File curl-allow_md4_and_md5_in_fips_mode.patch of Package curl

Overview Repositories Revisions Requests Users Attributes Meta

File curl-allow_md4_and_md5_in_fips_mode.patch of Package curl

From 3d4dea9b4a8ea0f4a4b12523e528b889fbfd6044 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Tue, 3 Feb 2015 08:58:21 +0100
Subject: [PATCH] The usage of MD5 and MD4 is not allowed by default in FIPS
 mode.

Still valid usages must be flagged accordingly.

NTLM uses MD4 and MD5.
HTTP Digest auth uses MD5.

We could disallow both methods in FIPS mode, but it is currently probably
better to add allowance for those methods.
---
 lib/curl_ntlm_core.c | 14 ++++++++++----
 lib/md5.c            | 28 +++++++++++++++++++++++-----
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 1bdc823..280cb4d 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -534,10 +534,16 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct SessionHandle *data,
   {
     /* Create NT hashed password. */
 #ifdef USE_SSLEAY
-    MD4_CTX MD4pw;
-    MD4_Init(&MD4pw);
-    MD4_Update(&MD4pw, pw, 2 * len);
-    MD4_Final(ntbuffer, &MD4pw);
+    EVP_MD_CTX MD4pw;
+
+    EVP_MD_CTX_init(&MD4pw);
+    /* we will be using MD4, which is not allowed under FIPS */
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+    EVP_MD_CTX_set_flags(&MD4pw, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+    EVP_DigestInit_ex(&MD4pw, EVP_md4(), NULL);
+    EVP_DigestUpdate(&MD4pw, pw, 2 * len);
+    EVP_DigestFinal(&MD4pw, ntbuffer, NULL);
 #elif defined(USE_GNUTLS_NETTLE)
     struct md4_ctx MD4pw;
     md4_init(&MD4pw);
diff --git a/lib/md5.c b/lib/md5.c
index af39fd4..bd2fe9f 100644
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -84,11 +84,29 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX * ctx)
 #elif defined(USE_SSLEAY)
 /* When OpenSSL is available we use the MD5-function from OpenSSL */
 
-#  ifdef USE_OPENSSL
-#    include <openssl/md5.h>
-#  else
-#    include <md5.h>
-#  endif
+#include <openssl/evp.h>
+
+/* fips hack */
+#define MD5_CTX EVP_MD_CTX
+static void MD5_Init(MD5_CTX *ctx) 
+{
+	EVP_MD_CTX_init(ctx);
+	/* we will be using MD5, which is not allowed under FIPS */
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+	EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+	EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+}
+
+static void MD5_Update(MD5_CTX *ctx, const void *data, size_t len)
+{
+	EVP_DigestUpdate(ctx, data, len);
+}
+
+static void MD5_Final(unsigned char *md, MD5_CTX *ctx)
+{
+	EVP_DigestFinal(ctx,md,NULL);
+}
 
 #elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
               (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \

Places

File curl-allow_md4_and_md5_in_fips_mode.patch of Package curl

Places