From 3a8593870afda41424d6753c313bc0252090a248 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 30 Nov 2016 14:29:59 +0100 Subject: [PATCH] apply properly revert SSL_read() behavior change - patch from upstream (#1394677) - fix behavior on client certificate request in renegotiation (#1393579) --- openssl-1.1.0-cert-req.patch | 21 +++++++++++++++++++++ openssl.spec | 12 ++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 openssl-1.1.0-cert-req.patch diff --git a/openssl-1.1.0-cert-req.patch b/openssl-1.1.0-cert-req.patch new file mode 100644 index 0000000..f448af0 --- /dev/null +++ b/openssl-1.1.0-cert-req.patch @@ -0,0 +1,21 @@ +diff -up openssl-1.1.0c/ssl/statem/statem.c.certreq openssl-1.1.0c/ssl/statem/statem.c +--- openssl-1.1.0c/ssl/statem/statem.c.certreq 2016-11-10 15:03:46.000000000 +0100 ++++ openssl-1.1.0c/ssl/statem/statem.c 2016-11-30 14:23:14.274758723 +0100 +@@ -361,6 +361,8 @@ static int state_machine(SSL *s, int ser + */ + s->ctx->stats.sess_accept_renegotiate++; + } ++ ++ s->s3->tmp.cert_request = 0; + } else { + s->ctx->stats.sess_connect++; + +@@ -368,7 +370,7 @@ static int state_machine(SSL *s, int ser + memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); + s->hit = 0; + +- s->s3->tmp.cert_request = 0; ++ s->s3->tmp.cert_req = 0; + + if (SSL_IS_DTLS(s)) { + st->use_timer = 1; diff --git a/openssl.spec b/openssl.spec index 065f9f3..bb7d0ba 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.0c -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -60,6 +60,8 @@ Patch41: openssl-1.1.0-system-cipherlist.patch Patch42: openssl-1.1.0-fips.patch Patch43: openssl-1.1.0-afalg-eventfd2.patch # Backported fixes including security fixes +Patch60: openssl-1.1.0-sslread-revert.patch +Patch61: openssl-1.1.0-cert-req.patch License: OpenSSL Group: System Environment/Libraries @@ -159,6 +161,9 @@ cp %{SOURCE13} test/ %patch42 -p1 -b .fips %patch43 -p1 -b .eventfd2 +%patch60 -p1 -b .sslread-revert +%patch61 -p1 -b .cert-req + %build # Figure out which flags we want to use. # default @@ -425,8 +430,11 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog -* Tue Nov 22 2016 Tomáš Mráz 1.1.0c-2 +* Wed Nov 30 2016 Tomáš Mráz 1.1.0c-3 - revert SSL_read() behavior change - patch from upstream (#1394677) +- fix behavior on client certificate request in renegotiation (#1393579) + +* Tue Nov 22 2016 Tomáš Mráz 1.1.0c-2 - EC curve NIST P-224 is now allowed, still kept disabled in TLS due to less than optimal security