Here's the other way of patching it. I don't like this way as much because it
requires more work in the future (when updating unbound/nsd and ports).
Index: usr.sbin/nsd/nsd-control.c
===================================================================
RCS file: /cvs/src/usr.sbin/nsd/nsd-control.c,v
retrieving revision 1.17
diff -u -p -u -p -r1.17 nsd-control.c
--- usr.sbin/nsd/nsd-control.c 30 Jun 2022 10:49:39 -0000 1.17
+++ usr.sbin/nsd/nsd-control.c 5 Feb 2023 21:55:14 -0000
@@ -184,11 +184,11 @@ setup_ctx(struct nsd_options* cfg)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
- ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+ SSL_OP_NO_CLIENT_RENEGOTIATION) !=
SSL_OP_NO_CLIENT_RENEGOTIATION)
+ ssl_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
#endif
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM))
ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
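Review bot: Changing the guard on the first added line to `#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)` means that on a libssl which only defines `SSL_OP_NO_RENEGOTIATION` (OpenSSL) the whole block is compiled out and renegotiation is left enabled, with nothing at build time to show it; the same applies to the server.c, unbound-control.c and both net_help.c hunks (listen_sslctx_setup and connect_sslctx_create). If the goal is to keep the protection on both libraries without touching the library headers, a compat alias placed before the original guard does it in three lines: `#if !defined(SSL_OP_NO_RENEGOTIATION) && defined(SSL_OP_NO_CLIENT_RENEGOTIATION)` / `#define SSL_OP_NO_RENEGOTIATION SSL_OP_NO_CLIENT_RENEGOTIATION` / `#endif`, leaving the `#if defined(SSL_OP_NO_RENEGOTIATION)` block as it was; failing that, an `#else` with a `#warning` would at least make the gap visible. As I understand the LibreSSL option, `SSL_OP_NO_CLIENT_RENEGOTIATION` only rejects renegotiation requests arriving at a server, so for the client-side contexts built in setup_ctx here, in unbound-control.c, and in connect_sslctx_create it may not be an exact stand-in for OpenSSL's `SSL_OP_NO_RENEGOTIATION`, which also stops a client honouring a server's HelloRequest — worth confirming before relying on the comment "disable client renegotiation". Separately, the `!= SSL_OP_NO_CLIENT_RENEGOTIATION)` continuation in this and the other hunks sits on a line without a diff marker, which the `+184,11` count only reconciles if it is a mail-wrapped half of the preceding `+` line, so the patch will need those lines rejoined before it applies. setup_ctx continues outside the hunk.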
Index: usr.sbin/nsd/server.c
===================================================================
RCS file: /cvs/src/usr.sbin/nsd/server.c,v
retrieving revision 1.49
diff -u -p -u -p -r1.49 server.c
--- usr.sbin/nsd/server.c 14 Nov 2022 21:09:32 -0000 1.49
+++ usr.sbin/nsd/server.c 5 Feb 2023 21:55:15 -0000
@@ -2003,11 +2003,11 @@ server_tls_ctx_setup(char* key, char* pe
return 0;
}
#endif
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
- log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+ SSL_OP_NO_CLIENT_RENEGOTIATION) !=
SSL_OP_NO_CLIENT_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
SSL_CTX_free(ctx);
return 0;
}
Index: usr.sbin/unbound/smallapp/unbound-control.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-control.c,v
retrieving revision 1.25
diff -u -p -u -p -r1.25 unbound-control.c
--- usr.sbin/unbound/smallapp/unbound-control.c 20 Oct 2022 08:26:14 -0000
1.25
+++ usr.sbin/unbound/smallapp/unbound-control.c 5 Feb 2023 21:55:15 -0000
@@ -538,11 +538,11 @@ setup_ctx(struct config_file* cfg)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
- ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+ SSL_OP_NO_CLIENT_RENEGOTIATION) !=
SSL_OP_NO_CLIENT_RENEGOTIATION)
+ ssl_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
#endif
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
Index: usr.sbin/unbound/util/net_help.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/net_help.c,v
retrieving revision 1.28
diff -u -p -u -p -r1.28 net_help.c
--- usr.sbin/unbound/util/net_help.c 20 Oct 2022 08:26:14 -0000 1.28
+++ usr.sbin/unbound/util/net_help.c 5 Feb 2023 21:55:15 -0000
@@ -989,11 +989,11 @@ listen_sslctx_setup(void* ctxt)
return 0;
}
#endif
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
- log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+ SSL_OP_NO_CLIENT_RENEGOTIATION) !=
SSL_OP_NO_CLIENT_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
return 0;
}
#endif
@@ -1225,11 +1225,11 @@ void* connect_sslctx_create(char* key, c
SSL_CTX_free(ctx);
return NULL;
}
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
- log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+ SSL_OP_NO_CLIENT_RENEGOTIATION) !=
SSL_OP_NO_CLIENT_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
SSL_CTX_free(ctx);
return 0;
}
Index: sbin/unwind/libunbound/util/net_help.c
===================================================================
RCS file: /cvs/src/sbin/unwind/libunbound/util/net_help.c,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 net_help.c
--- sbin/unwind/libunbound/util/net_help.c 22 Oct 2022 16:37:57 -0000
1.16
+++ sbin/unwind/libunbound/util/net_help.c 5 Feb 2023 21:55:15 -0000
@@ -989,11 +989,11 @@ listen_sslctx_setup(void* ctxt)
return 0;
}
#endif
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
- log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+ SSL_OP_NO_CLIENT_RENEGOTIATION) !=
SSL_OP_NO_CLIENT_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
return 0;
}
#endif
@@ -1225,11 +1225,11 @@ void* connect_sslctx_create(char* key, c
SSL_CTX_free(ctx);
return NULL;
}
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
- SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
- log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+ SSL_OP_NO_CLIENT_RENEGOTIATION) !=
SSL_OP_NO_CLIENT_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
SSL_CTX_free(ctx);
return 0;
}