[rpms/openssl] rebase_40beta: disable SSLv2 support altogether (without ABI break)

[Tomas Mraz <tmraz@fedoraproject.org>]

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 0a6d0e5ddca93ab78e034d8752aab531938b66d0
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2016-03-29T15:47:40+02:00
Stats  : +35/-3 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/0a6d0e5ddca93ab78e034d8752aab531938b66d0?branch=rebase_40beta

Log:
disable SSLv2 support altogether (without ABI break)

---
diff --git a/openssl-1.0.2g-remove-ssl2.patch b/openssl-1.0.2g-remove-ssl2.patch
new file mode 100644
index 0000000..1812cde
--- /dev/null
+++ b/openssl-1.0.2g-remove-ssl2.patch
@@ -0,0 +1,27 @@
+diff -up openssl-1.0.2g/ssl/ssl.h.remove-ssl2 openssl-1.0.2g/ssl/ssl.h
+--- openssl-1.0.2g/ssl/ssl.h.remove-ssl2	2016-03-02 09:26:24.000000000 +0100
++++ openssl-1.0.2g/ssl/ssl.h	2016-03-29 15:24:01.471422525 +0200
+@@ -2283,7 +2283,7 @@ const char *SSL_get_version(const SSL *s
+ /* This sets the 'default' SSL version that SSL_new() will create */
+ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+ 
+-# ifndef OPENSSL_NO_SSL2
++# ifndef OPENSSL_NO_SSL2_METHOD
+ const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
+ const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
+ const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+diff -up openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 openssl-1.0.2g/ssl/s2_meth.c
+--- openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2	2016-01-28 14:38:31.000000000 +0100
++++ openssl-1.0.2g/ssl/s2_meth.c	2016-03-29 15:19:49.319654216 +0200
+@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
+                          ssl2_accept, ssl2_connect, ssl2_get_method)
+ #else                           /* !OPENSSL_NO_SSL2 */
+ 
+-# if PEDANTIC
+-static void *dummy = &dummy;
+-# endif
++const SSL_METHOD *SSLv2_method(void) { return NULL; }
++const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
++const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
+ 
+ #endif

diff --git a/openssl.spec b/openssl.spec
index 54e1001..01f2eb3 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.2g
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -88,6 +88,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
 Patch80: openssl-1.0.2e-wrap-pad.patch
 Patch81: openssl-1.0.2a-padlock64.patch
 Patch82: openssl-1.0.2c-trusted-first-doc.patch
+Patch83: openssl-1.0.2g-remove-ssl2.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -212,6 +213,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .trusted-first
+%patch83 -p1 -b .remove-ssl2
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -287,8 +289,8 @@ sslflags=enable-ec_nistp_64_gcc_128
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 	zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \
-	enable-cms enable-md2 enable-ssl2 \
-	no-mdc2 enable-rc5 no-ec2m no-gost no-srp \
+	enable-cms enable-md2 enable-rc5 \
+	no-mdc2 no-ec2m no-gost no-srp \
 	--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
 	--with-krb5-dir=/usr shared  ${sslarch} %{?!nofips:fips}
 
@@ -502,6 +504,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Tue Mar 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2g-4
+- disable SSLv2 support altogether (without ABI break)
+
 * Mon Mar  7 2016 Tom Callaway <spot@fedoraproject.org> - 1.0.2g-3
 - enable RC5