openssl: Update to 1.1.0h

CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:

Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious
input with excessive recursion. This could result in a Denial Of
Service attack. There are no such structures used within SSL/TLS
that come from untrusted sources so this is considered safe.
Reported by OSS-fuzz.

This patch also entirely removes support for SSLv3. The patch to
disable it didn't apply and since nobody has been using this before,
we will not compile it into OpenSSL any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/lfs/openssl b/lfs/openssl
index 7a39f14de610a2af7d1ced3ca2e30fd09cb20645..71f2bc826b3aeaaba62203fdf399cd1e75f7a256 100644 (file)
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.1.0g
+VER        = 1.1.0h
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -51,8 +51,6 @@ CONFIGURE_OPTIONS = \
        enable-md2 \
        enable-seed \
        enable-rfc3779 \
-       enable-ssl3 \
-       enable-ssl3-method \
        no-idea \
        no-mdc2 \
        no-rc5 \
@@ -89,7 +87,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = ba5f1b8b835b88cadbce9b35ed9531a6
+$(DL_FILE)_MD5 = 5271477e4d93f4ea032b665ef095ff24
 
 install : $(TARGET)
 
@@ -119,7 +117,6 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0-disable-ssl3.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch
 
        # Apply our CFLAGS

diff --git a/src/patches/openssl-1.1.0-disable-ssl3.patch b/src/patches/openssl-1.1.0-disable-ssl3.patch
deleted file mode 100644 (file)
index 267c02c..0000000
--- a/src/patches/openssl-1.1.0-disable-ssl3.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
---- openssl-1.1.0f/apps/s_client.c.disable-ssl3        2017-06-05 15:42:44.838853312 +0200
-+++ openssl-1.1.0f/apps/s_client.c     2017-07-17 14:50:06.468821871 +0200
-@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
- 
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (ssl_config) {
-         if (SSL_CTX_config(ctx, ssl_config) == 0) {
-             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
---- openssl-1.1.0f/apps/s_server.c.disable-ssl3        2017-05-25 14:46:18.000000000 +0200
-+++ openssl-1.1.0f/apps/s_server.c     2017-07-17 14:49:50.434447583 +0200
-@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
-     }
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
-+
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (ssl_config) {
-         if (SSL_CTX_config(ctx, ssl_config) == 0) {
-             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3   2016-08-25 17:29:22.000000000 +0200
-+++ openssl-1.1.0/ssl/ssl_lib.c        2016-09-08 11:08:05.252082263 +0200
-@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
-      * or by using the SSL_CONF library.
-      */
-     ret->options |= SSL_OP_NO_COMPRESSION;
-+    /*
-+     * Disable SSLv3 by default.  Applications can
-+     * re-enable it by configuring
-+     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+     * or by using the SSL_CONF library.
-+     */
-+    ret->options |= SSL_OP_NO_SSLv3;
- 
-     ret->tlsext_status_type = -1;
- 
-diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
---- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
-+++ openssl-1.1.0/test/ssl_test.c      2016-09-08 11:11:44.802005886 +0200
-@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
-             SSL_TEST_SERVERNAME_CB_NONE) {
-             server2_ctx = SSL_CTX_new(TLS_server_method());
-             TEST_check(server2_ctx != NULL);
-+            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
-         }
-         client_ctx = SSL_CTX_new(TLS_client_method());
- 
-@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
-             resume_client_ctx = SSL_CTX_new(TLS_client_method());
-             TEST_check(resume_server_ctx != NULL);
-             TEST_check(resume_client_ctx != NULL);
-+            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
-         }
-     }
- 
-     TEST_check(server_ctx != NULL);
-     TEST_check(client_ctx != NULL);
-+    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
- 
-     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
- 
-diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3      2016-08-25 17:29:23.000000000 +0200
-+++ openssl-1.1.0/test/ssltest_old.c   2016-09-08 11:08:05.253082286 +0200
-@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
-         ERR_print_errors(bio_err);
-         goto end;
-     }
-+
-+    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
-     /*
-      * Since we will use low security ciphersuites and keys for testing set
-      * security level to zero by default. Tests can override this by adding