From 1f162bf2eec550d133c72ceacf2a22b95f81440f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Oct 10 2014 12:16:48 +0000 Subject: copy negotiated digests when switching certs by SNI (#1150032) --- diff --git a/openssl-1.0.1i-copy-algo.patch b/openssl-1.0.1i-copy-algo.patch new file mode 100644 index 0000000..927c584 --- /dev/null +++ b/openssl-1.0.1i-copy-algo.patch @@ -0,0 +1,33 @@ +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 6a33b9d..76a5f9e 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3177,15 +3177,26 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) + + SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) + { ++ CERT *ocert = ssl->cert; + if (ssl->ctx == ctx) + return ssl->ctx; + #ifndef OPENSSL_NO_TLSEXT + if (ctx == NULL) + ctx = ssl->initial_ctx; + #endif +- if (ssl->cert != NULL) +- ssl_cert_free(ssl->cert); + ssl->cert = ssl_cert_dup(ctx->cert); ++ if (ocert) ++ { ++ int i; ++ /* Copy negotiated digests from original */ ++ for (i = 0; i < SSL_PKEY_NUM; i++) ++ { ++ CERT_PKEY *cpk = ocert->pkeys + i; ++ CERT_PKEY *rpk = ssl->cert->pkeys + i; ++ rpk->digest = cpk->digest; ++ } ++ ssl_cert_free(ocert); ++ } + CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); + if (ssl->ctx != NULL) + SSL_CTX_free(ssl->ctx); /* decrement reference count */ diff --git a/openssl.spec b/openssl.spec index d8f7321..b42bc91 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1i -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -89,6 +89,7 @@ Patch81: openssl-1.0.1-beta2-padlock64.patch Patch84: openssl-1.0.1i-trusted-first.patch Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch Patch89: openssl-1.0.1e-ephemeral-key-size.patch +Patch94: openssl-1.0.1i-copy-algo.patch License: OpenSSL Group: System Environment/Libraries @@ -211,6 +212,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch84 -p1 -b .trusted-first %patch85 -p1 -b .armcap %patch89 -p1 -b .ephemeral +%patch94 -p1 -b .copy-algo sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -478,6 +480,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Fri Oct 10 2014 Tomáš Mráz 1.0.1i-5 +- copy negotiated digests when switching certs by SNI (#1150032) + * Mon Sep 8 2014 Tomáš Mráz 1.0.1i-4 - add support for RFC 5649