From 3b10b313032fe32e8e611a7c47e6e90259972ce3 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 28 Nov 2017 13:58:29 +0000
Subject: [PATCH] elinks: Patch to build against OpenSSL 1.1

Signed-off-by: Michael Tremer
---
 lfs/elinks | 4 +-
 src/patches/elinks-0.11.0-ssl-noegd.patch | 21 ++++++
 src/patches/elinks-0.12pre6-openssl11.patch | 73 +++++++++++++++++++++
 3 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/elinks-0.11.0-ssl-noegd.patch
 create mode 100644 src/patches/elinks-0.12pre6-openssl11.patch

diff --git a/lfs/elinks b/lfs/elinks
index 2727423f02..8d39269672 100644
--- a/lfs/elinks
+++ b/lfs/elinks
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = elinks
-PAK_VER = 5
+PAK_VER = 6
 
 DEPS = ""
 
@@ -78,6 +78,8 @@ dist:
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/elinks-0.12pre6-openssl11.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/elinks-0.11.0-ssl-noegd.patch
 cd $(DIR_APP) && ./configure
 cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
 cd $(DIR_APP) && make install
diff --git a/src/patches/elinks-0.11.0-ssl-noegd.patch b/src/patches/elinks-0.11.0-ssl-noegd.patch
new file mode 100644
index 0000000000..5818734615
--- /dev/null
+++ b/src/patches/elinks-0.11.0-ssl-noegd.patch
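Review bot: The two added `patch -Np1` lines run with GNU patch's default fuzz, so a hunk that applies at an offset or with fuzz still exits 0 and the build proceeds; that matters here because elinks-0.11.0-ssl-noegd.patch carries 0.11.0 file headers while the tarball is, going by the other patch's name, 0.12pre6 (the version variable itself is outside this hunk). Consider `cd $(DIR_APP) && patch -Np1 --fuzz=0 < $(DIR_SRC)/src/patches/elinks-0.12pre6-openssl11.patch` and the same `--fuzz=0` on the second line, so that a context mismatch fails the build instead of landing a hunk in the wrong place. The order of the two patches does not matter as far as the hunks show, since they touch different files (socket.c and ssl.c). The $(TARGET) recipe continues past the hunk.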
@@ -0,0 +1,21 @@
+--- elinks-0.11.0/src/network/ssl/ssl.c.noegd 2006-01-10 09:24:50.000000000 +0100
++++ elinks-0.11.0/src/network/ssl/ssl.c 2006-01-10 09:25:01.000000000 +0100
+@@ -44,18 +44,6 @@ SSL_CTX *context = NULL;
+ static void
+ init_openssl(struct module *module)
+ {
+- unsigned char f_randfile[PATH_MAX];
+-
+- /* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library
+- * cannot initialize the PRNG and so every attempt to use SSL fails.
+- * It's actually an OpenSSL FAQ, and according to them, it's up to the
+- * application coders to seed the RNG. -- William Yodlowsky */
+- if (RAND_egd(RAND_file_name(f_randfile, sizeof(f_randfile))) < 0) {
+- /* Not an EGD, so read and write to it */
+- if (RAND_load_file(f_randfile, -1))
+- RAND_write_file(f_randfile);
+- }
+-
+ SSLeay_add_ssl_algorithms();
+ context = SSL_CTX_new(SSLv23_client_method());
+ SSL_CTX_set_options(context, SSL_OP_ALL);
diff --git a/src/patches/elinks-0.12pre6-openssl11.patch b/src/patches/elinks-0.12pre6-openssl11.patch
new file mode 100644
index 0000000000..210af635e2
--- /dev/null
+++ b/src/patches/elinks-0.12pre6-openssl11.patch
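Review bot: Nothing replaces the removed seeding block, so init_openssl now relies entirely on OpenSSL seeding its own RNG; that is the expected behaviour on the OpenSSL 1.1 this commit targets, where RAND_egd is normally compiled out, but the patch itself is unconditional and carries an 0.11.0 name, so the assumption is recorded nowhere. A one-line description above the nested `---` header, e.g. `Drop EGD/RAND-file seeding: requires OpenSSL >= 1.1.0, whose RNG seeds itself`, would keep a future bump from applying it to a tree built against an older library, which is exactly the case the deleted comment was about. The removed code also wrote the seed file back via `RAND_write_file`, so that side effect on the user's RAND file disappears as well. The nested init_openssl continues past the hunk.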
@@ -0,0 +1,73 @@
+From d83c0edf4c6ae42359ff856d7a879ecba5769595 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Fri, 17 Feb 2017 16:51:41 +0100
+Subject: [PATCH 1/2] fix compatibility with OpenSSL 1.1
+
+---
+ src/network/ssl/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index c9e2be4..467fc48 100644
+--- a/src/network/ssl/socket.c
++++ b/src/network/ssl/socket.c
+@@ -83,7 +83,7 @@ static void
+ ssl_set_no_tls(struct socket *socket)
+ {
+ #ifdef CONFIG_OPENSSL
+- ((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
++ SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
+ #elif defined(CONFIG_GNUTLS)
+ {
+ /* GnuTLS does not support SSLv2 because it is "insecure".
+@@ -419,7 +419,7 @@ ssl_connect(struct socket *socket)
+ }
+
+ if (client_cert) {
+- SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
++ SSL_CTX *ctx = SSL_get_SSL_CTX((SSL *) socket->ssl);
+
+ SSL_CTX_use_certificate_chain_file(ctx, client_cert);
+ SSL_CTX_use_PrivateKey_file(ctx, client_cert,
+--
+2.7.4
+
+
+From ec952cc5b79973bee73fcfc813159d40c22b7228 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Fri, 17 Feb 2017 16:44:11 +0100
+Subject: [PATCH 2/2] drop disablement of TLS1.0 on second attempt to connect
+
+It would not work correctly anyway and the code does not build
+with OpenSSL-1.1.0.
+---
+ src/network/ssl/socket.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
+index 467fc48..b981c1e 100644
+--- a/src/network/ssl/socket.c
++++ b/src/network/ssl/socket.c
+@@ -82,6 +82,11 @@
+ static void
+ ssl_set_no_tls(struct socket *socket)
+ {
++#if 0
++/* This implements the insecure renegotiation, which should not be used.
++ * The code also would not work on current Fedora (>= Fedora 23) anyway,
++ * because it would just switch off TLS 1.0 keeping TLS 1.1 and 1.2 enabled.
++ */
+ #ifdef CONFIG_OPENSSL
+ SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
+ #elif defined(CONFIG_GNUTLS)
+@@ -96,6 +101,7 @@ ssl_set_no_tls(struct socket *socket)
+ gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority);
+ }
+ #endif
++#endif
+ }
+
+ #ifdef USE_OPENSSL
+--
+2.7.4
+
--
2.39.5
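Review bot: After the second sub-patch, ssl_set_no_tls keeps its signature but its whole body sits under `#if 0`, so it compiles to an empty function with an unused `socket` parameter, and any caller that invokes it before retrying a connection (the caller is outside this hunk) presumably now repeats the attempt with unchanged protocol settings. Keeping the downgrade logic as dead code rather than deleting it also makes it easy to re-enable by accident; replacing the block with `/* Intentionally a no-op: the former TLS 1.0 downgrade retry is insecure and did not work correctly anyway. */` and `(void) socket;` states the contract and silences -Wunused-parameter. In the first sub-patch, the `-83` hunk casts `socket->ssl` to `ssl_t *` before handing it to `SSL_set_options`, while the `-419` hunk casts the same field to `SSL *` for `SSL_get_SSL_CTX`; one spelling, `SSL *`, would make the intended type explicit in both places. The `SSL_CTX` obtained there is presumably the shared client context, so the certificate loaded for this socket applies to later connections too — that predates the change but is worth a comment on the `ctx` line. The nested ssl_connect hunk ends before the end of that function.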