This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssl.git#3413ff9700373616a74dcf14fe75868d046e22e2epel8
parent
16459847f1
commit
a99ab8f40a
@ -1,14 +0,0 @@
|
|||||||
Do not return failure when setting version bound on fixed protocol
|
|
||||||
version method.
|
|
||||||
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
|
|
||||||
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
|
|
||||||
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
|
|
||||||
* methods are not subject to controls that disable individual protocol
|
|
||||||
* versions.
|
|
||||||
*/
|
|
||||||
- return 0;
|
|
||||||
+ return 1;
|
|
||||||
|
|
||||||
case TLS_ANY_VERSION:
|
|
||||||
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
|
|
@ -1,44 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
|
|
||||||
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
|
||||||
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
|
|
||||||
@@ -292,6 +292,9 @@ extern "C" {
|
|
||||||
|
|
||||||
# define TLS1_FLAGS_STATELESS 0x0800
|
|
||||||
|
|
||||||
+/* Set if extended master secret extension required on renegotiation */
|
|
||||||
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
|
|
||||||
+
|
|
||||||
# define SSL3_MT_HELLO_REQUEST 0
|
|
||||||
# define SSL3_MT_CLIENT_HELLO 1
|
|
||||||
# define SSL3_MT_SERVER_HELLO 2
|
|
||||||
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
|
|
||||||
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
|
||||||
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
|
|
||||||
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
|
|
||||||
|
|
||||||
static int init_ems(SSL *s, unsigned int context)
|
|
||||||
{
|
|
||||||
- if (!s->server)
|
|
||||||
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
|
|
||||||
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
|
|
||||||
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int final_ems(SSL *s, unsigned int context, int sent)
|
|
||||||
{
|
|
||||||
+ /*
|
|
||||||
+ * Check extended master secret extension is not dropped on
|
|
||||||
+ * renegotiation.
|
|
||||||
+ */
|
|
||||||
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
|
|
||||||
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
|
|
||||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
|
|
||||||
+ SSL_R_INCONSISTENT_EXTMS);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
if (!s->server && s->hit) {
|
|
||||||
/*
|
|
||||||
* Check extended master secret extension is consistent with
|
|
@ -1 +1 @@
|
|||||||
SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971
|
SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908
|
||||||
|
Loading…
Reference in new issue