File openvpn-fips140-2.3.2.patch of Package openvpn.27882

Overview Repositories Revisions Requests Users Attributes Meta

File openvpn-fips140-2.3.2.patch of Package openvpn.27882

From a33c0d811ad976561e5cb5bfc8431c1a286e796b Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Fri, 23 Jun 2017 11:00:08 +0200
Subject: [PATCH] fips-140

--- src/openvpn/crypto.c.orig
+++ src/openvpn/crypto.c
@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
     if (kt->digest && kt->hmac_length > 0)
     {
         ctx->hmac = hmac_ctx_new();
-        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
 
         msg(D_HANDSHAKE,
             "%s: Using %d bit message hash '%s' for HMAC authentication",
--- src/openvpn/crypto_backend.h.orig
+++ src/openvpn/crypto_backend.h
@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
  * @param key           The key to use for the HMAC
  * @param key_len       The key length to use
  * @param kt            Static message digest parameters
+ * @param prf_use          Intended use for PRF in TLS protocol
  *
  */
 void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
-                   const md_kt_t *kt);
+                   const md_kt_t *kt, bool prf_use);
 
 /*
  * Free the given HMAC context.
--- src/openvpn/crypto_openssl.c.orig
+++ src/openvpn/crypto_openssl.c
@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
 
 void
 hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
-              const EVP_MD *kt)
+              const EVP_MD *kt, bool prf_use)
 {
     ASSERT(NULL != kt && NULL != ctx);
 
     HMAC_CTX_reset(ctx);
+	/* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+	 * * to be used anywhere else */
+	if(kt == EVP_md5() && prf_use)
+		HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
     HMAC_Init_ex(ctx, key, key_len, kt, NULL);
 
     /* make sure we used a big enough key */
--- src/openvpn/ntlm.c.orig
+++ src/openvpn/ntlm.c
@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
     const md_kt_t *md5_kt = md_kt_get("MD5");
     hmac_ctx_t *hmac_ctx = hmac_ctx_new();
 
-    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
     hmac_ctx_update(hmac_ctx, data, data_len);
     hmac_ctx_final(hmac_ctx, result);
     hmac_ctx_cleanup(hmac_ctx);
--- src/openvpn/options.c.orig
+++ src/openvpn/options.c
@@ -850,6 +850,10 @@ init_options(struct options *o, const bo
     o->tcp_queue_limit = 64;
     o->max_clients = 1024;
     o->max_routes_per_client = 256;
+#ifdef OPENSSL_FIPS
+	if(FIPS_mode())
+		o->ciphername = "AES-256-CBC";
+#endif
     o->stale_routes_check_interval = 0;
     o->ifconfig_pool_persist_refresh_freq = 600;
 #if P2MP
@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option
         if (!o->ciphername)
         {
             o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+	    if (FIPS_mode())
+	    {
+	       o->ciphername = "AES-256-CBC";
+	    }
+#endif
         }
         return;
     }
@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option
         /* We still need to set the ciphername to BF-CBC since various other
          * parts of OpenVPN assert that the ciphername is set */
         o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode())
+	{
+	   o->ciphername = "AES-256-CBC";
+	}
+#endif
     }
     else if (!o->enable_ncp_fallback
              && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
--- src/openvpn/ssl.c.orig
+++ src/openvpn/ssl.c
@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt,
     int chunk = md_kt_size(md_kt);
     unsigned int A1_len = md_kt_size(md_kt);
 
-    hmac_ctx_init(ctx, sec, sec_len, md_kt);
-    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+    hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
+    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
 
     hmac_ctx_update(ctx,seed,seed_len);
     hmac_ctx_final(ctx, A1);

Places

File openvpn-fips140-2.3.2.patch of Package openvpn.27882

Places