From 105eb2ce8f4bebccb9970719724b41e06939ff0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Sat, 17 Jan 2009 19:31:29 +0000 Subject: [PATCH] - no pairwise key tests in non-fips mode (#479817) --- openssl-0.9.8j-fips-no-pairwise.patch | 24 ++++++++++++++++++++++++ openssl.spec | 7 ++++++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 openssl-0.9.8j-fips-no-pairwise.patch diff --git a/openssl-0.9.8j-fips-no-pairwise.patch b/openssl-0.9.8j-fips-no-pairwise.patch new file mode 100644 index 0000000..e6c2f73 --- /dev/null +++ b/openssl-0.9.8j-fips-no-pairwise.patch @@ -0,0 +1,24 @@ +diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c +--- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100 ++++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100 +@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa, + if (fips_rsa_pairwise_fail) + BN_add_word(rsa->n, 1); + +- if(!fips_check_rsa(rsa)) ++ if(FIPS_mode() && !fips_check_rsa(rsa)) + goto err; + + ok=1; +diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c +--- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200 ++++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100 +@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa) + dsa->pub_key=pub_key; + if (fips_dsa_pairwise_fail) + BN_add_word(dsa->pub_key, 1); +- if(!fips_check_dsa(dsa)) ++ if(FIPS_mode() && !fips_check_dsa(dsa)) + goto err; + ok=1; + diff --git a/openssl.spec b/openssl.spec index 13d07c4..a95e063 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 0.9.8j -Release: 3%{?dist} +Release: 4%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-usa.tar.bz2 @@ -63,6 +63,7 @@ Patch45: openssl-0.9.8j-env-nozlib.patch Patch46: openssl-0.9.8j-eap-fast.patch Patch47: openssl-0.9.8j-readme-warning.patch Patch48: openssl-0.9.8j-bad-mime.patch +Patch49: openssl-0.9.8j-fips-no-pairwise.patch # Backported fixes including security fixes License: OpenSSL @@ -146,6 +147,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch46 -p1 -b .eap-fast %patch47 -p1 -b .warning %patch48 -p1 -b .bad-mime +%patch49 -p1 -b .no-pairwise # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -412,6 +414,9 @@ fi /sbin/ldconfig -X %changelog +* Sat Jan 16 2009 Tomas Mraz 0.9.8j-4 +- no pairwise key tests in non-fips mode (#479817) + * Fri Jan 16 2009 Tomas Mraz 0.9.8j-3 - even more robust test for the temporary symlinks