apply properly revert SSL_read() behavior change - patch from upstream (#1394677)

- fix behavior on client certificate request in renegotiation (#1393579)
This commit is contained in:
Tomas Mraz 2016-11-30 14:29:59 +01:00
parent e443a79334
commit 3a8593870a
2 changed files with 31 additions and 2 deletions

View File

@ -0,0 +1,21 @@
diff -up openssl-1.1.0c/ssl/statem/statem.c.certreq openssl-1.1.0c/ssl/statem/statem.c
--- openssl-1.1.0c/ssl/statem/statem.c.certreq 2016-11-10 15:03:46.000000000 +0100
+++ openssl-1.1.0c/ssl/statem/statem.c 2016-11-30 14:23:14.274758723 +0100
@@ -361,6 +361,8 @@ static int state_machine(SSL *s, int ser
*/
s->ctx->stats.sess_accept_renegotiate++;
}
+
+ s->s3->tmp.cert_request = 0;
} else {
s->ctx->stats.sess_connect++;
@@ -368,7 +370,7 @@ static int state_machine(SSL *s, int ser
memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
s->hit = 0;
- s->s3->tmp.cert_request = 0;
+ s->s3->tmp.cert_req = 0;
if (SSL_IS_DTLS(s)) {
st->use_timer = 1;

View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.0c Version: 1.1.0c
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -60,6 +60,8 @@ Patch41: openssl-1.1.0-system-cipherlist.patch
Patch42: openssl-1.1.0-fips.patch Patch42: openssl-1.1.0-fips.patch
Patch43: openssl-1.1.0-afalg-eventfd2.patch Patch43: openssl-1.1.0-afalg-eventfd2.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch60: openssl-1.1.0-sslread-revert.patch
Patch61: openssl-1.1.0-cert-req.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -159,6 +161,9 @@ cp %{SOURCE13} test/
%patch42 -p1 -b .fips %patch42 -p1 -b .fips
%patch43 -p1 -b .eventfd2 %patch43 -p1 -b .eventfd2
%patch60 -p1 -b .sslread-revert
%patch61 -p1 -b .cert-req
%build %build
# Figure out which flags we want to use. # Figure out which flags we want to use.
# default # default
@ -425,8 +430,11 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Tue Nov 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-2 * Wed Nov 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-3
- revert SSL_read() behavior change - patch from upstream (#1394677) - revert SSL_read() behavior change - patch from upstream (#1394677)
- fix behavior on client certificate request in renegotiation (#1393579)
* Tue Nov 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-2
- EC curve NIST P-224 is now allowed, still kept disabled in TLS due - EC curve NIST P-224 is now allowed, still kept disabled in TLS due
to less than optimal security to less than optimal security