From 65ebbaecc744b4901110add61ef741bc562722cd Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 4 Feb 2011 15:27:28 +0100
Subject: [PATCH] - add -x931 parameter to openssl genrsa command to use the ANSI X9.31 key generation method - use FIPS-186-3 method for DSA parameter generation - add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable to allow using MD5 when the system is in the maintenance state even if the /proc fips flag is on - make openssl pkcs12 command work by default in the FIPS mode
---
 openssl-1.0.0c-pkcs12-fips-default.patch | 25 ++++++++++++++++++++++++
 openssl.spec | 3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 openssl-1.0.0c-pkcs12-fips-default.patch
diff --git a/openssl-1.0.0c-pkcs12-fips-default.patch b/openssl-1.0.0c-pkcs12-fips-default.patch
new file mode 100644
index 0000000..a671722
--- /dev/null
+++ b/openssl-1.0.0c-pkcs12-fips-default.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
+--- openssl-1.0.0c/apps/pkcs12.c.fips-default 2009-07-27 23:08:45.000000000 +0200
++++ openssl-1.0.0c/apps/pkcs12.c 2011-02-04 15:25:38.000000000 +0100
+@@ -67,6 +67,9 @@
+ #include
+ #include
+ #include
++#ifdef OPENSSL_FIPS
++#include
++#endif
+ 
+ #define PROG pkcs12_main
+ 
+@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
+ 
+ apps_startup();
+ 
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
++#endif
++
+ enc = EVP_des_ede3_cbc();
+ if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+ 
diff --git a/openssl.spec b/openssl.spec
index 4816e8a..5e606ca 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -67,6 +67,7 @@ Patch55: openssl-1.0.0c-apps-ipv6listen.patch
 Patch56: openssl-1.0.0c-rsa-x931.patch
 Patch57: openssl-1.0.0c-fips186-3.patch
 Patch58: openssl-1.0.0c-fips-md5-allow.patch
+Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
 # Backported fixes including security fixes
 License: OpenSSL
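Review bot: `cert_pbe = key_pbe;` in the second hunk of the new patch ties the FIPS certificate-encryption default to whatever key_pbe holds at that instant instead of naming the algorithm; it runs before option parsing, so it presumably picks up key_pbe's initial 3DES default, but a reader has to look that up elsewhere in pkcs12.c, and any later change to key_pbe's initialiser would silently change this default as well. I would assign the NID directly and say why, `cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; /* RC2-40 default is not FIPS approved; same as -descert */`, which states the intent (the existing `-descert` option, outside the hunk, appears to do exactly this). Note also that the hunk only changes the export default: a PKCS#12 file produced elsewhere with the usual RC2-40 certificate encryption will presumably still be rejected on import in FIPS mode, so the changelog's "work by default" claim is broader than what is delivered and deserves a qualifier. The enclosing MAIN function starts and ends outside the hunk.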
@@ -154,6 +155,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch56 -p1 -b .x931
 %patch57 -p1 -b .fips186-3
 %patch58 -p1 -b .md5-allow
+%patch59 -p1 -b .fips-default
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -410,6 +412,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 - add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable to allow using MD5 when the system is in the maintenance state even if the /proc fips flag is on
+- make openssl pkcs12 command work by default in the FIPS mode
 * Mon Jan 24 2011 Tomas Mraz 1.0.0c-2
 - listen on ipv6 wildcard in s_server so we accept connections