public inbox for git-commits@fedoraproject.org
* [rpms/openssl] rebase_40beta: - disable enforcement of the renegotiation extension on the client
Date: 2026-06-09 12:41 UTC
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : e88edba9c7892c051862775e5ccb323ad088b68d
Author : Tomáš Mráz <tmraz@fedoraproject.org>
Date : 2009-11-18T14:03:10+00:00
Stats : +90/-1 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/e88edba9c7892c051862775e5ccb323ad088b68d?branch=rebase_40beta
Log:
- disable enforcement of the renegotiation extension on the client
(#537962)
- add fixes from the current upstream snapshot
---
diff --git a/openssl-1.0.0-beta4-backports.patch b/openssl-1.0.0-beta4-backports.patch
new file mode 100644
index 0000000..ad4c7e4
--- /dev/null
+++ b/openssl-1.0.0-beta4-backports.patch
@@ -0,0 +1,45 @@
+diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
+--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100
+@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
+ }
+ else ret= *a;
+
+- ret->save_type=type;
+- ret->type=EVP_PKEY_type(type);
+- switch (ret->type)
++ if (!EVP_PKEY_set_type(ret, type))
++ {
++ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
++ goto err;
++ }
++
++ switch (EVP_PKEY_id(ret))
+ {
+ #ifndef OPENSSL_NO_RSA
+ case EVP_PKEY_RSA:
+diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
+--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100
+@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
+ #ifndef OPENSSL_NO_ENGINE
+ /* If we have an ENGINE release it */
+ if (pkey->engine)
++ {
+ ENGINE_finish(pkey->engine);
++ pkey->engine = NULL;
++ }
+ #endif
+ }
+ if (str)
+diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
+--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100
+@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm,
+ offset= -offset;
+ }
+ atm.type=ctm->type;
++ atm.flags = 0;
+ atm.length=sizeof(buff2);
+ atm.data=(unsigned char *)buff2;
+
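Review bot: The new patch file carries no header describing where its three fixes come from (an upstream commit id or the snapshot date per sub-patch), unlike the client-reneg patch, which opens with a one-line rationale; a short provenance line before each `diff -up` would make later rebases much easier. On the d2i_pu.c region, the new `goto err` after `ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);` is reached for a `ret` that is either freshly allocated or the caller's own object (`else ret= *a;`), so confirm that the `err:` label, which lies outside the hunk, frees `ret` only in the allocated case and never the caller's `*a`. The other two sub-patches look right as posted: `pkey->engine = NULL;` after `ENGINE_finish(pkey->engine);` clears a reference that would otherwise dangle on a reused `EVP_PKEY`, and `atm.flags = 0;` fills in the one field of the hand-built stack `ASN1_TIME` (`atm.type`, `atm.length`, `atm.data` are set around it) that was previously left uninitialized before the time comparison.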
diff --git a/openssl-1.0.0-beta4-client-reneg.patch b/openssl-1.0.0-beta4-client-reneg.patch
new file mode 100644
index 0000000..11b9ab7
--- /dev/null
+++ b/openssl-1.0.0-beta4-client-reneg.patch
@@ -0,0 +1,35 @@
+Do not enforce the renegotiation extension on the client - too many broken servers remain.
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
+@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+
+ if (data >= (d+n-2))
+ {
++#if 0
+ /* Because the client does not see any renegotiation during an
+ attack, we must enforce this on all server hellos, even the
+ first */
+@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+ return 1;
+ }
+
+@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ return 0;
+ }
+
++#if 0
+ if (!renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+
+ if (!s->hit && tlsext_servername == 1)
+ {
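Review bot: Wrapping both checks in `#if 0` removes the enforcement at compile time instead of changing the runtime default, so the opt-in gate `!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)` visible in the third region becomes dead code on the client side and an administrator cannot restore the strict behaviour without rebuilding the package. The retained comment "Because the client does not see any renegotiation during an attack, we must enforce this on all server hellos, even the first" now contradicts the code directly below it. Suggest keeping the checks compiled in and instead making the permissive option the default (in the library or set from the spec), so that the lenient mode is visible, reversible and logged in one place; at minimum, extend the `#if 0` to cover the now-misleading comment and state in the patch header that, with this change, a Fedora client will accept a server that does not send the renegotiation extension.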
diff --git a/openssl.spec b/openssl.spec
index 62d1c52..8f1d2ba 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.12.%{beta}%{?dist}
+Release: 0.13.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -63,6 +63,9 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
Patch51: openssl-1.0.0-beta4-version.patch
# Backported fixes including security fixes
Patch60: openssl-1.0.0-beta4-reneg.patch
+# This one is not backported but has to be applied after reneg patch
+Patch61: openssl-1.0.0-beta4-client-reneg.patch
+Patch62: openssl-1.0.0-beta4-backports.patch
License: OpenSSL
Group: System Environment/Libraries
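Review bot: The comment `# This one is not backported but has to be applied after reneg patch` sits above both `Patch61` and `Patch62`, but only describes Patch61; `openssl-1.0.0-beta4-backports.patch` is precisely a backport and belongs under the earlier `# Backported fixes including security fixes` comment. Suggest a separate comment line before Patch62 and adding the bug reference (#537962, as in the changelog) to the Patch61 comment so the reason for relaxing the client-side check is findable from the spec itself.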
@@ -143,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch51 -p1 -b .version
%patch60 -p1 -b .reneg
+%patch61 -p1 -b .client-reneg
+%patch62 -p1 -b .backports
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -391,6 +396,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
+* Wed Nov 18 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.13.beta4
+- disable enforcement of the renegotiation extension on the client (#537962)
+- add fixes from the current upstream snapshot
+
* Fri Nov 13 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.12.beta4
- keep the beta status in version number at 3 so we do not have to rebuild
openssh and possibly other dependencies with too strict version check
* [rpms/openssl] rebase_40beta: - disable enforcement of the renegotiation extension on the client
Date: 2026-06-09 12:41 UTC
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 5b761f5986c741b330e72b190d10343e72b8278c
Author : Tomáš Mráz <tmraz@fedoraproject.org>
Date : 2009-11-18T13:14:13+00:00
Stats : +90/-1 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/5b761f5986c741b330e72b190d10343e72b8278c?branch=rebase_40beta
Log:
- disable enforcement of the renegotiation extension on the client
(#537962)
- add fixes from the current upstream snapshot
---
diff --git a/openssl-1.0.0-beta4-backports.patch b/openssl-1.0.0-beta4-backports.patch
new file mode 100644
index 0000000..ad4c7e4
--- /dev/null
+++ b/openssl-1.0.0-beta4-backports.patch
@@ -0,0 +1,45 @@
+diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
+--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100
+@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
+ }
+ else ret= *a;
+
+- ret->save_type=type;
+- ret->type=EVP_PKEY_type(type);
+- switch (ret->type)
++ if (!EVP_PKEY_set_type(ret, type))
++ {
++ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
++ goto err;
++ }
++
++ switch (EVP_PKEY_id(ret))
+ {
+ #ifndef OPENSSL_NO_RSA
+ case EVP_PKEY_RSA:
+diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
+--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100
+@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
+ #ifndef OPENSSL_NO_ENGINE
+ /* If we have an ENGINE release it */
+ if (pkey->engine)
++ {
+ ENGINE_finish(pkey->engine);
++ pkey->engine = NULL;
++ }
+ #endif
+ }
+ if (str)
+diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
+--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100
+@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm,
+ offset= -offset;
+ }
+ atm.type=ctm->type;
++ atm.flags = 0;
+ atm.length=sizeof(buff2);
+ atm.data=(unsigned char *)buff2;
+
diff --git a/openssl-1.0.0-beta4-client-reneg.patch b/openssl-1.0.0-beta4-client-reneg.patch
new file mode 100644
index 0000000..11b9ab7
--- /dev/null
+++ b/openssl-1.0.0-beta4-client-reneg.patch
@@ -0,0 +1,35 @@
+Do not enforce the renegotiation extension on the client - too many broken servers remain.
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
+@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+
+ if (data >= (d+n-2))
+ {
++#if 0
+ /* Because the client does not see any renegotiation during an
+ attack, we must enforce this on all server hellos, even the
+ first */
+@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+ return 1;
+ }
+
+@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ return 0;
+ }
+
++#if 0
+ if (!renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+
+ if (!s->hit && tlsext_servername == 1)
+ {
diff --git a/openssl.spec b/openssl.spec
index 62d1c52..8f1d2ba 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.12.%{beta}%{?dist}
+Release: 0.13.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -63,6 +63,9 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
Patch51: openssl-1.0.0-beta4-version.patch
# Backported fixes including security fixes
Patch60: openssl-1.0.0-beta4-reneg.patch
+# This one is not backported but has to be applied after reneg patch
+Patch61: openssl-1.0.0-beta4-client-reneg.patch
+Patch62: openssl-1.0.0-beta4-backports.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -143,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch51 -p1 -b .version
%patch60 -p1 -b .reneg
+%patch61 -p1 -b .client-reneg
+%patch62 -p1 -b .backports
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -391,6 +396,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
+* Wed Nov 18 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.13.beta4
+- disable enforcement of the renegotiation extension on the client (#537962)
+- add fixes from the current upstream snapshot
+
* Fri Nov 13 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.12.beta4
- keep the beta status in version number at 3 so we do not have to rebuild
openssh and possibly other dependencies with too strict version check