package/qpid-proton/0002-PROTON-1326-restore-anonymous-cyphers-by-lowering-Op.patch - buildroot - Git at Google

 From 8c54c62516671375de4068158ccaa0bc1dba0a4a Mon Sep 17 00:00:00 2001
 From: Cliff Jansen <cjansen@redhat.com>
 Date: Wed, 2 Aug 2017 16:34:39 -0700
 Subject: [PATCH] PROTON-1326: restore anonymous cyphers by lowering OpenSSL
  v1.1 security level just for the PN_SSL_ANONYMOUS_PEER verification mode

 Upstream: https://github.com/apache/qpid-proton/commit/8c54c62516671375de4068158ccaa0bc1dba0a4a

 Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
 ---
  proton-c/src/ssl/openssl.c | 14 ++++++++++++++
  1 file changed, 14 insertions(+)

 diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
 index 8cb4e7b..f37cf49 100644
 --- a/proton-c/src/ssl/openssl.c
 +++ b/proton-c/src/ssl/openssl.c
 @@ -72,6 +72,9 @@ struct pn_ssl_domain_t {
    char *trusted_CAs;

    int   ref_count;
 +#if OPENSSL_VERSION_NUMBER >= 0x10100000
 +  int default_seclevel;
 +#endif
    pn_ssl_mode_t mode;
    pn_ssl_verify_mode_t verify_mode;

 @@ -524,6 +527,9 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode )
    // Mitigate the CRIME vulnerability
    SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION);
  #endif
 +#if OPENSSL_VERSION_NUMBER >= 0x10100000
 +    domain->default_seclevel = SSL_CTX_get_security_level(domain->ctx);
 +#endif

    // by default, allow anonymous ciphers so certificates are not required 'out of the box'
    if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
 @@ -647,6 +653,10 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
    case PN_SSL_VERIFY_PEER:
    case PN_SSL_VERIFY_PEER_NAME:

 +#if OPENSSL_VERSION_NUMBER >= 0x10100000
 +    SSL_CTX_set_security_level(domain->ctx, domain->default_seclevel);
 +#endif
 +
      if (!domain->has_ca_db) {
        pn_transport_logf(NULL, "Error: cannot verify peer without a trusted CA configured.\n"
                   "       Use pn_ssl_domain_set_trusted_ca_db()");
 @@ -685,6 +695,10 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
      break;

    case PN_SSL_ANONYMOUS_PEER:   // hippie free love mode... :)
 +#if OPENSSL_VERSION_NUMBER >= 0x10100000
 +    // Must use lowest OpenSSL security level to enable anonymous ciphers.
 +    SSL_CTX_set_security_level(domain->ctx, 0);
 +#endif
      SSL_CTX_set_verify( domain->ctx, SSL_VERIFY_NONE, NULL );
      break;

 --
 1.9.1
	From 8c54c62516671375de4068158ccaa0bc1dba0a4a Mon Sep 17 00:00:00 2001
	From: Cliff Jansen <cjansen@redhat.com>
	Date: Wed, 2 Aug 2017 16:34:39 -0700
	Subject: [PATCH] PROTON-1326: restore anonymous cyphers by lowering OpenSSL
	v1.1 security level just for the PN_SSL_ANONYMOUS_PEER verification mode

	Upstream: https://github.com/apache/qpid-proton/commit/8c54c62516671375de4068158ccaa0bc1dba0a4a

	Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
	---
	proton-c/src/ssl/openssl.c \| 14 ++++++++++++++
	1 file changed, 14 insertions(+)

	diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
	index 8cb4e7b..f37cf49 100644
	--- a/proton-c/src/ssl/openssl.c
	+++ b/proton-c/src/ssl/openssl.c
	@@ -72,6 +72,9 @@ struct pn_ssl_domain_t {
	char *trusted_CAs;

	int ref_count;
	+#if OPENSSL_VERSION_NUMBER >= 0x10100000
	+ int default_seclevel;
	+#endif
	pn_ssl_mode_t mode;
	pn_ssl_verify_mode_t verify_mode;

	@@ -524,6 +527,9 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode )
	// Mitigate the CRIME vulnerability
	SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION);
	#endif
	+#if OPENSSL_VERSION_NUMBER >= 0x10100000
	+ domain->default_seclevel = SSL_CTX_get_security_level(domain->ctx);
	+#endif

	// by default, allow anonymous ciphers so certificates are not required 'out of the box'
	if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
	@@ -647,6 +653,10 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
	case PN_SSL_VERIFY_PEER:
	case PN_SSL_VERIFY_PEER_NAME:

	+#if OPENSSL_VERSION_NUMBER >= 0x10100000
	+ SSL_CTX_set_security_level(domain->ctx, domain->default_seclevel);
	+#endif
	+
	if (!domain->has_ca_db) {
	pn_transport_logf(NULL, "Error: cannot verify peer without a trusted CA configured.\n"
	" Use pn_ssl_domain_set_trusted_ca_db()");
	@@ -685,6 +695,10 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
	break;

	case PN_SSL_ANONYMOUS_PEER: // hippie free love mode... :)
	+#if OPENSSL_VERSION_NUMBER >= 0x10100000
	+ // Must use lowest OpenSSL security level to enable anonymous ciphers.
	+ SSL_CTX_set_security_level(domain->ctx, 0);
	+#endif
	SSL_CTX_set_verify( domain->ctx, SSL_VERIFY_NONE, NULL );
	break;

	--
	1.9.1