rpms/openssl/devel openssl-1.0.0-beta4-tlsver.patch,NONE,1.1

Tomáš Mráz tmraz at fedoraproject.org
Thu Jan 14 08:57:34 UTC 2010


Author: tmraz

Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv17410

Added Files:
	openssl-1.0.0-beta4-tlsver.patch 
Log Message:
* Thu Jan 14 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.19.beta4
- fix CVE-2009-4355 - leak in applications incorrectly calling
  CRYPTO_free_all_ex_data() before application exit (#546707)
- upstream fix for future TLS protocol version handling


openssl-1.0.0-beta4-tlsver.patch:
 s23_srvr.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- NEW FILE openssl-1.0.0-beta4-tlsver.patch ---
Fix handling of future TLS versions.
diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.tlsver openssl-1.0.0-beta4/ssl/s23_srvr.c
--- openssl-1.0.0-beta4/ssl/s23_srvr.c.tlsver	2010-01-12 22:20:15.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/s23_srvr.c	2010-01-13 22:02:47.000000000 +0100
@@ -315,7 +315,7 @@ int ssl23_get_client_hello(SSL *s)
 			 (p[1] == SSL3_VERSION_MAJOR) &&
 			 (p[5] == SSL3_MT_CLIENT_HELLO) &&
 			 ((p[3] == 0 && p[4] < 5 /* silly record length? */)
-				|| (p[9] == p[1])))
+				|| (p[9] >= p[1])))
 			{
 			/*
 			 * SSLv3 or tls1 header
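Review bot: The relaxed comparison `p[9] >= p[1]` on the last line of the condition has no comment saying which bytes are compared or why a larger value is now accepted. `p[1]` is already pinned to `SSL3_VERSION_MAJOR` on the first line of the same condition, so comparing `p[9]` against that constant directly, as the second hunk does with `p[9] > SSL3_VERSION_MAJOR`, would read more consistently. A short comment naming `p[9]` as the major byte of client_version would document the intent. With this change every major value from 3 upward takes this branch, so the handling added in the second hunk is the only place that decides what happens to majors above 3.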
@@ -339,6 +339,13 @@ int ssl23_get_client_hello(SSL *s)
 				v[1] = TLS1_VERSION_MINOR;
 #endif
 				}
+			/* if major version number > 3 set minor to a value
+			 * which will use the highest version 3 we support.
+			 * If TLS 2.0 ever appears we will need to revise
+			 * this....
+			 */
+			else if (p[9] > SSL3_VERSION_MAJOR)
+				v[1]=0xff;
 			else
 				v[1]=p[10]; /* minor version according to client_version */
 			if (v[1] >= TLS1_VERSION_MINOR)
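Review bot: `v[1]=0xff;` in the new `else if (p[9] > SSL3_VERSION_MAJOR)` branch is a sentinel, not a real minor version, and it only has the intended effect through the `if (v[1] >= TLS1_VERSION_MINOR)` test that follows. The added comment states the goal ("use the highest version 3 we support") but not that dependency; either say so in the comment or give the value a named constant. These lines do not show whether `v[1]` is used again after that test, so it is worth confirming that 0xff is never carried forward as the negotiated minor version without being clamped to a supported value. Style nit: `v[1]=0xff;` matches the unspaced `v[1]=p[10];` below it but not the spaced `v[1] = TLS1_VERSION_MINOR;` above.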


