openssl/openssl-1.0.1e-add-suse-default-cipher.patch

Index: openssl-1.0.1g/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.1g.orig/ssl/ssl_ciph.c
+++ openssl-1.0.1g/ssl/ssl_ciph.c
@@ -1470,7 +1470,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
 	 */
 	ok = 1;
 	rule_p = rule_str;
-	if (strncmp(rule_str,"DEFAULT",7) == 0)
+
+	if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0)
+		{
+		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+			&head, &tail, ca_list);
+		rule_p += 12;
+		if (*rule_p == ':')
+			rule_p++;
+		}
+
+    else if (strncmp(rule_str,"DEFAULT",7) == 0)
 		{
 		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
 			&head, &tail, ca_list);
Index: openssl-1.0.1g/ssl/ssl.h
===================================================================
--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
@@ -331,7 +331,10 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
 /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
  * throwing out anonymous and unencrypted ciphersuites!
Accepting request 236989 from Base:System NOTE: I submitted perl-Net-SSLeay 1.64 update to devel:languages:perl which fixes its regression. - updated openssl to 1.0.1h (bnc#880891): - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. - openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream - CVE-2014-0198.patch: removed, upstream - 0009-Fix-double-frees.patch: removed, upstream - 0012-Fix-eckey_priv_encode.patch: removed, upstream - 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream - 0018-fix-coverity-issues-966593-966596.patch: removed, upstream - 0020-Initialize-num-properly.patch: removed, upstream - 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream - 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream - 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream - 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream - 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase - openssl-1.0.1c-ipv6-apps.patch: refreshed - openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed - Added new SUSE default cipher suite openssl-1.0.1e-add-suse-default-cipher.patch OBS-URL: https://build.opensuse.org/request/show/236989 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=118 2014-06-18 07:47:41 +02:00			`Index: openssl-1.0.1g/ssl/ssl_ciph.c`
			`===================================================================`
			`--- openssl-1.0.1g.orig/ssl/ssl_ciph.c`
			`+++ openssl-1.0.1g/ssl/ssl_ciph.c`
			`@@ -1470,7 +1470,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_`
			`*/`
			`ok = 1;`
			`rule_p = rule_str;`
			`- if (strncmp(rule_str,"DEFAULT",7) == 0)`
			`+`
			`+ if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0)`
			`+ {`
			`+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,`
			`+ &head, &tail, ca_list);`
			`+ rule_p += 12;`
			`+ if (*rule_p == ':')`
			`+ rule_p++;`
			`+ }`
			`+`
			`+ else if (strncmp(rule_str,"DEFAULT",7) == 0)`
			`{`
			`ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,`
			`&head, &tail, ca_list);`
			`Index: openssl-1.0.1g/ssl/ssl.h`
			`===================================================================`
			`--- openssl-1.0.1g.orig/ssl/ssl.h`
			`+++ openssl-1.0.1g/ssl/ssl.h`
			`@@ -331,7 +331,10 @@ extern "C" {`
			`/* The following cipher list is used by default.`
			`* It also is substituted when an application-defined cipher list string`
			`* starts with 'DEFAULT'. */`
			`-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"`
			`+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"`
			`+#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\`
			`+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\`
			`+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"`
			`/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always`
			`* starts with a reasonable order, and all we have to do for DEFAULT is`
			`* throwing out anonymous and unencrypted ciphersuites!`