- add support for multiple CRLs with same subject

- load only dynamic engine support in FIPS mode
2009-04-15 14:36:54 +00:00 · 2009-04-15 14:36:54 +00:00 · bb917d493c
parent a9e5f01ef5
commit bb917d493c
5 changed files with 328 additions and 193 deletions
--- a/openssl-0.9.8j-evp-nonfips.patch
+++ b/openssl-0.9.8j-evp-nonfips.patch
@ -1,127 +0,0 @@
-diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c
--- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips	2005-04-30 23:51:40.000000000 +0200
-+++ openssl-0.9.8j/crypto/evp/c_alld.c	2009-01-14 17:51:41.000000000 +0100
-@@ -64,6 +64,11 @@
- 
- void OpenSSL_add_all_digests(void)
- 	{
-+#ifdef OPENSSL_FIPS
-+	OPENSSL_init();
-+	if (!FIPS_mode())
-+		{
-+#endif
- #ifndef OPENSSL_NO_MD2
- 	EVP_add_digest(EVP_md2());
- #endif
-@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
- 	EVP_add_digest(EVP_sha384());
- 	EVP_add_digest(EVP_sha512());
- #endif
-+#ifdef OPENSSL_FIPS
-+		}
-+	else
-+		{
-+#ifndef OPENSSL_NO_SHA
-+	EVP_add_digest(EVP_sha1());
-+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-+#ifndef OPENSSL_NO_DSA
-+	EVP_add_digest(EVP_dss1());
-+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-+#endif
-+#ifndef OPENSSL_NO_ECDSA
-+	EVP_add_digest(EVP_ecdsa());
-+#endif
-+#endif
-+#ifndef OPENSSL_NO_SHA256
-+	EVP_add_digest(EVP_sha224());
-+	EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+	EVP_add_digest(EVP_sha384());
-+	EVP_add_digest(EVP_sha512());
-+#endif
-+		}
-+#endif
- 	}
-diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c
--- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips	2007-04-24 01:50:04.000000000 +0200
-+++ openssl-0.9.8j/crypto/evp/c_allc.c	2009-01-14 17:51:41.000000000 +0100
-@@ -65,6 +65,11 @@
- void OpenSSL_add_all_ciphers(void)
- 	{
- 
-+#ifdef OPENSSL_FIPS
-+	OPENSSL_init();
-+	if(!FIPS_mode()) 
-+		{
-+#endif
- #ifndef OPENSSL_NO_DES
- 	EVP_add_cipher(EVP_des_cfb());
- 	EVP_add_cipher(EVP_des_cfb1());
-@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
- 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
- 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
- #endif
-+#ifdef OPENSSL_FIPS
-+		}
-+	else
-+		{
-+#ifndef OPENSSL_NO_DES
-+	EVP_add_cipher(EVP_des_ede_cfb());
-+	EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+	EVP_add_cipher(EVP_des_ede_ofb());
-+	EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+	EVP_add_cipher(EVP_des_ede_cbc());
-+	EVP_add_cipher(EVP_des_ede3_cbc());
-+	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
-+	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
-+
-+	EVP_add_cipher(EVP_des_ede());
-+	EVP_add_cipher(EVP_des_ede3());
-+#endif
-+
-+#ifndef OPENSSL_NO_AES
-+	EVP_add_cipher(EVP_aes_128_ecb());
-+	EVP_add_cipher(EVP_aes_128_cbc());
-+	EVP_add_cipher(EVP_aes_128_cfb());
-+	EVP_add_cipher(EVP_aes_128_cfb1());
-+	EVP_add_cipher(EVP_aes_128_cfb8());
-+	EVP_add_cipher(EVP_aes_128_ofb());
-+#if 0
-+	EVP_add_cipher(EVP_aes_128_ctr());
-+#endif
-+	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
-+	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
-+	EVP_add_cipher(EVP_aes_192_ecb());
-+	EVP_add_cipher(EVP_aes_192_cbc());
-+	EVP_add_cipher(EVP_aes_192_cfb());
-+	EVP_add_cipher(EVP_aes_192_cfb1());
-+	EVP_add_cipher(EVP_aes_192_cfb8());
-+	EVP_add_cipher(EVP_aes_192_ofb());
-+#if 0
-+	EVP_add_cipher(EVP_aes_192_ctr());
-+#endif
-+	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
-+	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
-+	EVP_add_cipher(EVP_aes_256_ecb());
-+	EVP_add_cipher(EVP_aes_256_cbc());
-+	EVP_add_cipher(EVP_aes_256_cfb());
-+	EVP_add_cipher(EVP_aes_256_cfb1());
-+	EVP_add_cipher(EVP_aes_256_cfb8());
-+	EVP_add_cipher(EVP_aes_256_ofb());
-+#if 0
-+	EVP_add_cipher(EVP_aes_256_ctr());
-+#endif
-+	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
-+	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-+#endif
-+		}
-+#endif
- 
- 	PKCS12_PBE_add();
- 	PKCS5_PBE_add();
--- a/openssl-0.9.8j-kernel-fipsmode.patch
+++ b/openssl-0.9.8j-kernel-fipsmode.patch
@ -1,62 +0,0 @@
-diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c
--- openssl-0.9.8j/crypto/o_init.c.fipsmode	2008-11-05 19:36:36.000000000 +0100
-+++ openssl-0.9.8j/crypto/o_init.c	2009-01-14 17:57:39.000000000 +0100
-@@ -59,6 +59,45 @@
- #include <e_os.h>
- #include <openssl/err.h>
- 
-+#ifdef OPENSSL_FIPS
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+#include <errno.h>
-+#include <stdlib.h>
-+#include <openssl/fips.h>
-+#include <openssl/evp.h>
-+#include <openssl/rand.h>
-+
-+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+	{
-+	char buf[2] = "0";
-+	int fd;
-+	
-+	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+		{
-+		buf[0] = '1';
-+		}
-+	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
-+		{
-+		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-+		close(fd);
-+		}
-+	/* Failure reading the fips mode switch file means just not
-+	 * switching into FIPS mode. We would break too many things
-+	 * otherwise. 
-+	 */
-+	
-+	if (buf[0] == '1')
-+		{
-+		FIPS_mode_set(1);
-+		}
-+	}
-+#endif
-+
- /* Perform any essential OpenSSL initialization operations.
-  * Currently only sets FIPS callbacks
-  */
-@@ -73,11 +112,10 @@ void OPENSSL_init(void)
- #ifdef CRYPTO_MDEBUG
- 		CRYPTO_malloc_debug_init();
- #endif
-#ifdef OPENSSL_ENGINE
-+		init_fips_mode();
- 		int_EVP_MD_init_engine_callbacks();
- 		int_EVP_CIPHER_init_engine_callbacks();
- 		int_RAND_init_engine_callbacks();
-#endif
- 		done = 1;
- 		}
- #endif
--- a/openssl-0.9.8k-kernel-fipsmode.patch
+++ b/openssl-0.9.8k-kernel-fipsmode.patch
@ -0,0 +1,230 @@
+diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/engine/eng_all.c
+--- openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode	2008-06-04 20:01:39.000000000 +0200
+++ openssl-0.9.8k/crypto/engine/eng_all.c	2009-04-15 14:31:32.000000000 +0200
+@@ -58,9 +58,23 @@
+ 
+ #include "cryptlib.h"
+ #include "eng_int.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+ 
+ void ENGINE_load_builtin_engines(void)
+ 	{
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+	if (FIPS_mode()) {
+		/* We allow loading dynamic engine as a third party
+		   engine might be FIPS validated.
+		   User is disallowed to load non-validated engines
+		   by security policy. */
+		ENGINE_load_dynamic();
+		return;
+	}
+#endif
+ 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
+ 	 * it is the *only* way for standard builtin implementations to be be
+ 	 * accessed (ie. it would be possible to statically link binaries with
+diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c_allc.c
+--- openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode	2007-04-24 01:50:04.000000000 +0200
+++ openssl-0.9.8k/crypto/evp/c_allc.c	2009-03-26 15:53:42.000000000 +0100
+@@ -65,6 +65,11 @@
+ void OpenSSL_add_all_ciphers(void)
+ 	{
+ 
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+	if(!FIPS_mode()) 
+		{
+#endif
+ #ifndef OPENSSL_NO_DES
+ 	EVP_add_cipher(EVP_des_cfb());
+ 	EVP_add_cipher(EVP_des_cfb1());
+@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
+ 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
+ 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
+ #endif
+#ifdef OPENSSL_FIPS
+		}
+	else
+		{
+#ifndef OPENSSL_NO_DES
+	EVP_add_cipher(EVP_des_ede_cfb());
+	EVP_add_cipher(EVP_des_ede3_cfb());
+
+	EVP_add_cipher(EVP_des_ede_ofb());
+	EVP_add_cipher(EVP_des_ede3_ofb());
+
+	EVP_add_cipher(EVP_des_ede_cbc());
+	EVP_add_cipher(EVP_des_ede3_cbc());
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+	EVP_add_cipher(EVP_des_ede());
+	EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef OPENSSL_NO_AES
+	EVP_add_cipher(EVP_aes_128_ecb());
+	EVP_add_cipher(EVP_aes_128_cbc());
+	EVP_add_cipher(EVP_aes_128_cfb());
+	EVP_add_cipher(EVP_aes_128_cfb1());
+	EVP_add_cipher(EVP_aes_128_cfb8());
+	EVP_add_cipher(EVP_aes_128_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_128_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
+	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
+	EVP_add_cipher(EVP_aes_192_ecb());
+	EVP_add_cipher(EVP_aes_192_cbc());
+	EVP_add_cipher(EVP_aes_192_cfb());
+	EVP_add_cipher(EVP_aes_192_cfb1());
+	EVP_add_cipher(EVP_aes_192_cfb8());
+	EVP_add_cipher(EVP_aes_192_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_192_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
+	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
+	EVP_add_cipher(EVP_aes_256_ecb());
+	EVP_add_cipher(EVP_aes_256_cbc());
+	EVP_add_cipher(EVP_aes_256_cfb());
+	EVP_add_cipher(EVP_aes_256_cfb1());
+	EVP_add_cipher(EVP_aes_256_cfb8());
+	EVP_add_cipher(EVP_aes_256_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_256_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
+	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#endif
+		}
+#endif
+ 
+ 	PKCS12_PBE_add();
+ 	PKCS5_PBE_add();
+diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c_alld.c
+--- openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode	2005-04-30 23:51:40.000000000 +0200
+++ openssl-0.9.8k/crypto/evp/c_alld.c	2009-03-26 15:53:42.000000000 +0100
+@@ -64,6 +64,11 @@
+ 
+ void OpenSSL_add_all_digests(void)
+ 	{
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+	if (!FIPS_mode())
+		{
+#endif
+ #ifndef OPENSSL_NO_MD2
+ 	EVP_add_digest(EVP_md2());
+ #endif
+@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
+ 	EVP_add_digest(EVP_sha384());
+ 	EVP_add_digest(EVP_sha512());
+ #endif
+#ifdef OPENSSL_FIPS
+		}
+	else
+		{
+#ifndef OPENSSL_NO_SHA
+	EVP_add_digest(EVP_sha1());
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef OPENSSL_NO_DSA
+	EVP_add_digest(EVP_dss1());
+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+	EVP_add_digest(EVP_ecdsa());
+#endif
+#endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
+		}
+#endif
+ 	}
+diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
+--- openssl-0.9.8k/crypto/o_init.c.fipsmode	2008-11-05 19:36:36.000000000 +0100
+++ openssl-0.9.8k/crypto/o_init.c	2009-03-26 15:53:42.000000000 +0100
+@@ -59,6 +59,45 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+ 
+#ifdef OPENSSL_FIPS
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <openssl/fips.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+	{
+	char buf[2] = "0";
+	int fd;
+	
+	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+		{
+		buf[0] = '1';
+		}
+	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
+		{
+		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+		close(fd);
+		}
+	/* Failure reading the fips mode switch file means just not
+	 * switching into FIPS mode. We would break too many things
+	 * otherwise. 
+	 */
+	
+	if (buf[0] == '1')
+		{
+		FIPS_mode_set(1);
+		}
+	}
+#endif
+
+ /* Perform any essential OpenSSL initialization operations.
+  * Currently only sets FIPS callbacks
+  */
+@@ -73,11 +112,10 @@ void OPENSSL_init(void)
+ #ifdef CRYPTO_MDEBUG
+ 		CRYPTO_malloc_debug_init();
+ #endif
+-#ifdef OPENSSL_ENGINE
+		init_fips_mode();
+ 		int_EVP_MD_init_engine_callbacks();
+ 		int_EVP_CIPHER_init_engine_callbacks();
+ 		int_RAND_init_engine_callbacks();
+-#endif
+ 		done = 1;
+ 		}
+ #endif
+diff -up openssl-0.9.8k/ssl/ssl_algs.c.fipsmode openssl-0.9.8k/ssl/ssl_algs.c
+--- openssl-0.9.8k/ssl/ssl_algs.c.fipsmode	2007-04-24 01:50:21.000000000 +0200
+++ openssl-0.9.8k/ssl/ssl_algs.c	2009-04-15 14:32:13.000000000 +0200
+@@ -64,6 +64,10 @@
+ int SSL_library_init(void)
+ 	{
+ 
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+#endif
+
+ #ifndef OPENSSL_NO_DES
+ 	EVP_add_cipher(EVP_des_cbc());
+ 	EVP_add_cipher(EVP_des_ede3_cbc());
--- a/openssl-0.9.8k-multi-crl.patch
+++ b/openssl-0.9.8k-multi-crl.patch
@ -0,0 +1,90 @@
+diff -up openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8k/crypto/x509/x509_lu.c
+--- openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl	2005-05-11 05:45:35.000000000 +0200
+++ openssl-0.9.8k/crypto/x509/x509_lu.c	2009-03-26 15:47:45.000000000 +0100
+@@ -453,19 +453,41 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
+ 	return sk_X509_OBJECT_value(h, idx);
+ }
+ 
+static int x509_crl_match(const X509_CRL *a, const X509_CRL *b)
+{
+	if (a->signature == NULL || b->signature == NULL)
+		return a->signature != b->signature;
+
+	if (a->signature->length != b->signature->length)
+		return 0;
+
+	return memcmp(a->signature->data, b->signature->data, a->signature->length);
+}
+
+ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
+ {
+ 	int idx, i;
+ 	X509_OBJECT *obj;
+ 	idx = sk_X509_OBJECT_find(h, x);
+ 	if (idx == -1) return NULL;
+-	if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
+		return sk_X509_OBJECT_value(h, idx);
+ 	for (i = idx; i < sk_X509_OBJECT_num(h); i++)
+ 		{
+ 		obj = sk_X509_OBJECT_value(h, i);
+ 		if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
+ 			return NULL;
+-		if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+		if (x->type == X509_LU_X509)
+			{
+			if (!X509_cmp(obj->data.x509, x->data.x509))
+				return obj;
+			}
+		else if (x->type == X509_LU_CRL)
+			{
+			if (!x509_crl_match(obj->data.crl, x->data.crl))
+				return obj;
+			}
+		else
+ 			return obj;
+ 		}
+ 	return NULL;
+diff -up openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl openssl-0.9.8k/crypto/x509/x509_vfy.c
+--- openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl	2008-07-13 16:33:15.000000000 +0200
+++ openssl-0.9.8k/crypto/x509/x509_vfy.c	2009-03-26 15:47:45.000000000 +0100
+@@ -725,7 +725,38 @@ static int get_crl(X509_STORE_CTX *ctx, 
+ 		return 0;
+ 		}
+ 
+-	*pcrl = xobj.data.crl;
+	/* If CRL times not valid look through store */
+	if (!check_crl_time(ctx, xobj.data.crl, 0))
+		{
+		int idx, i;
+		X509_OBJECT *pobj;
+		X509_OBJECT_free_contents(&xobj);
+		idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
+							X509_LU_CRL, nm);
+		if (idx == -1)
+			return 0;
+		*pcrl = NULL;
+		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+			{
+			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+			/* Check to see if it is a CRL and issuer matches */
+			if (pobj->type != X509_LU_CRL)
+				break;
+			if (X509_NAME_cmp(nm,
+					X509_CRL_get_issuer(pobj->data.crl)))
+				break;
+			/* Set *pcrl because the CRL will either be valid or
+			 * a "best fit" CRL.
+			 */
+			*pcrl = pobj->data.crl;
+			if (check_crl_time(ctx, *pcrl, 0))
+				break;
+			}
+		if (*pcrl)
+			CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
+		}
+	else 
+		*pcrl = xobj.data.crl;
+ 	if (crl)
+ 		X509_CRL_free(crl);
+ 	return 1;
--- a/openssl.spec
+++ b/openssl.spec
@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 0.9.8k
-Release: 1%{?dist}
+Release: 2%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@ -57,14 +57,14 @@ Patch39: openssl-0.9.8g-ipv6-apps.patch
 Patch40: openssl-0.9.8j-nocanister.patch
 Patch41: openssl-0.9.8k-use-fipscheck.patch
 Patch42: openssl-0.9.8k-fipscheck-hmac.patch
-Patch43: openssl-0.9.8j-evp-nonfips.patch
-Patch44: openssl-0.9.8j-kernel-fipsmode.patch
+Patch44: openssl-0.9.8k-kernel-fipsmode.patch
 Patch45: openssl-0.9.8j-env-nozlib.patch
 Patch46: openssl-0.9.8j-eap-fast.patch
 Patch47: openssl-0.9.8j-readme-warning.patch
 Patch48: openssl-0.9.8j-bad-mime.patch
 Patch49: openssl-0.9.8j-fips-no-pairwise.patch
 Patch50: openssl-0.9.8j-fips-rng-seed.patch
+Patch51: openssl-0.9.8k-multi-crl.patch
 # Backported fixes including security fixes

 License: OpenSSL
@ -142,7 +142,6 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch40 -p1 -b .nocanister
 %patch41 -p1 -b .use-fipscheck
 %patch42 -p1 -b .fipscheck-hmac
-%patch43 -p1 -b .evp-nonfips
 %patch44 -p1 -b .fipsmode
 %patch45 -p1 -b .env-nozlib
 %patch46 -p1 -b .eap-fast
@ -150,6 +149,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch48 -p1 -b .bad-mime
 %patch49 -p1 -b .no-pairwise
 %patch50 -p1 -b .rng-seed
+%patch51 -p1 -b .multi-crl

 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@ -408,6 +408,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig

 %changelog
+* Wed Apr 15 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-2
+- add support for multiple CRLs with same subject
+- load only dynamic engine support in FIPS mode
+
 * Thu Mar 25 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-1
 - update to new upstream release (minor bug fixes, security
  fixes and machine code optimizations only)