public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Use the well known DH groups in TLS
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; only message in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 9833eff277926e0c2ad4654814bca992d4dd0747
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2020-05-26T09:28:42+02:00
Stats : +123/-23 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/9833eff277926e0c2ad4654814bca992d4dd0747?branch=rebase_40beta
Log:
Use the well known DH groups in TLS
---
diff --git a/openssl-1.1.1-fips-dh.patch b/openssl-1.1.1-fips-dh.patch
index a42fa44..cf59ca5 100644
--- a/openssl-1.1.1-fips-dh.patch
+++ b/openssl-1.1.1-fips-dh.patch
@@ -1,6 +1,6 @@
diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn_const.c
--- openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/bn/bn_const.c 2020-05-25 18:26:46.551079694 +0200
++++ openssl-1.1.1g/crypto/bn/bn_const.c 2020-05-25 18:41:00.478262334 +0200
@@ -1,13 +1,17 @@
/*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
@@ -479,7 +479,7 @@ diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn
}
diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh.c
--- openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/bn/bn_dh.c 2020-05-25 18:26:46.552079703 +0200
++++ openssl-1.1.1g/crypto/bn/bn_dh.c 2020-05-25 18:41:00.480262350 +0200
@@ -1,7 +1,7 @@
/*
- * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved.
@@ -1958,7 +1958,7 @@ diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh
+#endif /* OPENSSL_NO_DH */
diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh_check.c
--- openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_check.c 2020-05-25 18:30:28.767949811 +0200
++++ openssl-1.1.1g/crypto/dh/dh_check.c 2020-05-25 18:41:00.481262359 +0200
@@ -10,6 +10,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
@@ -1999,8 +1999,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh
if (ctx == NULL)
goto err;
diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_gen.c
---- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh 2020-05-25 18:26:46.474079046 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_gen.c 2020-05-25 18:31:23.679411590 +0200
+--- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh 2020-05-25 18:41:00.255260458 +0200
++++ openssl-1.1.1g/crypto/dh/dh_gen.c 2020-05-25 18:41:00.481262359 +0200
@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i
BN_GENCB *cb)
{
@@ -2031,8 +2031,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_g
if (ctx == NULL)
goto err;
diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_key.c
---- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh 2020-05-25 18:26:46.474079046 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_key.c 2020-05-25 18:34:27.954961317 +0200
+--- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh 2020-05-25 18:41:00.255260458 +0200
++++ openssl-1.1.1g/crypto/dh/dh_key.c 2020-05-25 18:41:00.482262367 +0200
@@ -100,10 +100,18 @@ static int generate_key(DH *dh)
BIGNUM *pub_key = NULL, *priv_key = NULL;
@@ -2075,7 +2075,7 @@ diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_k
goto err;
diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_lib.c
--- openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_lib.c 2020-05-25 18:26:46.552079703 +0200
++++ openssl-1.1.1g/crypto/dh/dh_lib.c 2020-05-25 18:41:00.482262367 +0200
@@ -86,6 +86,8 @@ DH *DH_new_method(ENGINE *engine)
goto err;
}
@@ -2097,8 +2097,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_l
}
diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh_local.h
---- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh 2020-05-25 18:26:46.235077034 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_local.h 2020-05-25 18:26:46.552079703 +0200
+--- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh 2020-05-25 18:40:59.396253234 +0200
++++ openssl-1.1.1g/crypto/dh/dh_local.h 2020-05-25 18:41:00.482262367 +0200
@@ -35,6 +35,7 @@ struct dh_st {
const DH_METHOD *meth;
ENGINE *engine;
@@ -2115,7 +2115,7 @@ diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh
+void dh_cache_nid(DH *dh);
diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/dh_rfc7919.c
--- openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c 2020-05-25 18:37:58.593732734 +0200
++++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c 2020-05-25 18:41:00.483262376 +0200
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
@@ -2281,8 +2281,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/
+ }
+}
diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/objects/obj_dat.h
---- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh 2020-05-25 18:26:46.542079618 +0200
-+++ openssl-1.1.1g/crypto/objects/obj_dat.h 2020-05-25 18:26:46.553079711 +0200
+--- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh 2020-05-25 18:41:00.452262115 +0200
++++ openssl-1.1.1g/crypto/objects/obj_dat.h 2020-05-25 18:41:00.485262392 +0200
@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
};
@@ -2345,8 +2345,8 @@ diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/o
173, /* "name" */
681, /* "onBasis" */
diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto/objects/objects.txt
---- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh 2020-05-25 18:26:46.542079618 +0200
-+++ openssl-1.1.1g/crypto/objects/objects.txt 2020-05-25 18:26:46.553079711 +0200
+--- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh 2020-05-25 18:41:00.453262123 +0200
++++ openssl-1.1.1g/crypto/objects/objects.txt 2020-05-25 18:41:00.486262401 +0200
@@ -1657,6 +1657,13 @@ id-pkinit 5 : pkInit
: ffdhe4096
: ffdhe6144
@@ -2362,8 +2362,8 @@ diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto
# OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17)
diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto/objects/obj_mac.num
---- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh 2020-05-25 18:26:46.542079618 +0200
-+++ openssl-1.1.1g/crypto/objects/obj_mac.num 2020-05-25 18:26:46.553079711 +0200
+--- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh 2020-05-25 18:41:00.453262123 +0200
++++ openssl-1.1.1g/crypto/objects/obj_mac.num 2020-05-25 18:41:00.486262401 +0200
@@ -1196,3 +1196,9 @@ sshkdf 1195
kbkdf 1196
krb5kdf 1197
@@ -2376,7 +2376,7 @@ diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto
+modp_8192 1204
diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/man3/DH_new_by_nid.pod
--- openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod 2020-05-25 18:26:46.554079719 +0200
++++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod 2020-05-25 18:41:00.487262409 +0200
@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find
#include <openssl/dh.h>
@@ -2397,7 +2397,7 @@ diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/ma
any named set. It returns the NID corresponding to the matching parameters or
diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod
--- openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod 2020-05-25 18:26:46.554079719 +0200
++++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod 2020-05-25 18:41:00.487262409 +0200
@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets
If B<pad> is zero (the default) then no padding is performed.
@@ -2416,7 +2416,7 @@ diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/do
The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are
diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/crypto/bn_dh.h
--- openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/include/crypto/bn_dh.h 2020-05-25 18:26:46.554079719 +0200
++++ openssl-1.1.1g/include/crypto/bn_dh.h 2020-05-25 18:41:00.488262418 +0200
@@ -1,7 +1,7 @@
/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
@@ -2466,8 +2466,8 @@ diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/cr
+extern const BIGNUM _bignum_modp_6144_q;
+extern const BIGNUM _bignum_modp_8192_q;
diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include/openssl/obj_mac.h
---- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh 2020-05-25 18:26:46.543079627 +0200
-+++ openssl-1.1.1g/include/openssl/obj_mac.h 2020-05-25 18:26:46.554079719 +0200
+--- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh 2020-05-25 18:41:00.458262165 +0200
++++ openssl-1.1.1g/include/openssl/obj_mac.h 2020-05-25 18:41:00.489262426 +0200
@@ -5115,6 +5115,24 @@
#define SN_ffdhe8192 "ffdhe8192"
#define NID_ffdhe8192 1130
@@ -2493,3 +2493,100 @@ diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include
#define SN_ISO_UA "ISO-UA"
#define NID_ISO_UA 1150
#define OBJ_ISO_UA OBJ_member_body,804L
+diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
+--- openssl-1.1.1g/ssl/s3_lib.c.fips-dh 2020-05-25 18:41:00.318260988 +0200
++++ openssl-1.1.1g/ssl/s3_lib.c 2020-05-26 08:52:28.102535244 +0200
+@@ -4858,13 +4858,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey
+ EVP_PKEY *ssl_dh_to_pkey(DH *dh)
+ {
+ EVP_PKEY *ret;
++ DH *dhp = NULL;
++
+ if (dh == NULL)
+ return NULL;
++
++ if (FIPS_mode() && DH_get_nid(dh) == NID_undef) {
++ int bits = DH_bits(dh);
++ BIGNUM *p, *g;
++
++ dhp = DH_new();
++ if (dhp == NULL)
++ return NULL;
++ g = BN_new();
++ if (g == NULL || !BN_set_word(g, 2)) {
++ DH_free(dhp);
++ BN_free(g);
++ return NULL;
++ }
++
++ if (bits >= 7000)
++ p = BN_get_rfc3526_prime_8192(NULL);
++ else if (bits >= 5000)
++ p = BN_get_rfc3526_prime_6144(NULL);
++ else if (bits >= 3800)
++ p = BN_get_rfc3526_prime_4096(NULL);
++ else if (bits >= 2500)
++ p = BN_get_rfc3526_prime_3072(NULL);
++ else
++ p = BN_get_rfc3526_prime_2048(NULL);
++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
++ DH_free(dhp);
++ BN_free(p);
++ BN_free(g);
++ return NULL;
++ }
++ dh = dhp;
++ }
++
+ ret = EVP_PKEY_new();
+ if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
++ DH_free(dhp);
+ EVP_PKEY_free(ret);
+ return NULL;
+ }
++ DH_free(dhp);
+ return ret;
+ }
+ #endif
+diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-05-25 18:41:00.470262266 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-26 08:48:55.619713737 +0200
+@@ -2482,7 +2482,7 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
+ DH *ssl_get_auto_dh(SSL *s)
+ {
+ int dh_secbits = 80;
+- if (s->cert->dh_tmp_auto == 2)
++ if (!FIPS_mode() && s->cert->dh_tmp_auto == 2)
+ return DH_get_1024_160();
+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+ if (s->s3->tmp.new_cipher->strength_bits == 256)
+@@ -2495,7 +2495,7 @@ DH *ssl_get_auto_dh(SSL *s)
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ }
+
+- if (dh_secbits >= 128) {
++ if (dh_secbits >= 112 || FIPS_mode()) {
+ DH *dhp = DH_new();
+ BIGNUM *p, *g;
+ if (dhp == NULL)
+@@ -2508,8 +2508,10 @@ DH *ssl_get_auto_dh(SSL *s)
+ }
+ if (dh_secbits >= 192)
+ p = BN_get_rfc3526_prime_8192(NULL);
+- else
++ else if (dh_secbits >= 128)
+ p = BN_get_rfc3526_prime_3072(NULL);
++ else
++ p = BN_get_rfc3526_prime_2048(NULL);
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+ DH_free(dhp);
+ BN_free(p);
+@@ -2518,8 +2520,6 @@ DH *ssl_get_auto_dh(SSL *s)
+ }
+ return dhp;
+ }
+- if (dh_secbits >= 112)
+- return DH_get_2048_224();
+ return DH_get_1024_160();
+ }
+ #endif
diff --git a/openssl.spec b/openssl.spec
index 13e5ada..714b1d0 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1g
-Release: 6%{?dist}
+Release: 7%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -467,6 +467,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Tue May 28 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
+- Use the well known DH groups in TLS
+
* Mon May 25 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
- Allow only well known DH groups in the FIPS mode
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:44 [rpms/openssl] rebase_40beta: Use the well known DH groups in TLS Tomas Mraz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox