From f7a30f9a15b4e58de45364c4af07473c9aad7456 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Aug 13 2018 09:34:33 +0000
Subject: do not put error on stack when using fixed protocol version (#1615098)
---

diff --git a/openssl-1.1.1-ignore-bound.patch b/openssl-1.1.1-ignore-bound.patch
new file mode 100644
index 0000000..4838f3d
--- /dev/null
+++ b/openssl-1.1.1-ignore-bound.patch
@@ -0,0 +1,14 @@
+Do not return failure when setting version bound on fixed protocol
+version method.
+diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
+--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
+@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
+ * methods are not subject to controls that disable individual protocol
+ * versions.
+ */
+- return 0;
++ return 1;
+
+ case TLS_ANY_VERSION:
+ if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
diff --git a/openssl.spec b/openssl.spec
index b0c3116..527344e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -24,7 +24,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1
-Release: 0.%{prerelease}.2%{?dist}
+Release: 0.%{prerelease}.3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -56,6 +56,7 @@ Patch38: openssl-1.1.0-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
 Patch42: openssl-1.1.1-fips.patch
+Patch43: openssl-1.1.1-ignore-bound.patch
 Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.0-weak-ciphers.patch
 # Backported fixes including security fixes
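Review bot: The `return 1` in the fixed-version branch of ssl_set_version_bound (the new openssl-1.1.1-ignore-bound.patch) reports success for a bound that is never applied, so a caller that requests a higher minimum protocol on a fixed-version method can no longer tell from the return value that the request was ignored. The commit subject suggests the aim is only to stop the default config from leaving an error on the stack; if that is the case, suppressing the failure at the config-loading call site would keep the signal for applications that check it, though that caller is not visible here and this is inferred. At minimum the comment above the return should state the new contract, for example `/* Bound is ignored for fixed-version methods; success is returned so config-driven bounds do not fail. */`. The function body starts and ends outside the hunk, so the other switch cases could not be checked for consistency.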
@@ -157,6 +158,7 @@ cp %{SOURCE13} test/
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
 %patch42 -p1 -b .fips
+%patch43 -p1 -b .ignore-bound
 %patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
@@ -440,6 +442,10 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 %changelog
+* Mon Aug 13 2018 Tomáš Mráz 1.1.1-0.pre8.3
+- do not put error on stack when using fixed protocol version
+ with the default config (#1615098)
+
 * Fri Jul 27 2018 Tomáš Mráz 1.1.1-0.pre8.2
 - load crypto policy config file from the default config