Utilize system-wide crypto-policies

- rhbz#1179324

mutt-1.5.23-ssl_ciphers.patch

@@ -0,0 +1,74 @@
+diff -rup mutt-17a4f92e4a95-orig/init.h mutt-17a4f92e4a95/init.h
+--- mutt-17a4f92e4a95-orig/init.h	2015-07-30 11:09:54.536930119 +0200
++++ mutt-17a4f92e4a95/init.h	2015-07-30 11:11:17.383772131 +0200
+@@ -3092,7 +3092,7 @@ struct option_t MuttVars[] = {
+   ** URL. You should only unset this for particular known hosts, using
+   ** the \fC$<account-hook>\fP function.
+   */
+-  { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL 0 },
++  { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL "@SYSTEM" },
+   /*
+   ** .pp
+   ** Contains a colon-seperated list of ciphers to use when using SSL.
+--- mutt-17a4f92e4a95/mutt_ssl_gnutls.c.ssl_ciphers	2015-08-20 13:19:24.990481900 +0200
++++ mutt-17a4f92e4a95/mutt_ssl_gnutls.c	2015-08-20 14:37:18.405928684 +0200
+@@ -286,32 +286,35 @@
+   else
+     safe_strcat (priority, priority_size, "NORMAL");
+ 
+-  if (! option(OPTTLSV1_2))
++  if (SslCiphers && strcmp(SslCiphers, "@SYSTEM"))
+   {
+-    nproto--;
+-    safe_strcat (priority, priority_size, ":-VERS-TLS1.2");
+-  }
+-  if (! option(OPTTLSV1_1))
+-  {
+-    nproto--;
+-    safe_strcat (priority, priority_size, ":-VERS-TLS1.1");
+-  }
+-  if (! option(OPTTLSV1))
+-  {
+-    nproto--;
+-    safe_strcat (priority, priority_size, ":-VERS-TLS1.0");
+-  }
+-  if (! option(OPTSSLV3))
+-  {
+-    nproto--;
+-    safe_strcat (priority, priority_size, ":-VERS-SSL3.0");
+-  }
++    if (! option(OPTTLSV1_2))
++    {
++      nproto--;
++      safe_strcat (priority, priority_size, ":-VERS-TLS1.2");
++    }
++    if (! option(OPTTLSV1_1))
++    {
++      nproto--;
++      safe_strcat (priority, priority_size, ":-VERS-TLS1.1");
++    }
++    if (! option(OPTTLSV1))
++    {
++      nproto--;
++      safe_strcat (priority, priority_size, ":-VERS-TLS1.0");
++    }
++    if (! option(OPTSSLV3))
++    {
++      nproto--;
++      safe_strcat (priority, priority_size, ":-VERS-SSL3.0");
++    }
+ 
+-  if (nproto == 0)
+-  {
+-    mutt_error (_("All available protocols for TLS/SSL connection disabled"));
+-    FREE (&priority);
+-    return -1;
++    if (nproto == 0)
++    {
++      mutt_error (_("All available protocols for TLS/SSL connection disabled"));
++      FREE (&priority);
++      return -1;
++    }
+   }
+ 
+   if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0)

mutt.spec

@@ -20,7 +20,7 @@
 Summary: A text mode mail user agent
 Name: mutt
 Version: 1.5.23
-Release: 10.%{?snapver}%{?dist}
+Release: 11.%{?snapver}%{?dist}
 Epoch: 5
 # The entire source code is GPLv2+ except
 # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@@ -37,6 +37,7 @@ Patch3: mutt-1.5.21-syncdebug.patch
 Patch4: mutt-1.5.23-add_debug_option.patch
 Patch7: mutt-1.5.23-domainname.patch
 Patch8: mutt-1.5.23-system_certs.patch
+Patch9: mutt-1.5.23-ssl_ciphers.patch
 Url: http://www.mutt.org/
 Requires: mailcap, urlview
 BuildRequires: ncurses-devel, gettext, automake
@@ -86,6 +87,7 @@ autoreconf --install
 %patch4 -p1 -b .add_debug_option
 %patch7 -p1 -b .domainname
 %patch8  -p1 -b .system_certs
+%patch9  -p1 -b .ssl_ciphers
 
 sed -i -r 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
 # disable mutt_dotlock program - remove support from mutt binary
@@ -99,6 +101,11 @@ if echo %{release} | grep -E -q '%{hgreldate}'; then
   echo %{release} | sed -r 's/.*%{hgreldate}.*/"\1-\2-\3";/' >> reldate.h
 fi
 
+# remove mutt_ssl.c to be sure it won't be used because it violates
+# Packaging:CryptoPolicies
+# https://fedoraproject.org/wiki/Packaging:CryptoPolicies
+rm -f mutt_ssl.c
+
 
 %build
 %configure \
@@ -190,6 +197,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
 
 
 %changelog
+* Wed Aug 26 2015 Matej Muzila <mmuzila@redhat.com> - 5:1.5.23-11.20150609hg17a4f92e4a95
+- Utilize system-wide crypto-policies
+- rhbz#1179324
+
 * Thu Jun 25 2015 Matej Muzila <mmuzila@redhat.com> - 5:1.5.23-10.20150609hg17a4f92e4a95
 - Make system CA bundle default in mutt
 - Resolves: #1069778