Also add Debian patch to mark Triple DES and RC4 as weak ciphers. Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com> --- .../0001-debian-targets.patch | 6 +- .../0002-engines-path.patch | 12 +- .../0003-no-rpath.patch | 0 .../0004-no-symbolic.patch | 0 .../0005-pic.patch | 0 .../0006-valgrind.patch | 0 .../0007-shared-lib-ext.patch | 4 +- .../0008-block_diginotar.patch | 0 .../0009-block_digicert_malaysia.patch | 0 .../0010-Disable-the-freelist.patch | 2 +- .../0011-soname.patch | 2 +- .../0012-Mark-3DES-and-RC4-ciphers-as-weak.patch | 427 +++++++++++++++++++++ ...-don-t-ask-dpkg-buildflags-for-more-flags.patch | 0 .../0101-fix-parallel-building.patch | 0 patches/{openssl-1.0.2j => openssl-1.0.2k}/series | 3 +- rules/openssl.make | 4 +- 16 files changed, 444 insertions(+), 16 deletions(-) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0001-debian-targets.patch (98%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0002-engines-path.patch (94%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0003-no-rpath.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0004-no-symbolic.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0005-pic.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0006-valgrind.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0007-shared-lib-ext.patch (91%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0008-block_diginotar.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0009-block_digicert_malaysia.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0010-Disable-the-freelist.patch (96%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0011-soname.patch (94%) create mode 100644 patches/openssl-1.0.2k/0012-Mark-3DES-and-RC4-ciphers-as-weak.patch rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/0101-fix-parallel-building.patch (100%) rename patches/{openssl-1.0.2j => openssl-1.0.2k}/series (81%)
diff --git a/patches/openssl-1.0.2j/0001-debian-targets.patch b/patches/openssl-1.0.2k/0001-debian-targets.patch similarity index 98% rename from patches/openssl-1.0.2j/0001-debian-targets.patch rename to patches/openssl-1.0.2k/0001-debian-targets.patch index a3a0895fb..ea3b557e5 100644 --- a/patches/openssl-1.0.2j/0001-debian-targets.patch +++ b/patches/openssl-1.0.2k/0001-debian-targets.patch @@ -10,10 +10,10 @@ Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de> 1 file changed, 54 insertions(+) diff --git a/Configure b/Configure -index c39f71a17910..738cee34030f 100755 +index 5da7cadbf332..300a314fbd39 100755 --- a/Configure +++ b/Configure -@@ -131,6 +131,10 @@ my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers +@@ -133,6 +133,10 @@ my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers # Warn that "make depend" should be run? my $warn_make_depend = 0; @@ -24,7 +24,7 @@ index c39f71a17910..738cee34030f 100755 my $strict_warnings = 0; my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; -@@ -367,6 +371,56 @@ my %table=( +@@ -369,6 +373,56 @@ my %table=( "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so", "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so", diff --git a/patches/openssl-1.0.2j/0002-engines-path.patch b/patches/openssl-1.0.2k/0002-engines-path.patch similarity index 94% rename from patches/openssl-1.0.2j/0002-engines-path.patch rename to patches/openssl-1.0.2k/0002-engines-path.patch index 054e0c0d8..751ca6539 100644 --- a/patches/openssl-1.0.2j/0002-engines-path.patch +++ b/patches/openssl-1.0.2k/0002-engines-path.patch @@ -13,10 +13,10 @@ Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de> 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/Configure b/Configure -index 738cee34030f..fe3c3c70181c 100755 +index 300a314fbd39..92e1ce9d74b9 100755 --- a/Configure +++ b/Configure -@@ -1969,7 +1969,7 @@ while (<IN>) +@@ -1979,7 +1979,7 @@ while (<IN>) } elsif (/^#define\s+ENGINESDIR/) { @@ -26,10 +26,10 @@ index 738cee34030f..fe3c3c70181c 100755 print OUT "#define ENGINESDIR \"$foo\"\n"; } diff --git a/Makefile.org b/Makefile.org -index 2377f5029187..4c92e2167ecd 100644 +index 61a329b4f20f..910692d4a4c2 100644 --- a/Makefile.org +++ b/Makefile.org -@@ -368,7 +368,7 @@ libcrypto.pc: Makefile +@@ -369,7 +369,7 @@ libcrypto.pc: Makefile echo 'exec_prefix=$${prefix}'; \ echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ echo 'includedir=$${prefix}/include'; \ @@ -38,7 +38,7 @@ index 2377f5029187..4c92e2167ecd 100644 echo ''; \ echo 'Name: OpenSSL-libcrypto'; \ echo 'Description: OpenSSL cryptography library'; \ -@@ -536,7 +536,7 @@ install: all install_docs install_sw +@@ -537,7 +537,7 @@ install: all install_docs install_sw install_sw: @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \ @@ -82,7 +82,7 @@ index 2058ff405afe..df7def6174fd 100644 fi @target=install; $(RECURSIVE_MAKE) diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile -index 17e1efbdff30..d59a350fd50f 100644 +index f378530c8642..b42a64162730 100644 --- a/engines/ccgost/Makefile +++ b/engines/ccgost/Makefile @@ -47,7 +47,7 @@ install: diff --git a/patches/openssl-1.0.2j/0003-no-rpath.patch b/patches/openssl-1.0.2k/0003-no-rpath.patch similarity index 100% rename from patches/openssl-1.0.2j/0003-no-rpath.patch rename to patches/openssl-1.0.2k/0003-no-rpath.patch diff --git a/patches/openssl-1.0.2j/0004-no-symbolic.patch b/patches/openssl-1.0.2k/0004-no-symbolic.patch similarity index 100% rename from patches/openssl-1.0.2j/0004-no-symbolic.patch rename to patches/openssl-1.0.2k/0004-no-symbolic.patch diff --git a/patches/openssl-1.0.2j/0005-pic.patch b/patches/openssl-1.0.2k/0005-pic.patch similarity index 100% rename from patches/openssl-1.0.2j/0005-pic.patch rename to patches/openssl-1.0.2k/0005-pic.patch diff --git a/patches/openssl-1.0.2j/0006-valgrind.patch b/patches/openssl-1.0.2k/0006-valgrind.patch similarity index 100% rename from patches/openssl-1.0.2j/0006-valgrind.patch rename to patches/openssl-1.0.2k/0006-valgrind.patch diff --git a/patches/openssl-1.0.2j/0007-shared-lib-ext.patch b/patches/openssl-1.0.2k/0007-shared-lib-ext.patch similarity index 91% rename from patches/openssl-1.0.2j/0007-shared-lib-ext.patch rename to patches/openssl-1.0.2k/0007-shared-lib-ext.patch index 314f89898..d1f282a2d 100644 --- a/patches/openssl-1.0.2j/0007-shared-lib-ext.patch +++ b/patches/openssl-1.0.2k/0007-shared-lib-ext.patch @@ -10,10 +10,10 @@ Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Configure b/Configure -index fe3c3c70181c..bf0da9cd950b 100755 +index 92e1ce9d74b9..d859e12733ad 100755 --- a/Configure +++ b/Configure -@@ -1835,7 +1835,8 @@ while (<IN>) +@@ -1837,7 +1837,8 @@ while (<IN>) elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; diff --git a/patches/openssl-1.0.2j/0008-block_diginotar.patch b/patches/openssl-1.0.2k/0008-block_diginotar.patch similarity index 100% rename from patches/openssl-1.0.2j/0008-block_diginotar.patch rename to patches/openssl-1.0.2k/0008-block_diginotar.patch diff --git a/patches/openssl-1.0.2j/0009-block_digicert_malaysia.patch b/patches/openssl-1.0.2k/0009-block_digicert_malaysia.patch similarity index 100% rename from patches/openssl-1.0.2j/0009-block_digicert_malaysia.patch rename to patches/openssl-1.0.2k/0009-block_digicert_malaysia.patch diff --git a/patches/openssl-1.0.2j/0010-Disable-the-freelist.patch b/patches/openssl-1.0.2k/0010-Disable-the-freelist.patch similarity index 96% rename from patches/openssl-1.0.2j/0010-Disable-the-freelist.patch rename to patches/openssl-1.0.2k/0010-Disable-the-freelist.patch index 0ca35f946..dc5cf4bde 100644 --- a/patches/openssl-1.0.2j/0010-Disable-the-freelist.patch +++ b/patches/openssl-1.0.2k/0010-Disable-the-freelist.patch @@ -28,7 +28,7 @@ index 054ded1c9903..bb0085cf2ec0 100644 /*- * On some platforms, malloc() performance is bad enough that you can't just diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 42b980ac26a0..da721a9ac559 100644 +index f8054dae6b6b..0c3bafb52814 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -162,6 +162,8 @@ diff --git a/patches/openssl-1.0.2j/0011-soname.patch b/patches/openssl-1.0.2k/0011-soname.patch similarity index 94% rename from patches/openssl-1.0.2j/0011-soname.patch rename to patches/openssl-1.0.2k/0011-soname.patch index de9c6fa93..93c046003 100644 --- a/patches/openssl-1.0.2j/0011-soname.patch +++ b/patches/openssl-1.0.2k/0011-soname.patch @@ -10,7 +10,7 @@ Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/opensslv.h b/crypto/opensslv.h -index 88faad652259..2ceb66313cc6 100644 +index 645dd0793f32..976423292855 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -88,7 +88,7 @@ extern "C" { diff --git a/patches/openssl-1.0.2k/0012-Mark-3DES-and-RC4-ciphers-as-weak.patch b/patches/openssl-1.0.2k/0012-Mark-3DES-and-RC4-ciphers-as-weak.patch new file mode 100644 index 000000000..719f17225 --- /dev/null +++ b/patches/openssl-1.0.2k/0012-Mark-3DES-and-RC4-ciphers-as-weak.patch @@ -0,0 +1,427 @@ +From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +Date: Sun, 18 Dec 2016 15:37:52 +0100 +Subject: [PATCH] Mark 3DES and RC4 ciphers as weak + +This disables RC4 and 3DES in our build + +Imported from openssl_1.0.2k-1~bpo8+1.debian.tar.xz + +Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com> +--- + ssl/s3_lib.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 58 insertions(+), 1 deletion(-) + +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index 0385e039c8d4..cf785f994917 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -216,6 +216,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 04 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_RSA_RC4_128_MD5, +@@ -230,8 +231,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 05 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_RSA_RC4_128_SHA, +@@ -246,7 +249,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, +- ++#endif + /* Cipher 06 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { +@@ -320,6 +323,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 0A */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_RSA_DES_192_CBC3_SHA, +@@ -334,6 +338,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* The DH ciphers */ + /* Cipher 0B */ +@@ -373,6 +378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 0D */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, +@@ -387,6 +393,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 0E */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -425,6 +432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 10 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, +@@ -439,6 +447,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* The Ephemeral DH ciphers */ + /* Cipher 11 */ +@@ -478,6 +487,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 13 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, +@@ -492,6 +502,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 14 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -530,6 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 16 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, +@@ -544,6 +556,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 17 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -564,6 +577,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 18 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_ADH_RC4_128_MD5, +@@ -578,6 +592,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 19 */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -616,6 +631,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + #endif + + /* Cipher 1B */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_ADH_DES_192_CBC_SHA, +@@ -630,6 +646,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Fortezza ciphersuite from SSL 3.0 spec */ + #if 0 +@@ -703,6 +720,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + # endif + + /* Cipher 1F */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_SHA, +@@ -717,8 +735,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 20 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_RC4_128_SHA, +@@ -733,6 +753,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 21 */ + { +@@ -769,6 +790,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + # endif + + /* Cipher 23 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_MD5, +@@ -783,8 +805,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 24 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_KRB5_RC4_128_MD5, +@@ -799,6 +823,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 25 */ + { +@@ -1418,6 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + # endif + + /* Cipher 66 */ ++# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, +@@ -1433,6 +1459,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + }, + #endif ++#endif + + /* TLS v1.2 ciphersuites */ + /* Cipher 67 */ +@@ -1703,6 +1730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + + #ifndef OPENSSL_NO_PSK + /* Cipher 8A */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_PSK_WITH_RC4_128_SHA, +@@ -1717,8 +1745,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher 8B */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, +@@ -1733,6 +1763,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher 8C */ + { +@@ -2095,6 +2126,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C002 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, +@@ -2109,8 +2141,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C003 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, +@@ -2125,6 +2159,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C004 */ + { +@@ -2175,6 +2210,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C007 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, +@@ -2189,8 +2225,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C008 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, +@@ -2205,6 +2243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C009 */ + { +@@ -2255,6 +2294,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C00C */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, +@@ -2269,8 +2309,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C00D */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, +@@ -2285,6 +2327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C00E */ + { +@@ -2335,6 +2378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C011 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, +@@ -2349,8 +2393,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C012 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, +@@ -2365,6 +2411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C013 */ + { +@@ -2415,6 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + }, + + /* Cipher C016 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, +@@ -2429,8 +2477,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 128, + 128, + }, ++#endif + + /* Cipher C017 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, +@@ -2445,6 +2495,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C018 */ + { +@@ -2481,6 +2532,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + + #ifndef OPENSSL_NO_SRP + /* Cipher C01A */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA, +@@ -2495,8 +2547,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C01B */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, +@@ -2511,8 +2565,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C01C */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, +@@ -2527,6 +2583,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { + 112, + 168, + }, ++#endif + + /* Cipher C01D */ + { diff --git a/patches/openssl-1.0.2j/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch b/patches/openssl-1.0.2k/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch similarity index 100% rename from patches/openssl-1.0.2j/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch rename to patches/openssl-1.0.2k/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch diff --git a/patches/openssl-1.0.2j/0101-fix-parallel-building.patch b/patches/openssl-1.0.2k/0101-fix-parallel-building.patch similarity index 100% rename from patches/openssl-1.0.2j/0101-fix-parallel-building.patch rename to patches/openssl-1.0.2k/0101-fix-parallel-building.patch diff --git a/patches/openssl-1.0.2j/series b/patches/openssl-1.0.2k/series similarity index 81% rename from patches/openssl-1.0.2j/series rename to patches/openssl-1.0.2k/series index 01b9069cb..9aff52098 100644 --- a/patches/openssl-1.0.2j/series +++ b/patches/openssl-1.0.2k/series @@ -12,7 +12,8 @@ 0009-block_digicert_malaysia.patch 0010-Disable-the-freelist.patch 0011-soname.patch +0012-Mark-3DES-and-RC4-ciphers-as-weak.patch #tag:ptx --start-number 100 0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch 0101-fix-parallel-building.patch -# f8cea4ba1a426b33140d363dc76fa6d2 - git-ptx-patches magic +# e678378891be1b4edd294761e63d3a68 - git-ptx-patches magic diff --git a/rules/openssl.make b/rules/openssl.make index a6e643418..9ee02819f 100644 --- a/rules/openssl.make +++ b/rules/openssl.make @@ -19,9 +19,9 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl # Paths and names # OPENSSL_BASE := 1.0.2 -OPENSSL_BUGFIX := j +OPENSSL_BUGFIX := k OPENSSL_VERSION := $(OPENSSL_BASE)$(OPENSSL_BUGFIX) -OPENSSL_MD5 := 96322138f0b69e61b7212bc53d5e912b +OPENSSL_MD5 := f965fc0bf01bf882b31314b61391ae65 OPENSSL := openssl-$(OPENSSL_VERSION) OPENSSL_SUFFIX := tar.gz OPENSSL_URL := \ -- 2.11.1 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de