- add -x931 parameter to openssl genrsa command to use the ANSI X9.31
key generation method - use FIPS-186-3 method for DSA parameter generation - add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable to allow using MD5 when the system is in the maintenance state even if the /proc fips flag is on - make openssl pkcs12 command work by default in the FIPS mode
parent
15fad7109b
commit
65ebbaecc7
25
openssl-1.0.0c-pkcs12-fips-default.patch
Normal file
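--- a/openssl-1.0.0c-pkcs12-fips-default.patch
+++ b/openssl-1.0.0c-pkcs12-fips-default.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
+--- openssl-1.0.0c/apps/pkcs12.c.fips-default 2009-07-27 23:08:45.000000000 +0200
++++ openssl-1.0.0c/apps/pkcs12.c 2011-02-04 15:25:38.000000000 +0100
+@@ -67,6 +67,9 @@
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+#define PROG pkcs12_main
+
+@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
+
+apps_startup();
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
++#endif
++
+enc = EVP_des_ede3_cbc();
+if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+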
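Review bot: The assignment `cert_pbe = key_pbe;` after `apps_startup()` relies on `key_pbe` still holding its initializer, which is declared outside this hunk, so the algorithm the certificate bags end up with in FIPS mode cannot be read from the new lines. If the key default is indeed 3DES, naming it explicitly, `cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;`, would keep the FIPS default from silently following any later change to `key_pbe`. The override also runs before option parsing (not visible here), so a later `-certpbe` argument can presumably still request a non-approved PBE. A comment such as `/* FIPS: RC2 unavailable, default cert PBE to the key PBE; -certpbe may still override */` would record that intent. The body of `MAIN` starts and ends outside the hunk.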
@ -67,6 +67,7 @@ Patch55: openssl-1.0.0c-apps-ipv6listen.patch
|
|||||||
Patch56: openssl-1.0.0c-rsa-x931.patch
|
Patch56: openssl-1.0.0c-rsa-x931.patch
|
||||||
Patch57: openssl-1.0.0c-fips186-3.patch
|
Patch57: openssl-1.0.0c-fips186-3.patch
|
||||||
Patch58: openssl-1.0.0c-fips-md5-allow.patch
|
Patch58: openssl-1.0.0c-fips-md5-allow.patch
|
||||||
|
Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
@ -154,6 +155,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
%patch56 -p1 -b .x931
|
%patch56 -p1 -b .x931
|
||||||
%patch57 -p1 -b .fips186-3
|
%patch57 -p1 -b .fips186-3
|
||||||
%patch58 -p1 -b .md5-allow
|
%patch58 -p1 -b .md5-allow
|
||||||
|
%patch59 -p1 -b .fips-default
|
||||||
|
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
@ -410,6 +412,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
|
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
|
||||||
to allow using MD5 when the system is in the maintenance state
|
to allow using MD5 when the system is in the maintenance state
|
||||||
even if the /proc fips flag is on
|
even if the /proc fips flag is on
|
||||||
|
- make openssl pkcs12 command work by default in the FIPS mode
|
||||||
|
|
||||||
* Mon Jan 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-2
|
* Mon Jan 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-2
|
||||||
- listen on ipv6 wildcard in s_server so we accept connections
|
- listen on ipv6 wildcard in s_server so we accept connections
|
||||||
|