openssl: Update to 1.1.0h

CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:

Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious
input with excessive recursion. This could result in a Denial Of
Service attack. There are no such structures used within SSL/TLS
that come from untrusted sources so this is considered safe.
Reported by OSS-fuzz.

This patch also entirely removes support for SSLv3. The patch to
disable it didn't apply and since nobody has been using this before,
we will not compile it into OpenSSL any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lfs/openssl

@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.1.0g
+VER        = 1.1.0h
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -51,8 +51,6 @@ CONFIGURE_OPTIONS = \
 	enable-md2 \
 	enable-seed \
 	enable-rfc3779 \
-	enable-ssl3 \
-	enable-ssl3-method \
 	no-idea \
 	no-mdc2 \
 	no-rc5 \
@@ -89,7 +87,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = ba5f1b8b835b88cadbce9b35ed9531a6
+$(DL_FILE)_MD5 = 5271477e4d93f4ea032b665ef095ff24
 
 install : $(TARGET)
 
@@ -119,7 +117,6 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0-disable-ssl3.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch
 
 	# Apply our CFLAGS

src/patches/openssl-1.1.0-disable-ssl3.patch

@@ -1,86 +0,0 @@
-diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
---- openssl-1.1.0f/apps/s_client.c.disable-ssl3	2017-06-05 15:42:44.838853312 +0200
-+++ openssl-1.1.0f/apps/s_client.c	2017-07-17 14:50:06.468821871 +0200
-@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
- 
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (ssl_config) {
-         if (SSL_CTX_config(ctx, ssl_config) == 0) {
-             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
---- openssl-1.1.0f/apps/s_server.c.disable-ssl3	2017-05-25 14:46:18.000000000 +0200
-+++ openssl-1.1.0f/apps/s_server.c	2017-07-17 14:49:50.434447583 +0200
-@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
-     }
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
-+
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (ssl_config) {
-         if (SSL_CTX_config(ctx, ssl_config) == 0) {
-             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3	2016-08-25 17:29:22.000000000 +0200
-+++ openssl-1.1.0/ssl/ssl_lib.c	2016-09-08 11:08:05.252082263 +0200
-@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
-      * or by using the SSL_CONF library.
-      */
-     ret->options |= SSL_OP_NO_COMPRESSION;
-+    /*
-+     * Disable SSLv3 by default.  Applications can
-+     * re-enable it by configuring
-+     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+     * or by using the SSL_CONF library.
-+     */
-+    ret->options |= SSL_OP_NO_SSLv3;
- 
-     ret->tlsext_status_type = -1;
- 
-diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
---- openssl-1.1.0/test/ssl_test.c.disable-ssl3	2016-09-08 11:08:05.252082263 +0200
-+++ openssl-1.1.0/test/ssl_test.c	2016-09-08 11:11:44.802005886 +0200
-@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
-             SSL_TEST_SERVERNAME_CB_NONE) {
-             server2_ctx = SSL_CTX_new(TLS_server_method());
-             TEST_check(server2_ctx != NULL);
-+            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
-         }
-         client_ctx = SSL_CTX_new(TLS_client_method());
- 
-@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
-             resume_client_ctx = SSL_CTX_new(TLS_client_method());
-             TEST_check(resume_server_ctx != NULL);
-             TEST_check(resume_client_ctx != NULL);
-+            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
-         }
-     }
- 
-     TEST_check(server_ctx != NULL);
-     TEST_check(client_ctx != NULL);
-+    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
- 
-     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
- 
-diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3	2016-08-25 17:29:23.000000000 +0200
-+++ openssl-1.1.0/test/ssltest_old.c	2016-09-08 11:08:05.253082286 +0200
-@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
-         ERR_print_errors(bio_err);
-         goto end;
-     }
-+
-+    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
-     /*
-      * Since we will use low security ciphersuites and keys for testing set
-      * security level to zero by default. Tests can override this by adding