| 1 |
diff -up openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod |
| 2 |
--- openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2003-11-29 11:33:25.000000000 +0100 |
| 3 |
+++ openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-25 11:03:48.676136850 +0100 |
| 4 |
@@ -47,6 +47,13 @@ Once the identities of the compression m |
| 5 |
been standardized, the compression API will most likely be changed. Using |
| 6 |
it in the current state is not recommended. |
| 7 |
|
| 8 |
+It is also not recommended to use compression if data transfered contain |
| 9 |
+untrusted parts that can be manipulated by an attacker as he could then |
| 10 |
+get information about the encrypted data. See the CRIME attack. For |
| 11 |
+that reason the default loading of the zlib compression method is |
| 12 |
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB> |
| 13 |
+is present during the library initialization. |
| 14 |
+ |
| 15 |
=head1 RETURN VALUES |
| 16 |
|
| 17 |
SSL_COMP_add_compression_method() may return the following values: |
| 18 |
diff -up openssl-fips-0.9.8e/README.env-zlib openssl-fips-0.9.8e/README |
| 19 |
--- openssl-fips-0.9.8e/README.env-zlib 2007-03-22 01:37:41.000000000 +0100 |
| 20 |
+++ openssl-fips-0.9.8e/README 2013-02-25 11:03:48.675136847 +0100 |
| 21 |
@@ -8,8 +8,22 @@ |
| 22 |
WARNING |
| 23 |
------- |
| 24 |
|
| 25 |
- This version of OpenSSL is an initial port of the FIPS 140-2 code to OpenSSL |
| 26 |
- 0.9.8. See the file README.FIPS for brief usage details. |
| 27 |
+ This version of OpenSSL is based on upstream openssl-fips-1.2.0 code |
| 28 |
+ which is also undergoing FIPS validation. |
| 29 |
+ |
| 30 |
+ However this version contains a few differences from the upstream code |
| 31 |
+ some of which are: |
| 32 |
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and |
| 33 |
+ tries to initialize the FIPS mode if it is set to 1 aborting if the |
| 34 |
+ FIPS mode could not be initialized. It is also possible to force the |
| 35 |
+ OpenSSL library to FIPS mode especially for debugging purposes by |
| 36 |
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE. |
| 37 |
+ * If the environment variable OPENSSL_DEFAULT_ZLIB is set the module |
| 38 |
+ will automatically load the built in compression method ZLIB |
| 39 |
+ when initialized. Applications can still explicitely ask for ZLIB |
| 40 |
+ compression method with API calls. Otherwise the compression is not |
| 41 |
+ loaded and used due to protocol vulnerability as described in the |
| 42 |
+ CRIME attack. |
| 43 |
|
| 44 |
DESCRIPTION |
| 45 |
----------- |
| 46 |
diff -up openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib openssl-fips-0.9.8e/ssl/ssl_ciph.c |
| 47 |
--- openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib 2007-08-13 20:35:04.000000000 +0200 |
| 48 |
+++ openssl-fips-0.9.8e/ssl/ssl_ciph.c 2013-02-25 11:03:48.676136850 +0100 |
| 49 |
@@ -284,7 +284,7 @@ static void load_builtin_compressions(vo |
| 50 |
|
| 51 |
MemCheck_off(); |
| 52 |
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); |
| 53 |
- if (ssl_comp_methods != NULL) |
| 54 |
+ if (ssl_comp_methods != NULL && __secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) |
| 55 |
{ |
| 56 |
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); |
| 57 |
if (comp != NULL) |
Parent Directory
| 
Revision Log
| 
Revision Graph
