* [rpms/openssl] rebase_40beta: use 1024 bit DH parameters in s_server as 512 bit is not allowed
@ 2026-06-09 12:42 Tomas Mraz
From: Tomas Mraz @ 2026-06-09 12:42 UTC (permalink / raw)
  To: git-commits

          A new commit has been pushed.

          Repo   : rpms/openssl
          Branch : rebase_40beta
          Commit : b7eb6f4a5f05b02a3442354dca5d93c5578b9378
          Author : Tomas Mraz <tmraz@fedoraproject.org>
          Date   : 2012-11-15T21:11:36+01:00
          Stats  : +68/-1 in 2 file(s)
          URL    : https://src.fedoraproject.org/rpms/openssl/c/b7eb6f4a5f05b02a3442354dca5d93c5578b9378?branch=rebase_40beta

          Log:
          use 1024 bit DH parameters in s_server as 512 bit is not allowed

in FIPS mode and it is quite weak anyway

---
diff --git a/openssl-1.0.1c-dh-1024.patch b/openssl-1.0.1c-dh-1024.patch
new file mode 100644
index 0000000..89f0f04
--- /dev/null
+++ b/openssl-1.0.1c-dh-1024.patch
@@ -0,0 +1,61 @@
+diff -up openssl-1.0.1c/apps/s_server.c.dh1024 openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.dh1024	2012-11-14 20:27:50.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c	2012-11-15 20:56:15.247774465 +0100
+@@ -222,27 +222,31 @@ static void s_server_init(void);
+ #endif
+ 
+ #ifndef OPENSSL_NO_DH
+-static unsigned char dh512_p[]={
+-	0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+-	0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+-	0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+-	0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+-	0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+-	0x47,0x74,0xE8,0x33,
+-	};
+-static unsigned char dh512_g[]={
+-	0x02,
+-	};
+-
+-static DH *get_dh512(void)
++static DH *get_dh1024()
+ 	{
+-	DH *dh=NULL;
++	static unsigned char dh1024_p[]={
++		0x99,0x58,0xFA,0x90,0x53,0x2F,0xE0,0x61,0x83,0x9D,0x54,0x63,
++		0xBD,0x35,0x5A,0x31,0xF3,0xC6,0x79,0xE5,0xA0,0x0F,0x66,0x79,
++		0x3C,0xA0,0x7F,0xE8,0xA2,0x5F,0xDF,0x11,0x08,0xA3,0xF0,0x3C,
++		0xC3,0x3C,0x5D,0x50,0x2C,0xD5,0xD6,0x58,0x12,0xDB,0xC1,0xEF,
++		0xB4,0x47,0x4A,0x5A,0x39,0x8A,0x4E,0xEB,0x44,0xE2,0x07,0xFB,
++		0x3D,0xA3,0xC7,0x6E,0x52,0xF3,0x2B,0x7B,0x10,0xA5,0x98,0xE3,
++		0x38,0x2A,0xE2,0x7F,0xA4,0x8F,0x26,0x87,0x9B,0x66,0x7A,0xED,
++		0x2D,0x4C,0xE7,0x33,0x77,0x47,0x94,0x43,0xB6,0xAA,0x97,0x23,
++		0x8A,0xFC,0xA5,0xA6,0x64,0x09,0xC0,0x27,0xC0,0xEF,0xCB,0x05,
++		0x90,0x9D,0xD5,0x75,0xBA,0x00,0xE0,0xFB,0xA8,0x81,0x52,0xA4,
++		0xB2,0x83,0x22,0x5B,0xCB,0xD7,0x16,0x93,
++		};
++	static unsigned char dh1024_g[]={
++		0x02,
++		};
++	DH *dh;
+ 
+ 	if ((dh=DH_new()) == NULL) return(NULL);
+-	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+-	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
++	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
++	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+ 	if ((dh->p == NULL) || (dh->g == NULL))
+-		return(NULL);
++		{ DH_free(dh); return(NULL); }
+ 	return(dh);
+ 	}
+ #endif
+@@ -1657,7 +1661,7 @@ bad:
+ 		else
+ 			{
+ 			BIO_printf(bio_s_out,"Using default temp DH parameters\n");
+-			dh=get_dh512();
++			dh=get_dh1024();
+ 			}
+ 		(void)BIO_flush(bio_s_out);
+ 
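Review bot: The compiled-in group in `get_dh1024` has no comment saying where `dh1024_p` came from or whether it is a safe prime, and since it is the silent fallback behind the "Using default temp DH parameters" message, every build that does not supply its own parameters shares this one 1024-bit group. 1024 bits is only the floor the commit message cites for FIPS mode, and a single widely shared group is where precomputation against the prime pays off. I would record the origin and steer users to their own parameters, e.g. `/* 1024-bit DH group, g=2; origin: <how generated>. Shared fallback only; supply your own >= 2048-bit parameters with -dhparam. */`. Separately, the new definition drops the `void` the old one had; `static DH *get_dh1024(void)` keeps it a real prototype. If a forward declaration of `get_dh512` remains above the hunk (not visible here), it should be renamed or removed as well.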

diff --git a/openssl.spec b/openssl.spec
index 5e74218..51453dc 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
 Name: openssl
 Version: 1.0.1c
 # Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -67,6 +67,7 @@ Patch65: openssl-1.0.0e-chil-fixes.patch
 Patch66: openssl-1.0.1-pkgconfig-krb5.patch
 Patch67: openssl-1.0.0-fips-pkcs8.patch
 Patch68: openssl-1.0.1c-secure-getenv.patch
+Patch69: openssl-1.0.1c-dh-1024.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.1-beta2-padlock64.patch
 Patch82: openssl-1.0.1c-backports.patch
@@ -171,6 +172,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch66 -p1 -b .krb5
 %patch67 -p1 -b .pkcs8
 %patch68 -p1 -b .secure-getenv
+%patch69 -p1 -b .dh1024
 
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .backports
@@ -429,6 +431,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Nov 15 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-8
+- use 1024 bit DH parameters in s_server as 512 bit is not allowed
+  in FIPS mode and it is quite weak anyway
+
 * Mon Sep 10 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-7
 - add missing initialization of str in aes_ccm_init_key (#853963)
 - add important patches from upstream CVS
