File openssl-fips-dont-fall-back-to-default-digest.patch of Package openssl
Index: openssl-1.0.1i/apps/dgst.c
===================================================================
--- openssl-1.0.1i.orig/apps/dgst.c 2016-04-28 17:03:42.236194100 +0200
+++ openssl-1.0.1i/apps/dgst.c 2016-04-28 17:04:29.820980047 +0200
@@ -147,7 +147,7 @@ int MAIN(int argc, char **argv)
 /* first check the program name */
 program_name(argv[0],pname,sizeof pname);
- md=EVP_get_digestbyname(pname);
+ md = EVP_get_digestbyname_fips_disabled(pname);
 argc--;
 argv++;
@@ -250,7 +250,7 @@ int MAIN(int argc, char **argv)
 if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
 break;
 }
- else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ else if ((m=EVP_get_digestbyname_fips_disabled(&((*argv)[1]))) != NULL)
 md=m;
 else
 break;
Index: openssl-1.0.1i/apps/apps.c
===================================================================
--- openssl-1.0.1i.orig/apps/apps.c 2016-04-28 17:03:40.969173173 +0200
+++ openssl-1.0.1i/apps/apps.c 2016-04-28 17:03:42.236194100 +0200
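Review bot: In apps/dgst.c neither call site says why the digest name is now resolved with FIPS mode switched off; this applies to the program-name lookup in the hunk at -147 and to the option-parsing `else if` in the hunk at -250. After this change `md` can hold a digest that is not approved in FIPS mode, so the patch is only safe if the later digest initialisation, which is outside these hunks, fails and exits rather than substituting the default; that should be confirmed and stated. I would add a comment above the first call such as `/* resolve the name with FIPS off so a non-approved digest is recognised here and rejected at init, not silently replaced by the default */`. The first hunk also writes `md = ...` with spaces while the surrounding code uses `md=m`; matching the local style keeps the patch minimal. MAIN starts and ends outside both hunks.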
@@ -3096,3 +3096,45 @@ int raw_write_stdout(const void *buf,int
 int raw_write_stdout(const void *buf,int siz)
 { return write(fileno(stdout),buf,siz); }
 #endif
+
+
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_MD *md;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_digests();
+ md=EVP_get_digestbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return md;
+ }
+
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_CIPHER *ciph;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_ciphers();
+ ciph=EVP_get_cipherbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return ciph;
+ }
+
Index: openssl-1.0.1i/apps/apps.h
===================================================================
--- openssl-1.0.1i.orig/apps/apps.h 2016-04-28 17:03:42.237194116 +0200
+++ openssl-1.0.1i/apps/apps.h 2016-04-28 17:05:12.893691488 +0200
@@ -337,6 +337,9 @@ void jpake_server_auth(BIO *out, BIO *co
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name);
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name);
+
 #define FORMAT_UNDEF 0
 #define FORMAT_ASN1 1
 #define FORMAT_TEXT 2
Index: openssl-1.0.1i/apps/enc.c
===================================================================
--- openssl-1.0.1i.orig/apps/enc.c 2016-04-28 17:03:40.970173189 +0200
+++ openssl-1.0.1i/apps/enc.c 2016-04-28 17:07:31.388979155 +0200
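Review bot: In the apps/apps.c hunk the locals are declared `EVP_MD *md;` and `EVP_CIPHER *ciph;`, but both helpers return const pointers and `EVP_get_digestbyname` / `EVP_get_cipherbyname` return const pointers as well, so the assignments drop the qualifier; declare them `const EVP_MD *md;` and `const EVP_CIPHER *ciph;`. The result of `FIPS_mode_set(0)` is ignored in both helpers: if leaving FIPS mode fails, the lookup would presumably run in FIPS mode and return NULL, which is the case the patch is meant to remove, so it should be checked the same way the re-enable call is. Both helpers flip a process-wide mode and call `OpenSSL_add_all_digests()` / `OpenSSL_add_all_ciphers()` while it is off, so each deserves a header comment saying that the returned algorithm may not be FIPS-approved and that the helper is for name resolution only. On the error path the BIO from `BIO_new_fp(stderr,BIO_NOCLOSE)` is passed to `ERR_print_errors` without a NULL check.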
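Review bot: The two prototypes added to apps/apps.h carry the `EVP_` prefix although they are helpers private to the command-line tools (their bodies are added to apps/apps.c in this patch), so they read as libcrypto API and could collide with a library symbol of the same name. A name without the library prefix, for example `app_get_digestbyname_fips_disabled`, would avoid that. A one-line comment above them, such as `/* name lookup with FIPS mode temporarily disabled; result may be a non-approved algorithm */`, would also tell header readers what the suffix means.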
@@ -151,7 +151,7 @@ int MAIN(int argc, char **argv)
 do_zlib=1;
 #endif
- cipher=EVP_get_cipherbyname(pname);
+ cipher=EVP_get_cipherbyname_fips_disabled(pname);
 #ifdef ZLIB
 if (!do_zlib && !base64 && (cipher == NULL) && (strcmp(pname,"enc") != 0))
@@ -287,7 +287,7 @@ int MAIN(int argc, char **argv)
 else if (strcmp(*argv,"-non-fips-allow") == 0)
 non_fips_allow = 1;
 else if ((argv[0][0] == '-') &&
- ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
+ ((c=EVP_get_cipherbyname_fips_disabled(&(argv[0][1]))) != NULL))
 {
 cipher=c;
 }
@@ -329,6 +329,10 @@ bad:
 argv++;
 }
+ /* drop out of fips mode if we should allow non-fips algos */
+ if (non_fips_allow)
+ FIPS_mode_set(0);
+
 #ifndef OPENSSL_NO_ENGINE
 setup_engine(bio_err, engine, 0);
 #endif
@@ -345,7 +349,7 @@ bad:
 goto end;
 }
- if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
+ if (md && (dgst=EVP_get_digestbyname_fips_disabled(md)) == NULL)
 {
 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
 goto end;
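Review bot: The block added after option parsing in apps/enc.c (hunk at -329) calls `FIPS_mode_set(0)` whenever `-non-fips-allow` was given, ignores the result, and leaves FIPS mode for the rest of the process. Everything after it, starting with `setup_engine` and continuing with whatever MAIN does outside the hunk, then runs without FIPS enforcement, not only the one algorithm the user asked for. At minimum check the call, e.g. `if (non_fips_allow && !FIPS_mode_set(0)) { ERR_print_errors(bio_err); goto end; }`, and consider writing a line to `bio_err` when FIPS mode is actually left so that use of non-approved algorithms is visible in logs. The other three hunks in this file switch to the `_fips_disabled` lookups; without `-non-fips-allow` they depend on later initialisation, outside the hunks, rejecting non-approved algorithms, which should be confirmed. MAIN starts and ends outside these hunks.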