s_server.pod
---- openssl-1.0.1i/doc/apps/s_server.pod.trusted-first	2014-08-07 13:54:27.726103281 +0200
-+++ openssl-1.0.1i/doc/apps/s_server.pod	2014-08-07 15:07:12.315099577 +0200
+diff -up openssl-1.0.1k/doc/apps/s_server.pod.trusted-first openssl-1.0.1k/doc/apps/s_server.pod
+--- openssl-1.0.1k/doc/apps/s_server.pod.trusted-first	2015-01-09 10:19:45.451778890 +0100
++++ openssl-1.0.1k/doc/apps/s_server.pod	2015-01-09 10:19:45.479779524 +0100
 @@ -33,6 +33,7 @@ B<openssl> B<s_server>
  [B<-state>]
  [B<-CApath directory>]
@@ -256,9 +256,9 @@ diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/a
  =item B<-state>
  
  prints out the SSL session states.
-diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/apps/s_time.pod
---- openssl-1.0.1i/doc/apps/s_time.pod.trusted-first	2014-07-22 21:41:23.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/s_time.pod	2014-08-07 13:54:27.755103424 +0200
+diff -up openssl-1.0.1k/doc/apps/s_time.pod.trusted-first openssl-1.0.1k/doc/apps/s_time.pod
+--- openssl-1.0.1k/doc/apps/s_time.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/doc/apps/s_time.pod	2015-01-09 10:19:45.480779546 +0100
 @@ -14,6 +14,7 @@ B<openssl> B<s_time>
  [B<-key filename>]
  [B<-CApath directory>]
@@ -280,9 +280,9 @@ diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/app
  =item B<-new>
  
  performs the timing test using a new session ID for each connection.
-diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts.pod
---- openssl-1.0.1i/doc/apps/ts.pod.trusted-first	2014-07-22 21:41:23.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/ts.pod	2014-08-07 13:54:27.756103429 +0200
+diff -up openssl-1.0.1k/doc/apps/ts.pod.trusted-first openssl-1.0.1k/doc/apps/ts.pod
+--- openssl-1.0.1k/doc/apps/ts.pod.trusted-first	2014-10-15 15:49:15.000000000 +0200
++++ openssl-1.0.1k/doc/apps/ts.pod	2015-01-09 10:19:45.480779546 +0100
 @@ -46,6 +46,7 @@ B<-verify>
  [B<-token_in>]
  [B<-CApath> trusted_cert_path]
@@ -304,9 +304,9 @@ diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts
  =item B<-untrusted> cert_file.pem
  
  Set of additional untrusted certificates in PEM format which may be
-diff -up openssl-1.0.1i/doc/apps/verify.pod.trusted-first openssl-1.0.1i/doc/apps/verify.pod
---- openssl-1.0.1i/doc/apps/verify.pod.trusted-first	2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/verify.pod	2014-08-07 13:54:27.756103429 +0200
+diff -up openssl-1.0.1k/doc/apps/verify.pod.trusted-first openssl-1.0.1k/doc/apps/verify.pod
+--- openssl-1.0.1k/doc/apps/verify.pod.trusted-first	2015-01-08 15:00:36.000000000 +0100
++++ openssl-1.0.1k/doc/apps/verify.pod	2015-01-09 10:19:45.480779546 +0100
 @@ -9,6 +9,7 @@ verify - Utility to verify certificates.
  B<openssl> B<verify>
  [B<-CApath directory>]

openssl.spec

@@ -22,8 +22,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.1j
-Release: 3%{?dist}
+Version: 1.0.1k
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -58,11 +58,11 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
 Patch35: openssl-0.9.8j-version-add-engines.patch
 Patch39: openssl-1.0.1h-ipv6-apps.patch
-Patch40: openssl-1.0.1j-fips.patch
+Patch40: openssl-1.0.1k-fips.patch
 Patch45: openssl-1.0.1e-env-zlib.patch
 Patch47: openssl-1.0.0-beta5-readme-warning.patch
 Patch49: openssl-1.0.1i-algo-doc.patch
-Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
+Patch50: openssl-1.0.1k-dtls1-abi.patch
 Patch51: openssl-1.0.1e-version.patch
 Patch56: openssl-1.0.0c-rsa-x931.patch
 Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
@@ -75,7 +75,7 @@ Patch69: openssl-1.0.1c-dh-1024.patch
 Patch70: openssl-1.0.1j-fips-ec.patch
 Patch71: openssl-1.0.1i-manfix.patch
 Patch72: openssl-1.0.1e-fips-ctor.patch
-Patch73: openssl-1.0.1e-ecc-suiteb.patch
+Patch73: openssl-1.0.1k-ecc-suiteb.patch
 Patch74: openssl-1.0.1e-no-md5-verify.patch
 Patch75: openssl-1.0.1e-compat-symbols.patch
 Patch76: openssl-1.0.1i-new-fips-reqs.patch
@@ -85,10 +85,10 @@ Patch92: openssl-1.0.1h-system-cipherlist.patch
 Patch93: openssl-1.0.1h-disable-sslv2v3.patch
 # Backported fixes including security fixes
 Patch80: openssl-1.0.1j-evp-wrap.patch
-Patch81: openssl-1.0.1-beta2-padlock64.patch
-Patch84: openssl-1.0.1i-trusted-first.patch
+Patch81: openssl-1.0.1k-padlock64.patch
+Patch84: openssl-1.0.1k-trusted-first.patch
 Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
-Patch89: openssl-1.0.1j-ephemeral-key-size.patch
+Patch89: openssl-1.0.1k-ephemeral-key-size.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -478,6 +478,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Jan  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-1
+- new upstream release fixing multiple security issues
+
 * Thu Nov 20 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-3
 - disable SSLv3 by default again (mail servers and possibly
   LDAP servers should probably allow it explicitly for legacy

sources

@@ -1 +1 @@
-d6eba044f614596f94ba27a90be2b5de  openssl-1.0.1j-hobbled.tar.xz
+c272aff85ade496e3eca96a41a49a06f  openssl-1.0.1k-hobbled.tar.xz