Fix OpenSSL 0.9.8za patch for EAP-FAST support
authorJouni Malinen <j@w1.fi>
Tue, 9 Dec 2014 11:19:22 +0000 (13:19 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 9 Dec 2014 14:57:05 +0000 (16:57 +0200)
OpenSSL 0.9.8za added a fix for CVE-2014-0224 and the original fix broke
EAP-FAST support due to forgotten SSL3_FLAGS_CCS_OK marking for
tls_session_secret_cb. Fix for this regression was added into OpenSSL
1.x and newer. The same fix is needed in this backport patch for
0.9.8za.

Signed-off-by: Jouni Malinen <j@w1.fi>
patches/openssl-0.9.8za-tls-extensions.patch

index 3ae5aa9f4063ca0252329da5c1b5412034e2df6a..82bfe2302ea351fd3841a74662b1144d85fb752b 100644 (file)
@@ -12,7 +12,7 @@ command line.
 diff -upr openssl-0.9.8za.orig/ssl/s3_clnt.c openssl-0.9.8za/ssl/s3_clnt.c
 --- openssl-0.9.8za.orig/ssl/s3_clnt.c 2014-06-05 11:09:26.000000000 +0300
 +++ openssl-0.9.8za/ssl/s3_clnt.c      2014-06-05 20:37:09.221387312 +0300
-@@ -767,6 +767,21 @@ int ssl3_get_server_hello(SSL *s)
+@@ -767,6 +767,22 @@ int ssl3_get_server_hello(SSL *s)
                goto f_err;
                }
  
@@ -27,6 +27,7 @@ diff -upr openssl-0.9.8za.orig/ssl/s3_clnt.c openssl-0.9.8za/ssl/s3_clnt.c
 +                      {
 +                      s->session->cipher=pref_cipher ?
 +                              pref_cipher : ssl_get_cipher_by_char(s,p+j);
++                      s->s3->flags |= SSL3_FLAGS_CCS_OK;
 +                      }
 +              }
 +#endif /* OPENSSL_NO_TLSEXT */
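Review bot: The added `s->s3->flags |= SSL3_FLAGS_CCS_OK;` has no comment, although per the commit message this flag belongs to the CVE-2014-0224 fix, so a reader of the backport cannot tell why it is acceptable to set it at this point in ssl3_get_server_hello. I would add above it `/* secret came from tls_session_secret_cb (EAP-FAST): allow the server's CCS after ServerHello */`. The flag is set only inside the braces shown, after the cipher is chosen; the enclosing condition starts outside the hunk, so it is presumably the branch where the callback succeeded. These lines also do not show where the flag is cleared again, so it is worth confirming that it does not stay set if the server continues with a full handshake instead of using the callback-supplied secret.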