File curl-allow_md4_and_md5_in_fips_mode.patch of Package curl.9200
From 3d4dea9b4a8ea0f4a4b12523e528b889fbfd6044 Mon Sep 17 00:00:00 2001 From: Marcus Meissner <meissner@suse.de> Date: Tue, 3 Feb 2015 08:58:21 +0100 Subject: [PATCH] The usage of MD5 and MD4 is not allowed by default in FIPS mode. Still valid usages must be flagged accordingly. NTLM uses MD4 and MD5. HTTP Digest auth uses MD5. We could disallow both methods in FIPS mode, but it is currently probably better to add allowance for those methods. --- lib/curl_ntlm_core.c | 14 ++++++++++---- lib/md5.c | 28 +++++++++++++++++++++++----- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index 1bdc823..280cb4d 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -534,10 +534,16 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct SessionHandle *data, { /* Create NT hashed password. */ #ifdef USE_SSLEAY - MD4_CTX MD4pw; - MD4_Init(&MD4pw); - MD4_Update(&MD4pw, pw, 2 * len); - MD4_Final(ntbuffer, &MD4pw); + EVP_MD_CTX MD4pw; + + EVP_MD_CTX_init(&MD4pw); + /* we will be using MD4, which is not allowed under FIPS */ +#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW + EVP_MD_CTX_set_flags(&MD4pw, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); +#endif + EVP_DigestInit_ex(&MD4pw, EVP_md4(), NULL); + EVP_DigestUpdate(&MD4pw, pw, 2 * len); + EVP_DigestFinal(&MD4pw, ntbuffer, NULL); #elif defined(USE_GNUTLS_NETTLE) struct md4_ctx MD4pw; md4_init(&MD4pw); diff --git a/lib/md5.c b/lib/md5.c index af39fd4..bd2fe9f 100644 --- a/lib/md5.c +++ b/lib/md5.c 
@@ -84,11 +84,29 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX * ctx) #elif defined(USE_SSLEAY) /* When OpenSSL is available we use the MD5-function from OpenSSL */ -# ifdef USE_OPENSSL -# include <openssl/md5.h> -# else -# include <md5.h> -# endif +#include <openssl/evp.h> + +/* fips hack */ +#define MD5_CTX EVP_MD_CTX +static void MD5_Init(MD5_CTX *ctx) +{ + EVP_MD_CTX_init(ctx); + /* we will be using MD5, which is not allowed under FIPS */ +#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); +#endif + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); +} + +static void MD5_Update(MD5_CTX *ctx, const void *data, size_t len) +{ + EVP_DigestUpdate(ctx, data, len); +} + +static void MD5_Final(unsigned char *md, MD5_CTX *ctx) +{ + EVP_DigestFinal(ctx,md,NULL); +} #elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
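Review bot: In the lib/curl_ntlm_core.c hunk (Curl_ntlm_core_mk_nt_hash), the return values of EVP_DigestInit_ex, EVP_DigestUpdate and EVP_DigestFinal are discarded, so a failed MD4 init goes unnoticed and ntbuffer is handed on as if it held the NT hash. This matters most on builds where EVP_MD_CTX_FLAG_NON_FIPS_ALLOW is not defined, because the #ifdef then compiles the flag away without any diagnostic. The function already returns CURLcode, so check each EVP call and return an error on failure. The hunk also adds no #include for <openssl/evp.h> in this file; confirm that an existing header already provides the EVP declarations.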
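Review bot: In the lib/md5.c hunk, the new MD5_Init, MD5_Update and MD5_Final wrappers are declared static void and drop the results of EVP_DigestInit_ex, EVP_DigestUpdate and EVP_DigestFinal, so a digest that could not be initialised cannot be reported to the caller. Consider returning the EVP result from the wrappers, or at least from MD5_Init, so callers can fail cleanly. MD5_Init also sets EVP_MD_CTX_FLAG_NON_FIPS_ALLOW for every caller that reaches MD5 through this file, while the commit message justifies the exemption only for NTLM and HTTP Digest; replace the "fips hack" comment with one that states which uses the exemption is meant to cover. The hunk removes the "# else / # include <md5.h>" branch as well, so a USE_SSLEAY build without USE_OPENSSL now depends on <openssl/evp.h>; confirm that is intended.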