1 From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2 Date: Tue, 19 Apr 2016 21:32:07 +0200
3 Subject: [PATCH] consider OPENSSL_NO_SSL3
4
5 and avoid using SSLv3 code when not provided by openssl.
6
7 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
8 ---
9  ck_ssl.c | 8 ++++++++
10  ckcftp.c | 5 +++++
11  2 files changed, 13 insertions(+)
12
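--- a/ck_ssl.c
+++ b/ck_ssl.c
@@ -1579,7 +1579,9 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef OPENSSL_NO_SSL3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
@@ -1593,7 +1595,9 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !tls_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef OPENSSL_NO_SSL3
                 tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif
             }
 #endif /* COMMENT */
             if ( !tls_ctx ) {
@@ -1611,7 +1615,9 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
+#ifndef OPENSSL_NO_SSL3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
+#endif
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
@@ -2161,7 +2167,9 @@ ssl_http_init(hostname) char * hostname;
         /* This can fail because we do not have RSA available */
         if ( !tls_http_ctx ) {
             debug(F110,"ssl_http_init","SSLv23_client_method failed",0);
+#ifndef OPENSSL_NO_SSL3
             tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif
         }
 #endif /* COMMENT */
         if ( !tls_http_ctx ) {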
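Review bot: On builds where SSLv3 is still compiled in, each guarded fallback in `ssl_tn_init` and `ssl_http_init` still replaces a failed SSLv23 context with an SSLv3-only one, so a failure of the first `SSL_CTX_new` silently downgrades the session to a protocol that is no longer considered safe (POODLE). The patch makes the code build without SSLv3 but does not address that path. Dropping the fallback and restricting the negotiating context instead, e.g. `SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);` if the surrounding code does not already do so, would give both build variants the same behaviour. With `OPENSSL_NO_SSL3` defined, the second `if ( !ssl_ctx )` in the first and third hunks still logs "SSLv3_client_method failed" / "SSLv3_server_method failed" for a call that was never compiled, so the debug text should be guarded as well. Both function bodies continue outside the hunks.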
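--- a/ckcftp.c
+++ b/ckcftp.c
@@ -10195,6 +10195,7 @@ ssl_auth() {
 #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0L
 #endif
+#ifndef OPENSSL_NO_SSL3
     if (auth_type && !strcmp(auth_type,"TLS")) {
         ssl_ftp_ctx=SSL_CTX_new(SSLv3_client_method());
         if (!ssl_ftp_ctx)
@@ -10205,6 +10206,10 @@ ssl_auth() {
     } else {
         ssl_ftp_ctx = SSL_CTX_new(ftp_bug_use_ssl_v2 ? SSLv23_client_method() : 
                                   SSLv3_client_method());
+#else
+    {
+        ssl_ftp_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif
         if (!ssl_ftp_ctx)
           return(0);
         SSL_CTX_set_options(ssl_ftp_ctx,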
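Review bot: When SSLv3 is available, the `auth_type` "TLS" branch of `ssl_auth` still calls `SSL_CTX_new(SSLv3_client_method())`, so an AUTH TLS session is pinned to SSLv3 only; the patch changes this for `OPENSSL_NO_SSL3` builds alone. Using `ssl_ftp_ctx = SSL_CTX_new(SSLv23_client_method());` in every build and adding `SSL_OP_NO_SSLv3` to the `SSL_CTX_set_options` call (its arguments are outside the hunk) would make both variants behave the same and remove the need for the `#ifndef`. The new `#else` arm also compiles out whatever the "TLS" branch does between the two hunks, which is not visible here, so it is worth confirming that no required setup is lost. Its bare `{` is closed by the `}` of the original `else` outside the hunk and deserves a comment such as `/* closed by the shared '}' of the else block below */`. `ssl_auth` starts and ends outside the hunks.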
80 -- 
81 2.8.0.rc3
82