From f160409676983ef0adfbbc274f3b889815113912 Mon Sep 17 00:00:00 2001
From: Jakub Bogusz
Date: Fri, 27 Sep 2019 18:25:09 +0200
Subject: [PATCH] - updated to 1.1.1d (fixes CVE-2019-1547 CVE-2019-1549 CVE-2019-1563)
- added no-win32 patch (don't require Win32-specific perl module for unix installs)
- added zlib-fix patch (bugfix from git)
---
 openssl-no-win32.patch | 80 ++++++++++++++++++++++++++++++++++++++++++
 openssl-zlib-fix.patch | 57 ++++++++++++++++++++++++++++++
 openssl.spec | 13 +++----
 3 files changed, 144 insertions(+), 6 deletions(-)
 create mode 100644 openssl-no-win32.patch
 create mode 100644 openssl-zlib-fix.patch
diff --git a/openssl-no-win32.patch b/openssl-no-win32.patch
new file mode 100644
index 0000000..a54af8b
--- /dev/null
+++ b/openssl-no-win32.patch
@@ -0,0 +1,80 @@
+--- openssl-1.1.1d/Configurations/unix-Makefile.tmpl.orig 2019-09-27 15:57:40.580222104 +0200
++++ openssl-1.1.1d/Configurations/unix-Makefile.tmpl 2019-09-27 16:03:43.774921176 +0200
+@@ -201,77 +201,6 @@
+ "" -}
+ # Do not edit these manually. Use Configure with --prefix or --openssldir
+ # to change this! Short explanation in the top comment in Configure
+-INSTALLTOP_dev={- # $prefix is used in the OPENSSLDIR perl snippet
+- #
+- use File::Spec::Win32;
+- my $prefix_default = "$mingw_installroot/OpenSSL";
+- our $prefix =
+- File::Spec::Win32->canonpath($config{prefix}
+- || $prefix_default);
+- our ($prefix_dev, $prefix_dir, $prefix_file) =
+- File::Spec::Win32->splitpath($prefix, 1);
+- $prefix =~ s|\\|/|g;
+- $prefix_dir =~ s|\\|/|g;
+- $prefix_dev -}
+-INSTALLTOP_dir={- my $x = File::Spec::Win32->canonpath($prefix_dir);
+- $x =~ s|\\|/|g;
+- $x -}
+-OPENSSLDIR_dev={- #
+- # The logic here is that if no --openssldir was given,
+- # OPENSSLDIR will get the value "$mingw_commonroot/SSL".
+- # If --openssldir was given and the value is an absolute
+- # path, OPENSSLDIR will get its value without change.
+- # If the value from --openssldir is a relative path,
+- # OPENSSLDIR will get $prefix with the --openssldir
+- # value appended as a subdirectory.
+- #
+- use File::Spec::Win32;
+- our $openssldir =
+- $config{openssldir} ?
+- (File::Spec::Win32->file_name_is_absolute($config{openssldir}) ?
+- File::Spec::Win32->canonpath($config{openssldir})
+- : File::Spec::Win32->catdir($prefix, $config{openssldir}))
+- : File::Spec::Win32->canonpath("$mingw_commonroot/SSL");
+- our ($openssldir_dev, $openssldir_dir, $openssldir_file) =
+- File::Spec::Win32->splitpath($openssldir, 1);
+- $openssldir =~ s|\\|/|g;
+- $openssldir_dir =~ s|\\|/|g;
+- $openssldir_dev -}
+-OPENSSLDIR_dir={- my $x = File::Spec::Win32->canonpath($openssldir_dir);
+- $x =~ s|\\|/|g;
+- $x -}
+-LIBDIR={- our $libdir = $config{libdir} || "lib";
+- File::Spec::Win32->file_name_is_absolute($libdir) ? "" : $libdir -}
+-ENGINESDIR_dev={- use File::Spec::Win32;
+- our $enginesdir =
+- File::Spec::Win32->catdir($prefix,$libdir,
+- "engines-$sover_dirname");
+- our ($enginesdir_dev, $enginesdir_dir, $enginesdir_file) =
+- File::Spec::Win32->splitpath($enginesdir, 1);
+- $enginesdir =~ s|\\|/|g;
+- $enginesdir_dir =~ s|\\|/|g;
+- $enginesdir_dev -}
+-ENGINESDIR_dir={- my $x = File::Spec::Win32->canonpath($enginesdir_dir);
+- $x =~ s|\\|/|g;
+- $x -}
+-# In a Windows environment, $(DESTDIR) is harder to contatenate with other
+-# directory variables, because both may contain devices. What we do here is
+-# to adapt INSTALLTOP, OPENSSLDIR and ENGINESDIR depending on if $(DESTDIR)
+-# has a value or not, to ensure that concatenation will always work further
+-# down.
+-ifneq "$(DESTDIR)" ""
+-INSTALLTOP=$(INSTALLTOP_dir)
+-OPENSSLDIR=$(OPENSSLDIR_dir)
+-ENGINESDIR=$(ENGINESDIR_dir)
+-else
+-INSTALLTOP=$(INSTALLTOP_dev)$(INSTALLTOP_dir)
+-OPENSSLDIR=$(OPENSSLDIR_dev)$(OPENSSLDIR_dir)
+-ENGINESDIR=$(ENGINESDIR_dev)$(ENGINESDIR_dir)
+-endif
+-
+-# $(libdir) is chosen to be compatible with the GNU coding standards
+-libdir={- File::Spec::Win32->file_name_is_absolute($libdir)
+- ? $libdir : '$(INSTALLTOP)/$(LIBDIR)' -}
+ {- output_on() if $config{target} !~ /^mingw/; "" -}
+ 
+ MANDIR=$(INSTALLTOP)/share/man
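Review bot: The patch deletes the entire mingw-only block between the `output_off()`/`output_on()` pair instead of making the `File::Spec::Win32` dependency conditional, so a tree with this patch applied can no longer Configure mingw targets from `unix-Makefile.tmpl`; that is presumably acceptable for a unix-only distro build, but the patch file itself says nothing about it. A short description above the first `---` line would record the intent, e.g. `Drop the mingw-only INSTALLTOP/OPENSSLDIR/ENGINESDIR/libdir block so unix-Makefile.tmpl no longer requires the Win32-specific File::Spec::Win32 module at Configure time on unix; mingw targets are not built from this package.` The surviving `{- output_on() if $config{target} !~ /^mingw/; "" -}` context line and its `output_off()` partner (presumably just above the hunk's first context line `"" -}`) now bracket nothing, so they could go in a follow-up, though keeping them makes the patch smaller and easier to rebase. I cannot tell from the hunk whether the template engine evaluates these blocks even when output is off — that would explain why a `use` inside them still pulls the module in on unix — but if it does, a `$config{target} =~ /^mingw/` guard around the block would be the only way to keep both targets working, and outright removal is the simpler option here.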
diff --git a/openssl-zlib-fix.patch b/openssl-zlib-fix.patch
new file mode 100644
index 0000000..afae438
--- /dev/null
+++ b/openssl-zlib-fix.patch
@@ -0,0 +1,57 @@
+From 4245d63be73402df5917bbd099178ba56c136e13 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 12 Sep 2019 12:27:36 +0200
+Subject: [PATCH] BIO_f_zlib: Properly handle BIO_CTRL_PENDING and
+ BIO_CTRL_WPENDING calls.
+
+There can be data to write in output buffer and data to read that were
+not yet read in the input stream.
+
+Fixes #9866
+---
+ crypto/comp/c_zlib.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
+index 78219f202d8..3d2c142f004 100644
+--- a/crypto/comp/c_zlib.c
++++ b/crypto/comp/c_zlib.c
+@@ -546,6 +546,7 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
+ int ret, *ip;
+ int ibs, obs;
+ BIO *next = BIO_next(b);
++ z_stream *zin;
+ 
+ if (next == NULL)
+ return 0;
+@@ -598,6 +599,30 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
+ BIO_copy_next_retry(b);
+ break;
+ 
++ case BIO_CTRL_WPENDING:
++ if (ctx->obuf == NULL)
++ return 0;
++
++ if (ctx->odone) {
++ ret = ctx->ocount;
++ }
++ else {
++ ret = ctx->ocount;
++ if (ret == 0)
++ /* Unknown amount pending but we are not finished */
++ ret = 1;
++ }
++ if (ret == 0)
++ ret = BIO_ctrl(next, cmd, num, ptr);
++ break;
++
++ case BIO_CTRL_PENDING:
++ zin = &ctx->zin;
++ ret = zin->avail_in;
++ if (ret == 0)
++ ret = BIO_ctrl(next, cmd, num, ptr);
++ break;
++
+ default:
+ ret = BIO_ctrl(next, cmd, num, ptr);
+ break;
diff --git a/openssl.spec b/openssl.spec
index 550621a..8900821 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -17,21 +17,22 @@ Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднан
 Name: openssl
 # Version 1.1.1 is LTS, supported until 2023-09-11.
 # https://www.openssl.org/about/releasestrat.html
-Version: 1.1.1c
+Version: 1.1.1d
 Release: 1
 License: Apache-like
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 15e21da6efe8aa0e0768ffd8cd37a5f6
+# Source0-md5: 3be209000dbc7e1b95bcdf47980a3baa
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
 Patch1: %{name}-optflags.patch
-
+# https://github.com/openssl/openssl/commit/4245d63be73402df5917bbd099178ba56c136e13.patch
+Patch2: %{name}-zlib-fix.patch
 Patch3: %{name}-man-namespace.patch
 Patch5: %{name}-ca-certificates.patch
-
+Patch6: %{name}-no-win32.patch
 Patch7: %{name}-find.patch
 Patch8: pic.patch
@@ -258,11 +259,11 @@ RC4, RSA и SSL. Включает статические библиотеки д
 %endif
 %patch1 -p1
-
+%patch2 -p1
 %patch3 -p1
 %patch5 -p1
-
+%patch6 -p1
 %patch7 -p1
 %patch8 -p1
-- 
2.43.0
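Review bot: `Patch6: %{name}-no-win32.patch` is added without the provenance/purpose comment that the neighbouring `Patch2` entry gets, so a reader of the spec has to open the patch to learn why a Configure template is being edited; a one-line comment above it, `# don't require Win32-specific perl module (File::Spec::Win32) for unix installs`, taken from the commit message, would keep the two new entries consistent. The same hunk only swaps the `# Source0-md5:` value for the 1.1.1d tarball; if that digest is what the build verifies, it is worth cross-checking the tarball against the SHA-256 and PGP signature OpenSSL publishes before committing the hash, since MD5 alone offers no collision resistance — the builder's metadata line may not admit a stronger digest, so this is a process note rather than a change to the hunk. The second hunk (`%patch2 -p1` / `%patch6 -p1` in `%prep`) just wires the new entries in, and both patches use `-p1` paths that match their file headers.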