[Pkg-openssl-changes] r703 - in openssl/trunk/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Thu Nov 6 23:40:56 UTC 2014
Author: kroeckx
Date: 2014-11-06 23:40:56 +0000 (Thu, 06 Nov 2014)
New Revision: 703
Added:
openssl/trunk/debian/patches/no_ssl3_method.patch
Modified:
openssl/trunk/debian/changelog
openssl/trunk/debian/rules
Log:
Disable ssl3 methods
Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog 2014-11-06 23:39:56 UTC (rev 702)
+++ openssl/trunk/debian/changelog 2014-11-06 23:40:56 UTC (rev 703)
@@ -16,6 +16,10 @@
* Update list of exported symbols
* Update symbols files to require beta3
* Enable unit tests
+ * Add patch to add support for the no-ssl3-method option that completly
+ disable SSLv3 and pass the option. This drops the following functions
+ from the library: SSLv3_method, SSLv3_server_method and
+ SSLv3_client_method
-- Kurt Roeckx <kurt at roeckx.be> Fri, 07 Nov 2014 00:20:10 +0100
Added: openssl/trunk/debian/patches/no_ssl3_method.patch
===================================================================
--- openssl/trunk/debian/patches/no_ssl3_method.patch (rev 0)
+++ openssl/trunk/debian/patches/no_ssl3_method.patch 2014-11-06 23:40:56 UTC (rev 703)
@@ -0,0 +1,112 @@
+diff --git a/Configure b/Configure
+index 2eda5e6..c35ebe3 100755
+--- a/Configure
++++ b/Configure
+@@ -852,6 +852,11 @@ PROCESS_ARGS:
+ {
+ $disabled{"tls1"} = "option(tls)"
+ }
++ elsif ($1 eq "ssl3-method")
++ {
++ $disabled{"ssl3-method"} = "option(ssl)";
++ $disabled{"ssl3"} = "option(ssl)";
++ }
+ else
+ {
+ $disabled{$1} = "option";
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 68c00c5..c84c662 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -167,9 +167,9 @@
+ #include <openssl/engine.h>
+ #endif
+
+-static const SSL_METHOD *ssl3_get_client_method(int ver);
+ static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
+
++#ifndef OPENSSL_NO_SSL3_METHOD
+ static const SSL_METHOD *ssl3_get_client_method(int ver)
+ {
+ if (ver == SSL3_VERSION)
+@@ -182,6 +182,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
+ ssl_undefined_function,
+ ssl3_connect,
+ ssl3_get_client_method)
++#endif
+
+ int ssl3_connect(SSL *s)
+ {
+diff --git a/ssl/s3_meth.c b/ssl/s3_meth.c
+index cdddb17..16a01e2 100644
+--- a/ssl/s3_meth.c
++++ b/ssl/s3_meth.c
+@@ -60,6 +60,8 @@
+ #include <openssl/objects.h>
+ #include "ssl_locl.h"
+
++#ifndef OPENSSL_NO_SSL3_METHOD
++
+ static const SSL_METHOD *ssl3_get_method(int ver);
+ static const SSL_METHOD *ssl3_get_method(int ver)
+ {
+@@ -74,4 +76,4 @@ IMPLEMENT_ssl3_meth_func(SSLv3_method,
+ ssl3_connect,
+ ssl3_get_method)
+
+-
++#endif
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index bef055a..4f86969 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -170,6 +170,7 @@
+ #endif
+ #include <openssl/md5.h>
+
++#ifndef OPENSSL_NO_SSL3_METHOD
+ static const SSL_METHOD *ssl3_get_server_method(int ver);
+
+ static const SSL_METHOD *ssl3_get_server_method(int ver)
+@@ -180,6 +181,12 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
+ return(NULL);
+ }
+
++IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
++ ssl3_accept,
++ ssl_undefined_function,
++ ssl3_get_server_method)
++#endif
++
+ #ifndef OPENSSL_NO_SRP
+ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
+ {
+@@ -206,11 +213,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
+ }
+ #endif
+
+-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+- ssl3_accept,
+- ssl_undefined_function,
+- ssl3_get_server_method)
+-
+ int ssl3_accept(SSL *s)
+ {
+ BUF_MEM *buf;
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 343247c..152daa7 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -2235,9 +2235,11 @@ const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
+ const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+ #endif
+
++#ifndef OPENSSL_NO_SSL3_METHOD
+ const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
+ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
+ const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
++#endif
+
+ const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
+ const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
+
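Review bot: The new `OPENSSL_NO_SSL3_METHOD` guards cover only the three method definitions and their prototypes in ssl/ssl.h, so any other reference to `SSLv3_method()`, `SSLv3_client_method()` or `SSLv3_server_method()` must already be compiled out some other way. The Configure branch sets both `$disabled{"ssl3-method"}` and `$disabled{"ssl3"}`, which presumably is what keeps such callers out of the build, but nothing in the patch says so. I would add a comment inside that `elsif` branch, for example `# ssl3-method implies ssl3: remaining callers of SSLv3_*_method are only guarded by OPENSSL_NO_SSL3 (confirm)`, and check the tree for callers that neither macro guards. It is also worth confirming that `OPENSSL_NO_SSL3_METHOD` reaches the installed opensslconf.h, since otherwise programs building against ssl/ssl.h would still see the prototypes and fail only at link time. The Configure block and the s3_*.c functions touched here begin or end outside the quoted hunks.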
Modified: openssl/trunk/debian/rules
===================================================================
--- openssl/trunk/debian/rules 2014-11-06 23:39:56 UTC (rev 702)
+++ openssl/trunk/debian/rules 2014-11-06 23:40:56 UTC (rev 703)
@@ -26,7 +26,7 @@
export CROSS_COMPILE ?= $(DEB_HOST_GNU_TYPE)-
endif
-CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 enable-unit-test
+CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 no-ssl3-method enable-unit-test
OPT_alpha = ev4 ev5
OPT_i386 = i586 i686/cmov
ARCHOPTS = OPT_$(DEB_HOST_ARCH)
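Review bot: Nothing next to the `CONFARGS` assignment records that the added `no-ssl3-method` flag removes exported functions from the library. According to this commit's changelog entry it drops SSLv3_method, SSLv3_server_method and SSLv3_client_method, so programs that still call them will no longer link against this build. A comment above the assignment would keep that context with the flag, for example `# no-ssl3-method removes the SSLv3_*_method entry points from libssl; see debian/patches/no_ssl3_method.patch`. Since the patch's Configure branch also sets `$disabled{"ssl3"}`, the existing `no-ssl3` is now redundant; keeping it is harmless and makes the intent explicit.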