From 3f2f2de8bff3f80b3bd4624066e22e545654bd02e55b4c443962ee778f7c3c01 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Fri, 27 Sep 2013 17:48:21 +0000
Subject: [PATCH] Accepting request 201094 from Base:System - VPN openconnect problem (DTLS handshake failed) (git 9fe4603b8, bnc#822642, openssl ticket#2984) (forwarded request 201079 from dmacvicar)
OBS-URL: https://build.opensuse.org/request/show/201094
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=97
---
 openssl-1.0.1e-bnc822642.patch | 26 ++++++++++++++++++++++++++
 openssl.changes | 6 ++++++
 openssl.spec | 2 ++
 3 files changed, 34 insertions(+)
 create mode 100644 openssl-1.0.1e-bnc822642.patch
diff --git a/openssl-1.0.1e-bnc822642.patch b/openssl-1.0.1e-bnc822642.patch
new file mode 100644
index 0000000..6042d81
--- /dev/null
+++ b/openssl-1.0.1e-bnc822642.patch
@@ -0,0 +1,26 @@
+commit 9fe4603b8245425a4c46986ed000fca054231253
+Author: David Woodhouse
+Date: Tue Feb 12 14:55:32 2013 +0000
+
+ Check DTLS_BAD_VER for version number.
+
+ The version check for DTLS1_VERSION was redundant as
+ DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+ check for DTLS1_BAD_VER for compatibility.
+
+ PR:2984
+ (cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
diff --git a/openssl.changes b/openssl.changes
index 725cdb4..dbd8ef1 100644
--- a/openssl.changes
+++ b/openssl.changes
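Review bot: The rewritten condition in tls1_cbc_remove_padding (the nested ssl/s3_cbc.c hunk inside openssl-1.0.1e-bnc822642.patch) depends on the numeric ordering of the version constants, and the comment above it does not say so. DTLS1_VERSION only takes this branch because it compares greater than TLS1_1_VERSION, while DTLS1_BAD_VER compares lower and needs the explicit test. I would extend the existing comment to something like `/* Explicit IV: TLS >= 1.1 and all DTLS; DTLS1_VERSION passes the >= test numerically, DTLS1_BAD_VER does not */`, so that a later cleanup does not drop or swap the second operand again. The branch appears to gate the record-length test that precedes padding removal, so a regression test that feeds a DTLS1_BAD_VER CBC record through this path would also be worth carrying with the patch. The function body continues beyond the hunk, so how the rest of it uses the result is not visible here.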
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Sep 27 10:26:43 UTC 2013 - dmacvicar@suse.de
+
+- VPN openconnect problem (DTLS handshake failed)
+ (git 9fe4603b8, bnc#822642, openssl ticket#2984)
+
 -------------------------------------------------------------------
 Wed Sep 4 18:56:38 UTC 2013 - guillaume@opensuse.org
 
diff --git a/openssl.spec b/openssl.spec
index 3ea8725..4d5adca 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -54,6 +54,7 @@ Patch8: 0005-libssl-Hide-library-private-symbols.patch
 Patch9: openssl-1.0.1c-default-paths.patch
 Patch10: openssl-pkgconfig.patch
 Patch11: SSL_get_certificate-broken.patch
+Patch12: openssl-1.0.1e-bnc822642.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build

 %description
@@ -141,6 +142,7 @@ this package's base documentation.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"