From 77345cceebfeb6f174556d2d2fd65002f4239bd6 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 16 May 2016 10:14:54 +0200
Subject: mongo-c-driver: add patch to enforce system crypto policies

---
 mongo-c-driver-crypto.patch | 17 +++++++++++++++++
 mongo-c-driver.spec | 11 ++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 mongo-c-driver-crypto.patch

diff --git a/mongo-c-driver-crypto.patch b/mongo-c-driver-crypto.patch
new file mode 100644
index 0000000..e3cf7da
--- /dev/null
+++ b/mongo-c-driver-crypto.patch
@@ -0,0 +1,17 @@
+diff -up ./src/mongoc/mongoc-ssl.c.old ./src/mongoc/mongoc-ssl.c
+--- ./src/mongoc/mongoc-ssl.c.old 2016-05-16 10:06:56.592895951 +0200
++++ ./src/mongoc/mongoc-ssl.c 2016-05-16 10:07:57.737182179 +0200
+@@ -405,11 +405,8 @@ _mongoc_ssl_ctx_new (mongoc_ssl_opt_t *o
+ * SSL_OP_NO_SSLv2 - Disable SSL v2 support */
+ SSL_CTX_set_options (ctx, (SSL_OP_ALL | SSL_OP_NO_SSLv2));
+- /* HIGH - Enable strong ciphers
+- * !EXPORT - Disable export ciphers (40/56 bit)
+- * !aNULL - Disable anonymous auth ciphers
+- * @STRENGTH - Sort ciphers based on strength */
+- SSL_CTX_set_cipher_list (ctx, "HIGH:!EXPORT:!aNULL@STRENGTH");
++ /* See https://fedoraproject.org/wiki/Packaging:CryptoPolicies */
++ SSL_CTX_set_cipher_list (ctx, "PROFILE=SYSTEM");
+ /* If renegotiation is needed, don't return from recv() or send() until it's successful.
+ * Note: this is for blocking sockets only. */
diff --git a/mongo-c-driver.spec b/mongo-c-driver.spec
index a9673ad..2e6f3bf 100644
--- a/mongo-c-driver.spec
+++ b/mongo-c-driver.spec
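Review bot: The new `SSL_CTX_set_cipher_list (ctx, "PROFILE=SYSTEM");` discards the return value, and with this string that matters more than it did for the old literal: `PROFILE=SYSTEM` is a cipher-string extension carried by the Fedora/RHEL OpenSSL build (per the linked packaging page), not by upstream OpenSSL, so on a library without that patch the call returns 0 and the context silently keeps whatever default list the library was built with, which may be weaker than the `HIGH:!EXPORT:!aNULL` floor the removed lines enforced. The patch should fail closed when the profile is not understood, e.g. `if (!SSL_CTX_set_cipher_list (ctx, "PROFILE=SYSTEM")) { SSL_CTX_free (ctx); return NULL; }`, or at minimum fall back to the previous `"HIGH:!EXPORT:!aNULL@STRENGTH"` string so a bad policy is never weaker than before. The body of `_mongoc_ssl_ctx_new` and its existing error-cleanup convention lie outside the hunk, so the exact cleanup on that path should match what the function already does for other failures.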
@@ -23,13 +23,17 @@ Name: mongo-c-driver
 Summary: Client library written in C for MongoDB
 Version: 1.3.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 Group: System Environment/Libraries
 URL: https://github.com/%{gh_owner}/%{gh_project}
 Source0: https://github.com/%{gh_owner}/%{gh_project}/releases/download/%{version}%{?prever:-%{prever}}/%{gh_project}-%{version}%{?prever:-%{prever}}.tar.gz
+# Enforce system crypto policies
+# https://fedoraproject.org/wiki/Packaging:CryptoPolicies
+Patch0: %{name}-crypto.patch
+
 BuildRequires: pkgconfig(openssl)
 BuildRequires: pkgconfig(libbson-1.0)
 %if 0%{?fedora} > 21 || 0%{?rhel} > 6
@@ -80,6 +84,8 @@ Documentation: http://api.mongodb.org/c/%{version}/
 %prep
 %setup -q -n %{gh_project}-%{version}%{?prever:-%{prever}}
+%patch0 -p1 -b .cryptopolicy
+
 rm -r src/libbson
 # Ignore check for libbson version = libmongoc version
@@ -171,6 +177,9 @@ exit $ret
 %changelog
+* Mon May 16 2016 Remi Collet - 1.3.5-2
+- add patch to enforce system crypto policies
+
 * Thu Mar 31 2016 Remi Collet - 1.3.5-1
 - update to 1.3.5
 - use --disable-automatic-init-and-cleanup build option
-- 
cgit
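Review bot: `%patch0 -p1 -b .cryptopolicy` applies the crypto-policies patch unconditionally, while the same spec already branches on `%if 0%{?fedora} > 21 || 0%{?rhel} > 6` a few lines below `Patch0` (what that block gates is outside the hunk). As far as I can tell, `PROFILE=SYSTEM` is only understood by an OpenSSL that ships with crypto-policies support, which at this date means Fedora rather than EL 6/7, so if this spec is also built for EL the patched driver would end up with a cipher string its OpenSSL rejects. If EL builds are in scope, guard the application the same way, `%if 0%{?fedora} > 21` / `%patch0 -p1 -b .cryptopolicy` / `%endif`, and record the assumption next to the source line, e.g. `# Requires an OpenSSL that understands the PROFILE=SYSTEM cipher string (crypto-policies)`.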