From 9fc25c1d2897c4a1881efd8ecbb3ba44010bdae7 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed, 10 Aug 2016 13:50:49 +0200
Subject: [PATCH] fix regression in Cisco AnyConnect VPN support (#1354588)

---
 openssl-1.0.2h-dtls-bad-ver.patch | 12 ++++++++++++
 openssl.spec                      |  7 ++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 openssl-1.0.2h-dtls-bad-ver.patch

diff --git a/openssl-1.0.2h-dtls-bad-ver.patch b/openssl-1.0.2h-dtls-bad-ver.patch
new file mode 100644
index 0000000..19fb577
--- /dev/null
+++ b/openssl-1.0.2h-dtls-bad-ver.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver openssl-1.0.2h/ssl/ssl_lib.c
+--- openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver	2016-05-03 18:06:45.000000000 +0200
++++ openssl-1.0.2h/ssl/ssl_lib.c	2016-08-10 13:47:33.995530954 +0200
+@@ -1828,7 +1828,7 @@ int SSL_export_keying_material(SSL *s, u
+                                const unsigned char *p, size_t plen,
+                                int use_context)
+ {
+-    if (s->version < TLS1_VERSION)
++    if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
+         return -1;
+ 
+     return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
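Review bot: The relaxed guard in SSL_export_keying_material has no comment saying why DTLS1_BAD_VER is exempted, and the reason is not obvious. The test is a plain numeric comparison, and DTLS1_BAD_VER (0x0100) fails it only because its wire value sorts below TLS1_VERSION, whereas the standard DTLS version constants sort above it. I would add above the `if` something like `/* DTLS1_BAD_VER is numerically below TLS1_VERSION but is a DTLS variant; SSLv3 and older must still be rejected */`, so a later edit does not widen the exemption to real pre-TLS versions. The patch file also carries no header text, so the rationale and the bug reference (#1354588) live only in the spec changelog; a short description at the top of the .patch, saying whether the change has gone upstream, would help whoever rebases it. The function body continues past the end of the inner hunk.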
diff --git a/openssl.spec b/openssl.spec
index 8a47df8..18121a8 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.2h
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -87,6 +87,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
 Patch80: openssl-1.0.2e-wrap-pad.patch
 Patch81: openssl-1.0.2a-padlock64.patch
 Patch82: openssl-1.0.2h-trusted-first-doc.patch
+Patch83: openssl-1.0.2h-dtls-bad-ver.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -210,6 +211,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .trusted-first
+%patch83 -p1 -b .dtls-bad-ver
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -500,6 +502,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Wed Aug 10 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-3
+- fix regression in Cisco AnyConnect VPN support (#1354588)
+
 * Mon Jun 27 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-2
 - require libcrypto in libssl.pc (#1301301)