To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: - fix non-fips mingw build (patch by Kalev Lember)
Date: Tue, 09 Jun 2026 12:42:02 GMT [thread overview]
Message-ID: <178100892222.1.11790107278900687983.rpms-openssl-e8799f082e57@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : e8799f082e57d39aedbbca0c35fb322a455ffb83
Author : Tomáš Mráz <tmraz@fedoraproject.org>
Date : 2009-12-15T18:12:29+00:00
Stats : +328/-2 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/e8799f082e57d39aedbbca0c35fb322a455ffb83?branch=rebase_40beta
Log:
- fix non-fips mingw build (patch by Kalev Lember)
- add IPV6 fix for DTLS
---
diff --git a/openssl-1.0.0-beta4-dtls-ipv6.patch b/openssl-1.0.0-beta4-dtls-ipv6.patch
new file mode 100644
index 0000000..1173f1a
--- /dev/null
+++ b/openssl-1.0.0-beta4-dtls-ipv6.patch
@@ -0,0 +1,219 @@
+diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c
+--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100
+@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr)
+ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
+ {
+ OPENSSL_assert(sa.len.s<=sizeof(sa.from));
+- sa.len.i = (unsigned int)sa.len.s;
++ sa.len.i = (int)sa.len.s;
++ /* use sa.len.i from this point */
+ }
+ if (ret == INVALID_SOCKET)
+ {
+diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
+--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2009-11-23 08:50:45.000000000 +0100
+@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp=
+
+ typedef struct bio_dgram_data_st
+ {
++ union {
++ struct sockaddr sa;
++ struct sockaddr_in sa_in;
+ #if OPENSSL_USE_IPV6
+- struct sockaddr_storage peer;
+-#else
+- struct sockaddr_in peer;
++ struct sockaddr_in6 sa_in6;
+ #endif
++ } peer;
+ unsigned int connected;
+ unsigned int _errno;
+ unsigned int mtu;
+@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out,
+ int ret=0;
+ bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+
++ struct {
++ /*
++ * See commentary in b_sock.c. <appro>
++ */
++ union { size_t s; int i; } len;
++ union {
++ struct sockaddr sa;
++ struct sockaddr_in sa_in;
+ #if OPENSSL_USE_IPV6
+- struct sockaddr_storage peer;
+-#else
+- struct sockaddr_in peer;
++ struct sockaddr_in6 sa_in6;
+ #endif
+- int peerlen = sizeof(peer);
++ } peer;
++ } sa;
++
++ sa.len.s=0;
++ sa.len.i=sizeof(sa.peer);
+
+ if (out != NULL)
+ {
+ clear_socket_error();
+- memset(&peer, 0x00, peerlen);
+- /* Last arg in recvfrom is signed on some platforms and
+- * unsigned on others. It is of type socklen_t on some
+- * but this is not universal. Cast to (void *) to avoid
+- * compiler warnings.
+- */
++ memset(&sa.peer, 0x00, sizeof(sa.peer));
+ dgram_adjust_rcv_timeout(b);
+- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen);
++ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len);
++ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
++ {
++ OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
++ sa.len.i = (int)sa.len.s;
++ }
+ dgram_reset_rcv_timeout(b);
+
+ if ( ! data->connected && ret >= 0)
+- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
++ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
+
+ BIO_clear_retry_flags(b);
+ if (ret < 0)
+@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha
+ if ( data->connected )
+ ret=writesocket(b->num,in,inl);
+ else
+-#if OPENSSL_USE_IPV6
+- if (data->peer.ss_family == AF_INET)
+ #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
++ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
+ #else
+- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#endif
+- else
+-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
+-#else
+- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
+-#endif
+-#else
+-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#else
+- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#endif
++ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
+ #endif
+
+ BIO_clear_retry_flags(b);
+@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd,
+ else
+ {
+ #endif
++ switch (to->sa_family)
++ {
++ case AF_INET:
++ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
++ break;
+ #if OPENSSL_USE_IPV6
+- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
+-#else
+- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
+-#endif
++ case AF_INET6:
++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
++ break;
++#endif
++ default:
++ memcpy(&data->peer,to,sizeof(data->peer.sa));
++ break;
++ }
+ #if 0
+ }
+ #endif
+@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd,
+ if ( to != NULL)
+ {
+ data->connected = 1;
++ switch (to->sa_family)
++ {
++ case AF_INET:
++ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
++ break;
+ #if OPENSSL_USE_IPV6
+- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
+-#else
+- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
+-#endif
++ case AF_INET6:
++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
++ break;
++#endif
++ default:
++ memcpy(&data->peer,to,sizeof(data->peer.sa));
++ break;
++ }
+ }
+ else
+ {
+ data->connected = 0;
+-#if OPENSSL_USE_IPV6
+- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage));
+-#else
+- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in));
+-#endif
++ memset(&(data->peer), 0x00, sizeof(data->peer));
+ }
+ break;
+ case BIO_CTRL_DGRAM_GET_PEER:
+ to = (struct sockaddr *) ptr;
+-
++ switch (to->sa_family)
++ {
++ case AF_INET:
++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
++ break;
+ #if OPENSSL_USE_IPV6
+- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage));
+- ret = sizeof(struct sockaddr_storage);
+-#else
+- memcpy(to, &(data->peer), sizeof(struct sockaddr_in));
+- ret = sizeof(struct sockaddr_in);
+-#endif
++ case AF_INET6:
++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
++ break;
++#endif
++ default:
++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
++ break;
++ }
+ break;
+ case BIO_CTRL_DGRAM_SET_PEER:
+ to = (struct sockaddr *) ptr;
+-
++ switch (to->sa_family)
++ {
++ case AF_INET:
++ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
++ break;
+ #if OPENSSL_USE_IPV6
+- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage));
+-#else
+- memcpy(&(data->peer), to, sizeof(struct sockaddr_in));
+-#endif
++ case AF_INET6:
++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
++ break;
++#endif
++ default:
++ memcpy(&data->peer,to,sizeof(data->peer.sa));
++ break;
++ }
+ break;
+ case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
+ memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
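Review bot: In the `BIO_CTRL_DGRAM_GET_PEER` case of bss_dgram.c the new `switch (to->sa_family)` reads the address family from `to`, which is the caller's output buffer and the destination of the `memcpy`, rather than from the stored peer. If the caller has not pre-set that field, the copy length is chosen from whatever the buffer happens to hold, so a stored IPv6 peer can be truncated or `sizeof(data->peer.sa_in6)` bytes can be written into a smaller buffer. The switch should key on the source instead, `switch (data->peer.sa.sa_family)`. Separately, both `sendto` calls in `dgram_write` now pass `sizeof(data->peer)`, the size of the whole union, for every family; some socket stacks may reject an AF_INET address whose length is not `sizeof(struct sockaddr_in)`, so choosing the length by `data->peer.sa.sa_family` would be safer. `dgram_ctrl` starts and ends outside these hunks, so the handling of `num` and any caller-side initialisation is not visible here.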
diff --git a/openssl-1.0.0-beta4-reneg-err.patch b/openssl-1.0.0-beta4-reneg-err.patch
new file mode 100644
index 0000000..271dbe7
--- /dev/null
+++ b/openssl-1.0.0-beta4-reneg-err.patch
@@ -0,0 +1,93 @@
+Better error reporting for unsafe renegotiation.
+diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
+--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100
+@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
+ {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
+@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
+ {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
+ {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
++{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
+diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
+--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100
+@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
+ #define SSL_F_SSL_NEW 186
+ #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
++#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
+ #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
++#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
+ #define SSL_F_SSL_PEEK 270
+ #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
+ #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
+@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
+ #define SSL_R_UNKNOWN_SSL_VERSION 254
+ #define SSL_R_UNKNOWN_STATE 255
++#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
+ #define SSL_R_UNSUPPORTED_CIPHER 256
+ #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+ #define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
+diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
+--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100
+@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+ #else
++ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
++ goto err;
++ }
+ /* we are talking sslv2 */
+ /* we need to clean up the SSLv3/TLSv1 setup and put in the
+ * sslv2 stuff. */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100
+@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ {
+ /* We should always see one extension: the renegotiate extension */
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+ return 1;
+@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ if (s->new_session && !renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
+@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ {
+ /* We should always see one extension: the renegotiate extension */
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+ #endif
+@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+ #endif
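Review bot: The guard added to `ssl23_get_client_hello` in s23_srvr.c tests `s->ctx->options`, so an option changed on the individual SSL object after it was created would not be seen on this path; if the connection's own option word is meant to be authoritative, the test would be `if (!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`. The context lines of the t1_lib.c hunks show the same `s->ctx->options` test, so this matches the surrounding patch set, but it is worth confirming that is intended. The guard also makes the "we are talking sslv2" branch fail where it previously continued, which is more than the patch header's "Better error reporting" says. The reason it reports is `SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED`, on what appears to be an initial hello rather than a renegotiation. A short comment above the check saying why an SSLv2 hello is refused unless this option is set would keep the next reader from treating it as a reporting-only change. The function body continues outside the hunk.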
diff --git a/openssl.spec b/openssl.spec
index 8f1d2ba..2729e7e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.13.%{beta}%{?dist}
+Release: 0.16.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -66,6 +66,8 @@ Patch60: openssl-1.0.0-beta4-reneg.patch
# This one is not backported but has to be applied after reneg patch
Patch61: openssl-1.0.0-beta4-client-reneg.patch
Patch62: openssl-1.0.0-beta4-backports.patch
+Patch63: openssl-1.0.0-beta4-reneg-err.patch
+Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -148,6 +150,8 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch60 -p1 -b .reneg
%patch61 -p1 -b .client-reneg
%patch62 -p1 -b .backports
+%patch63 -p1 -b .reneg-err
+%patch64 -p1 -b .dtls-ipv6
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -181,7 +185,7 @@ sslarch=linux-alpha-gcc
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
-sslarch="linux-generic64 -DB_ENDIAN"
+sslarch="linux-s390x"
%endif
%ifarch %{arm} sh3 sh4
sslarch=linux-generic32
@@ -396,6 +400,16 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
+* Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
+- fix non-fips mingw build (patch by Kalev Lember)
+- add IPV6 fix for DTLS
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.15.beta4
+- add better error reporting for the unsafe renegotiation
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.14.beta4
+- fix build on s390x
+
* Wed Nov 18 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.13.beta4
- disable enforcement of the renegotiation extension on the client (#537962)
- add fixes from the current upstream snapshot