diff --git a/SOURCES/openssl-1.0.1e-keymat-algo.patch b/SOURCES/openssl-1.0.1e-keymat-algo.patch
new file mode 100644
index 0000000..5f5cab0
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-keymat-algo.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/ssl/t1_enc.c.keymat-algo openssl-1.0.1e/ssl/t1_enc.c
+--- openssl-1.0.1e/ssl/t1_enc.c.keymat-algo	2016-04-07 13:54:03.000000000 +0200
++++ openssl-1.0.1e/ssl/t1_enc.c	2016-04-07 14:45:25.216561938 +0200
+@@ -1205,7 +1205,7 @@ int tls1_export_keying_material(SSL *s,
+ 	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
+ 		 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
+ 
+-	rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
++	rv = tls1_PRF(ssl_get_algorithm2(s),
+ 		      val, vallen,
+ 		      NULL, 0,
+ 		      NULL, 0,
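Review bot: The reason for switching the PRF selector in `tls1_export_keying_material` is not recorded next to the call, so a later cleanup could easily reintroduce the direct `algorithm2` read. A short comment above the changed line would help, for example `/* use ssl_get_algorithm2() so TLS 1.2 exporters use the negotiated PRF digest */`. Keying material derived with a different digest than the peer's will not match, which matters for the SCTP-AUTH keys that presumably come from this exporter via `SSL_export_keying_material` elsewhere in this update. The function starts and ends outside the hunk, so whether other `tls1_PRF` callers in `t1_enc.c` already use the helper cannot be confirmed from here.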
diff --git a/SOURCES/openssl-1.0.1e-krb5keytab.patch b/SOURCES/openssl-1.0.1e-krb5keytab.patch
new file mode 100644
index 0000000..45d3dd8
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-krb5keytab.patch
@@ -0,0 +1,179 @@
+diff -up openssl-1.0.1e/apps/s_client.c.krb5keytab openssl-1.0.1e/apps/s_client.c
+--- openssl-1.0.1e/apps/s_client.c.krb5keytab	2015-03-03 14:41:41.248686764 +0100
++++ openssl-1.0.1e/apps/s_client.c	2015-03-03 15:43:38.285048063 +0100
+@@ -169,6 +169,10 @@ typedef unsigned int u_int;
+ #include "s_apps.h"
+ #include "timeouts.h"
+ 
++#ifndef OPENSSL_NO_KRB5
++static char *krb5svc=NULL;
++#endif
++
+ #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
+ /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+ #undef FIONBIO
+@@ -348,6 +352,9 @@ static void sc_usage(void)
+ 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
+ 	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+ 	BIO_printf(bio_err,"                 are supported.\n");
++#ifndef OPENSSL_NO_KRB5
++	BIO_printf(bio_err," -krb5svc arg  - Kerberos service name\n");
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
+ #endif
+@@ -906,6 +913,13 @@ int MAIN(int argc, char **argv)
+ 		else if (strcmp(*argv,"-nbio") == 0)
+ 			{ c_nbio=1; }
+ #endif
++#ifndef OPENSSL_NO_KRB5
++		else if	(strcmp(*argv,"-krb5svc") == 0)
++			{
++			if (--argc < 1) goto bad;
++			krb5svc= *(++argv);
++			}
++#endif
+ 		else if	(strcmp(*argv,"-starttls") == 0)
+ 			{
+ 			if (--argc < 1) goto bad;
+@@ -1266,6 +1280,8 @@ bad:
+                 {
+ 		SSL_set0_kssl_ctx(con, kctx);
+                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
++		if (krb5svc != NULL)
++			kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
+ 		}
+ #endif	/* OPENSSL_NO_KRB5  */
+ /*	SSL_set_cipher_list(con,"RC4-MD5"); */
+diff -up openssl-1.0.1e/apps/s_server.c.krb5keytab openssl-1.0.1e/apps/s_server.c
+--- openssl-1.0.1e/apps/s_server.c.krb5keytab	2015-03-03 14:41:41.198686492 +0100
++++ openssl-1.0.1e/apps/s_server.c	2015-03-03 16:14:14.827107550 +0100
+@@ -201,6 +201,11 @@ typedef unsigned int u_int;
+ #include <fcntl.h>
+ #endif
+ 
++#ifndef OPENSSL_NO_KRB5
++static char *krb5svc=NULL;
++static char *keytab=NULL;
++#endif
++
+ #ifndef OPENSSL_NO_RSA
+ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
+ #endif
+@@ -507,6 +512,10 @@ static void sv_usage(void)
+ 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
+ 	BIO_printf(bio_err," -quiet        - No server output\n");
+ 	BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n");
++#ifndef OPENSSL_NO_KRB5
++	BIO_printf(bio_err," -krb5svc arg  - Kerberos service name\n");
++	BIO_printf(bio_err," -keytab arg   - Kerberos keytab filename\n");
++#endif
+ #ifndef OPENSSL_NO_PSK
+ 	BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
+ 	BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
+@@ -1121,6 +1130,18 @@ int MAIN(int argc, char *argv[])
+ 			if (--argc < 1) goto bad;
+ 			cipher= *(++argv);
+ 			}
++#ifndef OPENSSL_NO_KRB5
++		else if	(strcmp(*argv,"-krb5svc") == 0)
++			{
++			if (--argc < 1) goto bad;
++			krb5svc= *(++argv);
++			}
++		else if	(strcmp(*argv,"-keytab") == 0)
++			{
++			if (--argc < 1) goto bad;
++			keytab= *(++argv);
++			}
++#endif
+ 		else if	(strcmp(*argv,"-CAfile") == 0)
+ 			{
+ 			if (--argc < 1) goto bad;
+@@ -2019,8 +2040,10 @@ static int sv_body(char *hostname, int s
+ 		if ((kctx = kssl_ctx_new()) != NULL)
+                         {
+ 			SSL_set0_kssl_ctx(con, kctx);
+-                        kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+-                        kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
++			kssl_ctx_setstring(kctx, KSSL_SERVICE, 
++					krb5svc == NULL ? KRB5SVC : krb5svc);
++			if (keytab != NULL)
++				kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
+                         }
+ #endif	/* OPENSSL_NO_KRB5 */
+ 		if(context)
+@@ -2613,8 +2636,11 @@ static int www_body(char *hostname, int
+ #ifndef OPENSSL_NO_KRB5
+ 	if ((kctx = kssl_ctx_new()) != NULL)
+ 		{
+-		kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+-		kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
++		SSL_set0_kssl_ctx(con, kctx);
++		kssl_ctx_setstring(kctx, KSSL_SERVICE,
++				krb5svc == NULL ? KRB5SVC : krb5svc);
++		if (keytab != NULL)
++			kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
+ 		}
+ #endif	/* OPENSSL_NO_KRB5 */
+ 	if(context) SSL_set_session_id_context(con, context,
+diff -up openssl-1.0.1e/doc/apps/s_client.pod.krb5keytab openssl-1.0.1e/doc/apps/s_client.pod
+--- openssl-1.0.1e/doc/apps/s_client.pod.krb5keytab	2015-03-03 14:41:41.249686770 +0100
++++ openssl-1.0.1e/doc/apps/s_client.pod	2015-03-03 16:28:08.374701114 +0100
+@@ -18,6 +18,8 @@ B<openssl> B<s_client>
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
+ [B<-trusted_first>]
++[B<-krb5svc service>]
++[B<-keytab filename>]
+ [B<-reconnect>]
+ [B<-pause>]
+ [B<-showcerts>]
+@@ -115,6 +117,17 @@ and to use when attempting to build the
+ Set various certificate chain valiadition option. See the
+ L<B<verify>|verify(1)> manual page for details.
+ 
++=item B<-krb5svc service>
++
++the Kerberos service name to use (default "host"). This means s_server
++will expect a ticket for the principal I<service>/hostname@REALM, and will
++need keys for that principal in its keytab.
++
++=item B<-keytab filename>
++
++the Kerberos "keytab" (key table) file, containing keys for the s_server
++service principal (Kerberos identity; see -krb5svc).
++
+ =item B<-reconnect>
+ 
+ reconnects to the same server 5 times using the same session ID, this can
+diff -up openssl-1.0.1e/doc/apps/s_server.pod.krb5keytab openssl-1.0.1e/doc/apps/s_server.pod
+--- openssl-1.0.1e/doc/apps/s_server.pod.krb5keytab	2015-03-03 14:41:41.200686503 +0100
++++ openssl-1.0.1e/doc/apps/s_server.pod	2015-03-03 16:29:35.631184313 +0100
+@@ -34,6 +34,8 @@ B<openssl> B<s_server>
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
+ [B<-trusted_first>]
++[B<-krb5svc service>]
++[B<-keytab filename>]
+ [B<-nocert>]
+ [B<-cipher cipherlist>]
+ [B<-quiet>]
+@@ -181,6 +183,17 @@ Use certificates in CA file or CA direct
+ when building the trust chain to verify client certificates.
+ This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+ 
++=item B<-krb5svc service>
++
++the Kerberos service name to use (default "host"). This means s_server
++will expect a ticket for the principal I<service>/hostname@REALM, and will
++need keys for that principal in its keytab.
++
++=item B<-keytab filename>
++
++the Kerberos "keytab" (key table) file, containing keys for the s_server
++service principal (Kerberos identity; see -krb5svc).
++
+ =item B<-state>
+ 
+ prints out the SSL session states.
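Review bot: `s_client.pod` now advertises `[B<-keytab filename>]` and an `=item B<-keytab filename>` entry, but the `s_client.c` hunks only parse `-krb5svc`. No `-keytab` handling is added for the client, and the client `-krb5svc` text is copied from the server page ("s_server will expect a ticket"). Drop the `-keytab` lines from `s_client.pod` and reword the client entry to say which service principal the client requests a ticket for. In `sv_body` and `www_body`, `KSSL_KEYTAB` is no longer set to `KRB5KEYTAB` when `-keytab` is absent, so the default keytab now presumably depends on the Kerberos library's own lookup; `s_server.pod` should state that default and note that the file holds long-term service keys and should be readable only by the server account. The return value of `kssl_ctx_setstring` is ignored in all three places, so a bad service name or keytab path would surface later rather than at option handling.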
diff --git a/SOURCES/openssl-1.0.1e-pkcs12-memleak.patch b/SOURCES/openssl-1.0.1e-pkcs12-memleak.patch
new file mode 100644
index 0000000..261b16e
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-pkcs12-memleak.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/crypto/pkcs12/p12_kiss.c.memleak openssl-1.0.1e/crypto/pkcs12/p12_kiss.c
+--- openssl-1.0.1e/crypto/pkcs12/p12_kiss.c.memleak	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/pkcs12/p12_kiss.c	2016-01-14 17:45:56.346941782 +0100
+@@ -269,7 +269,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag
+ 			int len, r;
+ 			unsigned char *data;
+ 			len = ASN1_STRING_to_UTF8(&data, fname);
+-			if(len > 0) {
++			if(len >= 0) {
+ 				r = X509_alias_set1(x509, data, len);
+ 				OPENSSL_free(data);
+ 				if (!r)
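Review bot: With `len >= 0`, an empty friendlyName now reaches `X509_alias_set1(x509, data, 0)`, so the certificate presumably ends up with an empty alias where it previously had none; that side effect of the leak fix deserves a comment. Something like `/* len == 0 still allocates data; take this branch so it is freed */` above the condition would record why zero is accepted. A negative `len` skips the branch, which is only safe if `ASN1_STRING_to_UTF8` leaves `data` unallocated on error; that is not visible here. `parse_bag` starts and ends outside the hunk.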
diff --git a/SOURCES/openssl-1.0.1e-sctp-updates.patch b/SOURCES/openssl-1.0.1e-sctp-updates.patch
new file mode 100644
index 0000000..b152189
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-sctp-updates.patch
@@ -0,0 +1,313 @@
+diff -up openssl-1.0.1e/crypto/bio/bio.h.sctp openssl-1.0.1e/crypto/bio/bio.h
+--- openssl-1.0.1e/crypto/bio/bio.h.sctp	2016-04-07 13:54:03.296270801 +0200
++++ openssl-1.0.1e/crypto/bio/bio.h	2016-04-07 14:02:53.436214294 +0200
+@@ -175,6 +175,8 @@ extern "C" {
+ #define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT   45 /* Next DTLS handshake timeout to
+                                               * adjust socket timeouts */
+ 
++#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD   49
++
+ #ifndef OPENSSL_NO_SCTP
+ /* SCTP stuff */
+ #define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE	50
+@@ -607,6 +609,8 @@ int BIO_ctrl_reset_read_request(BIO *b);
+          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
+ #define BIO_dgram_set_peer(b,peer) \
+          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
++#define BIO_dgram_get_mtu_overhead(b) \
++         (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL)
+ 
+ /* These two aren't currently implemented */
+ /* int BIO_get_ex_num(BIO *bio); */
+diff -up openssl-1.0.1e/crypto/bio/bss_dgram.c.sctp openssl-1.0.1e/crypto/bio/bss_dgram.c
+--- openssl-1.0.1e/crypto/bio/bss_dgram.c.sctp	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/bio/bss_dgram.c	2016-04-07 14:02:53.437214317 +0200
+@@ -454,6 +454,36 @@ static int dgram_write(BIO *b, const cha
+ 	return(ret);
+ 	}
+ 
++static long dgram_get_mtu_overhead(bio_dgram_data *data)
++	{
++	long ret;
++
++	switch (data->peer.sa.sa_family)
++		{
++		case AF_INET:
++			/* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
++			ret = 28;
++			break;
++#if OPENSSL_USE_IPV6
++		case AF_INET6:
++#ifdef IN6_IS_ADDR_V4MAPPED
++			if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
++				/* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
++				ret = 28;
++			else
++#endif
++				/* Assume this is UDP - 40 bytes for IP, 8 bytes for UDP */
++				ret = 48;
++			break;
++#endif
++		default:
++			/* We don't know. Go with the historical default */
++			ret = 28;
++			break;
++		}
++	return ret;
++	}
++
+ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
+ 	{
+ 	long ret=1;
+@@ -630,23 +660,24 @@ static long dgram_ctrl(BIO *b, int cmd,
+ #endif
+ 		break;
+ 	case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
++		ret = -dgram_get_mtu_overhead(data);
+ 		switch (data->peer.sa.sa_family)
+ 			{
+ 			case AF_INET:
+-				ret = 576 - 20 - 8;
++				ret += 576;
+ 				break;
+ #if OPENSSL_USE_IPV6
+ 			case AF_INET6:
+ #ifdef IN6_IS_ADDR_V4MAPPED
+ 				if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
+-					ret = 576 - 20 - 8;
++					ret += 576;
+ 				else
+ #endif
+-					ret = 1280 - 40 - 8;
++					ret += 1280;
+ 				break;
+ #endif
+ 			default:
+-				ret = 576 - 20 - 8;
++				ret += 576;
+ 				break;
+ 			}
+ 		break;
+@@ -847,6 +878,9 @@ static long dgram_ctrl(BIO *b, int cmd,
+ 			ret = 0;
+ 		break;
+ #endif
++	case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
++		ret = dgram_get_mtu_overhead(data);
++		break;
+ 	default:
+ 		ret=0;
+ 		break;
+@@ -906,8 +940,8 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
+ 	memset(authchunks, 0, sizeof(sockopt_len));
+ 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
+ 	OPENSSL_assert(ret >= 0);
+-	
+-	for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
++
++	for (p = (unsigned char*) authchunks->gauth_chunks;
+ 	     p < (unsigned char*) authchunks + sockopt_len;
+ 	     p += sizeof(uint8_t))
+ 		{
+@@ -1197,7 +1231,7 @@ static int dgram_sctp_read(BIO *b, char
+ 			ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
+ 			OPENSSL_assert(ii >= 0);
+ 
+-			for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
++			for (p = (unsigned char*) authchunks->gauth_chunks;
+ 				 p < (unsigned char*) authchunks + optlen;
+ 				 p += sizeof(uint8_t))
+ 				{
+@@ -1367,6 +1401,10 @@ static long dgram_sctp_ctrl(BIO *b, int
+ 		 * Returns always 1.
+ 		 */
+ 		break;
++	case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
++		/* We allow transport protocol fragmentation so this is irrelevant */
++		ret = 0;
++		break;
+ 	case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
+ 		if (num > 0)
+ 			data->in_handshake = 1;
+@@ -1399,6 +1437,7 @@ static long dgram_sctp_ctrl(BIO *b, int
+ 		memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t));
+ 
+ 		ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_KEY, authkey, sockopt_len);
++		OPENSSL_free(authkey);
+ 		if (ret < 0) break;
+ 
+ 		/* Reset active key */
+diff -up openssl-1.0.1e/ssl/d1_both.c.sctp openssl-1.0.1e/ssl/d1_both.c
+--- openssl-1.0.1e/ssl/d1_both.c.sctp	2016-04-07 14:09:35.193261496 +0200
++++ openssl-1.0.1e/ssl/d1_both.c	2016-04-07 14:11:18.838592357 +0200
+@@ -1458,14 +1458,17 @@ int dtls1_shutdown(SSL *s)
+ 	{
+ 	int ret;
+ #ifndef OPENSSL_NO_SCTP
+-	if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
++	BIO *wbio;
++
++	wbio = SSL_get_wbio(s);
++	if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
+ 	    !(s->shutdown & SSL_SENT_SHUTDOWN))
+ 		{
+-		ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
++		ret = BIO_dgram_sctp_wait_for_dry(wbio);
+ 		if (ret < 0) return -1;
+ 
+ 		if (ret == 0)
+-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL);
++			BIO_ctrl(wbio, BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL);
+ 		}
+ #endif
+ 	ret = ssl3_shutdown(s);
+diff -up openssl-1.0.1e/ssl/d1_clnt.c.sctp openssl-1.0.1e/ssl/d1_clnt.c
+--- openssl-1.0.1e/ssl/d1_clnt.c.sctp	2016-04-07 13:54:03.505275509 +0200
++++ openssl-1.0.1e/ssl/d1_clnt.c	2016-04-07 14:06:48.581511870 +0200
+@@ -338,9 +338,13 @@ int dtls1_connect(SSL *s)
+ 					snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
+ 					         DTLS1_SCTP_AUTH_LABEL);
+ 
+-					SSL_export_keying_material(s, sctpauthkey,
++					if (SSL_export_keying_material(s, sctpauthkey,
+ 					                           sizeof(sctpauthkey), labelbuffer,
+-					                           sizeof(labelbuffer), NULL, 0, 0);
++					                           sizeof(labelbuffer), NULL, 0, 0) <= 0)
++						{
++						ret = -1;
++						goto end;
++						}
+ 
+ 					BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
+ 							 sizeof(sctpauthkey), sctpauthkey);
+@@ -479,9 +483,13 @@ int dtls1_connect(SSL *s)
+ 			snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
+ 			         DTLS1_SCTP_AUTH_LABEL);
+ 
+-			SSL_export_keying_material(s, sctpauthkey,
++			if (SSL_export_keying_material(s, sctpauthkey,
+ 			                           sizeof(sctpauthkey), labelbuffer,
+-			                           sizeof(labelbuffer), NULL, 0, 0);
++			                           sizeof(labelbuffer), NULL, 0, 0) <= 0)
++				{
++				ret = -1;
++				goto end;
++				}
+ 
+ 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
+ 					 sizeof(sctpauthkey), sctpauthkey);
+@@ -538,13 +546,6 @@ int dtls1_connect(SSL *s)
+ 				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
+ 			if (ret <= 0) goto end;
+ 
+-#ifndef OPENSSL_NO_SCTP
+-			/* Change to new shared key of SCTP-Auth,
+-			 * will be ignored if no SCTP used.
+-			 */
+-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+-#endif
+-
+ 			s->state=SSL3_ST_CW_FINISHED_A;
+ 			s->init_num=0;
+ 
+@@ -571,6 +572,16 @@ int dtls1_connect(SSL *s)
+ 				goto end;
+ 				}
+ 			
++#ifndef OPENSSL_NO_SCTP
++				if (s->hit)
++					{
++					/* Change to new shared key of SCTP-Auth,
++					 * will be ignored if no SCTP used.
++					 */
++					BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
++					}
++#endif
++
+ 			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
+ 			break;
+ 
+@@ -613,6 +624,13 @@ int dtls1_connect(SSL *s)
+ 				}
+ 			else
+ 				{
++#ifndef OPENSSL_NO_SCTP
++				/* Change to new shared key of SCTP-Auth,
++				 * will be ignored if no SCTP used.
++				 */
++				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
++#endif
++
+ #ifndef OPENSSL_NO_TLSEXT
+ 				/* Allow NewSessionTicket if ticket expected */
+ 				if (s->tlsext_ticket_expected)
+diff -up openssl-1.0.1e/ssl/d1_srvr.c.sctp openssl-1.0.1e/ssl/d1_srvr.c
+--- openssl-1.0.1e/ssl/d1_srvr.c.sctp	2016-04-07 13:54:03.529276050 +0200
++++ openssl-1.0.1e/ssl/d1_srvr.c	2016-04-07 14:08:56.110382568 +0200
+@@ -395,9 +395,13 @@ int dtls1_accept(SSL *s)
+ 				snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
+ 				         DTLS1_SCTP_AUTH_LABEL);
+ 
+-				SSL_export_keying_material(s, sctpauthkey,
++				if (SSL_export_keying_material(s, sctpauthkey,
+ 				                           sizeof(sctpauthkey), labelbuffer,
+-				                           sizeof(labelbuffer), NULL, 0, 0);
++				                           sizeof(labelbuffer), NULL, 0, 0) <= 0)
++					{
++					ret = -1;
++					goto end;
++					}
+ 				
+ 				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
+                          sizeof(sctpauthkey), sctpauthkey);
+@@ -609,9 +613,13 @@ int dtls1_accept(SSL *s)
+ 			snprintf((char *) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
+ 			         DTLS1_SCTP_AUTH_LABEL);
+ 
+-			SSL_export_keying_material(s, sctpauthkey,
++			if (SSL_export_keying_material(s, sctpauthkey,
+ 			                           sizeof(sctpauthkey), labelbuffer,
+-			                           sizeof(labelbuffer), NULL, 0, 0);
++			                           sizeof(labelbuffer), NULL, 0, 0) <= 0)
++				{
++				ret = -1;
++				goto end;
++				}
+ 
+ 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
+ 			         sizeof(sctpauthkey), sctpauthkey);
+@@ -713,10 +721,13 @@ int dtls1_accept(SSL *s)
+ 			if (ret <= 0) goto end;
+ 
+ #ifndef OPENSSL_NO_SCTP
+-			/* Change to new shared key of SCTP-Auth,
+-			 * will be ignored if no SCTP used.
+-			 */
+-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
++			if (!s->hit)
++				{
++				/* Change to new shared key of SCTP-Auth,
++				 * will be ignored if no SCTP used.
++				 */
++				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
++				}
+ #endif
+ 
+ 			s->state=SSL3_ST_SW_FINISHED_A;
+@@ -741,7 +752,16 @@ int dtls1_accept(SSL *s)
+ 			if (ret <= 0) goto end;
+ 			s->state=SSL3_ST_SW_FLUSH;
+ 			if (s->hit)
++				{
+ 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
++
++#ifndef OPENSSL_NO_SCTP
++				/* Change to new shared key of SCTP-Auth,
++				 * will be ignored if no SCTP used.
++				 */
++				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
++#endif
++				}
+ 			else
+ 				{
+ 				s->s3->tmp.next_state=SSL_ST_OK;
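Review bot: In `dgram_sctp_ctrl`, the added `OPENSSL_free(authkey);` releases a buffer that still holds the copy of the 64-byte SCTP-AUTH key made by the `memcpy` just above it; wipe it first with `OPENSSL_cleanse(authkey, sockopt_len);`, assuming `sockopt_len` is the allocation size as its use in the `setsockopt` call suggests. The same applies to the `sctpauthkey` stack buffers in `dtls1_connect` and `dtls1_accept`, which are not cleansed on the new `goto end` path or after `BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY` in the lines shown. The result of that `BIO_ctrl` call is still ignored in all four places, so the handshake appears to continue even if the kernel rejected the key. In `BIO_new_dgram_sctp` the context line `memset(authchunks, 0, sizeof(sockopt_len));` clears only the size of the length variable; `memset(authchunks, 0, sockopt_len);` looks like what was meant. All of these functions start and end outside their hunks.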
diff --git a/SOURCES/openssl-1.0.1e-speed-doc.patch b/SOURCES/openssl-1.0.1e-speed-doc.patch
new file mode 100644
index 0000000..60527c8
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-speed-doc.patch
@@ -0,0 +1,57 @@
+diff -up openssl-1.0.1e/apps/speed.c.speed-doc openssl-1.0.1e/apps/speed.c
+--- openssl-1.0.1e/apps/speed.c.speed-doc	2016-01-15 14:21:57.447624338 +0100
++++ openssl-1.0.1e/apps/speed.c	2016-01-15 14:22:37.044532716 +0100
+@@ -628,10 +628,6 @@ int MAIN(int argc, char **argv)
+ 	int multi=0;
+ #endif
+ 
+-#ifndef TIMES
+-	usertime=-1;
+-#endif
+-
+ 	apps_startup();
+ 	memset(results, 0, sizeof(results));
+ #ifndef OPENSSL_NO_DSA
+@@ -1112,9 +1108,7 @@ int MAIN(int argc, char **argv)
+ 
+ 			BIO_printf(bio_err,"\n");
+ 			BIO_printf(bio_err,"Available options:\n");
+-#if defined(TIMES) || defined(USE_TOD)
+ 			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
+-#endif
+ #ifndef OPENSSL_NO_ENGINE
+ 			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
+ #endif
+diff -up openssl-1.0.1e/doc/apps/speed.pod.speed-doc openssl-1.0.1e/doc/apps/speed.pod
+--- openssl-1.0.1e/doc/apps/speed.pod.speed-doc	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/doc/apps/speed.pod	2016-01-15 14:21:57.448624361 +0100
+@@ -8,6 +8,9 @@ speed - test library performance
+ 
+ B<openssl speed>
+ [B<-engine id>]
++[B<-elapsed>]
++[B<-evp algo>]
++[B<-decrypt>]
+ [B<md2>]
+ [B<mdc2>]
+ [B<md5>]
+@@ -49,6 +52,19 @@ to attempt to obtain a functional refere
+ thus initialising it if needed. The engine will then be set as the default
+ for all available algorithms.
+ 
++=item B<-elapsed>
++
++Measure time in real time instead of CPU time. It can be useful when testing
++speed of hardware engines.
++
++=item B<-evp algo>
++
++Use the specified cipher or message digest algorithm via the EVP interface.
++
++=item B<-decrypt>
++
++Time the decryption instead of encryption. Affects only the EVP testing.
++
+ =item B<[zero or more test algorithms]>
+ 
+ If any options are given, B<speed> tests those algorithms, otherwise all of
diff --git a/SOURCES/openssl-1.0.1e-timestamp.patch b/SOURCES/openssl-1.0.1e-timestamp.patch
new file mode 100644
index 0000000..d944666
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-timestamp.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/crypto/ts/ts_rsp_sign.c.timestamp openssl-1.0.1e/crypto/ts/ts_rsp_sign.c
+--- openssl-1.0.1e/crypto/ts/ts_rsp_sign.c.timestamp	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/ts/ts_rsp_sign.c	2016-01-14 17:35:44.495973697 +0100
+@@ -977,7 +977,7 @@ TS_RESP_set_genTime_with_precision(ASN1_
+ 	if (precision > 0)
+ 	{
+ 		/* Add fraction of seconds (leave space for dot and null). */
+-		BIO_snprintf(p, 2 + precision, ".%ld", usec);
++		BIO_snprintf(p, 2 + precision, ".%06ld", usec);
+ 		/* We cannot use the snprintf return value, 
+ 		   because it might have been truncated. */
+ 		p += strlen(p);
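Review bot: The zero padding in `".%06ld"` is what makes truncation to `precision` digits keep the most significant digits of the microsecond value, but nothing next to the call says so. Extend the existing comment, e.g. `/* Zero-pad to 6 digits so that truncating to 'precision' keeps the leading digits of usec. */`. The format assumes `usec` is a non-negative `long` below 1000000 and that `precision` is at most 6; neither bound is visible here, and an explicit range check before the call would guard against a malformed genTime. The function starts and ends outside the hunk.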
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 9fc07d6..297ecc1 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 51%{?dist}.7
+Release: 60%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -61,6 +61,7 @@ Patch36: openssl-1.0.0e-doc-noeof.patch
 Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
 Patch39: openssl-1.0.1c-ipv6-apps.patch
 Patch40: openssl-1.0.1e-fips.patch
+Patch43: openssl-1.0.1e-krb5keytab.patch
 Patch45: openssl-1.0.1e-env-zlib.patch
 Patch47: openssl-1.0.0-beta5-readme-warning.patch
 Patch49: openssl-1.0.1a-algo-doc.patch
@@ -144,12 +145,17 @@ Patch135: openssl-1.0.1e-cve-2015-3194.patch
 Patch136: openssl-1.0.1e-cve-2015-3195.patch
 Patch137: openssl-1.0.1e-cve-2015-3196.patch
 Patch138: openssl-1.0.1e-cve-2015-7575.patch
+Patch139: openssl-1.0.1e-timestamp.patch
+Patch140: openssl-1.0.1e-pkcs12-memleak.patch
+Patch141: openssl-1.0.1e-speed-doc.patch
 Patch142: openssl-1.0.1e-cve-2015-3197.patch
 Patch143: openssl-1.0.1e-disable-sslv2.patch
 Patch144: openssl-1.0.1e-cve-2016-0702.patch
 Patch145: openssl-1.0.1e-cve-2016-0705.patch
 Patch146: openssl-1.0.1e-cve-2016-0797.patch
 Patch147: openssl-1.0.1e-cve-2016-0799.patch
+Patch148: openssl-1.0.1e-sctp-updates.patch
+Patch149: openssl-1.0.1e-keymat-algo.patch
 Patch150: openssl-1.0.1e-cve-2016-2105.patch
 Patch151: openssl-1.0.1e-cve-2016-2106.patch
 Patch152: openssl-1.0.1e-cve-2016-2107.patch
@@ -171,6 +177,7 @@ Group: System Environment/Libraries
 URL: http://www.openssl.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: coreutils, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp
+BuildRequires: lksctp-tools-devel
 BuildRequires: /usr/bin/rename
 Requires: coreutils, make
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -322,6 +329,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch119 -p1 -b .dh-unauthenticated
 %patch120 -p1 -b .dtls-rec-leak
 %patch121 -p1 -b .cc-reqs
+%patch43  -p1 -b .krb5keytab 
 %patch122 -p1 -b .use-after-free
 %patch123 -p1 -b .bool-cmp
 %patch124 -p1 -b .item-reuse
@@ -339,12 +347,17 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch136 -p1 -b .combine-leak
 %patch137 -p1 -b .psk-identity
 %patch138 -p1 -b .no-md5-tls
+%patch139 -p1 -b .timestamp
+%patch140 -p1 -b .memleak
+%patch141 -p1 -b .speed-doc
 %patch142 -p1 -b .ssl2-ciphers
 %patch143 -p1 -b .disable-sslv2
 %patch144 -p1 -b .rsa-const
 %patch145 -p1 -b .dsa-doublefree
 %patch146 -p1 -b .bn-hex
 %patch147 -p1 -b .bio-printf
+%patch148 -p1 -b .sctp
+%patch149 -p1 -b .keymat-algo
 %patch150 -p1 -b .b64-overflow
 %patch151 -p1 -b .enc-overflow
 %patch152 -p1 -b .padding-check
@@ -417,7 +430,8 @@ sslarch="linux-ppc64le"
 ./Configure \
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
-	enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \
+	enable-cms enable-md2 enable-sctp \
+	no-mdc2 no-rc5 no-ec2m no-gost no-srp \
 	--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
 	--with-krb5-dir=/usr shared  ${sslarch} %{?!nofips:fips}
 
@@ -626,7 +640,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
-* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.7
+* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-60
 - fix CVE-2016-2177 - possible integer overflow
 - fix CVE-2016-2178 - non-constant time DSA operations
 - fix CVE-2016-2179 - further DoS issues in DTLS
@@ -638,29 +652,40 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 - fix CVE-2016-6306 - certificate message OOB reads
 - mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
   112 bit effective strength
+
+* Tue Jun 21 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-58
 - replace expired testing certificates
 
-* Fri Apr 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.5
+* Fri Apr 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-57
 - fix CVE-2016-2105 - possible overflow in base64 encoding
 - fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
 - fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
 - fix CVE-2016-2108 - memory corruption in ASN.1 encoder
 - fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
+
+* Thu Apr  7 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-56
+- fix 1-byte memory leak in pkcs12 parse (#1312112)
+- document some options of the speed command (#1312110)
+- fix high-precision timestamps in timestamping authority
+- enable SCTP support in DTLS 
+- use correct digest when exporting keying material in TLS1.2 (#1289620)
 - fix CVE-2016-0799 - memory issues in BIO_printf
+- add support for setting Kerberos service and keytab in
+  s_server and s_client
 
-* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
+* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-55
 - fix CVE-2016-0702 - side channel attack on modular exponentiation
 - fix CVE-2016-0705 - double-free in DSA private key parsing
 - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
 
-* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
+* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-54
 - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
 - disable SSLv2 in the generic TLS method
 
-* Mon Dec 21 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.2
+* Mon Dec 21 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-53
 - fix CVE-2015-7575 - disallow use of MD5 in TLS1.2
 
-* Fri Dec  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.1
+* Fri Dec  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-52
 - fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
 - fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
 - fix CVE-2015-3196 - race condition when handling PSK identity hint