/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-env-zlib.patch
ViewVC logotype

Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-env-zlib.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:10 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 diff -up openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod
2 --- openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2003-11-29 11:33:25.000000000 +0100
3 +++ openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-25 11:03:48.676136850 +0100
4 @@ -47,6 +47,13 @@ Once the identities of the compression m
5 been standardized, the compression API will most likely be changed. Using
6 it in the current state is not recommended.
7
8 +It is also not recommended to use compression if data transfered contain
9 +untrusted parts that can be manipulated by an attacker as he could then
10 +get information about the encrypted data. See the CRIME attack. For
11 +that reason the default loading of the zlib compression method is
12 +disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
13 +is present during the library initialization.
14 +
15 =head1 RETURN VALUES
16
17 SSL_COMP_add_compression_method() may return the following values:
18 diff -up openssl-fips-0.9.8e/README.env-zlib openssl-fips-0.9.8e/README
19 --- openssl-fips-0.9.8e/README.env-zlib 2007-03-22 01:37:41.000000000 +0100
20 +++ openssl-fips-0.9.8e/README 2013-02-25 11:03:48.675136847 +0100
21 @@ -8,8 +8,22 @@
22 WARNING
23 -------
24
25 - This version of OpenSSL is an initial port of the FIPS 140-2 code to OpenSSL
26 - 0.9.8. See the file README.FIPS for brief usage details.
27 + This version of OpenSSL is based on upstream openssl-fips-1.2.0 code
28 + which is also undergoing FIPS validation.
29 +
30 + However this version contains a few differences from the upstream code
31 + some of which are:
32 + * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
33 + tries to initialize the FIPS mode if it is set to 1 aborting if the
34 + FIPS mode could not be initialized. It is also possible to force the
35 + OpenSSL library to FIPS mode especially for debugging purposes by
36 + setting the environment variable OPENSSL_FORCE_FIPS_MODE.
37 + * If the environment variable OPENSSL_DEFAULT_ZLIB is set the module
38 + will automatically load the built in compression method ZLIB
39 + when initialized. Applications can still explicitely ask for ZLIB
40 + compression method with API calls. Otherwise the compression is not
41 + loaded and used due to protocol vulnerability as described in the
42 + CRIME attack.
43
44 DESCRIPTION
45 -----------
46 diff -up openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib openssl-fips-0.9.8e/ssl/ssl_ciph.c
47 --- openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib 2007-08-13 20:35:04.000000000 +0200
48 +++ openssl-fips-0.9.8e/ssl/ssl_ciph.c 2013-02-25 11:03:48.676136850 +0100
49 @@ -284,7 +284,7 @@ static void load_builtin_compressions(vo
50
51 MemCheck_off();
52 ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
53 - if (ssl_comp_methods != NULL)
54 + if (ssl_comp_methods != NULL && __secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
55 {
56 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
57 if (comp != NULL)

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed