openssl: Update to version 1.1.1a

Disabled MD2 and Aria cipher. TLSv1.3 is now available with: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 TLS_AES_256_GCM_SHA384 TLSv1.3 TLS_AES_128_GCM_SHA256 TLSv1.3 Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-14 04:52:59 +02:00 · 2019-01-15 15:43:01 +01:00
parent 06ac824331
commit 32ba431458
3 changed files with 1424 additions and 124 deletions
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@

 include Config

-VER        = 1.1.0j
+VER        = 1.1.1a

 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -48,13 +48,13 @@ CONFIGURE_OPTIONS = \
 	shared \
 	zlib-dynamic \
 	enable-camellia \
-	enable-md2 \
 	enable-seed \
 	enable-rfc3779 \
 	no-idea \
 	no-mdc2 \
 	no-rc5 \
 	no-srp \
+	no-aria \
 	$(OPENSSL_ARCH)

 ifeq "$(IS_64BIT)" "1"
@@ -87,7 +87,7 @@ objects = $(DL_FILE)

 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_MD5 = b4ca5b78ae6ae79da80790b30dbedbdc
+$(DL_FILE)_MD5 = 963deb2272d6be7d4c2458afd2517b73

 install : $(TARGET)

@@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1a-default-cipherlist.patch

 	# Apply our CFLAGS
 	cd $(DIR_APP) && sed -i Configure \
--- a/src/patches/openssl-1.1.1a-default-cipherlist.patch
+++ b/src/patches/openssl-1.1.1a-default-cipherlist.patch
@@ -0,0 +1,18 @@
+--- openssl-1.1.1.orig/include/openssl/ssl.h	2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/include/openssl/ssl.h	2018-11-05 16:55:03.935513159 +0100
+@@ -170,11 +170,11 @@
+  * an application-defined cipher list string starts with 'DEFAULT'.
+  * This applies to ciphersuites for TLSv1.2 and below.
+  */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM"
+ /* This is the default set of TLSv1.3 ciphersuites */
+ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+-                                   "TLS_CHACHA20_POLY1305_SHA256:" \
+#  define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+                                   "TLS_AES_256_GCM_SHA384:" \
+                                    "TLS_AES_128_GCM_SHA256"
+ # else
+ #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+