common/patches/048-weak-ciphers.patch

# Remove MD2, MD4: some functions need to be stubbed
# Deprecate DES, RC2, RC4, and MD5
# Patch developed in-house. Solaris-specific; not suitable for upstream.
--- openssl-1.x/crypto/des/des.h    Thu Feb 25 07:42:06 2016
+++ openssl-1.x/crypto/des/des.h.new    Thu Feb 25 08:37:40 2016
@@ -132,24 +132,38 @@
 void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
                       DES_key_schedule *ks1, DES_key_schedule *ks2,
                       DES_key_schedule *ks3, int enc);
+
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+/* Mark DES functions deprecated */
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
 DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output,
                        long length, DES_key_schedule *schedule,
                        const_DES_cblock *ivec);
 /* DES_cbc_encrypt does not update the IV!  Use DES_ncbc_encrypt instead. */
-void DES_cbc_encrypt(const unsigned char *input, unsigned char *output,
+DEPRECATED void DES_cbc_encrypt(const unsigned char *input, unsigned char *output,
                      long length, DES_key_schedule *schedule,
                      DES_cblock *ivec, int enc);
-void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output,
+DEPRECATED void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output,
                       long length, DES_key_schedule *schedule,
                       DES_cblock *ivec, int enc);
-void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output,
+DEPRECATED void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output,
                       long length, DES_key_schedule *schedule,
                       DES_cblock *ivec, const_DES_cblock *inw,
                       const_DES_cblock *outw, int enc);
-void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
+DEPRECATED void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                      long length, DES_key_schedule *schedule,
                      DES_cblock *ivec, int enc);
-void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
+DEPRECATED void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
                      DES_key_schedule *ks, int enc);

 /*
@@ -204,19 +218,19 @@
                        DES_cblock *out_white);
 # endif

-int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
+DEPRECATED int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
                  DES_cblock *iv);
-int DES_enc_write(int fd, const void *buf, int len, DES_key_schedule *sched,
+DEPRECATED int DES_enc_write(int fd, const void *buf, int len, DES_key_schedule *sched,
                   DES_cblock *iv);
-char *DES_fcrypt(const char *buf, const char *salt, char *ret);
-char *DES_crypt(const char *buf, const char *salt);
-void DES_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
+DEPRECATED char *DES_fcrypt(const char *buf, const char *salt, char *ret);
+DEPRECATED char *DES_crypt(const char *buf, const char *salt);
+DEPRECATED void DES_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                      long length, DES_key_schedule *schedule,
                      DES_cblock *ivec);
-void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output,
+DEPRECATED void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output,
                       long length, DES_key_schedule *schedule,
                       DES_cblock *ivec, int enc);
-DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[],
+DEPRECATED DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[],
                         long length, int out_count, DES_cblock *seed);
 int DES_random_key(DES_cblock *ret);
 void DES_set_odd_parity(DES_cblock *key);
@@ -237,10 +251,10 @@
 # endif
 void DES_string_to_key(const char *str, DES_cblock *key);
 void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2);
-void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+DEPRECATED void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
                        long length, DES_key_schedule *schedule,
                        DES_cblock *ivec, int *num, int enc);
-void DES_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+DEPRECATED void DES_ofb64_encrypt(const unsigned char *in, unsigned char *out,
                        long length, DES_key_schedule *schedule,
                        DES_cblock *ivec, int *num);

--- openssl-1.x/crypto/md5/md5.h    Thu Feb 25 07:42:06 2016
+++ openssl-1.x/crypto/md5/md5.h.new    Thu Feb 25 08:39:36 2016
@@ -104,14 +104,28 @@
     unsigned int num;
 } MD5_CTX;

+
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+/* Mark MD5 functions deprecated */
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
 # ifdef OPENSSL_FIPS
 int private_MD5_Init(MD5_CTX *c);
 # endif
-int MD5_Init(MD5_CTX *c);
-int MD5_Update(MD5_CTX *c, const void *data, size_t len);
-int MD5_Final(unsigned char *md, MD5_CTX *c);
-unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md);
-void MD5_Transform(MD5_CTX *c, const unsigned char *b);
+DEPRECATED int MD5_Init(MD5_CTX *c);
+DEPRECATED int MD5_Update(MD5_CTX *c, const void *data, size_t len);
+DEPRECATED int MD5_Final(unsigned char *md, MD5_CTX *c);
+DEPRECATED unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md);
+DEPRECATED void MD5_Transform(MD5_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }
 #endif
--- openssl-1.x/crypto/rc4/rc4.h    Thu Feb 25 07:42:06 2016
+++ openssl-1.x/crypto/rc4/rc4.h.new    Thu Feb 25 08:38:33 2016
@@ -75,10 +75,23 @@
     RC4_INT data[256];
 } RC4_KEY;

-const char *RC4_options(void);
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
-void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
-void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+/* Mark RC4 functions deprecated */
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
+DEPRECATED const char *RC4_options(void);
+DEPRECATED void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+DEPRECATED void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+DEPRECATED void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
          unsigned char *outdata);

 #ifdef  __cplusplus
--- openssl-1.x/crypto/pem/pem.h    Fri Sep 11 00:42:09 2015
+++ openssl-1.x/crypto/pem/pem.h.new    Thu Feb 25 08:47:04 2016
@@ -520,9 +520,24 @@
 EVP_PKEY *b2i_PublicKey_bio(BIO *in);
 int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk);
 int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk);
+
+
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+/* Mark RC4 functions deprecated */
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
 # ifndef OPENSSL_NO_RC4
-EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u);
-int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
+DEPRECATED EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u);
+DEPRECATED int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
                 pem_password_cb *cb, void *u);
 # endif

--- openssl-1.x/crypto/rsa/rsa.h    Fri Sep 11 00:42:09 2015
+++ openssl-1.x/crypto/rsa/rsa.h.new    Thu Feb 25 08:47:08 2016
@@ -387,18 +387,31 @@
 int RSA_print(BIO *bp, const RSA *r, int offset);
 # endif

+
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+/* Mark RC4 functions deprecated */
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
 # ifndef OPENSSL_NO_RC4
-int i2d_RSA_NET(const RSA *a, unsigned char **pp,
+DEPRECATED int i2d_RSA_NET(const RSA *a, unsigned char **pp,
                 int (*cb) (char *buf, int len, const char *prompt,
                            int verify), int sgckey);
-RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
+DEPRECATED RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
                  int (*cb) (char *buf, int len, const char *prompt,
                             int verify), int sgckey);
-
-int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
+DEPRECATED int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
                      int (*cb) (char *buf, int len, const char *prompt,
                                 int verify));
-RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
+DEPRECATED RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
                       int (*cb) (char *buf, int len, const char *prompt,
                                  int verify));
 # endif
--- openssl-1.x/crypto/x509/x509.h  Fri Sep 11 00:42:09 2015
+++ openssl-1.x/crypto/x509/x509.h.new  Thu Feb 25 08:47:12 2016
@@ -970,9 +970,22 @@
 int X509_subject_name_cmp(const X509 *a, const X509 *b);
 unsigned long X509_subject_name_hash(X509 *x);

+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+/* Mark MD5 functions deprecated */
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
 # ifndef OPENSSL_NO_MD5
-unsigned long X509_issuer_name_hash_old(X509 *a);
-unsigned long X509_subject_name_hash_old(X509 *x);
+DEPRECATED unsigned long X509_issuer_name_hash_old(X509 *a);
+DEPRECATED unsigned long X509_subject_name_hash_old(X509 *x);
 # endif

 int X509_cmp(const X509 *a, const X509 *b);
$ diff -ru e_rc2.c e_rc2.c.new
--- a/crypto/rc2/rc2.h.orig Thu Apr 14 12:23:50 2016
+++ b/crypto/rc2/rc2.h  Thu Apr 14 12:27:16 2016
@@ -82,17 +82,32 @@
 void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
                          int bits);
 # endif
-void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits);
-void RC2_ecb_encrypt(const unsigned char *in, unsigned char *out,
+
+
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+/* Mark RC2 functions deprecated */
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
+DEPRECATED void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits);
+DEPRECATED void RC2_ecb_encrypt(const unsigned char *in, unsigned char *out,
                      RC2_KEY *key, int enc);
-void RC2_encrypt(unsigned long *data, RC2_KEY *key);
-void RC2_decrypt(unsigned long *data, RC2_KEY *key);
-void RC2_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+DEPRECATED void RC2_encrypt(unsigned long *data, RC2_KEY *key);
+DEPRECATED void RC2_decrypt(unsigned long *data, RC2_KEY *key);
+DEPRECATED void RC2_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
                      RC2_KEY *ks, unsigned char *iv, int enc);
-void RC2_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+DEPRECATED void RC2_cfb64_encrypt(const unsigned char *in, unsigned char *out,
                        long length, RC2_KEY *schedule, unsigned char *ivec,
                        int *num, int enc);
-void RC2_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+DEPRECATED void RC2_ofb64_encrypt(const unsigned char *in, unsigned char *out,
                        long length, RC2_KEY *schedule, unsigned char *ivec,
                        int *num);

--- old/crypto/md4/md4.h    Thu Apr 21 09:34:15 2016
+++ new/crypto/md4/md4.h    Thu Apr 21 09:36:51 2016
@@ -104,14 +104,30 @@
     unsigned int num;
 } MD4_CTX;

+/*
+ * Deprecate MD4
+ */
+#ifndef    __has_attribute
+# define __has_attribute(x)    0
+#endif
+
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
+
 # ifdef OPENSSL_FIPS
-int private_MD4_Init(MD4_CTX *c);
+DEPRECATED int private_MD4_Init(MD4_CTX *c);
 # endif
-int MD4_Init(MD4_CTX *c);
-int MD4_Update(MD4_CTX *c, const void *data, size_t len);
-int MD4_Final(unsigned char *md, MD4_CTX *c);
-unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md);
-void MD4_Transform(MD4_CTX *c, const unsigned char *b);
+DEPRECATED int MD4_Init(MD4_CTX *c);
+DEPRECATED int MD4_Update(MD4_CTX *c, const void *data, size_t len);
+DEPRECATED int MD4_Final(unsigned char *md, MD4_CTX *c);
+DEPRECATED unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md);
+DEPRECATED void MD4_Transform(MD4_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }
 #endif
--- old/crypto/evp/evp.h    Tue Mar  1 05:35:53 2016
+++ new/crypto/evp/evp.h    Thu Apr 21 09:35:07 2016
@@ -705,15 +705,31 @@
                     const unsigned char *i, int enc);
 # endif

+
+/*
+ * Deprecate MD4, MD5, RC2, RC4, and DES
+ */
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
+
+#if __has_attribute(deprecated) \
+    || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
+    || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
+# define DEPRECATED __attribute__((deprecated))
+#else
+# define DEPRECATED
+#endif
+
 const EVP_MD *EVP_md_null(void);
 # ifndef OPENSSL_NO_MD2
 const EVP_MD *EVP_md2(void);
 # endif
 # ifndef OPENSSL_NO_MD4
-const EVP_MD *EVP_md4(void);
+DEPRECATED const EVP_MD *EVP_md4(void);
 # endif
 # ifndef OPENSSL_NO_MD5
-const EVP_MD *EVP_md5(void);
+DEPRECATED const EVP_MD *EVP_md5(void);
 # endif
 # ifndef OPENSSL_NO_SHA
 const EVP_MD *EVP_sha(void);
@@ -741,16 +757,16 @@
 # endif
 const EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */
 # ifndef OPENSSL_NO_DES
-const EVP_CIPHER *EVP_des_ecb(void);
-const EVP_CIPHER *EVP_des_ede(void);
+DEPRECATED const EVP_CIPHER *EVP_des_ecb(void);
+DEPRECATED const EVP_CIPHER *EVP_des_ede(void);
 const EVP_CIPHER *EVP_des_ede3(void);
-const EVP_CIPHER *EVP_des_ede_ecb(void);
+DEPRECATED const EVP_CIPHER *EVP_des_ede_ecb(void);
 const EVP_CIPHER *EVP_des_ede3_ecb(void);
-const EVP_CIPHER *EVP_des_cfb64(void);
+DEPRECATED const EVP_CIPHER *EVP_des_cfb64(void);
 #  define EVP_des_cfb EVP_des_cfb64
-const EVP_CIPHER *EVP_des_cfb1(void);
-const EVP_CIPHER *EVP_des_cfb8(void);
-const EVP_CIPHER *EVP_des_ede_cfb64(void);
+DEPRECATED const EVP_CIPHER *EVP_des_cfb1(void);
+DEPRECATED const EVP_CIPHER *EVP_des_cfb8(void);
+DEPRECATED const EVP_CIPHER *EVP_des_ede_cfb64(void);
 #  define EVP_des_ede_cfb EVP_des_ede_cfb64
 #  if 0
 const EVP_CIPHER *EVP_des_ede_cfb1(void);
@@ -760,13 +776,13 @@
 #  define EVP_des_ede3_cfb EVP_des_ede3_cfb64
 const EVP_CIPHER *EVP_des_ede3_cfb1(void);
 const EVP_CIPHER *EVP_des_ede3_cfb8(void);
-const EVP_CIPHER *EVP_des_ofb(void);
-const EVP_CIPHER *EVP_des_ede_ofb(void);
+DEPRECATED const EVP_CIPHER *EVP_des_ofb(void);
+DEPRECATED const EVP_CIPHER *EVP_des_ede_ofb(void);
 const EVP_CIPHER *EVP_des_ede3_ofb(void);
-const EVP_CIPHER *EVP_des_cbc(void);
-const EVP_CIPHER *EVP_des_ede_cbc(void);
+DEPRECATED const EVP_CIPHER *EVP_des_cbc(void);
+DEPRECATED const EVP_CIPHER *EVP_des_ede_cbc(void);
 const EVP_CIPHER *EVP_des_ede3_cbc(void);
-const EVP_CIPHER *EVP_desx_cbc(void);
+DEPRECATED const EVP_CIPHER *EVP_desx_cbc(void);
 const EVP_CIPHER *EVP_des_ede3_wrap(void);
 /*
  * This should now be supported through the dev_crypto ENGINE. But also, why
@@ -782,10 +798,10 @@
 #  endif
 # endif
 # ifndef OPENSSL_NO_RC4
-const EVP_CIPHER *EVP_rc4(void);
-const EVP_CIPHER *EVP_rc4_40(void);
+DEPRECATED const EVP_CIPHER *EVP_rc4(void);
+DEPRECATED const EVP_CIPHER *EVP_rc4_40(void);
 #  ifndef OPENSSL_NO_MD5
-const EVP_CIPHER *EVP_rc4_hmac_md5(void);
+DEPRECATED const EVP_CIPHER *EVP_rc4_hmac_md5(void);
 #  endif
 # endif
 # ifndef OPENSSL_NO_IDEA
@@ -796,13 +812,13 @@
 const EVP_CIPHER *EVP_idea_cbc(void);
 # endif
 # ifndef OPENSSL_NO_RC2
-const EVP_CIPHER *EVP_rc2_ecb(void);
-const EVP_CIPHER *EVP_rc2_cbc(void);
-const EVP_CIPHER *EVP_rc2_40_cbc(void);
-const EVP_CIPHER *EVP_rc2_64_cbc(void);
-const EVP_CIPHER *EVP_rc2_cfb64(void);
+DEPRECATED const EVP_CIPHER *EVP_rc2_ecb(void);
+DEPRECATED const EVP_CIPHER *EVP_rc2_cbc(void);
+DEPRECATED const EVP_CIPHER *EVP_rc2_40_cbc(void);
+DEPRECATED const EVP_CIPHER *EVP_rc2_64_cbc(void);
+DEPRECATED const EVP_CIPHER *EVP_rc2_cfb64(void);
 #  define EVP_rc2_cfb EVP_rc2_cfb64
-const EVP_CIPHER *EVP_rc2_ofb(void);
+DEPRECATED const EVP_CIPHER *EVP_rc2_ofb(void);
 # endif
 # ifndef OPENSSL_NO_BF
 const EVP_CIPHER *EVP_bf_ecb(void);