make 3des strength to be 128 bits instead of 168 (#1056616)
This commit is contained in:
parent
519fe2cc24
commit
40825564d8
171
openssl-1.0.1e-3des-strength.patch
Normal file
171
openssl-1.0.1e-3des-strength.patch
Normal file
@ -0,0 +1,171 @@
|
|||||||
|
Although the real strength is rather 112 bits we use 128 here as
|
||||||
|
we do not want to sort it behind more obscure ciphers.
|
||||||
|
AES-128 is preferred anyway.
|
||||||
|
diff -up openssl-1.0.1e/ssl/s2_lib.c.3des-strength openssl-1.0.1e/ssl/s2_lib.c
|
||||||
|
--- openssl-1.0.1e/ssl/s2_lib.c.3des-strength 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s2_lib.c 2014-01-22 16:32:45.791700322 +0100
|
||||||
|
@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||||
|
SSL_SSLV2,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH,
|
||||||
|
0,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
|
||||||
|
--- openssl-1.0.1e/ssl/s3_lib.c.3des-strength 2014-01-17 11:41:11.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s3_lib.c 2014-01-22 16:31:14.713666777 +0100
|
||||||
|
@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_SSLV3,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2432,7 +2432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
||||||
|
@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||||
|
SSL_TLSV1,
|
||||||
|
SSL_NOT_EXP|SSL_HIGH,
|
||||||
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
|
- 168,
|
||||||
|
+ 128,
|
||||||
|
168,
|
||||||
|
},
|
||||||
|
|
@ -21,7 +21,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1e
|
Version: 1.0.1e
|
||||||
Release: 37%{?dist}
|
Release: 38%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -78,6 +78,7 @@ Patch74: openssl-1.0.1e-no-md5-verify.patch
|
|||||||
Patch75: openssl-1.0.1e-compat-symbols.patch
|
Patch75: openssl-1.0.1e-compat-symbols.patch
|
||||||
Patch76: openssl-1.0.1e-new-fips-reqs.patch
|
Patch76: openssl-1.0.1e-new-fips-reqs.patch
|
||||||
Patch77: openssl-1.0.1e-weak-ciphers.patch
|
Patch77: openssl-1.0.1e-weak-ciphers.patch
|
||||||
|
Patch78: openssl-1.0.1e-3des-strength.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
||||||
Patch82: openssl-1.0.1e-backports.patch
|
Patch82: openssl-1.0.1e-backports.patch
|
||||||
@ -199,6 +200,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||||||
%patch75 -p1 -b .compat
|
%patch75 -p1 -b .compat
|
||||||
%patch76 -p1 -b .fips-reqs
|
%patch76 -p1 -b .fips-reqs
|
||||||
%patch77 -p1 -b .weak-ciphers
|
%patch77 -p1 -b .weak-ciphers
|
||||||
|
%patch78 -p1 -b .3des-strength
|
||||||
|
|
||||||
%patch81 -p1 -b .padlock64
|
%patch81 -p1 -b .padlock64
|
||||||
%patch82 -p1 -b .backports
|
%patch82 -p1 -b .backports
|
||||||
@ -472,6 +474,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
|
||||||
|
- make 3des strength to be 128 bits instead of 168 (#1056616)
|
||||||
|
|
||||||
* Tue Jan 7 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-37
|
* Tue Jan 7 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-37
|
||||||
- fix CVE-2013-4353 - Invalid TLS handshake crash
|
- fix CVE-2013-4353 - Invalid TLS handshake crash
|
||||||
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
|
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
|
||||||
|
Loading…
Reference in New Issue
Block a user