File openssl-CVE-2016-0800-DROWN-disable-ssl2.patch of Package compat-openssl098.14113

Index: openssl-0.9.8j/ssl/ssl_lib.c
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl_lib.c	2016-02-26 14:03:36.256178000 +0100
+++ openssl-0.9.8j/ssl/ssl_lib.c	2016-02-26 14:03:38.248196881 +0100
@@ -1612,6 +1612,10 @@
 	 */
 	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
+	/* Default is now SSLv2 disabled (CVE-2016-0800 bsc#968046 DROWN) */
+	if (!getenv("OPENSSL_ALLOW_SSL2"))
+		ret->options |= SSL_OP_NO_SSLv2;
+        
 #ifndef OPENSSL_NO_ENGINE
 	ret->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
Index: openssl-0.9.8j/ssl/ssl_ciph.c
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl_ciph.c	2016-02-26 14:03:36.256178000 +0100
+++ openssl-0.9.8j/ssl/ssl_ciph.c	2016-02-26 14:03:38.248196881 +0100
@@ -512,6 +512,7 @@
 	{
 	int i, co_list_num;
 	SSL_CIPHER *c;
+	int support_export = !!getenv("OPENSSL_ALLOW_EXPORT");
 
 	/*
 	 * We have num_of_ciphers descriptions compiled in, depending on the
@@ -527,12 +528,11 @@
 		c = ssl_method->get_cipher(i);
 #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
 		/* drop those that use any of that is not available */
+		if ((c != NULL) && c->valid && !IS_MASKED(c) &&
 #ifdef OPENSSL_FIPS
-		if ((c != NULL) && c->valid && !IS_MASKED(c)
-			&& (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
-#else
-		if ((c != NULL) && c->valid && !IS_MASKED(c))
+			(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
 #endif
+			(!(c->algo_strength & SSL_EXPORT) || support_export))
 			{
 			co_list[co_list_num].cipher = c;
 			co_list[co_list_num].next = NULL;
openSUSE Build Service is sponsored by