Backport "Don't enable new TLS versions by default"

7 years ago · bca9d9121b
parent 5f366f19be
commit bca9d9121b
3 changed files with 89 additions and 3 deletions
--- a/0001-stream-ssl-Don-t-enable-new-TLS-versions-by-default.patch
+++ b/0001-stream-ssl-Don-t-enable-new-TLS-versions-by-default.patch
@ -0,0 +1,40 @@
+From a6869520061696cb115afb7de0021556068d1134 Mon Sep 17 00:00:00 2001
+From: Timothy Redaelli <tredaelli@redhat.com>
+Date: Fri, 27 Jul 2018 16:29:40 +0200
+Subject: [PATCH 1/2] stream-ssl: Don't enable new TLS versions by default
+
+Currently protocol_flags is populated by the list of SSL and TLS
+protocols by hand. This means that when a new TLS version is added to
+openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
+ovsdb-server automatically enable support to it with the default ciphers.
+This can be a security problem (since other ciphers can be enabled) and it
+also makes a test (SSL db: implementation) to fail.
+
+This commit changes the 'protocol_flags' to use the list of all protocol
+flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
+need to keep the list updated by hand.
+
+Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
+Signed-off-by: Ben Pfaff <blp@ovn.org>
+(cherry picked from commit ab16d2c2871b82d1f71c652657791acd9ca51161)
+---
+ lib/stream-ssl.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
+index 278468083..95b0f106e 100644
+--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
+@@ -1186,8 +1186,7 @@ stream_ssl_set_protocols(const char *arg)
+     }
+ 
+     /* Start with all the flags off and turn them on as requested. */
+-    long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
+-    protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+    long protocol_flags = SSL_OP_NO_SSL_MASK;
+ 
+     char *s = xstrdup(arg);
+     char *save_ptr = NULL;
+-- 
+2.17.1
+
--- a/0002-stream-ssl-Define-SSL_OP_NO_SSL_MASK-for-OpenSSL-ver.patch
+++ b/0002-stream-ssl-Define-SSL_OP_NO_SSL_MASK-for-OpenSSL-ver.patch
@ -0,0 +1,40 @@
+From 74f34a896ddaebce7eba66022be8868dd3b44d0a Mon Sep 17 00:00:00 2001
+From: Ben Pfaff <blp@ovn.org>
+Date: Mon, 6 Aug 2018 15:39:44 -0700
+Subject: [PATCH 2/2] stream-ssl: Define SSL_OP_NO_SSL_MASK for OpenSSL
+ versions that lack it.
+
+10 of the travis builds are failing such as
+TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
+
+Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
+CC: Timothy Redaelli <tredaelli@redhat.com>
+Signed-off-by: Darrell Ball <dlu998@gmail.com>
+Signed-off-by: Ben Pfaff <blp@ovn.org>
+Acked-by: Han Zhou <hzhou8@ebay.com>
+Acked-by: Darrell Ball <dlu998@gmail.com>
+(cherry picked from commit ce679280889f0eb4ebc95b62558a20a7a5f7c0fb)
+---
+ lib/stream-ssl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
+index 95b0f106e..c64bb8f19 100644
+--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
+@@ -1186,6 +1186,12 @@ stream_ssl_set_protocols(const char *arg)
+     }
+ 
+     /* Start with all the flags off and turn them on as requested. */
+#ifndef SSL_OP_NO_SSL_MASK
+    /* For old OpenSSL without this macro, this is the correct value.  */
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
+                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
+                            SSL_OP_NO_TLSv1_2)
+#endif
+     long protocol_flags = SSL_OP_NO_SSL_MASK;
+ 
+     char *s = xstrdup(arg);
+-- 
+2.17.1
+
--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -40,7 +40,7 @@ Name: openvswitch
 Summary: Open vSwitch daemon/database/utilities
 URL: http://www.openvswitch.org/
 Version: 2.9.2
-Release: 4%{?commit0:.%{date}git%{shortcommit0}}%{?dist}
+Release: 5%{?commit0:.%{date}git%{shortcommit0}}%{?dist}

 # Nearly all of openvswitch is ASL 2.0.  The bugtool is LGPLv2+, and the
 # lib/sflow*.[ch] files are SISSL
@ -71,6 +71,9 @@ Patch41: 0002-netdev-tc-offloads-Add-support-for-IP-fragmentation.patch
 Patch42: 0001-lib-netdev-tc-offloads-Fix-frag-first-later-translat.patch
 Patch43: 0002-lib-tc-Fix-sparse-warnings.patch

+# Don't enable new TLS versions by default (needed since OpenSSL 1.1.1)
+Patch310: 0001-stream-ssl-Don-t-enable-new-TLS-versions-by-default.patch
+Patch311: 0002-stream-ssl-Define-SSL_OP_NO_SSL_MASK-for-OpenSSL-ver.patch

 BuildRequires: gcc-c++
 BuildRequires: gcc
@ -290,9 +293,9 @@ install -p -m 0755 rhel/etc_sysconfig_network-scripts_ifdown-ovs \
 install -p -m 0755 rhel/etc_sysconfig_network-scripts_ifup-ovs \
        $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/network-scripts/ifup-ovs

-install -d -m 0755 $RPM_BUILD_ROOT%{python_sitelib}
+install -d -m 0755 $RPM_BUILD_ROOT%{python2_sitelib}
 cp -a $RPM_BUILD_ROOT/%{_datadir}/openvswitch/python/ovstest \
-        $RPM_BUILD_ROOT%{python_sitelib}
+        $RPM_BUILD_ROOT%{python2_sitelib}

 # Build the JSON C extension for the Python lib (#1417738)
 pushd python
@ -653,6 +656,9 @@ chown -R openvswitch:openvswitch /etc/openvswitch
 %{_unitdir}/ovn-controller-vtep.service

 %changelog
+* Mon Aug 13 2018 Timothy Redaelli <tredaelli@redhat.com> - 2.9.2-5
+- Backport "Don't enable new TLS versions by default"
+
 * Mon Aug 06 2018 Lubomir Rintel <lkundrak@v3.sk> - 2.9.2-4
 - Split out the network-scripts