From a650e4abcbfc71c7aee6a0cae06c38544e36342e Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Oct 16 2009 11:40:27 +0000 Subject: - fix use of freed memory if SSL_CTX_free() is called before SSL_free() (#521342)
---
diff --git a/openssl-1.0.0-beta3-ssl-free.patch b/openssl-1.0.0-beta3-ssl-free.patch
new file mode 100644
index 0000000..61f56ea
--- /dev/null
+++ b/openssl-1.0.0-beta3-ssl-free.patch
@@ -0,0 +1,31 @@
+diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free openssl-1.0.0-beta3/ssl/ssl_lib.c
+--- openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free 2009-10-08 20:44:26.000000000 +0200
++++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-10-16 11:56:53.000000000 +0200
+@@ -556,7 +556,6 @@ void SSL_free(SSL *s)
+ if (s->cert != NULL) ssl_cert_free(s->cert);
+ /* Free up if allocated */
+
+- if (s->ctx) SSL_CTX_free(s->ctx);
+ #ifndef OPENSSL_NO_TLSEXT
+ if (s->tlsext_hostname)
+ OPENSSL_free(s->tlsext_hostname);
+@@ -580,6 +579,8 @@ void SSL_free(SSL *s)
+
+ if (s->method != NULL) s->method->ssl_free(s);
+
++ if (s->ctx) SSL_CTX_free(s->ctx);
++
+ #ifndef OPENSSL_NO_KRB5
+ if (s->kssl_ctx != NULL)
+ kssl_ctx_free(s->kssl_ctx);
+diff -up openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear openssl-1.0.0-beta3/ssl/s3_lib.c
+--- openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear 2009-05-28 20:10:47.000000000 +0200
++++ openssl-1.0.0-beta3/ssl/s3_lib.c 2009-10-16 09:50:24.000000000 +0200
+@@ -2211,6 +2211,7 @@ void ssl3_clear(SSL *s)
+ wlen = s->s3->wbuf.len;
+ if (s->s3->handshake_buffer) {
+ BIO_free(s->s3->handshake_buffer);
++ s->s3->handshake_buffer = NULL;
+ }
+ if (s->s3->handshake_dgst) {
+ ssl3_free_digest_list(s);
diff --git a/openssl.spec b/openssl.spec
index ff3176a..1412c86 100644
--- a/openssl.spec
+++ b/openssl.spec
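Review bot: The relocated `if (s->ctx) SSL_CTX_free(s->ctx);` in SSL_free() has no comment recording that it must stay after `s->method->ssl_free(s)`, so a later reorder of the cleanup sequence could bring the use of freed memory back; a line such as `/* release ctx only after method->ssl_free(), which presumably still dereferences it */` above it would pin the constraint. The patch file also bundles a second, separate fix, `s->s3->handshake_buffer = NULL;` after `BIO_free()` in ssl3_clear(), which clears a pointer that would otherwise dangle, yet the commit subject and the %changelog entry describe only the SSL_CTX_free() ordering; a changelog line for it would help anyone auditing which builds carry it. Both function bodies continue outside the embedded hunks, so whether the cleanup that still follows the new position (the OPENSSL_NO_KRB5 block onward) touches `s->ctx` cannot be confirmed from here and is worth checking.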
@@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.0 -Release: 0.9.%{beta}%{?dist} +Release: 0.10.%{beta}%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-%{beta}-usa.tar.bz2 @@ -69,6 +69,7 @@ Patch61: openssl-1.0.0-beta3-namingblk.patch Patch62: openssl-1.0.0-beta3-camellia-rounds.patch Patch63: openssl-1.0.0-beta3-dtls1-fix.patch Patch64: openssl-1.0.0-beta3-ssl-session.patch +Patch65: openssl-1.0.0-beta3-ssl-free.patch License: OpenSSL Group: System Environment/Libraries @@ -155,6 +156,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch62 -p1 -b .cmll-rounds %patch63 -p1 -b .dtls1-fix %patch64 -p1 -b .ssl-session +%patch65 -p1 -b .ssl-free # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -403,6 +405,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Fri Oct 16 2009 Tomas Mraz 1.0.0-0.10.beta3 +- fix use of freed memory if SSL_CTX_free() is called before + SSL_free() (#521342) + * Thu Oct 8 2009 Tomas Mraz 1.0.0-0.9.beta3 - fix typo in DTLS1 code (#527015) - fix leak in error handling of d2i_SSL_SESSION()