forked from rpms/openssl
FIPS mode fixes for TLS
This commit is contained in:
parent
21909a4d4c
commit
836560b322
@ -12018,6 +12018,28 @@ diff -up openssl-1.1.0c/include/openssl/rsa.h.fips openssl-1.1.0c/include/openss
|
|||||||
# define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
|
# define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
|
||||||
# define RSA_R_PADDING_CHECK_FAILED 114
|
# define RSA_R_PADDING_CHECK_FAILED 114
|
||||||
# define RSA_R_PKCS_DECODING_ERROR 159
|
# define RSA_R_PKCS_DECODING_ERROR 159
|
||||||
|
diff -up openssl-1.1.0c/ssl/ssl_ciph.c.fips openssl-1.1.0c/ssl/ssl_ciph.c
|
||||||
|
--- openssl-1.1.0c/ssl/ssl_ciph.c.fips 2016-11-30 15:31:14.000000000 +0100
|
||||||
|
+++ openssl-1.1.0c/ssl/ssl_ciph.c 2016-12-02 16:01:58.250067386 +0100
|
||||||
|
@@ -404,7 +404,8 @@ void ssl_load_ciphers(void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* Make sure we can access MD5 and SHA1 */
|
||||||
|
- OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
|
||||||
|
+ if (!FIPS_mode())
|
||||||
|
+ OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
|
||||||
|
OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
|
||||||
|
|
||||||
|
disabled_mkey_mask = 0;
|
||||||
|
@@ -687,7 +688,7 @@ static void ssl_cipher_collect_ciphers(c
|
||||||
|
/* drop those that use any of that is not available */
|
||||||
|
if (c == NULL || !c->valid)
|
||||||
|
continue;
|
||||||
|
- if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
|
||||||
|
+ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
|
||||||
|
continue;
|
||||||
|
if ((c->algorithm_mkey & disabled_mkey) ||
|
||||||
|
(c->algorithm_auth & disabled_auth) ||
|
||||||
diff -up openssl-1.1.0c/ssl/ssl_init.c.fips openssl-1.1.0c/ssl/ssl_init.c
|
diff -up openssl-1.1.0c/ssl/ssl_init.c.fips openssl-1.1.0c/ssl/ssl_init.c
|
||||||
--- openssl-1.1.0c/ssl/ssl_init.c.fips 2016-11-10 15:03:46.000000000 +0100
|
--- openssl-1.1.0c/ssl/ssl_init.c.fips 2016-11-10 15:03:46.000000000 +0100
|
||||||
+++ openssl-1.1.0c/ssl/ssl_init.c 2016-11-11 13:31:51.379604771 +0100
|
+++ openssl-1.1.0c/ssl/ssl_init.c 2016-11-11 13:31:51.379604771 +0100
|
||||||
@ -12064,6 +12086,34 @@ diff -up openssl-1.1.0c/ssl/ssl_init.c.fips openssl-1.1.0c/ssl/ssl_init.c
|
|||||||
#ifndef OPENSSL_NO_COMP
|
#ifndef OPENSSL_NO_COMP
|
||||||
# ifdef OPENSSL_INIT_DEBUG
|
# ifdef OPENSSL_INIT_DEBUG
|
||||||
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
|
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
|
||||||
|
diff -up openssl-1.1.0c/ssl/ssl_lib.c.fips openssl-1.1.0c/ssl/ssl_lib.c
|
||||||
|
--- openssl-1.1.0c/ssl/ssl_lib.c.fips 2016-11-30 15:31:14.000000000 +0100
|
||||||
|
+++ openssl-1.1.0c/ssl/ssl_lib.c 2016-12-02 16:31:12.108604595 +0100
|
||||||
|
@@ -2405,13 +2405,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||||
|
if (ret->param == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
|
||||||
|
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
|
||||||
|
- goto err2;
|
||||||
|
- }
|
||||||
|
- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
|
||||||
|
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
|
||||||
|
- goto err2;
|
||||||
|
+ if (!FIPS_mode()) {
|
||||||
|
+ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
|
||||||
|
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
|
||||||
|
+ goto err2;
|
||||||
|
+ }
|
||||||
|
+ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
|
||||||
|
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
|
||||||
|
+ goto err2;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ ret->min_proto_version = TLS1_VERSION;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
|
||||||
diff -up openssl-1.1.0c/test/dsatest.c.fips openssl-1.1.0c/test/dsatest.c
|
diff -up openssl-1.1.0c/test/dsatest.c.fips openssl-1.1.0c/test/dsatest.c
|
||||||
--- openssl-1.1.0c/test/dsatest.c.fips 2016-11-10 15:03:47.000000000 +0100
|
--- openssl-1.1.0c/test/dsatest.c.fips 2016-11-10 15:03:47.000000000 +0100
|
||||||
+++ openssl-1.1.0c/test/dsatest.c 2016-11-11 13:31:51.380604793 +0100
|
+++ openssl-1.1.0c/test/dsatest.c 2016-11-11 13:31:51.380604793 +0100
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.0c
|
Version: 1.1.0c
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -430,6 +430,9 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 2 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-4
|
||||||
|
- FIPS mode fixes for TLS
|
||||||
|
|
||||||
* Wed Nov 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-3
|
* Wed Nov 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-3
|
||||||
- revert SSL_read() behavior change - patch from upstream (#1394677)
|
- revert SSL_read() behavior change - patch from upstream (#1394677)
|
||||||
- fix behavior on client certificate request in renegotiation (#1393579)
|
- fix behavior on client certificate request in renegotiation (#1393579)
|
||||||
|
Loading…
Reference in New Issue
Block a user