mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
* [ptxdist] [PATCH] openssl: version bump 1.0.1h -> 1.0.1i
@ 2014-08-07 12:41 Bernhard Walle
  2014-08-08  8:32 ` Michael Olbrich
  0 siblings, 1 reply; 2+ messages in thread
From: Bernhard Walle @ 2014-08-07 12:41 UTC (permalink / raw)
  To: ptxdist; +Cc: Bernhard Walle

Fixes CVE-2014-3508.

Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
---
 patches/openssl-1.0.1h/0001-ca.patch               |  31 ----
 patches/openssl-1.0.1h/0002-debian-targets.patch   |  80 ---------
 patches/openssl-1.0.1h/0003-engines-path.patch     |  92 ----------
 patches/openssl-1.0.1h/0004-no-rpath.patch         |  24 ---
 patches/openssl-1.0.1h/0005-no-symbolic.patch      |  24 ---
 patches/openssl-1.0.1h/0006-pic.patch              | 189 ---------------------
 patches/openssl-1.0.1h/0007-valgrind.patch         |  31 ----
 patches/openssl-1.0.1h/0008-rehash-crt.patch       |  44 -----
 patches/openssl-1.0.1h/0009-shared-lib-ext.patch   |  25 ---
 patches/openssl-1.0.1h/0010-stddef.patch           |  23 ---
 patches/openssl-1.0.1h/0011-block_diginotar.patch  |  66 -------
 .../0012-block_digicert_malaysia.patch             |  30 ----
 .../0013-Change-default-bit-size-and-digest.patch  | 131 --------------
 .../openssl-1.0.1h/0014-openssl_fix_for_x32.patch  |  50 ------
 patches/openssl-1.0.1h/series                      |  17 --
 patches/openssl-1.0.1i/0001-ca.patch               |  31 ++++
 patches/openssl-1.0.1i/0002-debian-targets.patch   |  80 +++++++++
 patches/openssl-1.0.1i/0003-engines-path.patch     |  92 ++++++++++
 patches/openssl-1.0.1i/0004-no-rpath.patch         |  24 +++
 patches/openssl-1.0.1i/0005-no-symbolic.patch      |  24 +++
 patches/openssl-1.0.1i/0006-pic.patch              | 189 +++++++++++++++++++++
 patches/openssl-1.0.1i/0007-valgrind.patch         |  31 ++++
 patches/openssl-1.0.1i/0008-rehash-crt.patch       |  44 +++++
 patches/openssl-1.0.1i/0009-shared-lib-ext.patch   |  25 +++
 patches/openssl-1.0.1i/0010-stddef.patch           |  23 +++
 patches/openssl-1.0.1i/0011-block_diginotar.patch  |  66 +++++++
 .../0012-block_digicert_malaysia.patch             |  30 ++++
 .../0013-Change-default-bit-size-and-digest.patch  | 131 ++++++++++++++
 .../openssl-1.0.1i/0014-openssl_fix_for_x32.patch  |  50 ++++++
 patches/openssl-1.0.1i/series                      |  17 ++
 rules/openssl.make                                 |   4 +-
 31 files changed, 859 insertions(+), 859 deletions(-)
 delete mode 100644 patches/openssl-1.0.1h/0001-ca.patch
 delete mode 100644 patches/openssl-1.0.1h/0002-debian-targets.patch
 delete mode 100644 patches/openssl-1.0.1h/0003-engines-path.patch
 delete mode 100644 patches/openssl-1.0.1h/0004-no-rpath.patch
 delete mode 100644 patches/openssl-1.0.1h/0005-no-symbolic.patch
 delete mode 100644 patches/openssl-1.0.1h/0006-pic.patch
 delete mode 100644 patches/openssl-1.0.1h/0007-valgrind.patch
 delete mode 100644 patches/openssl-1.0.1h/0008-rehash-crt.patch
 delete mode 100644 patches/openssl-1.0.1h/0009-shared-lib-ext.patch
 delete mode 100644 patches/openssl-1.0.1h/0010-stddef.patch
 delete mode 100644 patches/openssl-1.0.1h/0011-block_diginotar.patch
 delete mode 100644 patches/openssl-1.0.1h/0012-block_digicert_malaysia.patch
 delete mode 100644 patches/openssl-1.0.1h/0013-Change-default-bit-size-and-digest.patch
 delete mode 100644 patches/openssl-1.0.1h/0014-openssl_fix_for_x32.patch
 delete mode 100644 patches/openssl-1.0.1h/series
 create mode 100644 patches/openssl-1.0.1i/0001-ca.patch
 create mode 100644 patches/openssl-1.0.1i/0002-debian-targets.patch
 create mode 100644 patches/openssl-1.0.1i/0003-engines-path.patch
 create mode 100644 patches/openssl-1.0.1i/0004-no-rpath.patch
 create mode 100644 patches/openssl-1.0.1i/0005-no-symbolic.patch
 create mode 100644 patches/openssl-1.0.1i/0006-pic.patch
 create mode 100644 patches/openssl-1.0.1i/0007-valgrind.patch
 create mode 100644 patches/openssl-1.0.1i/0008-rehash-crt.patch
 create mode 100644 patches/openssl-1.0.1i/0009-shared-lib-ext.patch
 create mode 100644 patches/openssl-1.0.1i/0010-stddef.patch
 create mode 100644 patches/openssl-1.0.1i/0011-block_diginotar.patch
 create mode 100644 patches/openssl-1.0.1i/0012-block_digicert_malaysia.patch
 create mode 100644 patches/openssl-1.0.1i/0013-Change-default-bit-size-and-digest.patch
 create mode 100644 patches/openssl-1.0.1i/0014-openssl_fix_for_x32.patch
 create mode 100644 patches/openssl-1.0.1i/series

diff --git a/patches/openssl-1.0.1h/0001-ca.patch b/patches/openssl-1.0.1h/0001-ca.patch
deleted file mode 100644
index 3a54d2a..0000000
--- a/patches/openssl-1.0.1h/0001-ca.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] ca
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- apps/CA.pl.in | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/apps/CA.pl.in b/apps/CA.pl.in
-index c783a6e..fa665b7 100644
---- a/apps/CA.pl.in
-+++ b/apps/CA.pl.in
-@@ -65,6 +65,7 @@ $RET = 0;
- foreach (@ARGV) {
- 	if ( /^(-\?|-h|-help)$/ ) {
- 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
-+	    print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
- 	    exit 0;
- 	} elsif (/^-newcert$/) {
- 	    # create a certificate
-@@ -165,6 +166,7 @@ foreach (@ARGV) {
- 	} else {
- 	    print STDERR "Unknown arg $_\n";
- 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
-+	    print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
- 	    exit 1;
- 	}
- }
diff --git a/patches/openssl-1.0.1h/0002-debian-targets.patch b/patches/openssl-1.0.1h/0002-debian-targets.patch
deleted file mode 100644
index b3191ae..0000000
--- a/patches/openssl-1.0.1h/0002-debian-targets.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] debian-targets
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Configure | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
-
-diff --git a/Configure b/Configure
-index de78469..79082df 100755
---- a/Configure
-+++ b/Configure
-@@ -105,6 +105,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
- 
- my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
- 
-+# There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
-+my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
-+$debian_cflags =~ s/\n/ /g;
-+
- my $strict_warnings = 0;
- 
- my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
-@@ -340,6 +344,53 @@ my %table=(
- "osf1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
- "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
- 
-+# Debian GNU/* (various architectures)
-+"debian-alpha","gcc:-DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-alpha-ev4","gcc:-DTERMIO ${debian_cflags} -mcpu=ev4::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-alpha-ev5","gcc:-DTERMIO ${debian_cflags} -mcpu=ev5::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-arm64","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-armel","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-armhf","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-amd64", "gcc:-m64 -DL_ENDIAN -DTERMIO ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
-+"debian-avr32", "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -fomit-frame-pointer::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-kfreebsd-amd64","gcc:-m64 -DL_ENDIAN -DTERMIOS ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-kfreebsd-i386","gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-hppa","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-hurd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -mtune=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-ia64","gcc:-DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386-i486","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386-i586","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags} -march=i586::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-i386-i686/cmov","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags} -march=i686::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-m68k","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mips",   "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mipsel",   "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mipsn32",   "mips64-linux-gnuabin32-gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mipsn32el",   "mips64el-linux-gnuabin32-gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mips64",   "mips64-linux-gnuabi64-gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-mips64el",   "mips64el-linux-gnuabi64-gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-netbsd-i386",	"gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-netbsd-m68k",	"gcc:-DB_ENDIAN -DTERMIOS ${debian_cflags}::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-netbsd-sparc",	"gcc:-DB_ENDIAN -DTERMIOS ${debian_cflags} -mv8::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-openbsd-alpha","gcc:-DTERMIOS ${debian_cflags}::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-openbsd-i386",  "gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-openbsd-mips","gcc:-DL_ENDIAN ${debian_cflags}::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-powerpc","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-s390","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
-+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh3",   "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh4",   "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh3eb",   "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sh4eb",   "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-m32r","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v8 -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v9 -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags} -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-x32","gcc:-mx32 -DL_ENDIAN -DTERMIO ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
-+
- ####
- #### Variety of LINUX:-)
- ####
diff --git a/patches/openssl-1.0.1h/0003-engines-path.patch b/patches/openssl-1.0.1h/0003-engines-path.patch
deleted file mode 100644
index 412247b..0000000
--- a/patches/openssl-1.0.1h/0003-engines-path.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] engines-path
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Configure               |  2 +-
- Makefile.org            |  2 +-
- engines/Makefile        | 10 +++++-----
- engines/ccgost/Makefile |  6 +++---
- 4 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/Configure b/Configure
-index 79082df..c676835 100755
---- a/Configure
-+++ b/Configure
-@@ -1855,7 +1855,7 @@ while (<IN>)
- 		}
- 	elsif	(/^#define\s+ENGINESDIR/)
- 		{
--		my $foo = "$prefix/$libdir/engines";
-+		my $foo = "$prefix/$libdir/openssl-1.0.0/engines";
- 		$foo =~ s/\\/\\\\/g;
- 		print OUT "#define ENGINESDIR \"$foo\"\n";
- 		}
-diff --git a/Makefile.org b/Makefile.org
-index c92806f..5117a0e 100644
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -543,7 +543,7 @@ install: all install_docs install_sw
- install_sw:
- 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
--		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
- 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-diff --git a/engines/Makefile b/engines/Makefile
-index 2fa9534..58e0281 100644
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -107,7 +107,7 @@ install:
- 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
- 	@if [ -n "$(SHARED_LIBS)" ]; then \
- 		set -e; \
--		$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines; \
-+		$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines; \
- 		for l in $(LIBNAMES); do \
- 			( echo installing $$l; \
- 			  pfx=lib; \
-@@ -119,13 +119,13 @@ install:
- 				*DSO_WIN32*)	sfx="eay32.dll"; pfx=;;	\
- 				*)		sfx=".bad";;	\
- 				esac; \
--				cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
-+				cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
- 			  else \
- 				sfx=".so"; \
--				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
-+				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
- 			  fi; \
--			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
--			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
-+			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
-+			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx ); \
- 		done; \
- 	fi
- 	@target=install; $(RECURSIVE_MAKE)
-diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile
-index d661c10..3e593b1 100644
---- a/engines/ccgost/Makefile
-+++ b/engines/ccgost/Makefile
-@@ -53,13 +53,13 @@ install:
- 			*DSO_WIN32*) sfx="eay32.dll"; pfx=;; \
- 			*) sfx=".bad";; \
- 			esac; \
--			cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
-+			cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new; \
- 		else \
- 			sfx=".so"; \
- 			cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
- 		fi; \
--		chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
--		mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx; \
-+		chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new; \
-+		mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx; \
- 	fi
- 
- links:
diff --git a/patches/openssl-1.0.1h/0004-no-rpath.patch b/patches/openssl-1.0.1h/0004-no-rpath.patch
deleted file mode 100644
index 8c9fbc1..0000000
--- a/patches/openssl-1.0.1h/0004-no-rpath.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] no-rpath
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Makefile.shared | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile.shared b/Makefile.shared
-index e753f44..6e3f886 100644
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
- 
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
- 
- #This is rather special.  It's a special target with which one can link
- #applications without bothering with any features that have anything to
diff --git a/patches/openssl-1.0.1h/0005-no-symbolic.patch b/patches/openssl-1.0.1h/0005-no-symbolic.patch
deleted file mode 100644
index 7fa7213..0000000
--- a/patches/openssl-1.0.1h/0005-no-symbolic.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] no-symbolic
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Makefile.shared | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile.shared b/Makefile.shared
-index 6e3f886..44e3d9c 100644
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- 	SHLIB_SUFFIX=; \
- 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
- 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
--	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
- 
- DO_GNU_APP=LDFLAGS="$(CFLAGS)"
- 
diff --git a/patches/openssl-1.0.1h/0006-pic.patch b/patches/openssl-1.0.1h/0006-pic.patch
deleted file mode 100644
index d2494e1..0000000
--- a/patches/openssl-1.0.1h/0006-pic.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] pic
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/des/asm/desboth.pl | 17 ++++++++++++++---
- crypto/perlasm/cbc.pl     | 24 ++++++++++++++++++++----
- crypto/perlasm/x86gas.pl  | 16 ++++++++++++++++
- crypto/x86cpuid.pl        | 10 +++++-----
- 4 files changed, 55 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl
-index eec0088..ab6f524 100644
---- a/crypto/des/asm/desboth.pl
-+++ b/crypto/des/asm/desboth.pl
-@@ -16,6 +16,11 @@ sub DES_encrypt3
- 
- 	&push("edi");
- 
-+	&call   (&label("pic_point0"));
-+	&set_label("pic_point0");
-+	&blindpop("ebp");
-+	&add    ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
-+
- 	&comment("");
- 	&comment("Load the data words");
- 	&mov($L,&DWP(0,"ebx","",0));
-@@ -47,15 +52,21 @@ sub DES_encrypt3
- 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
- 	&mov(&swtmp(1),	"eax");
- 	&mov(&swtmp(0),	"ebx");
--	&call("DES_encrypt2");
-+	&exch("ebx", "ebp");
-+	&call("DES_encrypt2\@PLT");
-+	&exch("ebx", "ebp");
- 	&mov(&swtmp(2),	(DWC(($enc)?"0":"1")));
- 	&mov(&swtmp(1),	"edi");
- 	&mov(&swtmp(0),	"ebx");
--	&call("DES_encrypt2");
-+	&exch("ebx", "ebp");
-+	&call("DES_encrypt2\@PLT");
-+	&exch("ebx", "ebp");
- 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
- 	&mov(&swtmp(1),	"esi");
- 	&mov(&swtmp(0),	"ebx");
--	&call("DES_encrypt2");
-+	&exch("ebx", "ebp");
-+	&call("DES_encrypt2\@PLT");
-+	&exch("ebx", "ebp");
- 
- 	&stack_pop(3);
- 	&mov($L,&DWP(0,"ebx","",0));
-diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
-index 24561e7..269fb0b 100644
---- a/crypto/perlasm/cbc.pl
-+++ b/crypto/perlasm/cbc.pl
-@@ -122,7 +122,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($enc_func);
-+	&call	(&label("pic_point0"));
-+	&set_label("pic_point0");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
-+	&call("$enc_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
-@@ -185,7 +189,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($enc_func);
-+	&call	(&label("pic_point1"));
-+	&set_label("pic_point1");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
-+	&call("$enc_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
-@@ -218,7 +226,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($dec_func);
-+	&call	(&label("pic_point2"));
-+	&set_label("pic_point2");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
-+	&call("$dec_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
-@@ -261,7 +273,11 @@ sub cbc
- 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
- 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
- 
--	&call($dec_func);
-+	&call	(&label("pic_point3"));
-+	&set_label("pic_point3");
-+	&blindpop("ebx");
-+	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
-+	&call("$dec_func\@PLT");
- 
- 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
- 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
-diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
-index 682a3a3..9d4662c 100644
---- a/crypto/perlasm/x86gas.pl
-+++ b/crypto/perlasm/x86gas.pl
-@@ -161,6 +161,7 @@ sub ::file_end
- 	if ($::macosx)	{ push (@out,"$tmp,2\n"); }
- 	elsif ($::elf)	{ push (@out,"$tmp,4\n"); }
- 	else		{ push (@out,"$tmp\n"); }
-+	if ($::elf)	{ push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
-     }
-     push(@out,$initseg) if ($initseg);
- }
-@@ -218,8 +219,23 @@ ___
-     elsif ($::elf)
-     {	$initseg.=<<___;
- .section	.init
-+___
-+        if ($::pic)
-+	{   $initseg.=<<___;
-+	pushl	%ebx
-+	call	.pic_point0
-+.pic_point0:
-+	popl	%ebx
-+	addl	\$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
-+	call	$f\@PLT
-+	popl	%ebx
-+___
-+	}
-+	else
-+	{   $initseg.=<<___;
- 	call	$f
- ___
-+	}
-     }
-     elsif ($::coff)
-     {   $initseg.=<<___;	# applies to both Cygwin and Mingw
-diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
-index b270b44..c01ba83 100644
---- a/crypto/x86cpuid.pl
-+++ b/crypto/x86cpuid.pl
-@@ -8,6 +8,8 @@ require "x86asm.pl";
- 
- for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- 
-+push(@out, ".hidden OPENSSL_ia32cap_P\n");
-+
- &function_begin("OPENSSL_ia32_cpuid");
- 	&xor	("edx","edx");
- 	&pushf	();
-@@ -141,9 +143,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- &set_label("nocpuid");
- &function_end("OPENSSL_ia32_cpuid");
- 
--&external_label("OPENSSL_ia32cap_P");
--
--&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
-+&function_begin_B("OPENSSL_rdtsc");
- 	&xor	("eax","eax");
- 	&xor	("edx","edx");
- 	&picmeup("ecx","OPENSSL_ia32cap_P");
-@@ -157,7 +157,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
- # but it's safe to call it on any [supported] 32-bit platform...
- # Just check for [non-]zero return value...
--&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
-+&function_begin_B("OPENSSL_instrument_halt");
- 	&picmeup("ecx","OPENSSL_ia32cap_P");
- 	&bt	(&DWP(0,"ecx"),4);
- 	&jnc	(&label("nohalt"));	# no TSC
-@@ -224,7 +224,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- 	&ret	();
- &function_end_B("OPENSSL_far_spin");
- 
--&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
-+&function_begin_B("OPENSSL_wipe_cpu");
- 	&xor	("eax","eax");
- 	&xor	("edx","edx");
- 	&picmeup("ecx","OPENSSL_ia32cap_P");
diff --git a/patches/openssl-1.0.1h/0007-valgrind.patch b/patches/openssl-1.0.1h/0007-valgrind.patch
deleted file mode 100644
index d3fbd12..0000000
--- a/patches/openssl-1.0.1h/0007-valgrind.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] valgrind
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/rand/md_rand.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
-index aee1c30..1caf69c 100644
---- a/crypto/rand/md_rand.c
-+++ b/crypto/rand/md_rand.c
-@@ -488,6 +488,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
- 		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
- 
- #ifndef PURIFY /* purify complains */
-+#if 0
- 		/* The following line uses the supplied buffer as a small
- 		 * source of entropy: since this buffer is often uninitialised
- 		 * it may cause programs such as purify or valgrind to
-@@ -497,6 +498,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
- 		 */
- 		MD_Update(&m,buf,j);
- #endif
-+#endif
- 
- 		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
- 		if (k > 0)
diff --git a/patches/openssl-1.0.1h/0008-rehash-crt.patch b/patches/openssl-1.0.1h/0008-rehash-crt.patch
deleted file mode 100644
index c06898f..0000000
--- a/patches/openssl-1.0.1h/0008-rehash-crt.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] rehash-crt
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- tools/c_rehash.in | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index bfc4a69..4958e3d 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -75,12 +75,15 @@ sub hash_dir {
- 		}
- 	}
- 	closedir DIR;
--	FILE: foreach $fname (grep {/\.pem$/} @flist) {
-+	FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
- 		# Check to see if certificates and/or CRLs present.
- 		my ($cert, $crl) = check_file($fname);
- 		if(!$cert && !$crl) {
--			print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
--			next;
-+			($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der  -outform pem | ");
-+			if(!$cert && !$crl) {
-+				print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-+				next;
-+			}
- 		}
- 		link_hash_cert($fname) if($cert);
- 		link_hash_crl($fname) if($crl);
-@@ -153,6 +156,9 @@ sub link_hash_crl {
- 		my $fname = $_[0];
- 		$fname =~ s/'/'\\''/g;
- 		my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
-+		if(!$hash || !fprint) {
-+			($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`;
-+		}
- 		chomp $hash;
- 		chomp $fprint;
- 		$fprint =~ s/^.*=//;
diff --git a/patches/openssl-1.0.1h/0009-shared-lib-ext.patch b/patches/openssl-1.0.1h/0009-shared-lib-ext.patch
deleted file mode 100644
index d7da2a3..0000000
--- a/patches/openssl-1.0.1h/0009-shared-lib-ext.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] shared-lib-ext
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- Configure | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/Configure b/Configure
-index c676835..7571db1 100755
---- a/Configure
-+++ b/Configure
-@@ -1725,7 +1725,8 @@ while (<IN>)
- 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- 		{
- 		my $sotmp = $1;
--		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+#		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
- 		}
- 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- 		{
diff --git a/patches/openssl-1.0.1h/0010-stddef.patch b/patches/openssl-1.0.1h/0010-stddef.patch
deleted file mode 100644
index e0034c2..0000000
--- a/patches/openssl-1.0.1h/0010-stddef.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] stddef
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/sha/sha.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h
-index 8a6bf4b..734b40a 100644
---- a/crypto/sha/sha.h
-+++ b/crypto/sha/sha.h
-@@ -59,6 +59,7 @@
- #ifndef HEADER_SHA_H
- #define HEADER_SHA_H
- 
-+#include <stddef.h>
- #include <openssl/e_os2.h>
- #include <stddef.h>
- 
diff --git a/patches/openssl-1.0.1h/0011-block_diginotar.patch b/patches/openssl-1.0.1h/0011-block_diginotar.patch
deleted file mode 100644
index 3af0669..0000000
--- a/patches/openssl-1.0.1h/0011-block_diginotar.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Raphael Geissert <geissert@debian.org>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] block_diginotar
-
-This is not meant as final patch.
-
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/x509/x509_vfy.c | 27 +++++++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 920066a..5b1a0aa 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -117,6 +117,7 @@ static int check_trust(X509_STORE_CTX *ctx);
- static int check_revocation(X509_STORE_CTX *ctx);
- static int check_cert(X509_STORE_CTX *ctx);
- static int check_policy(X509_STORE_CTX *ctx);
-+static int check_ca_blacklist(X509_STORE_CTX *ctx);
- 
- static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
- 			unsigned int *preasons,
-@@ -369,6 +370,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
- 		ok=internal_verify(ctx);
- 	if(!ok) goto end;
- 
-+	ok = check_ca_blacklist(ctx);
-+	if(!ok) goto end;
-+
- #ifndef OPENSSL_NO_RFC3779
- 	/* RFC 3779 path validation, now that CRL check has been done */
- 	ok = v3_asid_validate_path(ctx);
-@@ -827,6 +831,29 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
- 	return 1;
- 	}
- 
-+static int check_ca_blacklist(X509_STORE_CTX *ctx)
-+	{
-+	X509 *x;
-+	int i;
-+	/* Check all certificates against the blacklist */
-+	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
-+		{
-+		x = sk_X509_value(ctx->chain, i);
-+		/* Mark DigiNotar certificates as revoked, no matter
-+		 * where in the chain they are.
-+		 */
-+		if (x->name && strstr(x->name, "DigiNotar"))
-+			{
-+			ctx->error = X509_V_ERR_CERT_REVOKED;
-+			ctx->error_depth = i;
-+			ctx->current_cert = x;
-+			if (!ctx->verify_cb(0,ctx))
-+				return 0;
-+			}
-+		}
-+	return 1;
-+	}
-+
- static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
- 			X509 **pissuer, int *pscore, unsigned int *preasons,
- 			STACK_OF(X509_CRL) *crls)
diff --git a/patches/openssl-1.0.1h/0012-block_digicert_malaysia.patch b/patches/openssl-1.0.1h/0012-block_digicert_malaysia.patch
deleted file mode 100644
index e1457a8..0000000
--- a/patches/openssl-1.0.1h/0012-block_digicert_malaysia.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Raphael Geissert <geissert@debian.org>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] block_digicert_malaysia
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/x509/x509_vfy.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 5b1a0aa..696f8d6 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -839,10 +839,11 @@ static int check_ca_blacklist(X509_STORE_CTX *ctx)
- 	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
- 		{
- 		x = sk_X509_value(ctx->chain, i);
--		/* Mark DigiNotar certificates as revoked, no matter
--		 * where in the chain they are.
-+		/* Mark certificates containing the following names as
-+		 * revoked, no matter where in the chain they are.
- 		 */
--		if (x->name && strstr(x->name, "DigiNotar"))
-+		if (x->name && (strstr(x->name, "DigiNotar") ||
-+			strstr(x->name, "Digicert Sdn. Bhd.")))
- 			{
- 			ctx->error = X509_V_ERR_CERT_REVOKED;
- 			ctx->error_depth = i;
diff --git a/patches/openssl-1.0.1h/0013-Change-default-bit-size-and-digest.patch b/patches/openssl-1.0.1h/0013-Change-default-bit-size-and-digest.patch
deleted file mode 100644
index 02761e3..0000000
--- a/patches/openssl-1.0.1h/0013-Change-default-bit-size-and-digest.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From: Kurt Roeckx <kurt@roeckx.be>
-Date: Fri, 1 Nov 2013 20:47:14 +0100
-Subject: [PATCH] Change default bit size and digest
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- apps/dhparam.c         | 4 ++--
- apps/gendh.c           | 2 +-
- apps/genrsa.c          | 2 +-
- apps/openssl.cnf       | 2 +-
- crypto/dsa/dsa_ameth.c | 2 +-
- crypto/ec/ec_ameth.c   | 2 +-
- crypto/hmac/hm_ameth.c | 2 +-
- crypto/rsa/rsa_ameth.c | 2 +-
- 8 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/apps/dhparam.c b/apps/dhparam.c
-index 1297d6f..b0c05be 100644
---- a/apps/dhparam.c
-+++ b/apps/dhparam.c
-@@ -130,7 +130,7 @@
- #undef PROG
- #define PROG	dhparam_main
- 
--#define DEFBITS	512
-+#define DEFBITS	2048
- 
- /* -inform arg	- input format - default PEM (DER or PEM)
-  * -outform arg - output format - default PEM
-@@ -253,7 +253,7 @@ bad:
- 		BIO_printf(bio_err," -C            Output C code\n");
- 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
- 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
--		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
-+		BIO_printf(bio_err," numbits       number of bits in to generate (default 2048)\n");
- #ifndef OPENSSL_NO_ENGINE
- 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
- #endif
-diff --git a/apps/gendh.c b/apps/gendh.c
-index 4ec776b..8df8c62 100644
---- a/apps/gendh.c
-+++ b/apps/gendh.c
-@@ -78,7 +78,7 @@
- #include <openssl/x509.h>
- #include <openssl/pem.h>
- 
--#define DEFBITS	512
-+#define DEFBITS	2048
- #undef PROG
- #define PROG gendh_main
- 
-diff --git a/apps/genrsa.c b/apps/genrsa.c
-index ece114c..7a8c6c5 100644
---- a/apps/genrsa.c
-+++ b/apps/genrsa.c
-@@ -78,7 +78,7 @@
- #include <openssl/pem.h>
- #include <openssl/rand.h>
- 
--#define DEFBITS	1024
-+#define DEFBITS	2048
- #undef PROG
- #define PROG genrsa_main
- 
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 18760c6..1eb86c4 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -103,7 +103,7 @@ emailAddress		= optional
- 
- ####################################################################
- [ req ]
--default_bits		= 1024
-+default_bits		= 2048
- default_keyfile 	= privkey.pem
- distinguished_name	= req_distinguished_name
- attributes		= req_attributes
-diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
-index 376156e..13318d7 100644
---- a/crypto/dsa/dsa_ameth.c
-+++ b/crypto/dsa/dsa_ameth.c
-@@ -628,7 +628,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
- #endif
- 
- 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
--		*(int *)arg2 = NID_sha1;
-+		*(int *)arg2 = NID_sha256;
- 		return 2;
- 
- 		default:
-diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
-index 0ce4524..a04ac98 100644
---- a/crypto/ec/ec_ameth.c
-+++ b/crypto/ec/ec_ameth.c
-@@ -615,7 +615,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
- #endif
- 
- 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
--		*(int *)arg2 = NID_sha1;
-+		*(int *)arg2 = NID_sha256;
- 		return 2;
- 
- 		default:
-diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
-index e03f24a..9fe6505 100644
---- a/crypto/hmac/hm_ameth.c
-+++ b/crypto/hmac/hm_ameth.c
-@@ -89,7 +89,7 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
- 	switch (op)
- 		{
- 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
--		*(int *)arg2 = NID_sha1;
-+		*(int *)arg2 = NID_sha256;
- 		return 1;
- 
- 		default:
-diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
-index 5a2062f..47fe535 100644
---- a/crypto/rsa/rsa_ameth.c
-+++ b/crypto/rsa/rsa_ameth.c
-@@ -435,7 +435,7 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
- #endif
- 
- 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
--		*(int *)arg2 = NID_sha1;
-+		*(int *)arg2 = NID_sha256;
- 		return 1;
- 
- 		default:
diff --git a/patches/openssl-1.0.1h/0014-openssl_fix_for_x32.patch b/patches/openssl-1.0.1h/0014-openssl_fix_for_x32.patch
deleted file mode 100644
index 36bfa49..0000000
--- a/patches/openssl-1.0.1h/0014-openssl_fix_for_x32.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Tue, 8 Apr 2014 07:48:47 +0200
-Subject: [PATCH] openssl_fix_for_x32
-
-Imported from openssl_1.0.1g-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- crypto/bn/asm/x86_64-gcc.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
-index acb0b40..acd76ce 100644
---- a/crypto/bn/asm/x86_64-gcc.c
-+++ b/crypto/bn/asm/x86_64-gcc.c
-@@ -55,7 +55,7 @@
-  *    machine.
-  */
- 
--#ifdef _WIN64
-+#if defined _WIN64 || !defined __LP64__
- #define BN_ULONG unsigned long long
- #else
- #define BN_ULONG unsigned long
-@@ -192,9 +192,9 @@ BN_ULONG bn_add_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
- 	asm (
- 	"	subq	%2,%2		\n"
- 	".p2align 4			\n"
--	"1:	movq	(%4,%2,8),%0	\n"
--	"	adcq	(%5,%2,8),%0	\n"
--	"	movq	%0,(%3,%2,8)	\n"
-+	"1:	movq	(%q4,%2,8),%0	\n"
-+	"	adcq	(%q5,%2,8),%0	\n"
-+	"	movq	%0,(%q3,%2,8)	\n"
- 	"	leaq	1(%2),%2	\n"
- 	"	loop	1b		\n"
- 	"	sbbq	%0,%0		\n"
-@@ -215,9 +215,9 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
- 	asm (
- 	"	subq	%2,%2		\n"
- 	".p2align 4			\n"
--	"1:	movq	(%4,%2,8),%0	\n"
--	"	sbbq	(%5,%2,8),%0	\n"
--	"	movq	%0,(%3,%2,8)	\n"
-+	"1:	movq	(%q4,%2,8),%0	\n"
-+	"	sbbq	(%q5,%2,8),%0	\n"
-+	"	movq	%0,(%q3,%2,8)	\n"
- 	"	leaq	1(%2),%2	\n"
- 	"	loop	1b		\n"
- 	"	sbbq	%0,%0		\n"
diff --git a/patches/openssl-1.0.1h/series b/patches/openssl-1.0.1h/series
deleted file mode 100644
index f55bace..0000000
--- a/patches/openssl-1.0.1h/series
+++ /dev/null
@@ -1,17 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-ca.patch
-0002-debian-targets.patch
-0003-engines-path.patch
-0004-no-rpath.patch
-0005-no-symbolic.patch
-0006-pic.patch
-0007-valgrind.patch
-0008-rehash-crt.patch
-0009-shared-lib-ext.patch
-0010-stddef.patch
-0011-block_diginotar.patch
-0012-block_digicert_malaysia.patch
-0013-Change-default-bit-size-and-digest.patch
-0014-openssl_fix_for_x32.patch
-# dd4d5e6590bf4d0a9b21935c6ca13a38  - git-ptx-patches magic
diff --git a/patches/openssl-1.0.1i/0001-ca.patch b/patches/openssl-1.0.1i/0001-ca.patch
new file mode 100644
index 0000000..3a54d2a
--- /dev/null
+++ b/patches/openssl-1.0.1i/0001-ca.patch
@@ -0,0 +1,31 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] ca
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ apps/CA.pl.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/apps/CA.pl.in b/apps/CA.pl.in
+index c783a6e..fa665b7 100644
+--- a/apps/CA.pl.in
++++ b/apps/CA.pl.in
+@@ -65,6 +65,7 @@ $RET = 0;
+ foreach (@ARGV) {
+ 	if ( /^(-\?|-h|-help)$/ ) {
+ 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
++	    print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
+ 	    exit 0;
+ 	} elsif (/^-newcert$/) {
+ 	    # create a certificate
+@@ -165,6 +166,7 @@ foreach (@ARGV) {
+ 	} else {
+ 	    print STDERR "Unknown arg $_\n";
+ 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
++	    print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
+ 	    exit 1;
+ 	}
+ }
diff --git a/patches/openssl-1.0.1i/0002-debian-targets.patch b/patches/openssl-1.0.1i/0002-debian-targets.patch
new file mode 100644
index 0000000..b3191ae
--- /dev/null
+++ b/patches/openssl-1.0.1i/0002-debian-targets.patch
@@ -0,0 +1,80 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] debian-targets
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configure | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/Configure b/Configure
+index de78469..79082df 100755
+--- a/Configure
++++ b/Configure
+@@ -105,6 +105,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
+ 
+ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
+ 
++# There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
++my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
++$debian_cflags =~ s/\n/ /g;
++
+ my $strict_warnings = 0;
+ 
+ my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
+@@ -340,6 +344,53 @@ my %table=(
+ "osf1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
+ "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
+ 
++# Debian GNU/* (various architectures)
++"debian-alpha","gcc:-DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-alpha-ev4","gcc:-DTERMIO ${debian_cflags} -mcpu=ev4::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-alpha-ev5","gcc:-DTERMIO ${debian_cflags} -mcpu=ev5::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-arm64","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-armel","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-armhf","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-amd64", "gcc:-m64 -DL_ENDIAN -DTERMIO ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
++"debian-avr32", "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -fomit-frame-pointer::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-kfreebsd-amd64","gcc:-m64 -DL_ENDIAN -DTERMIOS ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-kfreebsd-i386","gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-hppa","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-hurd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -mtune=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ia64","gcc:-DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i486","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i586","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags} -march=i586::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i686/cmov","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags} -march=i686::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-m68k","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips",   "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsel",   "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsn32",   "mips64-linux-gnuabin32-gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsn32el",   "mips64el-linux-gnuabin32-gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips64",   "mips64-linux-gnuabi64-gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips64el",   "mips64el-linux-gnuabi64-gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-i386",	"gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-m68k",	"gcc:-DB_ENDIAN -DTERMIOS ${debian_cflags}::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-sparc",	"gcc:-DB_ENDIAN -DTERMIOS ${debian_cflags} -mv8::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-alpha","gcc:-DTERMIOS ${debian_cflags}::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-i386",  "gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-mips","gcc:-DL_ENDIAN ${debian_cflags}::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-powerpc","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-s390","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
++"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh3",   "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh4",   "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh3eb",   "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh4eb",   "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-m32r","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v8 -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v9 -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags} -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-x32","gcc:-mx32 -DL_ENDIAN -DTERMIO ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
++
+ ####
+ #### Variety of LINUX:-)
+ ####
diff --git a/patches/openssl-1.0.1i/0003-engines-path.patch b/patches/openssl-1.0.1i/0003-engines-path.patch
new file mode 100644
index 0000000..412247b
--- /dev/null
+++ b/patches/openssl-1.0.1i/0003-engines-path.patch
@@ -0,0 +1,92 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] engines-path
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configure               |  2 +-
+ Makefile.org            |  2 +-
+ engines/Makefile        | 10 +++++-----
+ engines/ccgost/Makefile |  6 +++---
+ 4 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/Configure b/Configure
+index 79082df..c676835 100755
+--- a/Configure
++++ b/Configure
+@@ -1855,7 +1855,7 @@ while (<IN>)
+ 		}
+ 	elsif	(/^#define\s+ENGINESDIR/)
+ 		{
+-		my $foo = "$prefix/$libdir/engines";
++		my $foo = "$prefix/$libdir/openssl-1.0.0/engines";
+ 		$foo =~ s/\\/\\\\/g;
+ 		print OUT "#define ENGINESDIR \"$foo\"\n";
+ 		}
+diff --git a/Makefile.org b/Makefile.org
+index c92806f..5117a0e 100644
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -543,7 +543,7 @@ install: all install_docs install_sw
+ install_sw:
+ 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+ 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
++		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines \
+ 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
+ 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
+ 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+diff --git a/engines/Makefile b/engines/Makefile
+index 2fa9534..58e0281 100644
+--- a/engines/Makefile
++++ b/engines/Makefile
+@@ -107,7 +107,7 @@ install:
+ 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+ 	@if [ -n "$(SHARED_LIBS)" ]; then \
+ 		set -e; \
+-		$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines; \
++		$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines; \
+ 		for l in $(LIBNAMES); do \
+ 			( echo installing $$l; \
+ 			  pfx=lib; \
+@@ -119,13 +119,13 @@ install:
+ 				*DSO_WIN32*)	sfx="eay32.dll"; pfx=;;	\
+ 				*)		sfx=".bad";;	\
+ 				esac; \
+-				cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++				cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
+ 			  else \
+ 				sfx=".so"; \
+-				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
+ 			  fi; \
+-			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+-			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
++			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
++			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx ); \
+ 		done; \
+ 	fi
+ 	@target=install; $(RECURSIVE_MAKE)
+diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile
+index d661c10..3e593b1 100644
+--- a/engines/ccgost/Makefile
++++ b/engines/ccgost/Makefile
+@@ -53,13 +53,13 @@ install:
+ 			*DSO_WIN32*) sfx="eay32.dll"; pfx=;; \
+ 			*) sfx=".bad";; \
+ 			esac; \
+-			cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++			cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new; \
+ 		else \
+ 			sfx=".so"; \
+ 			cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
+ 		fi; \
+-		chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
+-		mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx; \
++		chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++		mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx; \
+ 	fi
+ 
+ links:
diff --git a/patches/openssl-1.0.1i/0004-no-rpath.patch b/patches/openssl-1.0.1i/0004-no-rpath.patch
new file mode 100644
index 0000000..8c9fbc1
--- /dev/null
+++ b/patches/openssl-1.0.1i/0004-no-rpath.patch
@@ -0,0 +1,24 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] no-rpath
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Makefile.shared | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.shared b/Makefile.shared
+index e753f44..6e3f886 100644
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+ 
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+ 
+ #This is rather special.  It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/patches/openssl-1.0.1i/0005-no-symbolic.patch b/patches/openssl-1.0.1i/0005-no-symbolic.patch
new file mode 100644
index 0000000..7fa7213
--- /dev/null
+++ b/patches/openssl-1.0.1i/0005-no-symbolic.patch
@@ -0,0 +1,24 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] no-symbolic
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Makefile.shared | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.shared b/Makefile.shared
+index 6e3f886..44e3d9c 100644
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ 	SHLIB_SUFFIX=; \
+ 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+ 
+ DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+ 
diff --git a/patches/openssl-1.0.1i/0006-pic.patch b/patches/openssl-1.0.1i/0006-pic.patch
new file mode 100644
index 0000000..d2494e1
--- /dev/null
+++ b/patches/openssl-1.0.1i/0006-pic.patch
@@ -0,0 +1,189 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] pic
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/des/asm/desboth.pl | 17 ++++++++++++++---
+ crypto/perlasm/cbc.pl     | 24 ++++++++++++++++++++----
+ crypto/perlasm/x86gas.pl  | 16 ++++++++++++++++
+ crypto/x86cpuid.pl        | 10 +++++-----
+ 4 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl
+index eec0088..ab6f524 100644
+--- a/crypto/des/asm/desboth.pl
++++ b/crypto/des/asm/desboth.pl
+@@ -16,6 +16,11 @@ sub DES_encrypt3
+ 
+ 	&push("edi");
+ 
++	&call   (&label("pic_point0"));
++	&set_label("pic_point0");
++	&blindpop("ebp");
++	&add    ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++
+ 	&comment("");
+ 	&comment("Load the data words");
+ 	&mov($L,&DWP(0,"ebx","",0));
+@@ -47,15 +52,21 @@ sub DES_encrypt3
+ 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
+ 	&mov(&swtmp(1),	"eax");
+ 	&mov(&swtmp(0),	"ebx");
+-	&call("DES_encrypt2");
++	&exch("ebx", "ebp");
++	&call("DES_encrypt2\@PLT");
++	&exch("ebx", "ebp");
+ 	&mov(&swtmp(2),	(DWC(($enc)?"0":"1")));
+ 	&mov(&swtmp(1),	"edi");
+ 	&mov(&swtmp(0),	"ebx");
+-	&call("DES_encrypt2");
++	&exch("ebx", "ebp");
++	&call("DES_encrypt2\@PLT");
++	&exch("ebx", "ebp");
+ 	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
+ 	&mov(&swtmp(1),	"esi");
+ 	&mov(&swtmp(0),	"ebx");
+-	&call("DES_encrypt2");
++	&exch("ebx", "ebp");
++	&call("DES_encrypt2\@PLT");
++	&exch("ebx", "ebp");
+ 
+ 	&stack_pop(3);
+ 	&mov($L,&DWP(0,"ebx","",0));
+diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
+index 24561e7..269fb0b 100644
+--- a/crypto/perlasm/cbc.pl
++++ b/crypto/perlasm/cbc.pl
+@@ -122,7 +122,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($enc_func);
++	&call	(&label("pic_point0"));
++	&set_label("pic_point0");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++	&call("$enc_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
+@@ -185,7 +189,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($enc_func);
++	&call	(&label("pic_point1"));
++	&set_label("pic_point1");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
++	&call("$enc_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));
+@@ -218,7 +226,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($dec_func);
++	&call	(&label("pic_point2"));
++	&set_label("pic_point2");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
++	&call("$dec_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
+@@ -261,7 +273,11 @@ sub cbc
+ 	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
+ 	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+ 
+-	&call($dec_func);
++	&call	(&label("pic_point3"));
++	&set_label("pic_point3");
++	&blindpop("ebx");
++	&add	("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
++	&call("$dec_func\@PLT");
+ 
+ 	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
+ 	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
+diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
+index 682a3a3..9d4662c 100644
+--- a/crypto/perlasm/x86gas.pl
++++ b/crypto/perlasm/x86gas.pl
+@@ -161,6 +161,7 @@ sub ::file_end
+ 	if ($::macosx)	{ push (@out,"$tmp,2\n"); }
+ 	elsif ($::elf)	{ push (@out,"$tmp,4\n"); }
+ 	else		{ push (@out,"$tmp\n"); }
++	if ($::elf)	{ push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
+     }
+     push(@out,$initseg) if ($initseg);
+ }
+@@ -218,8 +219,23 @@ ___
+     elsif ($::elf)
+     {	$initseg.=<<___;
+ .section	.init
++___
++        if ($::pic)
++	{   $initseg.=<<___;
++	pushl	%ebx
++	call	.pic_point0
++.pic_point0:
++	popl	%ebx
++	addl	\$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
++	call	$f\@PLT
++	popl	%ebx
++___
++	}
++	else
++	{   $initseg.=<<___;
+ 	call	$f
+ ___
++	}
+     }
+     elsif ($::coff)
+     {   $initseg.=<<___;	# applies to both Cygwin and Mingw
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index b270b44..c01ba83 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -8,6 +8,8 @@ require "x86asm.pl";
+ 
+ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ 
++push(@out, ".hidden OPENSSL_ia32cap_P\n");
++
+ &function_begin("OPENSSL_ia32_cpuid");
+ 	&xor	("edx","edx");
+ 	&pushf	();
+@@ -141,9 +143,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &set_label("nocpuid");
+ &function_end("OPENSSL_ia32_cpuid");
+ 
+-&external_label("OPENSSL_ia32cap_P");
+-
+-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_rdtsc");
+ 	&xor	("eax","eax");
+ 	&xor	("edx","edx");
+ 	&picmeup("ecx","OPENSSL_ia32cap_P");
+@@ -157,7 +157,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
+ # but it's safe to call it on any [supported] 32-bit platform...
+ # Just check for [non-]zero return value...
+-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_instrument_halt");
+ 	&picmeup("ecx","OPENSSL_ia32cap_P");
+ 	&bt	(&DWP(0,"ecx"),4);
+ 	&jnc	(&label("nohalt"));	# no TSC
+@@ -224,7 +224,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ 	&ret	();
+ &function_end_B("OPENSSL_far_spin");
+ 
+-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_wipe_cpu");
+ 	&xor	("eax","eax");
+ 	&xor	("edx","edx");
+ 	&picmeup("ecx","OPENSSL_ia32cap_P");
diff --git a/patches/openssl-1.0.1i/0007-valgrind.patch b/patches/openssl-1.0.1i/0007-valgrind.patch
new file mode 100644
index 0000000..d3fbd12
--- /dev/null
+++ b/patches/openssl-1.0.1i/0007-valgrind.patch
@@ -0,0 +1,31 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] valgrind
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/rand/md_rand.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
+index aee1c30..1caf69c 100644
+--- a/crypto/rand/md_rand.c
++++ b/crypto/rand/md_rand.c
+@@ -488,6 +488,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
+ 		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+ 
+ #ifndef PURIFY /* purify complains */
++#if 0
+ 		/* The following line uses the supplied buffer as a small
+ 		 * source of entropy: since this buffer is often uninitialised
+ 		 * it may cause programs such as purify or valgrind to
+@@ -497,6 +498,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
+ 		 */
+ 		MD_Update(&m,buf,j);
+ #endif
++#endif
+ 
+ 		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
+ 		if (k > 0)
diff --git a/patches/openssl-1.0.1i/0008-rehash-crt.patch b/patches/openssl-1.0.1i/0008-rehash-crt.patch
new file mode 100644
index 0000000..c06898f
--- /dev/null
+++ b/patches/openssl-1.0.1i/0008-rehash-crt.patch
@@ -0,0 +1,44 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] rehash-crt
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ tools/c_rehash.in | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index bfc4a69..4958e3d 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -75,12 +75,15 @@ sub hash_dir {
+ 		}
+ 	}
+ 	closedir DIR;
+-	FILE: foreach $fname (grep {/\.pem$/} @flist) {
++	FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
+ 		# Check to see if certificates and/or CRLs present.
+ 		my ($cert, $crl) = check_file($fname);
+ 		if(!$cert && !$crl) {
+-			print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+-			next;
++			($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der  -outform pem | ");
++			if(!$cert && !$crl) {
++				print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
++				next;
++			}
+ 		}
+ 		link_hash_cert($fname) if($cert);
+ 		link_hash_crl($fname) if($crl);
+@@ -153,6 +156,9 @@ sub link_hash_crl {
+ 		my $fname = $_[0];
+ 		$fname =~ s/'/'\\''/g;
+ 		my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
++		if(!$hash || !fprint) {
++			($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`;
++		}
+ 		chomp $hash;
+ 		chomp $fprint;
+ 		$fprint =~ s/^.*=//;
diff --git a/patches/openssl-1.0.1i/0009-shared-lib-ext.patch b/patches/openssl-1.0.1i/0009-shared-lib-ext.patch
new file mode 100644
index 0000000..d7da2a3
--- /dev/null
+++ b/patches/openssl-1.0.1i/0009-shared-lib-ext.patch
@@ -0,0 +1,25 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] shared-lib-ext
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configure | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Configure b/Configure
+index c676835..7571db1 100755
+--- a/Configure
++++ b/Configure
+@@ -1725,7 +1725,8 @@ while (<IN>)
+ 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ 		{
+ 		my $sotmp = $1;
+-		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++#		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
+ 		}
+ 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ 		{
diff --git a/patches/openssl-1.0.1i/0010-stddef.patch b/patches/openssl-1.0.1i/0010-stddef.patch
new file mode 100644
index 0000000..e0034c2
--- /dev/null
+++ b/patches/openssl-1.0.1i/0010-stddef.patch
@@ -0,0 +1,23 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] stddef
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/sha/sha.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h
+index 8a6bf4b..734b40a 100644
+--- a/crypto/sha/sha.h
++++ b/crypto/sha/sha.h
+@@ -59,6 +59,7 @@
+ #ifndef HEADER_SHA_H
+ #define HEADER_SHA_H
+ 
++#include <stddef.h>
+ #include <openssl/e_os2.h>
+ #include <stddef.h>
+ 
diff --git a/patches/openssl-1.0.1i/0011-block_diginotar.patch b/patches/openssl-1.0.1i/0011-block_diginotar.patch
new file mode 100644
index 0000000..3af0669
--- /dev/null
+++ b/patches/openssl-1.0.1i/0011-block_diginotar.patch
@@ -0,0 +1,66 @@
+From: Raphael Geissert <geissert@debian.org>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] block_diginotar
+
+This is not meant as final patch.
+
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/x509/x509_vfy.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 920066a..5b1a0aa 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -117,6 +117,7 @@ static int check_trust(X509_STORE_CTX *ctx);
+ static int check_revocation(X509_STORE_CTX *ctx);
+ static int check_cert(X509_STORE_CTX *ctx);
+ static int check_policy(X509_STORE_CTX *ctx);
++static int check_ca_blacklist(X509_STORE_CTX *ctx);
+ 
+ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
+ 			unsigned int *preasons,
+@@ -369,6 +370,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
+ 		ok=internal_verify(ctx);
+ 	if(!ok) goto end;
+ 
++	ok = check_ca_blacklist(ctx);
++	if(!ok) goto end;
++
+ #ifndef OPENSSL_NO_RFC3779
+ 	/* RFC 3779 path validation, now that CRL check has been done */
+ 	ok = v3_asid_validate_path(ctx);
+@@ -827,6 +831,29 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+ 	return 1;
+ 	}
+ 
++static int check_ca_blacklist(X509_STORE_CTX *ctx)
++	{
++	X509 *x;
++	int i;
++	/* Check all certificates against the blacklist */
++	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
++		{
++		x = sk_X509_value(ctx->chain, i);
++		/* Mark DigiNotar certificates as revoked, no matter
++		 * where in the chain they are.
++		 */
++		if (x->name && strstr(x->name, "DigiNotar"))
++			{
++			ctx->error = X509_V_ERR_CERT_REVOKED;
++			ctx->error_depth = i;
++			ctx->current_cert = x;
++			if (!ctx->verify_cb(0,ctx))
++				return 0;
++			}
++		}
++	return 1;
++	}
++
+ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
+ 			X509 **pissuer, int *pscore, unsigned int *preasons,
+ 			STACK_OF(X509_CRL) *crls)
diff --git a/patches/openssl-1.0.1i/0012-block_digicert_malaysia.patch b/patches/openssl-1.0.1i/0012-block_digicert_malaysia.patch
new file mode 100644
index 0000000..e1457a8
--- /dev/null
+++ b/patches/openssl-1.0.1i/0012-block_digicert_malaysia.patch
@@ -0,0 +1,30 @@
+From: Raphael Geissert <geissert@debian.org>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] block_digicert_malaysia
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/x509/x509_vfy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 5b1a0aa..696f8d6 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -839,10 +839,11 @@ static int check_ca_blacklist(X509_STORE_CTX *ctx)
+ 	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+ 		{
+ 		x = sk_X509_value(ctx->chain, i);
+-		/* Mark DigiNotar certificates as revoked, no matter
+-		 * where in the chain they are.
++		/* Mark certificates containing the following names as
++		 * revoked, no matter where in the chain they are.
+ 		 */
+-		if (x->name && strstr(x->name, "DigiNotar"))
++		if (x->name && (strstr(x->name, "DigiNotar") ||
++			strstr(x->name, "Digicert Sdn. Bhd.")))
+ 			{
+ 			ctx->error = X509_V_ERR_CERT_REVOKED;
+ 			ctx->error_depth = i;
diff --git a/patches/openssl-1.0.1i/0013-Change-default-bit-size-and-digest.patch b/patches/openssl-1.0.1i/0013-Change-default-bit-size-and-digest.patch
new file mode 100644
index 0000000..02761e3
--- /dev/null
+++ b/patches/openssl-1.0.1i/0013-Change-default-bit-size-and-digest.patch
@@ -0,0 +1,131 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Fri, 1 Nov 2013 20:47:14 +0100
+Subject: [PATCH] Change default bit size and digest
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ apps/dhparam.c         | 4 ++--
+ apps/gendh.c           | 2 +-
+ apps/genrsa.c          | 2 +-
+ apps/openssl.cnf       | 2 +-
+ crypto/dsa/dsa_ameth.c | 2 +-
+ crypto/ec/ec_ameth.c   | 2 +-
+ crypto/hmac/hm_ameth.c | 2 +-
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 8 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/apps/dhparam.c b/apps/dhparam.c
+index 1297d6f..b0c05be 100644
+--- a/apps/dhparam.c
++++ b/apps/dhparam.c
+@@ -130,7 +130,7 @@
+ #undef PROG
+ #define PROG	dhparam_main
+ 
+-#define DEFBITS	512
++#define DEFBITS	2048
+ 
+ /* -inform arg	- input format - default PEM (DER or PEM)
+  * -outform arg - output format - default PEM
+@@ -253,7 +253,7 @@ bad:
+ 		BIO_printf(bio_err," -C            Output C code\n");
+ 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
+ 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
+-		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
++		BIO_printf(bio_err," numbits       number of bits in to generate (default 2048)\n");
+ #ifndef OPENSSL_NO_ENGINE
+ 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
+ #endif
+diff --git a/apps/gendh.c b/apps/gendh.c
+index 4ec776b..8df8c62 100644
+--- a/apps/gendh.c
++++ b/apps/gendh.c
+@@ -78,7 +78,7 @@
+ #include <openssl/x509.h>
+ #include <openssl/pem.h>
+ 
+-#define DEFBITS	512
++#define DEFBITS	2048
+ #undef PROG
+ #define PROG gendh_main
+ 
+diff --git a/apps/genrsa.c b/apps/genrsa.c
+index ece114c..7a8c6c5 100644
+--- a/apps/genrsa.c
++++ b/apps/genrsa.c
+@@ -78,7 +78,7 @@
+ #include <openssl/pem.h>
+ #include <openssl/rand.h>
+ 
+-#define DEFBITS	1024
++#define DEFBITS	2048
+ #undef PROG
+ #define PROG genrsa_main
+ 
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 18760c6..1eb86c4 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -103,7 +103,7 @@ emailAddress		= optional
+ 
+ ####################################################################
+ [ req ]
+-default_bits		= 1024
++default_bits		= 2048
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
+index 376156e..13318d7 100644
+--- a/crypto/dsa/dsa_ameth.c
++++ b/crypto/dsa/dsa_ameth.c
+@@ -628,7 +628,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
+ #endif
+ 
+ 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+-		*(int *)arg2 = NID_sha1;
++		*(int *)arg2 = NID_sha256;
+ 		return 2;
+ 
+ 		default:
+diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
+index 0ce4524..a04ac98 100644
+--- a/crypto/ec/ec_ameth.c
++++ b/crypto/ec/ec_ameth.c
+@@ -615,7 +615,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
+ #endif
+ 
+ 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+-		*(int *)arg2 = NID_sha1;
++		*(int *)arg2 = NID_sha256;
+ 		return 2;
+ 
+ 		default:
+diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
+index e03f24a..9fe6505 100644
+--- a/crypto/hmac/hm_ameth.c
++++ b/crypto/hmac/hm_ameth.c
+@@ -89,7 +89,7 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
+ 	switch (op)
+ 		{
+ 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+-		*(int *)arg2 = NID_sha1;
++		*(int *)arg2 = NID_sha256;
+ 		return 1;
+ 
+ 		default:
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index 5a2062f..47fe535 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -435,7 +435,7 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
+ #endif
+ 
+ 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+-		*(int *)arg2 = NID_sha1;
++		*(int *)arg2 = NID_sha256;
+ 		return 1;
+ 
+ 		default:
diff --git a/patches/openssl-1.0.1i/0014-openssl_fix_for_x32.patch b/patches/openssl-1.0.1i/0014-openssl_fix_for_x32.patch
new file mode 100644
index 0000000..36bfa49
--- /dev/null
+++ b/patches/openssl-1.0.1i/0014-openssl_fix_for_x32.patch
@@ -0,0 +1,50 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Tue, 8 Apr 2014 07:48:47 +0200
+Subject: [PATCH] openssl_fix_for_x32
+
+Imported from openssl_1.0.1g-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/bn/asm/x86_64-gcc.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
+index acb0b40..acd76ce 100644
+--- a/crypto/bn/asm/x86_64-gcc.c
++++ b/crypto/bn/asm/x86_64-gcc.c
+@@ -55,7 +55,7 @@
+  *    machine.
+  */
+ 
+-#ifdef _WIN64
++#if defined _WIN64 || !defined __LP64__
+ #define BN_ULONG unsigned long long
+ #else
+ #define BN_ULONG unsigned long
+@@ -192,9 +192,9 @@ BN_ULONG bn_add_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
+ 	asm (
+ 	"	subq	%2,%2		\n"
+ 	".p2align 4			\n"
+-	"1:	movq	(%4,%2,8),%0	\n"
+-	"	adcq	(%5,%2,8),%0	\n"
+-	"	movq	%0,(%3,%2,8)	\n"
++	"1:	movq	(%q4,%2,8),%0	\n"
++	"	adcq	(%q5,%2,8),%0	\n"
++	"	movq	%0,(%q3,%2,8)	\n"
+ 	"	leaq	1(%2),%2	\n"
+ 	"	loop	1b		\n"
+ 	"	sbbq	%0,%0		\n"
+@@ -215,9 +215,9 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
+ 	asm (
+ 	"	subq	%2,%2		\n"
+ 	".p2align 4			\n"
+-	"1:	movq	(%4,%2,8),%0	\n"
+-	"	sbbq	(%5,%2,8),%0	\n"
+-	"	movq	%0,(%3,%2,8)	\n"
++	"1:	movq	(%q4,%2,8),%0	\n"
++	"	sbbq	(%q5,%2,8),%0	\n"
++	"	movq	%0,(%q3,%2,8)	\n"
+ 	"	leaq	1(%2),%2	\n"
+ 	"	loop	1b		\n"
+ 	"	sbbq	%0,%0		\n"
diff --git a/patches/openssl-1.0.1i/series b/patches/openssl-1.0.1i/series
new file mode 100644
index 0000000..f55bace
--- /dev/null
+++ b/patches/openssl-1.0.1i/series
@@ -0,0 +1,17 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-ca.patch
+0002-debian-targets.patch
+0003-engines-path.patch
+0004-no-rpath.patch
+0005-no-symbolic.patch
+0006-pic.patch
+0007-valgrind.patch
+0008-rehash-crt.patch
+0009-shared-lib-ext.patch
+0010-stddef.patch
+0011-block_diginotar.patch
+0012-block_digicert_malaysia.patch
+0013-Change-default-bit-size-and-digest.patch
+0014-openssl_fix_for_x32.patch
+# dd4d5e6590bf4d0a9b21935c6ca13a38  - git-ptx-patches magic
diff --git a/rules/openssl.make b/rules/openssl.make
index dce98f5..2939868 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION	:= 1.0.1h
-OPENSSL_MD5	:= 8d6d684a9430d5cc98a62a5d8fbda8cf
+OPENSSL_VERSION	:= 1.0.1i
+OPENSSL_MD5	:= c8dc151a671b9b92ff3e4c118b174972
 OPENSSL		:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX	:= tar.gz
 OPENSSL_URL	:= http://www.openssl.org/source/$(OPENSSL).$(OPENSSL_SUFFIX)
-- 
2.0.4


-- 
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [ptxdist] [PATCH] openssl: version bump 1.0.1h -> 1.0.1i
  2014-08-07 12:41 [ptxdist] [PATCH] openssl: version bump 1.0.1h -> 1.0.1i Bernhard Walle
@ 2014-08-08  8:32 ` Michael Olbrich
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Olbrich @ 2014-08-08  8:32 UTC (permalink / raw)
  To: ptxdist

[-- Attachment #1: Type: text/plain, Size: 4897 bytes --]

On Thu, Aug 07, 2014 at 02:41:01PM +0200, Bernhard Walle wrote:
> Fixes CVE-2014-3508.
> 

Thanks, applied. I've regenerated the patches (no real changes). I've
attached the script I use for this in case anyone is interested.

Btw, if you run git send-email with '-M' then the patch is smaller and much
better to read.

Michael

> Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
> ---
>  patches/openssl-1.0.1h/0001-ca.patch               |  31 ----
>  patches/openssl-1.0.1h/0002-debian-targets.patch   |  80 ---------
>  patches/openssl-1.0.1h/0003-engines-path.patch     |  92 ----------
>  patches/openssl-1.0.1h/0004-no-rpath.patch         |  24 ---
>  patches/openssl-1.0.1h/0005-no-symbolic.patch      |  24 ---
>  patches/openssl-1.0.1h/0006-pic.patch              | 189 ---------------------
>  patches/openssl-1.0.1h/0007-valgrind.patch         |  31 ----
>  patches/openssl-1.0.1h/0008-rehash-crt.patch       |  44 -----
>  patches/openssl-1.0.1h/0009-shared-lib-ext.patch   |  25 ---
>  patches/openssl-1.0.1h/0010-stddef.patch           |  23 ---
>  patches/openssl-1.0.1h/0011-block_diginotar.patch  |  66 -------
>  .../0012-block_digicert_malaysia.patch             |  30 ----
>  .../0013-Change-default-bit-size-and-digest.patch  | 131 --------------
>  .../openssl-1.0.1h/0014-openssl_fix_for_x32.patch  |  50 ------
>  patches/openssl-1.0.1h/series                      |  17 --
>  patches/openssl-1.0.1i/0001-ca.patch               |  31 ++++
>  patches/openssl-1.0.1i/0002-debian-targets.patch   |  80 +++++++++
>  patches/openssl-1.0.1i/0003-engines-path.patch     |  92 ++++++++++
>  patches/openssl-1.0.1i/0004-no-rpath.patch         |  24 +++
>  patches/openssl-1.0.1i/0005-no-symbolic.patch      |  24 +++
>  patches/openssl-1.0.1i/0006-pic.patch              | 189 +++++++++++++++++++++
>  patches/openssl-1.0.1i/0007-valgrind.patch         |  31 ++++
>  patches/openssl-1.0.1i/0008-rehash-crt.patch       |  44 +++++
>  patches/openssl-1.0.1i/0009-shared-lib-ext.patch   |  25 +++
>  patches/openssl-1.0.1i/0010-stddef.patch           |  23 +++
>  patches/openssl-1.0.1i/0011-block_diginotar.patch  |  66 +++++++
>  .../0012-block_digicert_malaysia.patch             |  30 ++++
>  .../0013-Change-default-bit-size-and-digest.patch  | 131 ++++++++++++++
>  .../openssl-1.0.1i/0014-openssl_fix_for_x32.patch  |  50 ++++++
>  patches/openssl-1.0.1i/series                      |  17 ++
>  rules/openssl.make                                 |   4 +-
>  31 files changed, 859 insertions(+), 859 deletions(-)
>  delete mode 100644 patches/openssl-1.0.1h/0001-ca.patch
>  delete mode 100644 patches/openssl-1.0.1h/0002-debian-targets.patch
>  delete mode 100644 patches/openssl-1.0.1h/0003-engines-path.patch
>  delete mode 100644 patches/openssl-1.0.1h/0004-no-rpath.patch
>  delete mode 100644 patches/openssl-1.0.1h/0005-no-symbolic.patch
>  delete mode 100644 patches/openssl-1.0.1h/0006-pic.patch
>  delete mode 100644 patches/openssl-1.0.1h/0007-valgrind.patch
>  delete mode 100644 patches/openssl-1.0.1h/0008-rehash-crt.patch
>  delete mode 100644 patches/openssl-1.0.1h/0009-shared-lib-ext.patch
>  delete mode 100644 patches/openssl-1.0.1h/0010-stddef.patch
>  delete mode 100644 patches/openssl-1.0.1h/0011-block_diginotar.patch
>  delete mode 100644 patches/openssl-1.0.1h/0012-block_digicert_malaysia.patch
>  delete mode 100644 patches/openssl-1.0.1h/0013-Change-default-bit-size-and-digest.patch
>  delete mode 100644 patches/openssl-1.0.1h/0014-openssl_fix_for_x32.patch
>  delete mode 100644 patches/openssl-1.0.1h/series
>  create mode 100644 patches/openssl-1.0.1i/0001-ca.patch
>  create mode 100644 patches/openssl-1.0.1i/0002-debian-targets.patch
>  create mode 100644 patches/openssl-1.0.1i/0003-engines-path.patch
>  create mode 100644 patches/openssl-1.0.1i/0004-no-rpath.patch
>  create mode 100644 patches/openssl-1.0.1i/0005-no-symbolic.patch
>  create mode 100644 patches/openssl-1.0.1i/0006-pic.patch
>  create mode 100644 patches/openssl-1.0.1i/0007-valgrind.patch
>  create mode 100644 patches/openssl-1.0.1i/0008-rehash-crt.patch
>  create mode 100644 patches/openssl-1.0.1i/0009-shared-lib-ext.patch
>  create mode 100644 patches/openssl-1.0.1i/0010-stddef.patch
>  create mode 100644 patches/openssl-1.0.1i/0011-block_diginotar.patch
>  create mode 100644 patches/openssl-1.0.1i/0012-block_digicert_malaysia.patch
>  create mode 100644 patches/openssl-1.0.1i/0013-Change-default-bit-size-and-digest.patch
>  create mode 100644 patches/openssl-1.0.1i/0014-openssl_fix_for_x32.patch
>  create mode 100644 patches/openssl-1.0.1i/series

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

[-- Attachment #2: openssl-apply-debian --]
[-- Type: text/plain, Size: 1230 bytes --]

#!/bin/bash

set -e
set -x

blacklist="
config-hurd.patch
man-dir.patch
man-section.patch
rehash_pod.patch
version-script.patch
gnu_source.patch
c_rehash-compat.patch
dgst_hmac.patch
fix-pod-errors.patch
"

start="$(pwd)"
src="$(pwd)/$1"
deb="$(pwd)/$2"

tmp="$(mktemp -d)"

cd "$tmp"

tar xf "$src"
openssl="$(ls -d openssl-*)"

tar xf "$deb"
patches=debian/patches
for patch in $blacklist; do
	sed -i "s/\(${patch}\)/#\1/" ${patches}/series
done

cd "$openssl"
git init
git add *
git commit -m "base"
git tag base

git quiltimport --patches=../$patches/ --author "Michael Olbrich <m.olbrich@pengutronix.de>"
git filter-branch --msg-filter "cat | grep -v '^==*$' && echo '\nImported from $(basename $deb)\n\nSigned-off-by: Michael Olbrich <m.olbrich@pengutronix.de>'" base...master

#for patch in $(cat ../$patches/series | grep -v '^#'); do
#	patch=../$patches/$patch
#	name=$(basename $patch)
#	name=${name%.patch}
#	git apply $patch
#	git add *
#	git commit -m "debian $name
#
#Applied $(basename $patch) from $(basename $deb)" -a -s
#done

git format-patch --no-signature -N base
mkdir "$start/$openssl"
mv 0*.patch "$start/$openssl/"
cd "$start"
rm -rf "$tmp"

cd "$start/$openssl/"
sed -i 1d 0*.patch
ls 0*.patch > series


[-- Attachment #3: Type: text/plain, Size: 48 bytes --]

-- 
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-08-08  8:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-07 12:41 [ptxdist] [PATCH] openssl: version bump 1.0.1h -> 1.0.1i Bernhard Walle
2014-08-08  8:32 ` Michael Olbrich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox