File openssh-fips-moduli-skip-filtering-nonfips.patch of Package openssh-testuser.26950

Overview Repositories Revisions Requests Users Attributes Meta

File openssh-fips-moduli-skip-filtering-nonfips.patch of Package openssh-testuser.26950

From 6d0cf94866a10d7b73a63195ad2ec512e5615ced Mon Sep 17 00:00:00 2001
From: Hans Petter Jansson <hpj@suse.com>
Date: Wed, 26 Oct 2022 10:01:28 +0200
Subject: [PATCH] openssh-fips-moduli-skip-filtering-nonfips

commit 1f8aa004e3a2dcd0b64d4b8446e3971257fd8e54
Author: Hans Petter Jansson <hpj@hpjansson.org>
Date:   Fri Nov 27 17:14:48 2020 +0100

Skip filtering outside FIPS mode. We need this because openssl's
    DH_check() takes a long time to run when FIPS is disabled -- it
    won't filter by a predefined list then, but instead applies
    safe-prime checks. These typically add up to several minutes of
    run time for the default moduli file.
---
 dh.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/dh.c b/dh.c
index 13e7c189..b254be72 100644
--- a/dh.c
+++ b/dh.c
@@ -152,6 +152,15 @@ dhg_is_approved(const struct dhgroup *dhg)
 	int dh_status;
 	int is_ok = 0;
 
+	/* Skip filtering outside FIPS mode. We need this because openssl's
+	 * DH_check() takes a long time to run when FIPS is disabled -- it
+	 * won't filter by a predefined list then, but instead applies
+	 * safe-prime checks. These typically add up to several minutes of
+	 * run time for the default moduli file. */
+	if (!fips_mode()) {
+		return 1;
+	}
+
 	/* DH_set0_pqg() transfers ownership of the bignums, so we
 	 * make temporary copies here for simplicity. */
 	g = BN_dup(dhg->g);
-- 
2.38.0

Places

File openssh-fips-moduli-skip-filtering-nonfips.patch of Package openssh-testuser.26950

Places