Merge branch 'fifteen' of ssh://git.ipfire.org/pub/git/ipfire-2.x into fifteen
authorArne Fitzenreiter <arne_f@ipfire.org>
Mon, 30 Dec 2013 09:35:25 +0000 (10:35 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Mon, 30 Dec 2013 09:35:25 +0000 (10:35 +0100)
lfs/openssl
lfs/openssl-compat
src/patches/openssl-1.0.1e-weak-ciphers.patch [new file with mode: 0644]

index 3452b7198a80285865bb565b5c9157642bf58ca5..e75101f1623de72f045492d45de67fa0872cb2a9 100644 (file)
@@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_pod_syntax-1.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
 
        cd $(DIR_APP) && find crypto/ -name Makefile -exec \
                sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
index 75dd4a2fca4285463557c4c14e1df8c1e7399f98..d2ae6a0e909d412a639d1d38157e710502591a1b 100644 (file)
@@ -71,6 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8u-cryptodev.patch
+
        cd $(DIR_APP) && sed -i -e 's/mcpu/march/' config
        cd $(DIR_APP) && sed -i -e 's/-O3/-O2/' -e 's/-march=i486/-march=i586/' Configure
 
@@ -83,7 +85,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
                shared linux-elf \
                zlib-dynamic \
                no-engines \
-               no-asm 386
+               no-asm 386 \
+               -DSSL_FORBID_ENULL \
+               -DHAVE_CRYPTODEV \
+               -DUSE_CRYPTODEV_DIGEST
 
        cd $(DIR_APP) && make depend
        cd $(DIR_APP) && make
diff --git a/src/patches/openssl-1.0.1e-weak-ciphers.patch b/src/patches/openssl-1.0.1e-weak-ciphers.patch
new file mode 100644 (file)
index 0000000..8657345
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/ssl/ssl.h.weak-ciphers openssl-1.0.1e/ssl/ssl.h
+--- openssl-1.0.1e/ssl/ssl.h.weak-ciphers      2013-12-18 15:50:40.881620314 +0100
++++ openssl-1.0.1e/ssl/ssl.h   2013-12-18 14:25:25.596566704 +0100
+@@ -331,7 +331,7 @@ extern "C" {
+ /* The following cipher list is used by default.
+  * It also is substituted when an application-defined cipher list string
+  * starts with 'DEFAULT'. */
+-#define SSL_DEFAULT_CIPHER_LIST       "ALL:!aNULL:!eNULL:!SSLv2"
++#define SSL_DEFAULT_CIPHER_LIST       "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+ /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+  * starts with a reasonable order, and all we have to do for DEFAULT is
+  * throwing out anonymous and unencrypted ciphersuites!