- partial update

[packages/ckermit.git] / 050-consider-OPENSSL_NO_SSL3.patch

diff --git a/050-consider-OPENSSL_NO_SSL3.patch b/050-consider-OPENSSL_NO_SSL3.patch
new file mode 100644 (file)
index 0000000..1ffa8cf
--- /dev/null
+++ b/050-consider-OPENSSL_NO_SSL3.patch
@@ -0,0 +1,82 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Tue, 19 Apr 2016 21:32:07 +0200
+Subject: [PATCH] consider OPENSSL_NO_SSL3
+
+and avoid using SSLv3 code when not provided by openssl.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ ck_ssl.c | 8 ++++++++
+ ckcftp.c | 5 +++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/ck_ssl.c b/ck_ssl.c
+index 428fb7ca6f98..3640d8f07fa8 100644
+--- a/ck_ssl.c
++++ b/ck_ssl.c
+@@ -1579,7 +1579,9 @@ ssl_tn_init(mode) int mode;
+             /* This can fail because we do not have RSA available */
+             if ( !ssl_ctx ) {
+                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
++#ifndef OPENSSL_NO_SSL3
+                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
++#endif
+             }
+             if ( !ssl_ctx ) {
+                 debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
+@@ -1593,7 +1595,9 @@ ssl_tn_init(mode) int mode;
+             /* This can fail because we do not have RSA available */
+             if ( !tls_ctx ) {
+                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
++#ifndef OPENSSL_NO_SSL3
+                 tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
++#endif
+             }
+ #endif /* COMMENT */
+             if ( !tls_ctx ) {
+@@ -1611,7 +1615,9 @@ ssl_tn_init(mode) int mode;
+             /* This can fail because we do not have RSA available */
+             if ( !ssl_ctx ) {
+                 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
++#ifndef OPENSSL_NO_SSL3
+                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
++#endif
+             }
+             if ( !ssl_ctx ) {
+                 debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
+@@ -2161,7 +2167,9 @@ ssl_http_init(hostname) char * hostname;
+         /* This can fail because we do not have RSA available */
+         if ( !tls_http_ctx ) {
+             debug(F110,"ssl_http_init","SSLv23_client_method failed",0);
++#ifndef OPENSSL_NO_SSL3
+             tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
++#endif
+         }
+ #endif /* COMMENT */
+         if ( !tls_http_ctx ) {
+diff --git a/ckcftp.c b/ckcftp.c
+index 66c7940dedc2..d718323faac4 100644
+--- a/ckcftp.c
++++ b/ckcftp.c
+@@ -10195,6 +10195,7 @@ ssl_auth() {
+ #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0L
+ #endif
++#ifndef OPENSSL_NO_SSL3
+     if (auth_type && !strcmp(auth_type,"TLS")) {
+         ssl_ftp_ctx=SSL_CTX_new(SSLv3_client_method());
+         if (!ssl_ftp_ctx)
+@@ -10205,6 +10206,10 @@ ssl_auth() {
+     } else {
+         ssl_ftp_ctx = SSL_CTX_new(ftp_bug_use_ssl_v2 ? SSLv23_client_method() : 
+                                   SSLv3_client_method());
++#else
++    {
++        ssl_ftp_ctx = SSL_CTX_new(SSLv23_client_method());
++#endif
+         if (!ssl_ftp_ctx)
+           return(0);
+         SSL_CTX_set_options(ssl_ftp_ctx,
+-- 
+2.8.0.rc3
+