author | anthraxx | 2016-11-13 02:25:51 +0100 |
---|---|---|
committer | anthraxx | 2016-11-13 02:25:51 +0100 |
commit | af09ebc0ddac775029af8a1028d4888327f6e438 (patch) | |
tree | e9c22012ad024b0ad66e9b5a3bc9cae7d48b3c83 /no_sslv3.patch | |
parent | f51eb5fb7246fd897ce3ff2177a556f03241039d (diff) | |
download | aur-af09ebc0ddac775029af8a1028d4888327f6e438.tar.gz |
upgpkg: tlsdate-git 1:0.0.13-1 (ssl3 patch)
Diffstat (limited to 'no_sslv3.patch')
-rw-r--r-- | no_sslv3.patch | 232 |
1 files changed, 209 insertions, 23 deletions
diff --git a/no_sslv3.patch b/no_sslv3.patch index 7d7cb0b690e8..d009103cbf8b 100644 --- a/no_sslv3.patch +++ b/no_sslv3.patch @@ -1,5 +1,28 @@ +From b1afb00818c8d269c52d4b914e62fd5a9985df69 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Wed, 27 Apr 2016 21:10:03 +0200 +Subject: [PATCH] Drop explicit support SSLv3 and TLSv1 + +There is no addedd value in using only SSLv3 or TLSv1. With current openssl +implementation the sslv3 functions can be disabled and TLSv1 functions may be +removed as well. Further the TLSv1 function offers the TLSv1 protocol while +we have today upto TLSv1.2. + +Therefore I remove the explicit SSLv3 and TLSv1 functions and use only SSLv23 +function which is the only one which supports multiple SSL versions. + +Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +--- + man/tlsdate.1 | 4 +--- + src/tlsdate-helper-plan9.c | 38 ++++++++++++-------------------------- + src/tlsdate-helper.c | 44 +++++++++++++++----------------------------- + src/tlsdate-helper.h | 2 -- + src/tlsdate.c | 6 +----- + src/tlsdate.h | 2 -- + 6 files changed, 29 insertions(+), 67 deletions(-) + diff --git a/man/tlsdate.1 b/man/tlsdate.1 -index b052e48..b2ea687 100644 +index b052e48..fce06cd 100644 --- a/man/tlsdate.1 +++ b/man/tlsdate.1 @@ -5,7 +5,7 @@ 
@@ -7,59 +30,222 @@ index b052e48..b2ea687 100644 tlsdate \- secure parasitic rdate replacement .SH SYNOPSIS -.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|sslv3|tlsv1]] \ -+.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|tlsv1]] \ ++.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] \ [\-\-certdir [dirname]] [\-x [\-\-proxy] proxy\-type://proxyhost:proxyport] .SH DESCRIPTION .B tlsdate -@@ -30,7 +30,7 @@ Set remote hostname (default: 'google.com') +@@ -30,8 +30,6 @@ Set remote hostname (default: 'google.com') Do not set the system clock to the time of the remote server .IP "\-p | \-\-port [port]" Set remote port (default: '443') -.IP "\-P | \-\-protocol [sslv23|sslv3|tlsv1]" -+.IP "\-P | \-\-protocol [sslv23|tlsv1]" - Set protocol to use when communicating with server (default: 'tlsv1') +-Set protocol to use when communicating with server (default: 'tlsv1') .IP "\-C | \-\-certdir [dirname]" Set the local directory where certificates are located + (default: '/etc/ssl/certs') diff --git a/src/tlsdate-helper-plan9.c b/src/tlsdate-helper-plan9.c -index 3c532aa..bd79cf5 100644 +index 3c532aa..369d168 100644 --- a/src/tlsdate-helper-plan9.c 
+++ b/src/tlsdate-helper-plan9.c -@@ -978,10 +978,6 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion) - { - verb ("V: using SSLv23_client_method()\n"); - ctx = SSL_CTX_new(SSLv23_client_method()); +@@ -974,23 +974,10 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion) + SSL_library_init(); + + ctx = NULL; +- if (0 == strcmp("sslv23", protocol)) +- { +- verb ("V: using SSLv23_client_method()\n"); +- ctx = SSL_CTX_new(SSLv23_client_method()); - } else if (0 == strcmp("sslv3", protocol)) - { - verb ("V: using SSLv3_client_method()\n"); - ctx = SSL_CTX_new(SSLv3_client_method()); - } else if (0 == strcmp("tlsv1", protocol)) +- } else if (0 == strcmp("tlsv1", protocol)) +- { +- verb ("V: using TLSv1_client_method()\n"); +- ctx = SSL_CTX_new(TLSv1_client_method()); +- } else +- die("Unsupported protocol `%s'\n", protocol); +- ++ verb ("V: using SSLv23_client_method()\n"); ++ ctx = SSL_CTX_new(SSLv23_client_method()); + if (ctx == NULL) +- die("OpenSSL failed to support protocol `%s'\n", protocol); ++ die("OpenSSL failed to support protocol `sslv23'\n"); + + verb("V: Using OpenSSL for SSL\n"); + if (ca_racket) +@@ -1077,20 +1064,19 @@ main(int argc, char **argv) + int timewarp; + int leap; + +- if (argc != 12) ++ if (argc != 11) + return 1; + host = argv[1]; + hostname_to_verify = argv[1]; + port = argv[2]; +- protocol = argv[3]; +- ca_cert_container = argv[6]; +- ca_racket = (0 != strcmp ("unchecked", argv[4])); +- verbose = (0 != strcmp ("quiet", argv[5])); +- setclock = (0 == strcmp ("setclock", argv[7])); +- showtime = (0 == strcmp ("showtime", argv[8])); +- timewarp = (0 == strcmp ("timewarp", argv[9])); +- leap = (0 == strcmp ("leapaway", argv[10])); +- proxy = (0 == strcmp ("none", argv[11]) ? 
NULL : argv[11]); ++ ca_cert_container = argv[5]; ++ ca_racket = (0 != strcmp ("unchecked", argv[3])); ++ verbose = (0 != strcmp ("quiet", argv[4])); ++ setclock = (0 == strcmp ("setclock", argv[6])); ++ showtime = (0 == strcmp ("showtime", argv[7])); ++ timewarp = (0 == strcmp ("timewarp", argv[8])); ++ leap = (0 == strcmp ("leapaway", argv[9])); ++ proxy = (0 == strcmp ("none", argv[10]) ? NULL : argv[10]); + + if (timewarp) { - verb ("V: using TLSv1_client_method()\n"); diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c -index 877c67e..ba115e7 100644 +index 877c67e..1fe48d9 100644 --- a/src/tlsdate-helper.c 
+++ b/src/tlsdate-helper.c -@@ -1133,10 +1133,6 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) - { - verb ("V: using SSLv23_client_method()"); - ctx = SSL_CTX_new(SSLv23_client_method()); +@@ -1129,23 +1129,10 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) + SSL_library_init(); + + ctx = NULL; +- if (0 == strcmp("sslv23", protocol)) +- { +- verb ("V: using SSLv23_client_method()"); +- ctx = SSL_CTX_new(SSLv23_client_method()); - } else if (0 == strcmp("sslv3", protocol)) - { - verb ("V: using SSLv3_client_method()"); - ctx = SSL_CTX_new(SSLv3_client_method()); - } else if (0 == strcmp("tlsv1", protocol)) - { - verb ("V: using TLSv1_client_method()"); +- } else if (0 == strcmp("tlsv1", protocol)) +- { +- verb ("V: using TLSv1_client_method()"); +- ctx = SSL_CTX_new(TLSv1_client_method()); +- } else +- die("Unsupported protocol `%s'", protocol); +- ++ verb ("V: using SSLv23_client_method()"); ++ ctx = SSL_CTX_new(SSLv23_client_method()); + if (ctx == NULL) +- die("OpenSSL failed to support protocol `%s'", protocol); ++ die("OpenSSL failed to support protocol `sslv23'"); + + verb("V: Using OpenSSL for SSL"); + if (ca_racket) +@@ -1257,23 +1244,22 @@ main(int argc, char **argv) + int leap; + int http; + +- if (argc != 13) ++ if (argc != 12) + return 1; + host = argv[1]; + hostname_to_verify = argv[1]; + port = argv[2]; +- protocol = argv[3]; +- ca_cert_container = argv[6]; +- ca_racket = (0 != strcmp ("unchecked", argv[4])); +- verbose = (0 != strcmp ("quiet", argv[5])); +- verbose_debug = (0 != strcmp ("verbose", argv[5])); +- setclock = (0 == strcmp ("setclock", argv[7])); +- showtime = (0 == strcmp ("showtime", argv[8])); +- showtime_raw = (0 == strcmp ("showtime=raw", argv[8])); +- timewarp = (0 == strcmp ("timewarp", argv[9])); +- leap = (0 == strcmp ("leapaway", argv[10])); +- proxy = (0 == strcmp ("none", argv[11]) ? 
NULL : argv[11]); +- http = (0 == (strcmp("http", argv[12]))); ++ ca_cert_container = argv[5]; ++ ca_racket = (0 != strcmp ("unchecked", argv[3])); ++ verbose = (0 != strcmp ("quiet", argv[4])); ++ verbose_debug = (0 != strcmp ("verbose", argv[4])); ++ setclock = (0 == strcmp ("setclock", argv[6])); ++ showtime = (0 == strcmp ("showtime", argv[7])); ++ showtime_raw = (0 == strcmp ("showtime=raw", argv[7])); ++ timewarp = (0 == strcmp ("timewarp", argv[8])); ++ leap = (0 == strcmp ("leapaway", argv[9])); ++ proxy = (0 == strcmp ("none", argv[10]) ? NULL : argv[10]); ++ http = (0 == (strcmp("http", argv[11]))); + + /* Initalize warp_time with RECENT_COMPILE_DATE */ + clock_init_time(&warp_time, RECENT_COMPILE_DATE, 0); +diff --git a/src/tlsdate-helper.h b/src/tlsdate-helper.h +index 64e4092..810ee7e 100644 +--- a/src/tlsdate-helper.h ++++ b/src/tlsdate-helper.h +@@ -118,8 +118,6 @@ static const char *hostname_to_verify; + + static const char *port; + +-static const char *protocol; +- + static char *proxy; + + static const char *ca_cert_container; diff --git a/src/tlsdate.c b/src/tlsdate.c -index dd7f993..b4404d7 100644 +index dd7f993..c85ca35 100644 --- a/src/tlsdate.c 
+++ b/src/tlsdate.c -@@ -88,7 +88,7 @@ usage (void) +@@ -88,7 +88,6 @@ usage (void) " [-n|--dont-set-clock]\n" " [-H|--host] [hostname|ip]\n" " [-p|--port] [port number]\n" - " [-P|--protocol] [sslv23|sslv3|tlsv1]\n" -+ " [-P|--protocol] [sslv23|tlsv1]\n" " [-C|--certcontainer] [dirname|filename]\n" " [-v|--verbose]\n" " [-V|--showtime] [human|raw]\n" +@@ -108,7 +107,6 @@ main (int argc, char **argv) + int setclock; + const char *host; + const char *port; +- const char *protocol; + const char *ca_cert_container; + int timewarp; + int leap; +@@ -117,7 +115,6 @@ main (int argc, char **argv) + + host = DEFAULT_HOST; + port = DEFAULT_PORT; +- protocol = DEFAULT_PROTOCOL; + ca_cert_container = DEFAULT_CERTFILE; + verbose = 0; + ca_racket = 1; +@@ -176,7 +173,7 @@ main (int argc, char **argv) + port = optarg; + break; + case 'P': +- protocol = optarg; ++ /* ignore for compatibility */ + break; + case 'n': + setclock = 0; +@@ -219,7 +216,6 @@ main (int argc, char **argv) + "tlsdate", + host, + port, +- protocol, + (ca_racket ? "racket" : "unchecked"), + (verbose ? "verbose" : "quiet"), + ca_cert_container, +diff --git a/src/tlsdate.h b/src/tlsdate.h +index 52305eb..d236b67 100644 +--- a/src/tlsdate.h ++++ b/src/tlsdate.h +@@ -27,7 +27,6 @@ + #define DEFAULT_HOST "google.com" + #define DEFAULT_PORT "443" + #define DEFAULT_PROXY "none" +-#define DEFAULT_PROTOCOL "tlsv1" + #define DEFAULT_CERTDIR "/etc/ssl/certs" + #define DEFAULT_CERTFILE TLSDATE_CERTFILE + #define DEFAULT_DAEMON_CACHEDIR "/var/cache/tlsdated" +@@ -239,7 +238,6 @@ typedef struct + time_t manual_time; + char *host; + char *port; +- char *protocol; + } tlsdate_options_t; + + #endif /* TLSDATE_H */ |
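Review bot: The unconditional `ctx = SSL_CTX_new(SSLv23_client_method());` that replaces the protocol switch in both `run_ssl` hunks (src/tlsdate-helper-plan9.c and src/tlsdate-helper.c) sets no protocol floor, so whether SSLv3 is actually refused now depends on how the linked OpenSSL was built rather than on tlsdate itself, whereas the removed `-P tlsv1` default at least pinned a version. Adding `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` directly after the `if (ctx == NULL)` check in each helper would make the "drop SSLv3" intent of the patch hold on every OpenSSL build (`SSL_CTX_set_min_proto_version` is the newer form on OpenSSL 1.1.0 and later); both `run_ssl` bodies continue outside the hunks. In src/tlsdate.c the new `case 'P': /* ignore for compatibility */` silently discards an explicit `-P sslv23|tlsv1`, and the man page hunk removes the option entirely, so a user who relied on it gets no signal; a one-line stderr notice that `-P/--protocol` is accepted but ignored, and a man-page sentence saying the same, would be clearer than dropping it without trace. The inner diffstat touches only six files, so if anything outside them (the daemon side, for instance) still reads the `protocol` member removed from `tlsdate_options_t` in src/tlsdate.h, the build would break — worth confirming against the rest of the tree.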