From 6b68d87d06bd6c24de8652d531f1f081b4e8b975 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Jun 05 2017 15:20:12 +0000
Subject: only release thread-local key if we created it (from upstream) (#1458775)
---
diff --git a/openssl-1.1.0-thread-local.patch b/openssl-1.1.0-thread-local.patch
new file mode 100644
index 0000000..a51062a
--- /dev/null
+++ b/openssl-1.1.0-thread-local.patch
@@ -0,0 +1,48 @@
+From c8ec34109cab8c92685958ddfef0776a4b3b8460 Mon Sep 17 00:00:00 2001
+From: Rich Salz
+Date: Wed, 31 May 2017 12:14:55 -0400
+Subject: [PATCH] Only release thread-local key if we created it.
+
+Thanks to Jan Alexander Steffens for finding the bug and confirming the
+fix.
+
+Reviewed-by: Richard Levitte
+(Merged from https://github.com/openssl/openssl/pull/3592)
+(cherry picked from commit 73bc53708c386c1ea85941d345721e23dc61c05c)
+---
+ crypto/err/err.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/err/err.c b/crypto/err/err.c
+index f866f2f..c55f849 100644
+--- a/crypto/err/err.c
++++ b/crypto/err/err.c
+@@ -122,6 +122,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
+ #endif
+
+ static CRYPTO_ONCE err_init = CRYPTO_ONCE_STATIC_INIT;
++static int set_err_thread_local;
+ static CRYPTO_THREAD_LOCAL err_thread_local;
+
+ static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
+@@ -260,7 +261,8 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
+
+ void err_cleanup(void)
+ {
+- CRYPTO_THREAD_cleanup_local(&err_thread_local);
++ if (set_err_thread_local != 0)
++ CRYPTO_THREAD_cleanup_local(&err_thread_local);
+ CRYPTO_THREAD_lock_free(err_string_lock);
+ err_string_lock = NULL;
+ }
+@@ -639,6 +641,7 @@ void ERR_remove_state(unsigned long pid)
+
+ DEFINE_RUN_ONCE_STATIC(err_do_init)
+ {
++ set_err_thread_local = 1;
+ return CRYPTO_THREAD_init_local(&err_thread_local, NULL);
+ }
+
+--
+2.9.3
+
diff --git a/openssl.spec b/openssl.spec
index bd6fc44..925239d 100644
--- a/openssl.spec
+++ b/openssl.spec
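Review bot: In the embedded err.c change, `err_do_init` sets `set_err_thread_local = 1` before calling `CRYPTO_THREAD_init_local` and regardless of its result, so a failed key creation still leaves the flag set and `err_cleanup` would release a key this module never obtained. That is the very case the patch is meant to rule out. Setting the flag only on success closes the gap: `if (!CRYPTO_THREAD_init_local(&err_thread_local, NULL)) return 0;` followed by `set_err_thread_local = 1; return 1;`. This assumes the init call returns nonzero on success, as its use as the run-once result suggests. Because the file is a cherry-pick of upstream commit 73bc53708c386c1ea85941d345721e23dc61c05c, the adjustment is best proposed upstream so the package does not diverge.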
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.0f
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -61,6 +61,7 @@ Patch42: openssl-1.1.0-fips.patch
 Patch43: openssl-1.1.0-afalg-eventfd2.patch
 Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
 # Backported fixes including security fixes
+Patch70: openssl-1.1.0-thread-local.patch

 License: OpenSSL
 Group: System Environment/Libraries
@@ -162,6 +163,8 @@ cp %{SOURCE13} test/
 %patch43 -p1 -b .eventfd2
 %patch44 -p1 -b .preserve-nl

+%patch70 -p1 -b .thread-local
+
 %build
 # Figure out which flags we want to use.
 # default
@@ -428,6 +431,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig

 %changelog
+* Mon Jun 5 2017 Tomáš Mráz 1.1.0f-2
+- only release thread-local key if we created it (from upstream) (#1458775)
+
 * Fri Jun 2 2017 Tomáš Mráz 1.1.0f-1
 - update to upstream version 1.1.0f
 - SRP and GOST is now allowed, note that GOST support requires