/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-env-zlib.patch
ViewVC logotype

Annotation of /rpms/openssl/sme8/openssl-fips-0.9.8e-env-zlib.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue Feb 18 03:03:10 2014 UTC (10 years, 9 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 wellsi 1.1 diff -up openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod
2     --- openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2003-11-29 11:33:25.000000000 +0100
3     +++ openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-25 11:03:48.676136850 +0100
4     @@ -47,6 +47,13 @@ Once the identities of the compression m
5     been standardized, the compression API will most likely be changed. Using
6     it in the current state is not recommended.
7    
8     +It is also not recommended to use compression if data transfered contain
9     +untrusted parts that can be manipulated by an attacker as he could then
10     +get information about the encrypted data. See the CRIME attack. For
11     +that reason the default loading of the zlib compression method is
12     +disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
13     +is present during the library initialization.
14     +
15     =head1 RETURN VALUES
16    
17     SSL_COMP_add_compression_method() may return the following values:
18     diff -up openssl-fips-0.9.8e/README.env-zlib openssl-fips-0.9.8e/README
19     --- openssl-fips-0.9.8e/README.env-zlib 2007-03-22 01:37:41.000000000 +0100
20     +++ openssl-fips-0.9.8e/README 2013-02-25 11:03:48.675136847 +0100
21     @@ -8,8 +8,22 @@
22     WARNING
23     -------
24    
25     - This version of OpenSSL is an initial port of the FIPS 140-2 code to OpenSSL
26     - 0.9.8. See the file README.FIPS for brief usage details.
27     + This version of OpenSSL is based on upstream openssl-fips-1.2.0 code
28     + which is also undergoing FIPS validation.
29     +
30     + However this version contains a few differences from the upstream code
31     + some of which are:
32     + * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
33     + tries to initialize the FIPS mode if it is set to 1 aborting if the
34     + FIPS mode could not be initialized. It is also possible to force the
35     + OpenSSL library to FIPS mode especially for debugging purposes by
36     + setting the environment variable OPENSSL_FORCE_FIPS_MODE.
37     + * If the environment variable OPENSSL_DEFAULT_ZLIB is set the module
38     + will automatically load the built in compression method ZLIB
39     + when initialized. Applications can still explicitely ask for ZLIB
40     + compression method with API calls. Otherwise the compression is not
41     + loaded and used due to protocol vulnerability as described in the
42     + CRIME attack.
43    
44     DESCRIPTION
45     -----------
46     diff -up openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib openssl-fips-0.9.8e/ssl/ssl_ciph.c
47     --- openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib 2007-08-13 20:35:04.000000000 +0200
48     +++ openssl-fips-0.9.8e/ssl/ssl_ciph.c 2013-02-25 11:03:48.676136850 +0100
49     @@ -284,7 +284,7 @@ static void load_builtin_compressions(vo
50    
51     MemCheck_off();
52     ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
53     - if (ssl_comp_methods != NULL)
54     + if (ssl_comp_methods != NULL && __secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
55     {
56     comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
57     if (comp != NULL)

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed