update to upstream version 1.1.0g

2017-11-03 16:57:03 +01:00 · 2017-11-03 16:57:03 +01:00 · e85d72778f
commit e85d72778f
parent 50c1418e79
9 changed files with 377 additions and 535 deletions
--- a/openssl-1.1.0-afalg-eventfd2.patch
+++ b/openssl-1.1.0-afalg-eventfd2.patch
@ -1,12 +0,0 @@
 diff -up openssl-1.1.0b/engines/afalg/e_afalg.c.eventfd2 openssl-1.1.0b/engines/afalg/e_afalg.c
 --- openssl-1.1.0b/engines/afalg/e_afalg.c.eventfd2	2016-09-26 11:46:07.000000000 +0200
 +++ openssl-1.1.0b/engines/afalg/e_afalg.c	2016-10-11 10:56:00.884185249 +0200
@@ -104,7 +104,7 @@ static ossl_inline int io_setup(unsigned
 static ossl_inline int eventfd(int n)
 {
 -    return syscall(__NR_eventfd, n);
 +    return syscall(__NR_eventfd2, n, 0);
 }
 static ossl_inline int io_destroy(aio_context_t ctx)
--- a/openssl-1.1.0-build.patch
+++ b/openssl-1.1.0-build.patch
@ -38,12 +38,12 @@ diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configu
     },
     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
         inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],
-diff -up openssl-1.1.0f/test/evptests.txt.build openssl-1.1.0f/test/evptests.txt
+diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
--- openssl-1.1.0f/test/evptests.txt.build	2017-05-25 14:46:21.000000000 +0200
+--- openssl-1.1.0g/test/evptests.txt.build	2017-11-02 15:29:05.000000000 +0100
-+++ openssl-1.1.0f/test/evptests.txt	2017-06-02 15:05:49.422161136 +0200
+++ openssl-1.1.0g/test/evptests.txt	2017-11-03 16:37:01.253671494 +0100
-@@ -3690,14 +3690,6 @@ PublicKey=Bob-25519-PUBLIC
+@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
- MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+DQ8hbeGdNrfx+FG+IK08=
+ 
- -----END PUBLIC KEY-----
+ PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
 -Derive=Alice-25519
 -PeerKey=Bob-25519-PUBLIC
@ -56,7 +56,7 @@ diff -up openssl-1.1.0f/test/evptests.txt.build openssl-1.1.0f/test/evptests.txt
 # Illegal sign/verify operations with X25519 key
 Sign=Alice-25519
-@@ -3710,6 +3702,14 @@ Result = KEYOP_INIT_ERROR
+@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
 Function = EVP_PKEY_verify_init
 Reason = operation not supported for this keytype
--- a/openssl-1.1.0-dtls-failure.patch
+++ b/openssl-1.1.0-dtls-failure.patch
@ -1,100 +0,0 @@
 From 290cfa823fb3afea5b36ed17113ffb4f675d0165 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Tue, 20 Jun 2017 16:36:30 +0100
 Subject: [PATCH] Fix DTLS failure when used in a build which has SCTP enabled
 The value of BIO_CTRL_DGRAM_SET_PEEK_MODE was clashing with the value for
 BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE. In an SCTP enabled build
 BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE was used unconditionally with
 the reasoning that it would be ignored if SCTP wasn't in use. Unfortunately
 due to this clash, this wasn't the case. The BIO ended up going into peek
 mode and was continually reading the same data over and over - throwing it
 away as a replay.
 Fixes #3723
 ---
 crypto/bio/bss_dgram.c | 9 +++++++++
 include/openssl/bio.h  | 7 ++++---
 ssl/statem/statem.c    | 8 ++++----
 3 files changed, 17 insertions(+), 7 deletions(-)
 diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
 index 7ef4281..4070f20 100644
 --- a/crypto/bio/bss_dgram.c
 +++ b/crypto/bio/bss_dgram.c
@@ -787,6 +787,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
         ret = dgram_get_mtu_overhead(data);
         break;
 +
 +    /*
 +     * BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE is used here for compatibility
 +     * reasons. When BIO_CTRL_DGRAM_SET_PEEK_MODE was first defined its value
 +     * was incorrectly clashing with BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE. The
 +     * value has been updated to a non-clashing value. However to preserve
 +     * binary compatiblity we now respond to both the old value and the new one
 +     */
 +    case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
     case BIO_CTRL_DGRAM_SET_PEEK_MODE:
         data->peekmode = (unsigned int)num;
         break;
 diff --git a/include/openssl/bio.h b/include/openssl/bio.h
 index 0955b76..5f8f83a 100644
 --- a/include/openssl/bio.h
 +++ b/include/openssl/bio.h
@@ -126,11 +126,10 @@ extern "C" {
 # define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD   49
 -# define BIO_CTRL_DGRAM_SET_PEEK_MODE      50
 -
 +/* Deliberately outside of OPENSSL_NO_SCTP - used in bss_dgram.c */
 +#  define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE    50
 # ifndef OPENSSL_NO_SCTP
 /* SCTP stuff */
 -#  define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE    50
 #  define BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY                51
 #  define BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY               52
 #  define BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD               53
@@ -143,6 +142,8 @@ extern "C" {
 #  define BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN               70
 # endif
 +# define BIO_CTRL_DGRAM_SET_PEEK_MODE      71
 +
 /* modifiers */
 # define BIO_FP_READ             0x02
 # define BIO_FP_WRITE            0x04
 diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
 index 52beac7..9eab8ce 100644
 --- a/ssl/statem/statem.c
 +++ b/ssl/statem/statem.c
@@ -300,10 +300,10 @@ static int state_machine(SSL *s, int server)
             return -1;
     }
 #ifndef OPENSSL_NO_SCTP
 -    if (SSL_IS_DTLS(s)) {
 +    if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
         /*
          * Notify SCTP BIO socket to enter handshake mode and prevent stream
 -         * identifier other than 0. Will be ignored if no SCTP is used.
 +         * identifier other than 0.
          */
         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
                  st->in_handshake, NULL);
@@ -421,10 +421,10 @@ static int state_machine(SSL *s, int server)
     st->in_handshake--;
 #ifndef OPENSSL_NO_SCTP
 -    if (SSL_IS_DTLS(s)) {
 +    if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
         /*
          * Notify SCTP BIO socket to leave handshake mode and allow stream
 -         * identifier other than 0. Will be ignored if no SCTP is used.
 +         * identifier other than 0.
          */
         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
                  st->in_handshake, NULL);
 -- 
 2.9.3
--- a/openssl-1.1.0-fips.patch
+++ b/openssl-1.1.0-fips.patch
--- a/openssl-1.1.0-manfix.patch
+++ b/openssl-1.1.0-manfix.patch
@ -1,7 +1,7 @@
-diff -up openssl-1.1.0-pre5/doc/apps/ec.pod.manfix openssl-1.1.0-pre5/doc/apps/ec.pod
+diff -up openssl-1.1.0g/doc/apps/ec.pod.manfix openssl-1.1.0g/doc/apps/ec.pod
--- openssl-1.1.0-pre5/doc/apps/ec.pod.manfix	2016-04-19 16:57:55.000000000 +0200
+--- openssl-1.1.0g/doc/apps/ec.pod.manfix	2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0-pre5/doc/apps/ec.pod	2016-07-20 15:13:07.874678467 +0200
+++ openssl-1.1.0g/doc/apps/ec.pod	2017-11-03 16:09:31.714027145 +0100
-@@ -100,10 +100,6 @@ prints out the public, private key compo
+@@ -101,10 +101,6 @@ prints out the public, private key compo
 this option prevents output of the encoded version of the key.
@ -12,10 +12,10 @@ diff -up openssl-1.1.0-pre5/doc/apps/ec.pod.manfix openssl-1.1.0-pre5/doc/apps/e
 =item B<-pubin>
 by default a private key is read from the input file: with this option a
-diff -up openssl-1.1.0-pre5/doc/apps/openssl.pod.manfix openssl-1.1.0-pre5/doc/apps/openssl.pod
+diff -up openssl-1.1.0g/doc/apps/openssl.pod.manfix openssl-1.1.0g/doc/apps/openssl.pod
--- openssl-1.1.0-pre5/doc/apps/openssl.pod.manfix	2016-04-19 16:57:55.000000000 +0200
+--- openssl-1.1.0g/doc/apps/openssl.pod.manfix	2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0-pre5/doc/apps/openssl.pod	2016-07-20 15:14:57.596163046 +0200
+++ openssl-1.1.0g/doc/apps/openssl.pod	2017-11-03 16:11:48.478245311 +0100
-@@ -163,7 +163,7 @@ Create or examine a netscape certificate
+@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
 Online Certificate Status Protocol utility.
@ -24,7 +24,7 @@ diff -up openssl-1.1.0-pre5/doc/apps/openssl.pod.manfix openssl-1.1.0-pre5/doc/a
 Generation of hashed passwords.
-@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
+@@ -198,7 +198,7 @@ Public key algorithm parameter managemen
 Public key algorithm cryptographic operation utility.
@ -33,15 +33,19 @@ diff -up openssl-1.1.0-pre5/doc/apps/openssl.pod.manfix openssl-1.1.0-pre5/doc/a
 Generate pseudo-random bytes.
-@@ -401,9 +401,9 @@ L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
+@@ -432,13 +432,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
- L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
+ L<ec(1)>, L<ecparam(1)>,
- L<enc(1)>, L<engine(1)>, L<gendsa(1)>, L<genpkey(1)>,
+ L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
- L<genrsa(1)>, L<nseq(1)>, L<openssl(1)>,
+ L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
 -L<passwd(1)>,
 +L<sslpasswd(1)>,
 L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
-L<rand(1)>, L<req(1)>, L<rsa(1)>,
+ L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>,
-+L<sslrand(1)>, L<req(1)>, L<rsa(1)>,
+-L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
 +L<rehash(1)>, L<req(1)>, L<rsa(1)>,
 L<rsautl(1)>, L<s_client(1)>,
- L<s_server(1)>, L<s_time(1)>,
+ L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
- L<smime(1)>, L<spkac(1)>,
+ L<smime(1)>, L<speed(1)>, L<spkac(1)>,
 +L<sslpasswd(1)>, L<sslrand(1)>,
 L<ts(1)>,
 L<verify(1)>, L<version(1)>, L<x509(1)>,
 L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
--- a/openssl-1.1.0-no-weak-verify.patch
+++ b/openssl-1.1.0-no-weak-verify.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.0f/crypto/asn1/a_verify.c
+diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/crypto/asn1/a_verify.c
--- openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify	2017-05-25 14:46:18.000000000 +0200
+--- openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify	2017-11-02 15:29:02.000000000 +0100
-+++ openssl-1.1.0f/crypto/asn1/a_verify.c	2017-06-26 16:26:49.496989272 +0200
+++ openssl-1.1.0g/crypto/asn1/a_verify.c	2017-11-03 16:15:46.125801341 +0100
@@ -7,6 +7,9 @@
  * https://www.openssl.org/source/license.html
  */
@ -10,8 +10,8 @@ diff -up openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.0f/cry
 +
 #include <stdio.h>
 #include <time.h>
- 
+ #include <sys/types.h>
-@@ -129,6 +132,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
+@@ -126,6 +129,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
         if (ret != 2)
             goto err;
         ret = -1;
--- a/openssl-1.1.0-secure-getenv.patch
+++ b/openssl-1.1.0-secure-getenv.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.1.0b/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0b/crypto/conf/conf_api.c
+diff -up openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_api.c
--- openssl-1.1.0b/crypto/conf/conf_api.c.secure-getenv	2016-09-26 11:46:05.000000000 +0200
+--- openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv	2017-11-02 15:29:02.000000000 +0100
-+++ openssl-1.1.0b/crypto/conf/conf_api.c	2016-09-26 15:19:19.420705501 +0200
+++ openssl-1.1.0g/crypto/conf/conf_api.c	2017-11-03 16:12:31.826265323 +0100
@@ -9,6 +9,8 @@
 /* Part of the code in here was originally in conf.c, which is now removed */
@ -28,9 +28,9 @@ diff -up openssl-1.1.0b/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0b/cryp
 }
 static unsigned long conf_value_hash(const CONF_VALUE *v)
-diff -up openssl-1.1.0b/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0b/crypto/conf/conf_mod.c
+diff -up openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_mod.c
--- openssl-1.1.0b/crypto/conf/conf_mod.c.secure-getenv	2016-09-26 11:46:05.000000000 +0200
+--- openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv	2017-11-02 15:29:02.000000000 +0100
-+++ openssl-1.1.0b/crypto/conf/conf_mod.c	2016-09-26 15:19:19.421705524 +0200
+++ openssl-1.1.0g/crypto/conf/conf_mod.c	2017-11-03 16:12:31.827265347 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
@ -49,9 +49,9 @@ diff -up openssl-1.1.0b/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0b/cryp
     if (file)
         return OPENSSL_strdup(file);
-diff -up openssl-1.1.0b/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0b/crypto/engine/eng_list.c
+diff -up openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0g/crypto/engine/eng_list.c
--- openssl-1.1.0b/crypto/engine/eng_list.c.secure-getenv	2016-09-26 11:46:05.000000000 +0200
+--- openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv	2017-11-02 15:29:03.000000000 +0100
-+++ openssl-1.1.0b/crypto/engine/eng_list.c	2016-09-26 15:19:19.421705524 +0200
+++ openssl-1.1.0g/crypto/engine/eng_list.c	2017-11-03 16:12:31.827265347 +0100
@@ -13,6 +13,8 @@
  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
  */
@ -70,9 +70,9 @@ diff -up openssl-1.1.0b/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0b/cr
             load_dir = ENGINESDIR;
         iterator = ENGINE_by_id("dynamic");
         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-diff -up openssl-1.1.0b/crypto/rand/randfile.c.secure-getenv openssl-1.1.0b/crypto/rand/randfile.c
+diff -up openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv openssl-1.1.0g/crypto/rand/randfile.c
--- openssl-1.1.0b/crypto/rand/randfile.c.secure-getenv	2016-09-26 11:46:05.000000000 +0200
+--- openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv	2017-11-02 15:29:03.000000000 +0100
-+++ openssl-1.1.0b/crypto/rand/randfile.c	2016-09-26 15:22:17.427882518 +0200
+++ openssl-1.1.0g/crypto/rand/randfile.c	2017-11-03 16:12:31.827265347 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
@ -82,7 +82,7 @@ diff -up openssl-1.1.0b/crypto/rand/randfile.c.secure-getenv openssl-1.1.0b/cryp
 #include "internal/cryptlib.h"
 #include <errno.h>
-@@ -319,10 +321,10 @@ const char *RAND_file_name(char *buf, si
+@@ -317,10 +319,10 @@ const char *RAND_file_name(char *buf, si
     if (OPENSSL_issetugid() != 0) {
         use_randfile = 0;
     } else {
@ -95,9 +95,9 @@ diff -up openssl-1.1.0b/crypto/rand/randfile.c.secure-getenv openssl-1.1.0b/cryp
         }
     }
 #endif
-diff -up openssl-1.1.0b/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0b/crypto/x509/by_dir.c
+diff -up openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0g/crypto/x509/by_dir.c
--- openssl-1.1.0b/crypto/x509/by_dir.c.secure-getenv	2016-09-26 11:46:06.000000000 +0200
+--- openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv	2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0b/crypto/x509/by_dir.c	2016-09-26 15:19:19.421705524 +0200
+++ openssl-1.1.0g/crypto/x509/by_dir.c	2017-11-03 16:12:31.827265347 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
@ -107,7 +107,7 @@ diff -up openssl-1.1.0b/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0b/crypto
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
-@@ -80,7 +82,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+@@ -78,7 +80,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
     switch (cmd) {
     case X509_L_ADD_DIR:
         if (argl == X509_FILETYPE_DEFAULT) {
@ -116,9 +116,9 @@ diff -up openssl-1.1.0b/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0b/crypto
             if (dir)
                 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
             else
-diff -up openssl-1.1.0b/crypto/x509/by_file.c.secure-getenv openssl-1.1.0b/crypto/x509/by_file.c
+diff -up openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv openssl-1.1.0g/crypto/x509/by_file.c
--- openssl-1.1.0b/crypto/x509/by_file.c.secure-getenv	2016-09-26 11:46:06.000000000 +0200
+--- openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv	2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0b/crypto/x509/by_file.c	2016-09-26 15:19:19.421705524 +0200
+++ openssl-1.1.0g/crypto/x509/by_file.c	2017-11-03 16:14:13.230649686 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
@ -132,8 +132,8 @@ diff -up openssl-1.1.0b/crypto/x509/by_file.c.secure-getenv openssl-1.1.0b/crypt
     switch (cmd) {
     case X509_L_FILE_LOAD:
         if (argl == X509_FILETYPE_DEFAULT) {
-            file = (char *)getenv(X509_get_default_cert_file_env());
+-            file = getenv(X509_get_default_cert_file_env());
-+            file = (char *)secure_getenv(X509_get_default_cert_file_env());
+            file = secure_getenv(X509_get_default_cert_file_env());
             if (file)
                 ok = (X509_load_cert_crl_file(ctx, file,
                                               X509_FILETYPE_PEM) != 0);
--- a/openssl-1.1.0-thread-local.patch
+++ b/openssl-1.1.0-thread-local.patch
@ -1,48 +0,0 @@
 From c8ec34109cab8c92685958ddfef0776a4b3b8460 Mon Sep 17 00:00:00 2001
 From: Rich Salz <rsalz@openssl.org>
 Date: Wed, 31 May 2017 12:14:55 -0400
 Subject: [PATCH] Only release thread-local key if we created it.
 Thanks to Jan Alexander Steffens for finding the bug and confirming the
 fix.
 Reviewed-by: Richard Levitte <levitte@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/3592)
 (cherry picked from commit 73bc53708c386c1ea85941d345721e23dc61c05c)
 ---
 crypto/err/err.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/crypto/err/err.c b/crypto/err/err.c
 index f866f2f..c55f849 100644
 --- a/crypto/err/err.c
 +++ b/crypto/err/err.c
@@ -122,6 +122,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
 #endif
 static CRYPTO_ONCE err_init = CRYPTO_ONCE_STATIC_INIT;
 +static int set_err_thread_local;
 static CRYPTO_THREAD_LOCAL err_thread_local;
 static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
@@ -260,7 +261,8 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
 void err_cleanup(void)
 {
 -    CRYPTO_THREAD_cleanup_local(&err_thread_local);
 +    if (set_err_thread_local != 0)
 +        CRYPTO_THREAD_cleanup_local(&err_thread_local);
     CRYPTO_THREAD_lock_free(err_string_lock);
     err_string_lock = NULL;
 }
@@ -639,6 +641,7 @@ void ERR_remove_state(unsigned long pid)
 DEFINE_RUN_ONCE_STATIC(err_do_init)
 {
 +    set_err_thread_local = 1;
     return CRYPTO_THREAD_init_local(&err_thread_local, NULL);
 }
 -- 
 2.9.3
--- a/openssl.spec
+++ b/openssl.spec
@ -21,8 +21,8 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.0f
+Version: 1.1.0g
-Release: 9%{?dist}
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -58,12 +58,9 @@ Patch39: openssl-1.1.0-cc-reqs.patch
 Patch40: openssl-1.1.0-disable-ssl3.patch
 Patch41: openssl-1.1.0-system-cipherlist.patch
 Patch42: openssl-1.1.0-fips.patch
 Patch43: openssl-1.1.0-afalg-eventfd2.patch
 Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
 Patch45: openssl-1.1.0-weak-ciphers.patch
 # Backported fixes including security fixes
 Patch70: openssl-1.1.0-thread-local.patch
 Patch71: openssl-1.1.0-dtls-failure.patch
 License: OpenSSL
 Group: System Environment/Libraries
@ -157,18 +154,14 @@ cp %{SOURCE13} test/
 %patch35 -p1 -b .chil
 %patch36 -p1 -b .secure-getenv
 %patch37 -p1 -b .curves
-%patch38 -p1 -b .no-md5-verify
+%patch38 -p1 -b .no-weak-verify
 %patch39 -p1 -b .cc-reqs
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
 %patch42 -p1 -b .fips
 %patch43 -p1 -b .eventfd2
 %patch44 -p1 -b .preserve-nl
 %patch45 -p1 -b .weak-ciphers
 %patch70 -p1 -b .thread-local
 %patch71 -p1 -b .dtls-failure
 %build
 # Figure out which flags we want to use.
 # default
@ -235,6 +228,8 @@ sslarch=linux-generic64
 # want to depend on the uninitialized memory as a source of entropy anyway.
 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"
 export HASHBANGPERL=/usr/bin/perl
 # ia64, x86_64, ppc are OK by default
 # Configure the build tree.  Override OpenSSL defaults with known-good defaults
 # usable on all platforms.  The Configure script already knows to use -fPIC and
@ -436,6 +431,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 %changelog
 * Fri Nov  3 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-1
 - update to upstream version 1.1.0g
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0f-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild