core/openssl-cryptodev to 1.0.1h-1

core/openssl-cryptodev/0001-cryptodev-Fix-issue-with-signature-generation.patch

@@ -0,0 +1,429 @@
+From fa47376f4c3e03b18ccd52df53d8c5041155d4ed Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri, 4 Jul 2014 07:31:25 +0200
+Subject: [PATCH] cryptodev: Fix issue with signature generation
+
+That patch also enables support for SHA2 hashes, and
+removes support for hashes that were never supported by
+cryptodev.
+---
+ crypto/engine/eng_cryptodev.c | 192 ++++++++++++++++++++++++++++++------------
+ 1 file changed, 140 insertions(+), 52 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index 568e131..a1c39e5 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -2,6 +2,7 @@
+  * Copyright (c) 2002 Bob Beck <beck@openbsd.org>
+  * Copyright (c) 2002 Theo de Raadt
+  * Copyright (c) 2002 Markus Friedl
++ * Copyright (c) 2012 Nikos Mavrogiannopoulos
+  * All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+@@ -74,8 +75,6 @@ struct dev_crypto_state {
+ 	int d_fd;
+ 
+ #ifdef USE_CRYPTODEV_DIGESTS
+-	char dummy_mac_key[HASH_MAX_LEN];
+-
+ 	unsigned char digest_res[HASH_MAX_LEN];
+ 	char *mac_data;
+ 	int mac_len;
+@@ -162,15 +161,21 @@ static struct {
+ static struct {
+ 	int	id;
+ 	int	nid;
+-	int 	keylen;
++	int 	digestlen;
+ } digests[] = {
++#if 0
++        /* HMAC is not supported */
+ 	{ CRYPTO_MD5_HMAC,		NID_hmacWithMD5,	16},
+ 	{ CRYPTO_SHA1_HMAC,		NID_hmacWithSHA1,	20},
+-	{ CRYPTO_RIPEMD160_HMAC,	NID_ripemd160,		16/*?*/},
+-	{ CRYPTO_MD5_KPDK,		NID_undef,		0},
+-	{ CRYPTO_SHA1_KPDK,		NID_undef,		0},
++	{ CRYPTO_SHA2_256_HMAC,		NID_hmacWithSHA256,	32},
++	{ CRYPTO_SHA2_384_HMAC,		NID_hmacWithSHA384,	48},
++	{ CRYPTO_SHA2_512_HMAC,		NID_hmacWithSHA512,	64},
++#endif
+ 	{ CRYPTO_MD5,			NID_md5,		16},
+ 	{ CRYPTO_SHA1,			NID_sha1,		20},
++	{ CRYPTO_SHA2_256,		NID_sha256,		32},
++	{ CRYPTO_SHA2_384,		NID_sha384,		48},
++	{ CRYPTO_SHA2_512,		NID_sha512,		64},
+ 	{ 0,				NID_undef,		0},
+ };
+ #endif
+@@ -248,13 +253,14 @@ get_cryptodev_ciphers(const int **cnids)
+ 	static int nids[CRYPTO_ALGORITHM_MAX];
+ 	struct session_op sess;
+ 	int fd, i, count = 0;
++	unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
+ 
+ 	if ((fd = get_dev_crypto()) < 0) {
+ 		*cnids = NULL;
+ 		return (0);
+ 	}
+ 	memset(&sess, 0, sizeof(sess));
+-	sess.key = (caddr_t)"123456789abcdefghijklmno";
++	sess.key = (void*)fake_key;
+ 
+ 	for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+ 		if (ciphers[i].nid == NID_undef)
+@@ -286,6 +292,7 @@ static int
+ get_cryptodev_digests(const int **cnids)
+ {
+ 	static int nids[CRYPTO_ALGORITHM_MAX];
++	unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
+ 	struct session_op sess;
+ 	int fd, i, count = 0;
+ 
+@@ -294,12 +301,12 @@ get_cryptodev_digests(const int **cnids)
+ 		return (0);
+ 	}
+ 	memset(&sess, 0, sizeof(sess));
+-	sess.mackey = (caddr_t)"123456789abcdefghijklmno";
++	sess.mackey = fake_key;
+ 	for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+ 		if (digests[i].nid == NID_undef)
+ 			continue;
+ 		sess.mac = digests[i].id;
+-		sess.mackeylen = digests[i].keylen;
++		sess.mackeylen = 8;
+ 		sess.cipher = 0;
+ 		if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
+ 		    ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
+@@ -387,14 +394,14 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ 	cryp.ses = sess->ses;
+ 	cryp.flags = 0;
+ 	cryp.len = inl;
+-	cryp.src = (caddr_t) in;
+-	cryp.dst = (caddr_t) out;
++	cryp.src = (void*) in;
++	cryp.dst = (void*) out;
+ 	cryp.mac = 0;
+ 
+ 	cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+ 
+ 	if (ctx->cipher->iv_len) {
+-		cryp.iv = (caddr_t) ctx->iv;
++		cryp.iv = (void*) ctx->iv;
+ 		if (!ctx->encrypt) {
+ 			iiv = in + inl - ctx->cipher->iv_len;
+ 			memcpy(save_iv, iiv, ctx->cipher->iv_len);
+@@ -445,7 +452,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ 	if ((state->d_fd = get_dev_crypto()) < 0)
+ 		return (0);
+ 
+-	sess->key = (caddr_t)key;
++	sess->key = (void*)key;
+ 	sess->keylen = ctx->key_len;
+ 	sess->cipher = cipher;
+ 
+@@ -715,18 +722,6 @@ digest_nid_to_cryptodev(int nid)
+ }
+ 
+ 
+-static int
+-digest_key_length(int nid)
+-{
+-	int i;
+-
+-	for (i = 0; digests[i].id; i++)
+-		if (digests[i].nid == nid)
+-			return digests[i].keylen;
+-	return (0);
+-}
+-
+-
+ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
+ {
+ 	struct dev_crypto_state *state = ctx->md_data;
+@@ -737,7 +732,6 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
+ 		printf("cryptodev_digest_init: Can't get digest \n");
+ 		return (0);
+ 	}
+-
+ 	memset(state, 0, sizeof(struct dev_crypto_state));
+ 
+ 	if ((state->d_fd = get_dev_crypto()) < 0) {
+@@ -745,8 +739,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
+ 		return (0);
+ 	}
+ 
+-	sess->mackey = state->dummy_mac_key;
+-	sess->mackeylen = digest_key_length(ctx->digest->type);
++	sess->mackey = NULL;
++	sess->mackeylen = 0;
+ 	sess->mac = digest;
+ 
+ 	if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) {
+@@ -762,8 +756,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
+ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
+ 		size_t count)
+ {
+-	struct crypt_op cryp;
+ 	struct dev_crypto_state *state = ctx->md_data;
++	struct crypt_op cryp;
+ 	struct session_op *sess = &state->d_sess;
+ 
+ 	if (!data || state->d_fd < 0) {
+@@ -772,7 +766,7 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
+ 	}
+ 
+ 	if (!count) {
+-		return (0);
++		return (1);
+ 	}
+ 
+ 	if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) {
+@@ -795,9 +789,9 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
+ 	cryp.ses = sess->ses;
+ 	cryp.flags = 0;
+ 	cryp.len = count;
+-	cryp.src = (caddr_t) data;
++	cryp.src = (void*) data;
+ 	cryp.dst = NULL;
+-	cryp.mac = (caddr_t) state->digest_res;
++	cryp.mac = (void*) state->digest_res;
+ 	if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
+ 		printf("cryptodev_digest_update: digest failed\n");
+ 		return (0);
+@@ -812,8 +806,6 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
+ 	struct dev_crypto_state *state = ctx->md_data;
+ 	struct session_op *sess = &state->d_sess;
+ 
+-	int ret = 1;
+-
+ 	if (!md || state->d_fd < 0) {
+ 		printf("cryptodev_digest_final: illegal input\n");
+ 		return(0);
+@@ -827,7 +819,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
+ 		cryp.len = state->mac_len;
+ 		cryp.src = state->mac_data;
+ 		cryp.dst = NULL;
+-		cryp.mac = (caddr_t)md;
++		cryp.mac = (void*)md;
+ 		if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
+ 			printf("cryptodev_digest_final: digest failed\n");
+ 			return (0);
+@@ -838,7 +830,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
+ 
+ 	memcpy(md, state->digest_res, ctx->digest->md_size);
+ 
+-	return (ret);
++	return 1;
+ }
+ 
+ 
+@@ -890,8 +882,8 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
+ 
+ 	digest = digest_nid_to_cryptodev(to->digest->type);
+ 
+-	sess->mackey = dstate->dummy_mac_key;
+-	sess->mackeylen = digest_key_length(to->digest->type);
++	sess->mackey = NULL;
++	sess->mackeylen = 0;
+ 	sess->mac = digest;
+ 
+ 	dstate->d_fd = get_dev_crypto();
+@@ -916,34 +908,117 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
+ }
+ 
+ 
+-const EVP_MD cryptodev_sha1 = {
++static const EVP_MD cryptodev_sha1 = {
+ 	NID_sha1,
+-	NID_undef, 
++	NID_sha1WithRSAEncryption,
+ 	SHA_DIGEST_LENGTH, 
++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
++	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
++	EVP_MD_FLAG_DIGALGID_ABSENT|
++#endif
+ 	EVP_MD_FLAG_ONESHOT,
+ 	cryptodev_digest_init,
+ 	cryptodev_digest_update,
+ 	cryptodev_digest_final,
+ 	cryptodev_digest_copy,
+ 	cryptodev_digest_cleanup,
+-	EVP_PKEY_NULL_method,
++	EVP_PKEY_RSA_method,
+ 	SHA_CBLOCK,
+-	sizeof(struct dev_crypto_state),
++	sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
++};
++
++static const EVP_MD cryptodev_sha256 = {
++	NID_sha256,
++	NID_sha256WithRSAEncryption,
++	SHA256_DIGEST_LENGTH, 
++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
++	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
++	EVP_MD_FLAG_DIGALGID_ABSENT|
++#endif
++	EVP_MD_FLAG_ONESHOT,
++	cryptodev_digest_init,
++	cryptodev_digest_update,
++	cryptodev_digest_final,
++	cryptodev_digest_copy,
++	cryptodev_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	SHA256_CBLOCK,
++	sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
++};
++static const EVP_MD cryptodev_sha224 = {
++	NID_sha224,
++	NID_sha224WithRSAEncryption, 
++	SHA224_DIGEST_LENGTH, 
++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
++	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
++	EVP_MD_FLAG_DIGALGID_ABSENT|
++#endif
++	EVP_MD_FLAG_ONESHOT,
++	cryptodev_digest_init,
++	cryptodev_digest_update,
++	cryptodev_digest_final,
++	cryptodev_digest_copy,
++	cryptodev_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	SHA256_CBLOCK,
++	sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
++};
++
++static const EVP_MD cryptodev_sha384 = {
++	NID_sha384,
++	NID_sha384WithRSAEncryption, 
++	SHA384_DIGEST_LENGTH, 
++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
++	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
++	EVP_MD_FLAG_DIGALGID_ABSENT|
++#endif
++	EVP_MD_FLAG_ONESHOT,
++	cryptodev_digest_init,
++	cryptodev_digest_update,
++	cryptodev_digest_final,
++	cryptodev_digest_copy,
++	cryptodev_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	SHA512_CBLOCK,
++	sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
++};
++
++static const EVP_MD cryptodev_sha512 = {
++	NID_sha512,
++	NID_sha512WithRSAEncryption, 
++	SHA512_DIGEST_LENGTH, 
++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
++	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
++	EVP_MD_FLAG_DIGALGID_ABSENT|
++#endif
++	EVP_MD_FLAG_ONESHOT,
++	cryptodev_digest_init,
++	cryptodev_digest_update,
++	cryptodev_digest_final,
++	cryptodev_digest_copy,
++	cryptodev_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	SHA512_CBLOCK,
++	sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+ };
+ 
+-const EVP_MD cryptodev_md5 = {
++static const EVP_MD cryptodev_md5 = {
+ 	NID_md5,
+-	NID_undef, 
++	NID_md5WithRSAEncryption, 
+ 	16 /* MD5_DIGEST_LENGTH */, 
++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
++	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
++	EVP_MD_FLAG_DIGALGID_ABSENT|
++#endif
+ 	EVP_MD_FLAG_ONESHOT,
+ 	cryptodev_digest_init,
+ 	cryptodev_digest_update,
+ 	cryptodev_digest_final,
+ 	cryptodev_digest_copy,
+ 	cryptodev_digest_cleanup,
+-	EVP_PKEY_NULL_method,
++	EVP_PKEY_RSA_method,
+ 	64 /* MD5_CBLOCK */,
+-	sizeof(struct dev_crypto_state),
++	sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+ };
+ 
+ #endif /* USE_CRYPTODEV_DIGESTS */
+@@ -964,6 +1039,18 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
+ 	case NID_sha1:
+ 		*digest = &cryptodev_sha1;
+  		break;
++	case NID_sha224:
++		*digest = &cryptodev_sha224;
++ 		break;
++	case NID_sha256:
++		*digest = &cryptodev_sha256;
++ 		break;
++	case NID_sha384:
++		*digest = &cryptodev_sha384;
++ 		break;
++	case NID_sha512:
++		*digest = &cryptodev_sha512;
++ 		break;
+ 	default:
+ #endif /* USE_CRYPTODEV_DIGESTS */
+ 		*digest = NULL;
+@@ -995,7 +1082,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
+ 		return (1);
+ 	memset(b, 0, bytes);
+ 
+-	crp->crp_p = (caddr_t) b;
++	crp->crp_p = (void*) b;
+ 	crp->crp_nbits = bits;
+ 
+ 	for (i = 0, j = 0; i < a->top; i++) {
+@@ -1248,7 +1335,7 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+ 	kop.crk_op = CRK_DSA_SIGN;
+ 
+ 	/* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
+-	kop.crk_param[0].crp_p = (caddr_t)dgst;
++	kop.crk_param[0].crp_p = (void*)dgst;
+ 	kop.crk_param[0].crp_nbits = dlen * 8;
+ 	if (bn2crparam(dsa->p, &kop.crk_param[1]))
+ 		goto err;
+@@ -1288,7 +1375,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
+ 	kop.crk_op = CRK_DSA_VERIFY;
+ 
+ 	/* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
+-	kop.crk_param[0].crp_p = (caddr_t)dgst;
++	kop.crk_param[0].crp_p = (void*)dgst;
+ 	kop.crk_param[0].crp_nbits = dlen * 8;
+ 	if (bn2crparam(dsa->p, &kop.crk_param[1]))
+ 		goto err;
+@@ -1366,9 +1453,10 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ 		goto err;
+ 	kop.crk_iparams = 3;
+ 
+-	kop.crk_param[3].crp_p = (caddr_t) key;
+-	kop.crk_param[3].crp_nbits = keylen * 8;
++	kop.crk_param[3].crp_p = (void*) key;
++	kop.crk_param[3].crp_nbits = keylen;
+ 	kop.crk_oparams = 1;
++	dhret = keylen/8;
+ 
+ 	if (ioctl(fd, CIOCKEY, &kop) == -1) {
+ 		const DH_METHOD *meth = DH_OpenSSL();
+@@ -1440,7 +1528,7 @@ ENGINE_load_cryptodev(void)
+ 	put_dev_crypto(fd);
+ 
+ 	if (!ENGINE_set_id(engine, "cryptodev") ||
+-	    !ENGINE_set_name(engine, "BSD cryptodev engine") ||
++	    !ENGINE_set_name(engine, "cryptodev engine") ||
+ 	    !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
+ 	    !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
+ 	    !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
+-- 
+2.0.0
+

core/openssl-cryptodev/0002-cryptodev-allow-copying-EVP-contexts.patch

@@ -0,0 +1,202 @@
+From 656b55e39ab22ed135221214ccc47a00369f3ff6 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri, 4 Jul 2014 08:41:04 +0200
+Subject: [PATCH 2/2] cryptodev: allow copying EVP contexts
+
+---
+ crypto/engine/eng_cryptodev.c | 57 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 35 insertions(+), 22 deletions(-)
+
+diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
+index a1c39e5..0d54613 100644
+--- a/crypto/engine/eng_cryptodev.c
++++ b/crypto/engine/eng_cryptodev.c
+@@ -505,150 +505,163 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
+  * gets called when libcrypto requests a cipher NID.
+  */
+ 
++static int cryptodev_cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void *p2)
++{
++	struct dev_crypto_state *state = ctx->cipher_data;
++	struct session_op *sess = &state->d_sess;
++
++	if (type == EVP_CTRL_COPY) {
++		EVP_CIPHER_CTX *out = p2;
++		return cryptodev_init_key(out, sess->key, ctx->iv, 0);
++	}
++
++	return 0;
++}
++
+ /* RC4 */
+ const EVP_CIPHER cryptodev_rc4 = {
+ 	NID_rc4,
+ 	1, 16, 0,
+-	EVP_CIPH_VARIABLE_LENGTH,
++	EVP_CIPH_VARIABLE_LENGTH|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	NULL,
+ 	NULL,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ /* DES CBC EVP */
+ const EVP_CIPHER cryptodev_des_cbc = {
+ 	NID_des_cbc,
+ 	8, 8, 8,
+-	EVP_CIPH_CBC_MODE,
++	EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ /* 3DES CBC EVP */
+ const EVP_CIPHER cryptodev_3des_cbc = {
+ 	NID_des_ede3_cbc,
+ 	8, 24, 8,
+-	EVP_CIPH_CBC_MODE,
++	EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ const EVP_CIPHER cryptodev_bf_cbc = {
+ 	NID_bf_cbc,
+ 	8, 16, 8,
+-	EVP_CIPH_CBC_MODE,
++	EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ const EVP_CIPHER cryptodev_cast_cbc = {
+ 	NID_cast5_cbc,
+ 	8, 16, 8,
+-	EVP_CIPH_CBC_MODE,
++	EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ const EVP_CIPHER cryptodev_aes_cbc = {
+ 	NID_aes_128_cbc,
+ 	16, 16, 16,
+-	EVP_CIPH_CBC_MODE,
++	EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ const EVP_CIPHER cryptodev_aes_192_cbc = {
+ 	NID_aes_192_cbc,
+ 	16, 24, 16,
+-	EVP_CIPH_CBC_MODE,
++	EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ const EVP_CIPHER cryptodev_aes_256_cbc = {
+ 	NID_aes_256_cbc,
+ 	16, 32, 16,
+-	EVP_CIPH_CBC_MODE,
++	EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ #ifdef CRYPTO_AES_CTR
+ const EVP_CIPHER cryptodev_aes_ctr = {
+ 	NID_aes_128_ctr,
+ 	16, 16, 14,
+-	EVP_CIPH_CTR_MODE,
++	EVP_CIPH_CTR_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ const EVP_CIPHER cryptodev_aes_ctr_192 = {
+ 	NID_aes_192_ctr,
+ 	16, 24, 14,
+-	EVP_CIPH_CTR_MODE,
++	EVP_CIPH_CTR_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ 
+ const EVP_CIPHER cryptodev_aes_ctr_256 = {
+ 	NID_aes_256_ctr,
+ 	16, 32, 14,
+-	EVP_CIPH_CTR_MODE,
++	EVP_CIPH_CTR_MODE|EVP_CIPH_CUSTOM_COPY,
+ 	cryptodev_init_key,
+ 	cryptodev_cipher,
+ 	cryptodev_cleanup,
+ 	sizeof(struct dev_crypto_state),
+ 	EVP_CIPHER_set_asn1_iv,
+ 	EVP_CIPHER_get_asn1_iv,
+-	NULL
++	cryptodev_cipher_ctrl
+ };
+ #endif
+ /*
+-- 
+2.0.0
+

core/openssl-cryptodev/CVE-2014-0160.patch

@@ -1,94 +0,0 @@
-Description: fix memory disclosure in TLS heartbeat extension
-Origin: upstream, http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
-
-Index: openssl-1.0.1f/ssl/d1_both.c
-===================================================================
---- openssl-1.0.1f.orig/ssl/d1_both.c	2014-01-06 08:47:42.000000000 -0500
-+++ openssl-1.0.1f/ssl/d1_both.c	2014-04-07 15:37:38.548342862 -0400
-@@ -1459,26 +1459,36 @@
- 	unsigned int payload;
- 	unsigned int padding = 16; /* Use minimum padding */
- 
--	/* Read type and payload length first */
--	hbtype = *p++;
--	n2s(p, payload);
--	pl = p;
--
- 	if (s->msg_callback)
- 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- 			&s->s3->rrec.data[0], s->s3->rrec.length,
- 			s, s->msg_callback_arg);
- 
-+	/* Read type and payload length first */
-+	if (1 + 2 + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard */
-+	hbtype = *p++;
-+	n2s(p, payload);
-+	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard per RFC 6520 sec. 4 */
-+	pl = p;
-+
- 	if (hbtype == TLS1_HB_REQUEST)
- 		{
- 		unsigned char *buffer, *bp;
-+		unsigned int write_length = 1 /* heartbeat type */ +
-+					    2 /* heartbeat length */ +
-+					    payload + padding;
- 		int r;
- 
-+		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-+			return 0;
-+
- 		/* Allocate memory for the response, size is 1 byte
- 		 * message type, plus 2 bytes payload length, plus
- 		 * payload, plus padding
- 		 */
--		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-+		buffer = OPENSSL_malloc(write_length);
- 		bp = buffer;
- 
- 		/* Enter response type, length and copy payload */
-@@ -1489,11 +1499,11 @@
- 		/* Random padding */
- 		RAND_pseudo_bytes(bp, padding);
- 
--		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
-+		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
- 
- 		if (r >= 0 && s->msg_callback)
- 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
--				buffer, 3 + payload + padding,
-+				buffer, write_length,
- 				s, s->msg_callback_arg);
- 
- 		OPENSSL_free(buffer);
-Index: openssl-1.0.1f/ssl/t1_lib.c
-===================================================================
---- openssl-1.0.1f.orig/ssl/t1_lib.c	2014-01-06 08:47:42.000000000 -0500
-+++ openssl-1.0.1f/ssl/t1_lib.c	2014-04-07 15:37:38.548342862 -0400
-@@ -2558,16 +2558,20 @@
- 	unsigned int payload;
- 	unsigned int padding = 16; /* Use minimum padding */
- 
--	/* Read type and payload length first */
--	hbtype = *p++;
--	n2s(p, payload);
--	pl = p;
--
- 	if (s->msg_callback)
- 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- 			&s->s3->rrec.data[0], s->s3->rrec.length,
- 			s, s->msg_callback_arg);
- 
-+	/* Read type and payload length first */
-+	if (1 + 2 + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard */
-+	hbtype = *p++;
-+	n2s(p, payload);
-+	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard per RFC 6520 sec. 4 */
-+	pl = p;
-+
- 	if (hbtype == TLS1_HB_REQUEST)
- 		{
- 		unsigned char *buffer, *bp;

core/openssl-cryptodev/CVE-2014-0224.patch

@@ -1,111 +0,0 @@
-commit a5852a6db4b36f91d6254b2d8757f125e6e8e5cb
-Author: Dr. Stephen Henson <steve@openssl.org>
-Date:   Fri May 16 12:55:16 2014 +0100
-
-    Additional CVE-2014-0224 protection.
-    
-    Return a fatal error if an attempt is made to use a zero length
-    master secret.
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 98c36e6..59011e3 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1459,7 +1459,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
- 
- 	if (s->s3->tmp.key_block == NULL)
- 		{
--		if (s->session == NULL) 
-+		if (s->session == NULL || s->session->master_key_length == 0)
- 			{
- 			/* might happen if dtls1_read_bytes() calls this */
- 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
-
-commit eaa71076511eab5e84ed36ddecbfc6cc20a48952
-Author: Dr. Stephen Henson <steve@openssl.org>
-Date:   Fri May 16 12:49:48 2014 +0100
-
-    Fix for CVE-2014-0224
-    
-    Only accept change cipher spec when it is expected instead of at any
-    time. This prevents premature setting of session keys before the master
-    secret is determined which an attacker could use as a MITM attack.
-    
-    Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
-    and providing the initial fix this patch is based on.
-
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index a6b3c01..d35376d 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
- 		case SSL3_ST_CR_FINISHED_A:
- 		case SSL3_ST_CR_FINISHED_B:
- 
-+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
- 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
- 				SSL3_ST_CR_FINISHED_B);
- 			if (ret <= 0) goto end;
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 6bc8bf9..98c36e6 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1316,6 +1316,15 @@ start:
- 			goto f_err;
- 			}
- 
-+		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
-+			{
-+			al=SSL_AD_UNEXPECTED_MESSAGE;
-+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
-+			goto f_err;
-+			}
-+
-+		s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
-+
- 		rr->length=0;
- 
- 		if (s->msg_callback)
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index 4de9d19..29f8b14 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
- 		case SSL3_ST_SR_CERT_VRFY_A:
- 		case SSL3_ST_SR_CERT_VRFY_B:
- 
-+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
- 			/* we should decide if we expected this one */
- 			ret=ssl3_get_cert_verify(s);
- 			if (ret <= 0) goto end;
-@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
- 
- 		case SSL3_ST_SR_FINISHED_A:
- 		case SSL3_ST_SR_FINISHED_B:
-+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
- 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
- 				SSL3_ST_SR_FINISHED_B);
- 			if (ret <= 0) goto end;
-@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
- 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #else
- 				if (s->s3->next_proto_neg_seen)
-+					{
-+					s->s3->flags |= SSL3_FLAGS_CCS_OK;
- 					s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
-+					}
- 				else
- 					s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #endif
-diff --git a/ssl/ssl3.h b/ssl/ssl3.h
-index cb8b249..4ac4199 100644
---- a/ssl/ssl3.h
-+++ b/ssl/ssl3.h
-@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
- #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
- #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
- #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
-+#define SSL3_FLAGS_CCS_OK			0x0040
-  
- /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
-  * restart a handshake because of MS SGC and so prevents us

core/openssl-cryptodev/PKGBUILD

@@ -6,18 +6,18 @@
 #  - cryptodev-enabled version
 #
 #	moonman <moonman [dot] ca [at] gmail [dot] com>
-#  - replace eng_cryptodev in openssl with the one provided with cryptodev
 #  - get cryptodev.h from cryptodev tarball instead of the kernel headers
+#  - patches from cryptodev developers for openssl
 
 buildarch=6
 
 pkgname=openssl-cryptodev
 _pkgname=openssl
-_ver=1.0.1e
+_ver=1.0.1h
 # use a pacman compatible version scheme
 pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
 #pkgver=$_ver
-pkgrel=7
+pkgrel=1
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('arm' 'armv7h')
 url='https://www.openssl.org'
@@ -33,22 +33,20 @@ _cryptover=1.6
 source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz"
         'no-rpath.patch'
         'ca-dir.patch'
-        'openssl-1.0.1e-fix_pod_syntax-1.patch'
         "http://download.gna.org/cryptodev-linux/cryptodev-linux-${_cryptover}.tar.gz"
-        'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
-        'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch'
-        'CVE-2014-0160.patch'
-        'CVE-2014-0224.patch')
+	"https://github.com/openssl/openssl/commit/be2c4d9bd9e81030c547a34216ae2d8e5c888190.patch"
+	"https://github.com/openssl/openssl/commit/6ecbc2bb62835a401ad6efe240d469a23b21755b.patch"
+        '0001-cryptodev-Fix-issue-with-signature-generation.patch'
+        '0002-cryptodev-allow-copying-EVP-contexts.patch')
 
-md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
+md5sums=('8d6d684a9430d5cc98a62a5d8fbda8cf'
          'dc78d3d06baffc16217519242ce92478'
          '3bf51be3a1bbd262be46dc619f92aa90'
-         '88d3bef4bbdc640b0412315d8d347bdf'
          'eade38998313c25fd7934719cdf8a2ea'
-         'ae7848bb152b8834ceff30c8c480d422'
-         'c5cc62a47cef72f4e5ad119a88e97ae4'
-         '5fd0261f74e5358fe28b725cddd24bbf'
-         '8c724df827d6036946dc5074aea9ae66')
+         'a1761273d79bc5c62eb3bd4cb91f66b4'
+         '310a63a4ea3e948eee54c953d49a6bf1'
+         '440f706c63735f32274e13325557a331'
+         'e8ec495c49ae2494acbfb47d98c363b6')
 
 prepare() {
         cd $srcdir/${_pkgname}-$_ver
@@ -58,24 +56,13 @@ prepare() {
         # set ca dir to /etc/ssl by default
         patch -p0 -i $srcdir/ca-dir.patch
 
-        patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch
+	msg "Bring eng_cryptodev.c up-to-date for the following 2 patches"
+	patch -Np1 -i $srcdir/be2c4d9bd9e81030c547a34216ae2d8e5c888190.patch
+	patch -Np1 -i $srcdir/6ecbc2bb62835a401ad6efe240d469a23b21755b.patch
 
-        # OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER
-        # http://rt.openssl.org/Ticket/Display.html?id=2984
-        patch -p1 -i $srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
-
-        # Communication problems with 1.0.1e
-        # http://rt.openssl.org/Ticket/Display.html?id=3002
-        patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
-
-        # Patch the heartbleed vulnerability
-        patch -p1 -i $srcdir/CVE-2014-0160.patch
-
-        msg2 "Patch zero length master secret vulnerability"
-        patch -p1 -i $srcdir/CVE-2014-0224.patch
-
-        # Replace eng_cryptodev.c with cryptodev version
-        cp -u ${srcdir}/cryptodev-linux-${_cryptover}/extras/eng_cryptodev.c ${srcdir}/openssl-${_ver}/crypto/engine/
+        msg2 "Patch eng_cryptodev.c"
+        patch -p1 -i $srcdir/0001-cryptodev-Fix-issue-with-signature-generation.patch
+        patch -p1 -i $srcdir/0002-cryptodev-allow-copying-EVP-contexts.patch
 
         # Copy the header file
         cp -u ${srcdir}/cryptodev-linux-${_cryptover}/crypto/cryptodev.h ${srcdir}/openssl-${_ver}/crypto/
@@ -98,7 +85,7 @@ build() {
 		-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHASH_MAX_LEN=64 \
 		shared threads zlib \
 		"${openssltarget}" \
-		-Wa,--noexecstack "${CFLAGS}"
+		"-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"
 
 	make depend
 	make
@@ -109,7 +96,7 @@ check() {
 	# the test fails due to missing write permissions in /etc/ssl
 	# revert this patch for make test
 	patch -p0 -R -i $srcdir/ca-dir.patch
-#	make test
+	make test
 	patch -p0 -i $srcdir/ca-dir.patch
 }
 

core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch

@@ -1,31 +0,0 @@
-From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw2@infradead.org>
-Date: Tue, 12 Feb 2013 14:55:32 +0000
-Subject: Check DTLS_BAD_VER for version number.
-
-The version check for DTLS1_VERSION was redundant as
-DTLS1_VERSION > TLS1_1_VERSION, however we do need to
-check for DTLS1_BAD_VER for compatibility.
-
-PR:2984
-(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
----
- ssl/s3_cbc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-index 02edf3f..443a31e 100644
---- a/ssl/s3_cbc.c
-+++ b/ssl/s3_cbc.c
-@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
- 	unsigned padding_length, good, to_check, i;
- 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
- 	/* Check if version requires explicit IV */
--	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- 		{
- 		/* These lengths are all public so we can test them in
- 		 * non-constant time.
--- 
-1.8.4.2
-

core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch

@@ -1,32 +0,0 @@
-From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Mon, 18 Mar 2013 19:29:41 +0100
-Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
-
-PR: 3002
-(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
----
- crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
-index 483e04b..fb2c884 100644
---- a/crypto/evp/e_aes_cbc_hmac_sha1.c
-+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
-@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- 
- 				if (res!=SHA_CBLOCK) continue;
- 
--				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
-+				/* j is not incremented yet */
-+				mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
- 				data->u[SHA_LBLOCK-1] |= bitlen&mask;
- 				sha1_block_data_order(&key->md,data,1);
--				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
-+				mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
- 				pmac->u[0] |= key->md.h0 & mask;
- 				pmac->u[1] |= key->md.h1 & mask;
- 				pmac->u[2] |= key->md.h2 & mask;
--- 
-1.8.4.2
-

core/openssl-cryptodev/openssl-1.0.1e-fix_pod_syntax-1.patch

@@ -1,393 +0,0 @@
-Submitted By: Martin Ward <macros_the_black at ntlworld dot com>
-Date: 2013-06-18
-Initial Package Version: 1.0.1e
-Upstream Status: Unknown
-Origin: self, based on fedora
-Description: Fixes install with perl-5.18.
-
-diff -Naur openssl-1.0.1e.orig/doc/apps/cms.pod openssl-1.0.1e/doc/apps/cms.pod
---- openssl-1.0.1e.orig/doc/apps/cms.pod	2013-06-06 14:35:15.867871879 +0100
-+++ openssl-1.0.1e/doc/apps/cms.pod	2013-06-06 14:35:25.791747119 +0100
-@@ -450,28 +450,28 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- the operation was completely successfully.
- 
--=item 1 
-+=item C<1>
- 
- an error occurred parsing the command options.
- 
--=item 2
-+=item C<2>
- 
- one of the input files could not be read.
- 
--=item 3
-+=item C<3>
- 
- an error occurred creating the CMS file or when reading the MIME
- message.
- 
--=item 4
-+=item C<4>
- 
- an error occurred decrypting or verifying the message.
- 
--=item 5
-+=item C<5>
- 
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-diff -Naur openssl-1.0.1e.orig/doc/apps/smime.pod openssl-1.0.1e/doc/apps/smime.pod
---- openssl-1.0.1e.orig/doc/apps/smime.pod	2013-06-06 14:35:15.867871879 +0100
-+++ openssl-1.0.1e/doc/apps/smime.pod	2013-06-06 14:35:25.794747082 +0100
-@@ -308,28 +308,28 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- the operation was completely successfully.
- 
--=item 1 
-+=item C<1>
- 
- an error occurred parsing the command options.
- 
--=item 2
-+=item C<2>
- 
- one of the input files could not be read.
- 
--=item 3
-+=item C<3>
- 
- an error occurred creating the PKCS#7 file or when reading the MIME
- message.
- 
--=item 4
-+=item C<4>
- 
- an error occurred decrypting or verifying the message.
- 
--=item 5
-+=item C<5>
- 
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-diff -Naur openssl-1.0.1e.orig/doc/crypto/X509_STORE_CTX_get_error.pod openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod
---- openssl-1.0.1e.orig/doc/crypto/X509_STORE_CTX_get_error.pod	2013-06-06 14:35:15.874871791 +0100
-+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod	2013-06-06 14:37:13.826388940 +0100
-@@ -278,6 +278,8 @@
- an application specific error. This will never be returned unless explicitly
- set by an application.
- 
-+=back
-+
- =head1 NOTES
- 
- The above functions should be used instead of directly referencing the fields
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_accept.pod openssl-1.0.1e/doc/ssl/SSL_accept.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_accept.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod	2013-06-06 14:35:25.796747057 +0100
-@@ -44,12 +44,12 @@
- 
- =over 4
- 
--=item 1
-+=item C<1>
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
- 
--=item 0
-+=item C<0>
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_clear.pod openssl-1.0.1e/doc/ssl/SSL_clear.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_clear.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod	2013-06-06 14:35:25.803746969 +0100
-@@ -56,12 +56,12 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The SSL_clear() operation could not be performed. Check the error stack to
- find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The SSL_clear() operation was successful.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod	2013-06-06 14:35:15.870871842 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod	2013-06-06 14:35:25.806746931 +0100
-@@ -53,11 +53,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation succeeded.
- 
--=item 1
-+=item C<1>
- 
- The operation failed. Check the error queue to find out the reason.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_connect.pod openssl-1.0.1e/doc/ssl/SSL_connect.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_connect.pod	2013-06-06 14:35:15.869871854 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod	2013-06-06 14:35:25.808746906 +0100
-@@ -41,12 +41,12 @@
- 
- =over 4
- 
--=item 1
-+=item C<1>
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
- 
--=item 0
-+=item C<0>
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_add_session.pod openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_add_session.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod	2013-06-06 14:35:25.816746805 +0100
-@@ -52,13 +52,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
-  The operation failed. In case of the add operation, it was tried to add
-  the same (identical) session twice. In case of the remove operation, the
-  session was not found in the cache.
- 
--=item 1
-+=item C<1>
-  
-  The operation succeeded.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_load_verify_locations.pod openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_load_verify_locations.pod	2013-06-06 14:35:15.870871842 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod	2013-06-06 14:35:25.818746780 +0100
-@@ -100,13 +100,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation failed because B<CAfile> and B<CApath> are NULL or the
- processing at one of the locations specified failed. Check the error
- stack to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod	2013-06-06 14:35:25.821746742 +0100
-@@ -66,11 +66,11 @@
- 
- =over 4
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
--=item 0
-+=item C<0>
- 
- A failure while manipulating the STACK_OF(X509_NAME) object occurred or
- the X509_NAME could not be extracted from B<cacert>. Check the error stack
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_session_id_context.pod openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_session_id_context.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod	2013-06-06 14:35:25.828746654 +0100
-@@ -64,13 +64,13 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
- the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
- is logged to the error stack.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_ssl_version.pod openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_ssl_version.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod	2013-06-06 14:35:25.831746617 +0100
-@@ -42,11 +42,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The new choice failed, check the error stack to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod	2013-06-06 14:35:15.870871842 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod	2013-06-06 14:36:42.456783309 +0100
-@@ -81,6 +81,8 @@
- 
- Return values from the server callback are interpreted as follows:
- 
-+=over
-+
- =item > 0
- 
- PSK identity was found and the server callback has provided the PSK
-@@ -94,9 +96,11 @@
- connection will fail with decryption_error before it will be finished
- completely.
- 
--=item 0
-+=item C<0>
- 
- PSK identity was not found. An "unknown_psk_identity" alert message
- will be sent and the connection setup fails.
- 
-+=back
-+
- =cut
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_do_handshake.pod openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_do_handshake.pod	2013-06-06 14:35:15.869871854 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod	2013-06-06 14:35:25.839746516 +0100
-@@ -45,12 +45,12 @@
- 
- =over 4
- 
--=item 1
-+=item C<1>
- 
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
- 
--=item 0
-+=item C<0>
- 
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_read.pod openssl-1.0.1e/doc/ssl/SSL_read.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_read.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_read.pod	2013-06-06 14:35:25.847746415 +0100
-@@ -86,7 +86,7 @@
- The read operation was successful; the return value is the number of
- bytes actually read from the TLS/SSL connection.
- 
--=item 0
-+=item C<0>
- 
- The read operation was not successful. The reason may either be a clean
- shutdown due to a "close notify" alert sent by the peer (in which case
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_session_reused.pod openssl-1.0.1e/doc/ssl/SSL_session_reused.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_session_reused.pod	2013-06-06 14:35:15.871871829 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod	2013-06-06 14:35:25.849746390 +0100
-@@ -27,11 +27,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- A new session was negotiated.
- 
--=item 1
-+=item C<1>
- 
- A session was reused.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_set_fd.pod openssl-1.0.1e/doc/ssl/SSL_set_fd.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_set_fd.pod	2013-06-06 14:35:15.869871854 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod	2013-06-06 14:35:25.852746353 +0100
-@@ -35,11 +35,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation failed. Check the error stack to find out why.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_set_session.pod openssl-1.0.1e/doc/ssl/SSL_set_session.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_set_session.pod	2013-06-06 14:35:15.870871842 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod	2013-06-06 14:35:25.855746315 +0100
-@@ -37,11 +37,11 @@
- 
- =over 4
- 
--=item 0
-+=item C<0>
- 
- The operation failed; check the error stack to find out the reason.
- 
--=item 1
-+=item C<1>
- 
- The operation succeeded.
- 
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_shutdown.pod openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_shutdown.pod	2013-06-06 14:35:15.870871842 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod	2013-06-06 14:35:25.857746290 +0100
-@@ -92,12 +92,12 @@
- 
- =over 4
- 
--=item 1
-+=item C<1>
- 
- The shutdown was successfully completed. The "close notify" alert was sent
- and the peer's "close notify" alert was received.
- 
--=item 0
-+=item C<0>
- 
- The shutdown is not yet finished. Call SSL_shutdown() for a second time,
- if a bidirectional shutdown shall be performed.
-diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_write.pod openssl-1.0.1e/doc/ssl/SSL_write.pod
---- openssl-1.0.1e.orig/doc/ssl/SSL_write.pod	2013-06-06 14:35:15.870871842 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_write.pod	2013-06-06 14:35:25.865746189 +0100
-@@ -79,7 +79,7 @@
- The write operation was successful, the return value is the number of
- bytes actually written to the TLS/SSL connection.
- 
--=item 0
-+=item C<0>
- 
- The write operation was not successful. Probably the underlying connection
- was closed. Call SSL_get_error() with the return value B<ret> to find out,