public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: use 1024 bit DH parameters in s_server as 512 bit is not allowed
Date: Tue, 09 Jun 2026 12:42:44 GMT [thread overview]
Message-ID: <178100896491.1.6167759788396376550.rpms-openssl-b7eb6f4a5f05@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : b7eb6f4a5f05b02a3442354dca5d93c5578b9378
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2012-11-15T21:11:36+01:00
Stats : +68/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/b7eb6f4a5f05b02a3442354dca5d93c5578b9378?branch=rebase_40beta
Log:
use 1024 bit DH parameters in s_server as 512 bit is not allowed
in FIPS mode and it is quite weak anyway
---
diff --git a/openssl-1.0.1c-dh-1024.patch b/openssl-1.0.1c-dh-1024.patch
new file mode 100644
index 0000000..89f0f04
--- /dev/null
+++ b/openssl-1.0.1c-dh-1024.patch
@@ -0,0 +1,61 @@
+diff -up openssl-1.0.1c/apps/s_server.c.dh1024 openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.dh1024 2012-11-14 20:27:50.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c 2012-11-15 20:56:15.247774465 +0100
+@@ -222,27 +222,31 @@ static void s_server_init(void);
+ #endif
+
+ #ifndef OPENSSL_NO_DH
+-static unsigned char dh512_p[]={
+- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+- 0x47,0x74,0xE8,0x33,
+- };
+-static unsigned char dh512_g[]={
+- 0x02,
+- };
+-
+-static DH *get_dh512(void)
++static DH *get_dh1024()
+ {
+- DH *dh=NULL;
++ static unsigned char dh1024_p[]={
++ 0x99,0x58,0xFA,0x90,0x53,0x2F,0xE0,0x61,0x83,0x9D,0x54,0x63,
++ 0xBD,0x35,0x5A,0x31,0xF3,0xC6,0x79,0xE5,0xA0,0x0F,0x66,0x79,
++ 0x3C,0xA0,0x7F,0xE8,0xA2,0x5F,0xDF,0x11,0x08,0xA3,0xF0,0x3C,
++ 0xC3,0x3C,0x5D,0x50,0x2C,0xD5,0xD6,0x58,0x12,0xDB,0xC1,0xEF,
++ 0xB4,0x47,0x4A,0x5A,0x39,0x8A,0x4E,0xEB,0x44,0xE2,0x07,0xFB,
++ 0x3D,0xA3,0xC7,0x6E,0x52,0xF3,0x2B,0x7B,0x10,0xA5,0x98,0xE3,
++ 0x38,0x2A,0xE2,0x7F,0xA4,0x8F,0x26,0x87,0x9B,0x66,0x7A,0xED,
++ 0x2D,0x4C,0xE7,0x33,0x77,0x47,0x94,0x43,0xB6,0xAA,0x97,0x23,
++ 0x8A,0xFC,0xA5,0xA6,0x64,0x09,0xC0,0x27,0xC0,0xEF,0xCB,0x05,
++ 0x90,0x9D,0xD5,0x75,0xBA,0x00,0xE0,0xFB,0xA8,0x81,0x52,0xA4,
++ 0xB2,0x83,0x22,0x5B,0xCB,0xD7,0x16,0x93,
++ };
++ static unsigned char dh1024_g[]={
++ 0x02,
++ };
++ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
++ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
++ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+- return(NULL);
++ { DH_free(dh); return(NULL); }
+ return(dh);
+ }
+ #endif
+@@ -1657,7 +1661,7 @@ bad:
+ else
+ {
+ BIO_printf(bio_s_out,"Using default temp DH parameters\n");
+- dh=get_dh512();
++ dh=get_dh1024();
+ }
+ (void)BIO_flush(bio_s_out);
+
diff --git a/openssl.spec b/openssl.spec
index 5e74218..51453dc 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
Name: openssl
Version: 1.0.1c
# Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 7%{?dist}
+Release: 8%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -67,6 +67,7 @@ Patch65: openssl-1.0.0e-chil-fixes.patch
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
Patch67: openssl-1.0.0-fips-pkcs8.patch
Patch68: openssl-1.0.1c-secure-getenv.patch
+Patch69: openssl-1.0.1c-dh-1024.patch
# Backported fixes including security fixes
Patch81: openssl-1.0.1-beta2-padlock64.patch
Patch82: openssl-1.0.1c-backports.patch
@@ -171,6 +172,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch66 -p1 -b .krb5
%patch67 -p1 -b .pkcs8
%patch68 -p1 -b .secure-getenv
+%patch69 -p1 -b .dh1024
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .backports
@@ -429,6 +431,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Thu Nov 15 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-8
+- use 1024 bit DH parameters in s_server as 512 bit is not allowed
+ in FIPS mode and it is quite weak anyway
+
* Mon Sep 10 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-7
- add missing initialization of str in aes_ccm_init_key (#853963)
- add important patches from upstream CVS
reply other threads:[~2026-06-09 12:42 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100896491.1.6167759788396376550.rpms-openssl-b7eb6f4a5f05@fedoraproject.org \
--to=tmraz@fedoraproject.org \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox