From d3102ab27ef155338e0327ddcf142567da702e11 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Sun, 29 Mar 2020 15:20:09 +0200
Subject: [PATCH] - up to 1.1.1e; fixes CVE-2019-1551

---
 bug-11378.patch | 123 +++++++++++++++++++++++++++++++++++++++++
 openssl-zlib-fix.patch | 57 -------------------
 openssl.spec | 14 ++---
 3 files changed, 130 insertions(+), 64 deletions(-)
 create mode 100644 bug-11378.patch
 delete mode 100644 openssl-zlib-fix.patch

diff --git a/bug-11378.patch b/bug-11378.patch
new file mode 100644
index 0000000..9d2138a
--- /dev/null
+++ b/bug-11378.patch
@@ -0,0 +1,123 @@
+From 30d190caf311d534867df97e26b552e628cb7d85 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Wed, 25 Mar 2020 14:15:31 +0100
+Subject: [PATCH] Partially revert "Detect EOF while reading in libssl"
+
+This partially reverts commit db943f43a60d1b5b1277e4b5317e8f288e7a0a3a.
+
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/11400)
+---
+ crypto/err/openssl.txt | 1 -
+ include/openssl/sslerr.h | 3 +--
+ ssl/record/rec_layer_s3.c | 6 ------
+ ssl/ssl_err.c | 4 +---
+ 4 files changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index f5324c6819d8..35512f9caf96 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
+ SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
+ SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
+ SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
+-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading
+ SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
+ SSL_R_UNEXPECTED_RECORD:245:unexpected record
+ SSL_R_UNINITIALIZED:276:uninitialized
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
+index 0ef684f3c131..ba4c4ae5fbd3 100644
+--- a/include/openssl/sslerr.h
++++ b/include/openssl/sslerr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void);
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
+ # define SSL_R_UNEXPECTED_CCS_MESSAGE 262
+ # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
+-# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294
+ # define SSL_R_UNEXPECTED_MESSAGE 244
+ # define SSL_R_UNEXPECTED_RECORD 245
+ # define SSL_R_UNINITIALIZED 276
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 1c885a664f35..b2a7a47eb075 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
+ ret = BIO_read(s->rbio, pkt + len + left, max - left);
+ if (ret >= 0)
+ bioread = ret;
+- if (ret <= 0
+- && !BIO_should_retry(s->rbio)
+- && BIO_eof(s->rbio)) {
+- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N,
+- SSL_R_UNEXPECTED_EOF_WHILE_READING);
+- }
+ } else {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
+ SSL_R_READ_BIO_NOT_SET);
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index a0c7b79659d4..4b12ed1485d9 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
+ "unexpected ccs message"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
+ "unexpected end of early data"},
+- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
+- "unexpected eof while reading"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
+From 0cd2ee64bffcdece599c3e4b5fac3830a55dc0fa Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Wed, 25 Mar 2020 14:18:13 +0100
+Subject: [PATCH] Document the revert of the proper reporting of an unexpected
+ EOF
+
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/11400)
+---
+ CHANGES | 7 +++++++
+ NEWS | 4 +++-
+ doc/man3/SSL_get_error.pod | 12 ++++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
+index 97320a6c153f..6ef6f7d4c5cb 100644
+--- a/doc/man3/SSL_get_error.pod
++++ b/doc/man3/SSL_get_error.pod
+@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called.
+
+ =back
+
++=head1 BUGS
++
++The B with B value of 0 indicates unexpected EOF from
++the peer. This will be properly reported as B with reason
++code B in the OpenSSL 3.0 release because
++it is truly a TLS protocol error to terminate the connection without
++a SSL_shutdown().
++
++The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
++which choose to ignore this protocol error depend on the existing way of
++reporting the error.
++
+ =head1 SEE ALSO
+
+ L
diff --git a/openssl-zlib-fix.patch b/openssl-zlib-fix.patch
deleted file mode 100644
index afae438..0000000
--- a/openssl-zlib-fix.patch
+++ /dev/null
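Review bot: The rec_layer_s3.c hunk of the nested revert removes the `BIO_eof()` branch from ssl3_read_n, so a peer that closes the transport without sending close_notify no longer produces a fatal SSL_AD_DECODE_ERROR alert with SSL_R_UNEXPECTED_EOF_WHILE_READING; the failed BIO_read simply propagates, and per the BUGS section the second nested commit adds to SSL_get_error.pod the application then sees SSL_ERROR_SYSCALL with errno 0 instead. Any consumer of this package that relied on the 1.1.1e behaviour to detect a truncated connection therefore has to treat that combination as a protocol violation rather than a clean end of stream, which is worth a comment on the Patch4 line in openssl.spec. The sslerr.h and openssl.txt hunks also delete reason code 294, so code written against unpatched 1.1.1e headers that references SSL_R_UNEXPECTED_EOF_WHILE_READING will not build against the headers this spec ships. ssl3_read_n begins and ends outside the quoted hunk, and the pod hunk's B<> and L<> markup appears to have been stripped in this rendering, so the patch file should be checked against the upstream PR before being committed as shown.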
@@ -1,57 +0,0 @@
-From 4245d63be73402df5917bbd099178ba56c136e13 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Thu, 12 Sep 2019 12:27:36 +0200
-Subject: [PATCH] BIO_f_zlib: Properly handle BIO_CTRL_PENDING and
- BIO_CTRL_WPENDING calls.
-
-There can be data to write in output buffer and data to read that were
-not yet read in the input stream.
-
-Fixes #9866
----
- crypto/comp/c_zlib.c | 25 +++++++++++++++++++++++++
- 1 file changed, 25 insertions(+)
-
-diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
-index 78219f202d8..3d2c142f004 100644
---- a/crypto/comp/c_zlib.c
-+++ b/crypto/comp/c_zlib.c
-@@ -546,6 +546,7 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
- int ret, *ip;
- int ibs, obs;
- BIO *next = BIO_next(b);
-+ z_stream *zin;
-
- if (next == NULL)
- return 0;
-@@ -598,6 +599,30 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
- BIO_copy_next_retry(b);
- break;
-
-+ case BIO_CTRL_WPENDING:
-+ if (ctx->obuf == NULL)
-+ return 0;
-+
-+ if (ctx->odone) {
-+ ret = ctx->ocount;
-+ }
-+ else {
-+ ret = ctx->ocount;
-+ if (ret == 0)
-+ /* Unknown amount pending but we are not finished */
-+ ret = 1;
-+ }
-+ if (ret == 0)
-+ ret = BIO_ctrl(next, cmd, num, ptr);
-+ break;
-+
-+ case BIO_CTRL_PENDING:
-+ zin = &ctx->zin;
-+ ret = zin->avail_in;
-+ if (ret == 0)
-+ ret = BIO_ctrl(next, cmd, num, ptr);
-+ break;
-+
- default:
- ret = BIO_ctrl(next, cmd, num, ptr);
- break;
diff --git a/openssl.spec b/openssl.spec
index 10a0cc2..f1359ec 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -16,20 +16,20 @@ Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднан
 Name: openssl
 # Version 1.1.1 is LTS, supported until 2023-09-11.
 # https://www.openssl.org/about/releasestrat.html
-Version: 1.1.1d
+Version: 1.1.1e
 Release: 1
 License: Apache-like
 Group: Libraries
 Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: 3be209000dbc7e1b95bcdf47980a3baa
+# Source0-md5: baeff2a64d2f3d7e0a69b677c9977b57
 Source2: %{name}.1.pl
 Source3: %{name}-ssl-certificate.sh
 Source4: %{name}-c_rehash.sh
 Patch1: %{name}-optflags.patch
 # https://github.com/openssl/openssl/commit/4245d63be73402df5917bbd099178ba56c136e13.patch
-Patch2: %{name}-zlib-fix.patch
-Patch3: %{name}-man-namespace.patch
+Patch3: %{name}-man-namespace.patch
+Patch4: bug-11378.patch
 Patch5: %{name}-ca-certificates.patch
 Patch6: %{name}-no-win32.patch
 Patch7: %{name}-find.patch
@@ -256,11 +256,10 @@ RC4, RSA и SSL. Включает статические библиотеки д
 %else
 %setup -q %{?subver:-n %{name}-%{version}-%{subver}}
 %endif
-
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
@@ -636,6 +635,7 @@ fi
 %{_mandir}/man7/openssl-x509.7*
 %{_mandir}/man7/ossl_store.7*
 %{_mandir}/man7/ossl_store-file.7*
+%{_mandir}/man7/proxy-certificates.7*
 %{_mandir}/man7/RSA-PSS.7.gz

 %files static
-- 
2.44.0
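Review bot: In the first openssl.spec hunk the context line `# https://github.com/openssl/openssl/commit/4245d63be73402df5917bbd099178ba56c136e13.patch` belonged to the removed `Patch2: %{name}-zlib-fix.patch` (it is the commit id in the From line of the deleted openssl-zlib-fix.patch), so after this change it hangs above `Patch3: %{name}-man-namespace.patch` and misdescribes that patch; drop the comment in the same change. The new `Patch4: bug-11378.patch` gets no provenance line even though it carries an upstream revert that changes how an unexpected EOF is reported; add `# https://github.com/openssl/openssl/pull/11400` above it so the next version bump can tell whether the revert is still needed, and consider naming the file `%{name}-bug-11378.patch` to match the other patches. The updated `# Source0-md5:` is the only integrity value the spec records for the new tarball and md5 is not collision resistant, so the value should be taken only after the download has been checked against upstream's signature or SHA-256 digest rather than from an unverified local copy.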