File openssl-CVE-2016-0800-DROWN-disable-ssl2.patch of Package openssl.4105

Index: openssl-1.0.1i/ssl/ssl_lib.c
===================================================================
--- openssl-1.0.1i.orig/ssl/ssl_lib.c	2016-02-25 12:52:30.918424138 +0100
+++ openssl-1.0.1i/ssl/ssl_lib.c	2016-02-25 12:52:35.458507117 +0100
@@ -1886,6 +1886,10 @@
 	ret->wbuf_freelist->len = 0;
 	ret->wbuf_freelist->head = NULL;
 #endif
+	/* Default is now SSLv2 disabled (CVE-2016-0800 bsc#968046 DROWN) */
+	if (!getenv("OPENSSL_ALLOW_SSL2"))
+		ret->options |= SSL_OP_NO_SSLv2;
+
 #ifndef OPENSSL_NO_ENGINE
 	ret->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
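Review bot: The `getenv("OPENSSL_ALLOW_SSL2")` test on the added lines is honoured unconditionally, so a process that inherits its environment from a less-trusted party (a set-uid or set-gid program in particular) can have the SSLv2 default switched back on from outside. The override should be ignored in that situation, for example `if (OPENSSL_issetugid() || !getenv("OPENSSL_ALLOW_SSL2"))`. The same applies to `getenv("OPENSSL_ALLOW_EXPORT")` in the first ssl_ciph.c hunk. The test also checks presence only, so `OPENSSL_ALLOW_SSL2=0` or an empty value still re-enables SSLv2, and the comment should say so: `/* any value, including "0" or empty, of OPENSSL_ALLOW_SSL2 re-enables SSLv2 */`. The enclosing function starts and ends outside the hunk.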
Index: openssl-1.0.1i/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.1i.orig/ssl/ssl_ciph.c	2016-02-25 12:52:30.918424138 +0100
+++ openssl-1.0.1i/ssl/ssl_ciph.c	2016-02-25 12:52:35.458507117 +0100
@@ -790,6 +790,7 @@
 	{
 	int i, co_list_num;
 	const SSL_CIPHER *c;
+	int support_export = !!getenv("OPENSSL_ALLOW_EXPORT");
 
 	/*
 	 * We have num_of_ciphers descriptions compiled in, depending on the
@@ -805,6 +806,7 @@
 		c = ssl_method->get_cipher(i);
 		/* drop those that use any of that is not available */
 		if ((c != NULL) && c->valid &&
+                    (!(c->algo_strength & SSL_EXPORT) || support_export) &&
 #ifdef OPENSSL_FIPS
 		    (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
 #endif
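Review bot: The added `(!(c->algo_strength & SSL_EXPORT) || support_export)` condition has no comment and is indented with spaces, where the neighbouring lines use tabs. A comment above the `if`, such as `/* export-grade suites are dropped unless OPENSSL_ALLOW_EXPORT is set (CVE-2016-0800) */`, would record why the filter exists and how it is overridden, as the ssl_lib.c hunk does for SSLv2. Because the suites are removed while the list is collected, a cipher string that names only export suites will presumably match nothing afterwards, which is worth stating in the package changelog. The enclosing function begins and ends outside the hunk.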