| 1 |
wellsi |
1.1 |
diff -up openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod |
| 2 |
|
|
--- openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2003-11-29 11:33:25.000000000 +0100 |
| 3 |
|
|
+++ openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-25 11:03:48.676136850 +0100 |
| 4 |
|
|
@@ -47,6 +47,13 @@ Once the identities of the compression m |
| 5 |
|
|
been standardized, the compression API will most likely be changed. Using |
| 6 |
|
|
it in the current state is not recommended. |
| 7 |
|
|
|
| 8 |
|
|
+It is also not recommended to use compression if data transfered contain |
| 9 |
|
|
+untrusted parts that can be manipulated by an attacker as he could then |
| 10 |
|
|
+get information about the encrypted data. See the CRIME attack. For |
| 11 |
|
|
+that reason the default loading of the zlib compression method is |
| 12 |
|
|
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB> |
| 13 |
|
|
+is present during the library initialization. |
| 14 |
|
|
+ |
| 15 |
|
|
=head1 RETURN VALUES |
| 16 |
|
|
|
| 17 |
|
|
SSL_COMP_add_compression_method() may return the following values: |
| 18 |
|
|
diff -up openssl-fips-0.9.8e/README.env-zlib openssl-fips-0.9.8e/README |
| 19 |
|
|
--- openssl-fips-0.9.8e/README.env-zlib 2007-03-22 01:37:41.000000000 +0100 |
| 20 |
|
|
+++ openssl-fips-0.9.8e/README 2013-02-25 11:03:48.675136847 +0100 |
| 21 |
|
|
@@ -8,8 +8,22 @@ |
| 22 |
|
|
WARNING |
| 23 |
|
|
------- |
| 24 |
|
|
|
| 25 |
|
|
- This version of OpenSSL is an initial port of the FIPS 140-2 code to OpenSSL |
| 26 |
|
|
- 0.9.8. See the file README.FIPS for brief usage details. |
| 27 |
|
|
+ This version of OpenSSL is based on upstream openssl-fips-1.2.0 code |
| 28 |
|
|
+ which is also undergoing FIPS validation. |
| 29 |
|
|
+ |
| 30 |
|
|
+ However this version contains a few differences from the upstream code |
| 31 |
|
|
+ some of which are: |
| 32 |
|
|
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and |
| 33 |
|
|
+ tries to initialize the FIPS mode if it is set to 1 aborting if the |
| 34 |
|
|
+ FIPS mode could not be initialized. It is also possible to force the |
| 35 |
|
|
+ OpenSSL library to FIPS mode especially for debugging purposes by |
| 36 |
|
|
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE. |
| 37 |
|
|
+ * If the environment variable OPENSSL_DEFAULT_ZLIB is set the module |
| 38 |
|
|
+ will automatically load the built in compression method ZLIB |
| 39 |
|
|
+ when initialized. Applications can still explicitely ask for ZLIB |
| 40 |
|
|
+ compression method with API calls. Otherwise the compression is not |
| 41 |
|
|
+ loaded and used due to protocol vulnerability as described in the |
| 42 |
|
|
+ CRIME attack. |
| 43 |
|
|
|
| 44 |
|
|
DESCRIPTION |
| 45 |
|
|
----------- |
| 46 |
|
|
diff -up openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib openssl-fips-0.9.8e/ssl/ssl_ciph.c |
| 47 |
|
|
--- openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib 2007-08-13 20:35:04.000000000 +0200 |
| 48 |
|
|
+++ openssl-fips-0.9.8e/ssl/ssl_ciph.c 2013-02-25 11:03:48.676136850 +0100 |
| 49 |
|
|
@@ -284,7 +284,7 @@ static void load_builtin_compressions(vo |
| 50 |
|
|
|
| 51 |
|
|
MemCheck_off(); |
| 52 |
|
|
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); |
| 53 |
|
|
- if (ssl_comp_methods != NULL) |
| 54 |
|
|
+ if (ssl_comp_methods != NULL && __secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) |
| 55 |
|
|
{ |
| 56 |
|
|
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); |
| 57 |
|
|
if (comp != NULL) |
Parent Directory
| 
Revision Log
| 
Revision Graph
