disable SSLv2 support altogether (without ABI break)

This commit is contained in:
Tomas Mraz 2016-03-29 15:47:40 +02:00
parent 589d3ee15b
commit 0a6d0e5ddc
2 changed files with 35 additions and 3 deletions

View File

@ -0,0 +1,27 @@
diff -up openssl-1.0.2g/ssl/ssl.h.remove-ssl2 openssl-1.0.2g/ssl/ssl.h
--- openssl-1.0.2g/ssl/ssl.h.remove-ssl2 2016-03-02 09:26:24.000000000 +0100
+++ openssl-1.0.2g/ssl/ssl.h 2016-03-29 15:24:01.471422525 +0200
@@ -2283,7 +2283,7 @@ const char *SSL_get_version(const SSL *s
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
diff -up openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 openssl-1.0.2g/ssl/s2_meth.c
--- openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 2016-01-28 14:38:31.000000000 +0100
+++ openssl-1.0.2g/ssl/s2_meth.c 2016-03-29 15:19:49.319654216 +0200
@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
ssl2_accept, ssl2_connect, ssl2_get_method)
#else /* !OPENSSL_NO_SSL2 */
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
+const SSL_METHOD *SSLv2_method(void) { return NULL; }
+const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
+const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
#endif

View File

@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.2g Version: 1.0.2g
Release: 3%{?dist} Release: 4%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -88,6 +88,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
Patch80: openssl-1.0.2e-wrap-pad.patch Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch Patch81: openssl-1.0.2a-padlock64.patch
Patch82: openssl-1.0.2c-trusted-first-doc.patch Patch82: openssl-1.0.2c-trusted-first-doc.patch
Patch83: openssl-1.0.2g-remove-ssl2.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -212,6 +213,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch80 -p1 -b .wrap %patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64 %patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first %patch82 -p1 -b .trusted-first
%patch83 -p1 -b .remove-ssl2
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -287,8 +289,8 @@ sslflags=enable-ec_nistp_64_gcc_128
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \ zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 enable-ssl2 \ enable-cms enable-md2 enable-rc5 \
no-mdc2 enable-rc5 no-ec2m no-gost no-srp \ no-mdc2 no-ec2m no-gost no-srp \
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \ --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips} --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
@ -502,6 +504,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Tue Mar 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2g-4
- disable SSLv2 support altogether (without ABI break)
* Mon Mar 7 2016 Tom Callaway <spot@fedoraproject.org> - 1.0.2g-3 * Mon Mar 7 2016 Tom Callaway <spot@fedoraproject.org> - 1.0.2g-3
- enable RC5 - enable RC5