From bb917d493cf2d502687ab7eafd733931cfd8cdd0 Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Apr 15 2009 14:36:54 +0000 Subject: - add support for multiple CRLs with same subject - load only dynamic engine support in FIPS mode
---
diff --git a/openssl-0.9.8j-evp-nonfips.patch b/openssl-0.9.8j-evp-nonfips.patch
deleted file mode 100644
index c25cf38..0000000
--- a/openssl-0.9.8j-evp-nonfips.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c
---- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200
-+++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100
-@@ -64,6 +64,11 @@
-
- void OpenSSL_add_all_digests(void)
- {
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init();
-+ if (!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_MD2
- EVP_add_digest(EVP_md2());
- #endif
-@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
- EVP_add_digest(EVP_sha384());
- EVP_add_digest(EVP_sha512());
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_SHA
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-+#ifndef OPENSSL_NO_DSA
-+ EVP_add_digest(EVP_dss1());
-+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-+#endif
-+#ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+#endif
-+#endif
-+#ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+#endif
-+ }
-+#endif
- }
-diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c
---- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200
-+++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100
-@@ -65,6 +65,11 @@
- void OpenSSL_add_all_ciphers(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init();
-+ if(!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cfb());
- EVP_add_cipher(EVP_des_cfb1());
-@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
- EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede_cfb());
-+ EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+ EVP_add_cipher(EVP_des_ede_ofb());
-+ EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+ EVP_add_cipher(EVP_des_ede_cbc());
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
-+
-+ EVP_add_cipher(EVP_des_ede());
-+ EVP_add_cipher(EVP_des_ede3());
-+#endif
-+
-+#ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_ecb());
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_128_cfb());
-+ EVP_add_cipher(EVP_aes_128_cfb1());
-+ EVP_add_cipher(EVP_aes_128_cfb8());
-+ EVP_add_cipher(EVP_aes_128_ofb());
-+#if 0
-+ EVP_add_cipher(EVP_aes_128_ctr());
-+#endif
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
-+ EVP_add_cipher(EVP_aes_192_ecb());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_192_cfb());
-+ EVP_add_cipher(EVP_aes_192_cfb1());
-+ EVP_add_cipher(EVP_aes_192_cfb8());
-+ EVP_add_cipher(EVP_aes_192_ofb());
-+#if 0
-+ EVP_add_cipher(EVP_aes_192_ctr());
-+#endif
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
-+ EVP_add_cipher(EVP_aes_256_ecb());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_256_cfb());
-+ EVP_add_cipher(EVP_aes_256_cfb1());
-+ EVP_add_cipher(EVP_aes_256_cfb8());
-+ EVP_add_cipher(EVP_aes_256_ofb());
-+#if 0
-+ EVP_add_cipher(EVP_aes_256_ctr());
-+#endif
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-+#endif
-+ }
-+#endif
-
- PKCS12_PBE_add();
- PKCS5_PBE_add();
diff --git a/openssl-0.9.8j-kernel-fipsmode.patch b/openssl-0.9.8j-kernel-fipsmode.patch
deleted file mode 100644
index fed04c3..0000000
--- a/openssl-0.9.8j-kernel-fipsmode.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c
---- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
-+++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100
-@@ -59,6 +59,45 @@
- #include
- #include
-
-+#ifdef OPENSSL_FIPS
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+ {
-+ char buf[2] = "0";
-+ int fd;
-+
-+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+ {
-+ buf[0] = '1';
-+ }
-+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
-+ {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-+ close(fd);
-+ }
-+ /* Failure reading the fips mode switch file means just not
-+ * switching into FIPS mode. We would break too many things
-+ * otherwise.
-+ */
-+
-+ if (buf[0] == '1')
-+ {
-+ FIPS_mode_set(1);
-+ }
-+ }
-+#endif
-+
- /* Perform any essential OpenSSL initialization operations.
- * Currently only sets FIPS callbacks
- */
-@@ -73,11 +112,10 @@ void OPENSSL_init(void)
- #ifdef CRYPTO_MDEBUG
- CRYPTO_malloc_debug_init();
- #endif
--#ifdef OPENSSL_ENGINE
-+ init_fips_mode();
- int_EVP_MD_init_engine_callbacks();
- int_EVP_CIPHER_init_engine_callbacks();
- int_RAND_init_engine_callbacks();
--#endif
- done = 1;
- }
- #endif
diff --git a/openssl-0.9.8k-kernel-fipsmode.patch b/openssl-0.9.8k-kernel-fipsmode.patch
new file mode 100644
index 0000000..4a4079e
--- /dev/null
+++ b/openssl-0.9.8k-kernel-fipsmode.patch
@@ -0,0 +1,230 @@
+diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/engine/eng_all.c
+--- openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode 2008-06-04 20:01:39.000000000 +0200
++++ openssl-0.9.8k/crypto/engine/eng_all.c 2009-04-15 14:31:32.000000000 +0200
+@@ -58,9 +58,23 @@
+
+ #include "cryptlib.h"
+ #include "eng_int.h"
++#ifdef OPENSSL_FIPS
++#include
++#endif
+
+ void ENGINE_load_builtin_engines(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init();
++ if (FIPS_mode()) {
++ /* We allow loading dynamic engine as a third party
++ engine might be FIPS validated.
++ User is disallowed to load non-validated engines
++ by security policy. */
++ ENGINE_load_dynamic();
++ return;
++ }
++#endif
+ /* There's no longer any need for an "openssl" ENGINE unless, one day,
+ * it is the *only* way for standard builtin implementations to be be
+ * accessed (ie. it would be possible to statically link binaries with
+diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c_allc.c
+--- openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode 2007-04-24 01:50:04.000000000 +0200
++++ openssl-0.9.8k/crypto/evp/c_allc.c 2009-03-26 15:53:42.000000000 +0100
+@@ -65,6 +65,11 @@
+ void OpenSSL_add_all_ciphers(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init();
++ if(!FIPS_mode())
++ {
++#endif
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
+ EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++ }
++ else
++ {
++#ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede_cfb());
++ EVP_add_cipher(EVP_des_ede3_cfb());
++
++ EVP_add_cipher(EVP_des_ede_ofb());
++ EVP_add_cipher(EVP_des_ede3_ofb());
++
++ EVP_add_cipher(EVP_des_ede_cbc());
++ EVP_add_cipher(EVP_des_ede3_cbc());
++ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
++ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
++
++ EVP_add_cipher(EVP_des_ede());
++ EVP_add_cipher(EVP_des_ede3());
++#endif
++
++#ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_ecb());
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_128_cfb());
++ EVP_add_cipher(EVP_aes_128_cfb1());
++ EVP_add_cipher(EVP_aes_128_cfb8());
++ EVP_add_cipher(EVP_aes_128_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_128_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
++ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
++ EVP_add_cipher(EVP_aes_192_ecb());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_192_cfb());
++ EVP_add_cipher(EVP_aes_192_cfb1());
++ EVP_add_cipher(EVP_aes_192_cfb8());
++ EVP_add_cipher(EVP_aes_192_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_192_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
++ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
++ EVP_add_cipher(EVP_aes_256_ecb());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_256_cfb());
++ EVP_add_cipher(EVP_aes_256_cfb1());
++ EVP_add_cipher(EVP_aes_256_cfb8());
++ EVP_add_cipher(EVP_aes_256_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_256_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
++ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
++#endif
++ }
++#endif
+
+ PKCS12_PBE_add();
+ PKCS5_PBE_add();
+diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c_alld.c
+--- openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode 2005-04-30 23:51:40.000000000 +0200
++++ openssl-0.9.8k/crypto/evp/c_alld.c 2009-03-26 15:53:42.000000000 +0100
+@@ -64,6 +64,11 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init();
++ if (!FIPS_mode())
++ {
++#endif
+ #ifndef OPENSSL_NO_MD2
+ EVP_add_digest(EVP_md2());
+ #endif
+@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+ #endif
++#ifdef OPENSSL_FIPS
++ }
++ else
++ {
++#ifndef OPENSSL_NO_SHA
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
++#ifndef OPENSSL_NO_DSA
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
++#endif
++#ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++#endif
++#endif
++#ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++#endif
++#ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++#endif
++ }
++#endif
+ }
+diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
+--- openssl-0.9.8k/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
++++ openssl-0.9.8k/crypto/o_init.c 2009-03-26 15:53:42.000000000 +0100
+@@ -59,6 +59,45 @@
+ #include
+ #include
+
++#ifdef OPENSSL_FIPS
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++ {
++ char buf[2] = "0";
++ int fd;
++
++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
++ {
++ buf[0] = '1';
++ }
++ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
++ {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
++ close(fd);
++ }
++ /* Failure reading the fips mode switch file means just not
++ * switching into FIPS mode. We would break too many things
++ * otherwise.
++ */
++
++ if (buf[0] == '1')
++ {
++ FIPS_mode_set(1);
++ }
++ }
++#endif
++
+ /* Perform any essential OpenSSL initialization operations.
+ * Currently only sets FIPS callbacks
+ */
+@@ -73,11 +112,10 @@ void OPENSSL_init(void)
+ #ifdef CRYPTO_MDEBUG
+ CRYPTO_malloc_debug_init();
+ #endif
+-#ifdef OPENSSL_ENGINE
++ init_fips_mode();
+ int_EVP_MD_init_engine_callbacks();
+ int_EVP_CIPHER_init_engine_callbacks();
+ int_RAND_init_engine_callbacks();
+-#endif
+ done = 1;
+ }
+ #endif
+diff -up openssl-0.9.8k/ssl/ssl_algs.c.fipsmode openssl-0.9.8k/ssl/ssl_algs.c
+--- openssl-0.9.8k/ssl/ssl_algs.c.fipsmode 2007-04-24 01:50:21.000000000 +0200
++++ openssl-0.9.8k/ssl/ssl_algs.c 2009-04-15 14:32:13.000000000 +0200
+@@ -64,6 +64,10 @@
+ int SSL_library_init(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init();
++#endif
++
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
diff --git a/openssl-0.9.8k-multi-crl.patch b/openssl-0.9.8k-multi-crl.patch
new file mode 100644
index 0000000..c2c59fb
--- /dev/null
+++ b/openssl-0.9.8k-multi-crl.patch
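Review bot: In `init_fips_mode()` (the o_init.c section of this patch) the result of `FIPS_mode_set(1)` is discarded, so when the kernel flag or `OPENSSL_FORCE_FIPS_MODE` requests FIPS mode and the switch fails, the process carries on in non-FIPS mode with no indication. The comment in the function explains that an unreadable switch file is deliberately treated as "not FIPS", but a failed switch after an explicit request is a different case and deserves its own handling, for example `if (buf[0] == '1' && !FIPS_mode_set(1)) { /* report the error and abort, or at least log it */ }`. Separately, `getenv("OPENSSL_FORCE_FIPS_MODE") != NULL` enables FIPS mode for any value, including `0` or an empty string; a one-line comment saying that only presence is tested would prevent surprises.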
@@ -0,0 +1,90 @@
+diff -up openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8k/crypto/x509/x509_lu.c
+--- openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl 2005-05-11 05:45:35.000000000 +0200
++++ openssl-0.9.8k/crypto/x509/x509_lu.c 2009-03-26 15:47:45.000000000 +0100
+@@ -453,19 +453,41 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
+ return sk_X509_OBJECT_value(h, idx);
+ }
+
++static int x509_crl_match(const X509_CRL *a, const X509_CRL *b)
++{
++ if (a->signature == NULL || b->signature == NULL)
++ return a->signature != b->signature;
++
++ if (a->signature->length != b->signature->length)
++ return 0;
++
++ return memcmp(a->signature->data, b->signature->data, a->signature->length);
++}
++
+ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
+ {
+ int idx, i;
+ X509_OBJECT *obj;
+ idx = sk_X509_OBJECT_find(h, x);
+ if (idx == -1) return NULL;
+- if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
++ if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
++ return sk_X509_OBJECT_value(h, idx);
+ for (i = idx; i < sk_X509_OBJECT_num(h); i++)
+ {
+ obj = sk_X509_OBJECT_value(h, i);
+ if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
+ return NULL;
+- if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
++ if (x->type == X509_LU_X509)
++ {
++ if (!X509_cmp(obj->data.x509, x->data.x509))
++ return obj;
++ }
++ else if (x->type == X509_LU_CRL)
++ {
++ if (!x509_crl_match(obj->data.crl, x->data.crl))
++ return obj;
++ }
++ else
+ return obj;
+ }
+ return NULL;
+diff -up openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl openssl-0.9.8k/crypto/x509/x509_vfy.c
+--- openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl 2008-07-13 16:33:15.000000000 +0200
++++ openssl-0.9.8k/crypto/x509/x509_vfy.c 2009-03-26 15:47:45.000000000 +0100
+@@ -725,7 +725,38 @@ static int get_crl(X509_STORE_CTX *ctx,
+ return 0;
+ }
+
+- *pcrl = xobj.data.crl;
++ /* If CRL times not valid look through store */
++ if (!check_crl_time(ctx, xobj.data.crl, 0))
++ {
++ int idx, i;
++ X509_OBJECT *pobj;
++ X509_OBJECT_free_contents(&xobj);
++ idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
++ X509_LU_CRL, nm);
++ if (idx == -1)
++ return 0;
++ *pcrl = NULL;
++ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
++ {
++ pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
++ /* Check to see if it is a CRL and issuer matches */
++ if (pobj->type != X509_LU_CRL)
++ break;
++ if (X509_NAME_cmp(nm,
++ X509_CRL_get_issuer(pobj->data.crl)))
++ break;
++ /* Set *pcrl because the CRL will either be valid or
++ * a "best fit" CRL.
++ */
++ *pcrl = pobj->data.crl;
++ if (check_crl_time(ctx, *pcrl, 0))
++ break;
++ }
++ if (*pcrl)
++ CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
++ }
++ else
++ *pcrl = xobj.data.crl;
+ if (crl)
+ X509_CRL_free(crl);
+ return 1;
diff --git a/openssl.spec b/openssl.spec
index 107081d..da54199 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 0.9.8k -Release: 1%{?dist} +Release: 2%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-usa.tar.bz2
@@ -57,14 +57,14 @@ Patch39: openssl-0.9.8g-ipv6-apps.patch Patch40: openssl-0.9.8j-nocanister.patch Patch41: openssl-0.9.8k-use-fipscheck.patch Patch42: openssl-0.9.8k-fipscheck-hmac.patch -Patch43: openssl-0.9.8j-evp-nonfips.patch -Patch44: openssl-0.9.8j-kernel-fipsmode.patch +Patch44: openssl-0.9.8k-kernel-fipsmode.patch Patch45: openssl-0.9.8j-env-nozlib.patch Patch46: openssl-0.9.8j-eap-fast.patch Patch47: openssl-0.9.8j-readme-warning.patch Patch48: openssl-0.9.8j-bad-mime.patch Patch49: openssl-0.9.8j-fips-no-pairwise.patch Patch50: openssl-0.9.8j-fips-rng-seed.patch +Patch51: openssl-0.9.8k-multi-crl.patch # Backported fixes including security fixes License: OpenSSL
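Review bot: `x509_crl_match()` in the x509_lu.c section returns 0 when the two signature lengths differ, yet its only visible caller treats 0 as a match (`if (!x509_crl_match(obj->data.crl, x->data.crl)) return obj;`), the same convention as the `memcmp()` result on its last line. Two CRLs from the same issuer whose signatures differ in length would therefore be reported as the same object by `X509_OBJECT_retrieve_match()`; if that function is used for duplicate detection when objects are added to the store (not visible in this patch), a distinct and possibly newer CRL could be rejected as already present. The length branch should return non-zero: `if (a->signature->length != b->signature->length) return 1;`.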
@@ -142,7 +142,6 @@ from other formats to the formats used by the OpenSSL toolkit. %patch40 -p1 -b .nocanister %patch41 -p1 -b .use-fipscheck %patch42 -p1 -b .fipscheck-hmac -%patch43 -p1 -b .evp-nonfips %patch44 -p1 -b .fipsmode %patch45 -p1 -b .env-nozlib %patch46 -p1 -b .eap-fast
@@ -150,6 +149,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch48 -p1 -b .bad-mime %patch49 -p1 -b .no-pairwise %patch50 -p1 -b .rng-seed +%patch51 -p1 -b .multi-crl # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}`
@@ -408,6 +408,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Wed Apr 15 2009 Tomas Mraz 0.9.8k-2 +- add support for multiple CRLs with same subject +- load only dynamic engine support in FIPS mode + * Thu Mar 25 2009 Tomas Mraz 0.9.8k-1 - update to new upstream release (minor bug fixes, security fixes and machine code optimizations only)