From d8cd5c45d88855f1e70f4c206fc7a57a5838ca7c Mon Sep 17 00:00:00 2001
From: Tomáš Mráz
Date: Dec 13 2007 17:16:43 +0000
Subject: - set default paths when no explicit paths are set (#418771)
- do not add tls extensions to client hello for SSLv3 (#422081)
---
diff --git a/openssl-0.9.8g-default-paths.patch b/openssl-0.9.8g-default-paths.patch
new file mode 100644
index 0000000..23fa4e1
--- /dev/null
+++ b/openssl-0.9.8g-default-paths.patch
@@ -0,0 +1,77 @@
+diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c
+--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100
++++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100
+@@ -1077,12 +1077,13 @@ bad:
+ }
+ #endif
+ 
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx))
+ {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+ ERR_print_errors(bio_err);
+- /* goto end; */
+ }
+ store = SSL_CTX_get_cert_store(ctx);
+ X509_STORE_set_flags(store, vflags);
+@@ -1132,8 +1133,11 @@ bad:
+ 
+ SSL_CTX_sess_set_cache_size(ctx2,128);
+ 
+- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2)))
++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2))
+ {
+ ERR_print_errors(bio_err);
+ }
+diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c
+--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100
++++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100
+@@ -673,12 +673,13 @@ bad:
+ if (!set_cert_key_stuff(ctx,cert,key))
+ goto end;
+ 
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx))
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+ ERR_print_errors(bio_err);
+- /* goto end; */
+ }
+ 
+ store = SSL_CTX_get_cert_store(ctx);
+diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c
+--- openssl-0.9.8g/apps/s_time.c.default-paths 
2003-12-27 15:40:17.000000000 +0100
++++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100
+@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv)
+ 
+ SSL_load_error_strings();
+ 
+- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+ ERR_print_errors(bio_err);
+- /* goto end; */
+ }
+ 
+ if (tm_cipher == NULL)
diff --git a/openssl-0.9.8g-no-extssl.patch b/openssl-0.9.8g-no-extssl.patch
new file mode 100644
index 0000000..2f0407a
--- /dev/null
+++ b/openssl-0.9.8g-no-extssl.patch
@@ -0,0 +1,17 @@
+Skip adding tls extensions to client hello when protocol version is
+not TLS.
+diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
+--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200
++++ openssl-0.9.8g/ssl/t1_lib.c 2007-12-13 17:22:10.000000000 +0100
+@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
+ int extdatalen=0;
+ unsigned char *ret = p;
+ 
++ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
++ {
++ return ret;
++ }
++
+ ret+=2;
+ 
+ if (ret>=limit) return NULL; /* this really never occurs, but ... */
diff --git a/openssl.spec b/openssl.spec
index 62340ca..cc00ae0 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8g
-Release: 2%{?dist}
+Release: 3%{?dist}
 Source: openssl-%{version}-usa.tar.bz2
 Source1: hobble-openssl
 Source2: Makefile.certificate 
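Review bot: A `-CAfile`/`-CApath` that fails to load is still only printed and then ignored, because each new `if (!SSL_CTX_load_verify_locations(...))` branch in the s_server, s_client and s_time hunks falls through to `SSL_CTX_set_default_verify_paths` with no `goto end`, so a user who mistyped an explicit trust anchor may end up verifying the peer against the system store instead of getting an error. Splitting the two calls is the right fix for #418771 — the old `||` short-circuited, so the default paths were never set once the first call failed — but the explicit-argument case should stay fatal: after `ERR_print_errors(bio_err);` in the first branch add `if (CAfile != NULL || CApath != NULL) goto end;`. An `end:` label is visible only for s_client (the `goto end;` context line); for s_server and s_time it is implied by the removed `/* goto end; */`, so confirm it still exists before relying on it. Each enclosing `MAIN` body starts and ends outside the hunk.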
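Review bot: The new guard in `ssl_add_clienthello_tlsext` allow-lists exactly `TLS1_VERSION` and `DTLS1_VERSION`, so any other value of `s->client_version` silently yields a ClientHello with no extension block — intended for SSLv3, but a later TLS version constant would lose its extensions with no error or log. Naming the one protocol that cannot carry extensions reads closer to the purpose of #422081: `if (s->client_version == SSL3_VERSION) return ret;` — assuming `client_version` already holds the on-the-wire version at this point (the ssl23 caller is not in the hunk; if other values can legitimately reach here, keep the allow-list). Either way the bare early return deserves a why-comment, e.g. `/* SSLv3 ClientHello has no extensions field (RFC 3546 is TLS-only); emit nothing */`. The rest of the function lies outside the hunk.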
@@ -44,6 +44,8 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch
 # Bug fixes
 Patch21: openssl-0.9.8b-aliasing-bug.patch
 Patch22: openssl-0.9.8b-x509-name-cmp.patch
+Patch23: openssl-0.9.8g-default-paths.patch
+Patch24: openssl-0.9.8g-no-extssl.patch
 # Functionality changes
 Patch32: openssl-0.9.7-beta6-ia64.patch
 Patch33: openssl-0.9.7f-ca-dir.patch
@@ -106,6 +108,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch21 -p1 -b .aliasing-bug
 %patch22 -p1 -b .name-cmp
+%patch23 -p1 -b .default-paths
+%patch24 -p1 -b .no-extssl
 %patch32 -p1 -b .ia64
 #patch33 is applied after make test
@@ -356,6 +360,10 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
 %postun -p /sbin/ldconfig
 %changelog
+* Thu Dec 13 2007 Tomas Mraz 0.9.8g-3
+- set default paths when no explicit paths are set (#418771)
+- do not add tls extensions to client hello for SSLv3 (#422081)
+
 * Tue Dec 4 2007 Tomas Mraz 0.9.8g-2
 - enable some new crypto algorithms and features
 - add some more important bug fixes from openssl CVS