rpms/gnutls
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

negotiate only FIPS approved algorithms in the FIPS mode (#871826)

Browse Source
This commit is contained in:
Tomas Mraz 2012-11-01 11:28:44 +01:00
parent 471a3d6fac
commit b89d89dd0a
2 changed files with 196 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

189
gnutls-2.12.20-fips-algorithms.patch Normal file
View File

@ -0,0 +1,189 @@
diff -up gnutls-2.12.20/lib/gcrypt/init.c.fips gnutls-2.12.20/lib/gcrypt/init.c
--- gnutls-2.12.20/lib/gcrypt/init.c.fips 2012-01-06 20:06:23.000000000 +0100
+++ gnutls-2.12.20/lib/gcrypt/init.c 2012-11-01 11:00:34.954835974 +0100
@@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {
.recvmsg = NULL,
};
+int gnutls_gcrypt_fips;
+
int
gnutls_crypto_init (void)
{
@@ -72,6 +74,8 @@ gnutls_crypto_init (void)
return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
}
+ gnutls_gcrypt_fips = gcry_fips_mode_active();
+
/* for gcrypt in order to be able to allocate memory */
gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);
diff -up gnutls-2.12.20/lib/gnutls_priority.c.fips gnutls-2.12.20/lib/gnutls_priority.c
--- gnutls-2.12.20/lib/gnutls_priority.c.fips 2012-01-06 20:06:23.000000000 +0100
+++ gnutls-2.12.20/lib/gnutls_priority.c 2012-11-01 11:02:52.505807199 +0100
@@ -30,6 +30,7 @@
#include "gnutls_algorithms.h"
#include "gnutls_errors.h"
#include <gnutls_num.h>
+#include <gcrypt.h>
static void
break_comma_list (char *etag,
@@ -223,6 +224,13 @@ static const int protocol_priority[] = {
0
};
+static const int protocol_priority_fips[] = {
+ GNUTLS_TLS1_2,
+ GNUTLS_TLS1_1,
+ GNUTLS_TLS1_0,
+ 0
+};
+
static const int kx_priority_performance[] = {
GNUTLS_KX_RSA,
GNUTLS_KX_DHE_RSA,
@@ -269,6 +277,13 @@ static const int cipher_priority_perform
0
};
+static const int cipher_priority_performance_fips[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_AES_256_CBC,
+ 0
+};
+
static const int cipher_priority_normal[] = {
GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
@@ -284,6 +299,13 @@ static const int cipher_priority_normal[
0
};
+static const int cipher_priority_normal_fips[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ 0
+};
+
static const int cipher_priority_secure128[] = {
GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
@@ -295,6 +317,11 @@ static const int cipher_priority_secure1
0
};
+static const int cipher_priority_secure128_fips[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ 0
+};
static const int cipher_priority_secure256[] = {
GNUTLS_CIPHER_AES_256_CBC,
@@ -311,6 +338,13 @@ static const int cipher_priority_secure2
0
};
+static const int cipher_priority_secure256_fips[] = {
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ 0
+};
+
/* The same as cipher_priority_security_normal + arcfour-40. */
static const int cipher_priority_export[] = {
GNUTLS_CIPHER_AES_128_CBC,
@@ -362,6 +396,12 @@ static const int mac_priority_normal[] =
0
};
+static const int mac_priority_normal_fips[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_SHA256,
+ 0
+};
+
static const int mac_priority_secure[] = {
GNUTLS_MAC_SHA256,
@@ -462,6 +502,8 @@ gnutls_priority_set (gnutls_session_t se
#define MAX_ELEMENTS 48
+extern int gnutls_gcrypt_fips;
+
/**
* gnutls_priority_init:
* @priority_cache: is a #gnutls_prioritity_t structure.
@@ -561,7 +603,7 @@ gnutls_priority_init (gnutls_priority_t
*/
if (strcasecmp (broken_list[0], "NONE") != 0)
{
- _set_priority (&(*priority_cache)->protocol, protocol_priority);
+ _set_priority (&(*priority_cache)->protocol, gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
_set_priority (&(*priority_cache)->compression, comp_priority);
_set_priority (&(*priority_cache)->cert_type, cert_type_priority_default);
_set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
@@ -577,17 +619,17 @@ gnutls_priority_init (gnutls_priority_t
if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
{
_set_priority (&(*priority_cache)->cipher,
- cipher_priority_performance);
+ gnutls_gcrypt_fips?cipher_priority_performance_fips:cipher_priority_performance);
_set_priority (&(*priority_cache)->kx, kx_priority_performance);
- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
+ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
_set_priority (&(*priority_cache)->sign_algo,
sign_priority_default);
}
else if (strcasecmp (broken_list[i], "NORMAL") == 0)
{
- _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
+ _set_priority (&(*priority_cache)->cipher, gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
+ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
_set_priority (&(*priority_cache)->sign_algo,
sign_priority_default);
}
@@ -595,7 +637,7 @@ gnutls_priority_init (gnutls_priority_t
|| strcasecmp (broken_list[i], "SECURE") == 0)
{
_set_priority (&(*priority_cache)->cipher,
- cipher_priority_secure256);
+ gnutls_gcrypt_fips?cipher_priority_secure256_fips:cipher_priority_secure256);
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
_set_priority (&(*priority_cache)->sign_algo,
@@ -604,7 +646,7 @@ gnutls_priority_init (gnutls_priority_t
else if (strcasecmp (broken_list[i], "SECURE128") == 0)
{
_set_priority (&(*priority_cache)->cipher,
- cipher_priority_secure128);
+ gnutls_gcrypt_fips?cipher_priority_secure128_fips:cipher_priority_secure128);
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
_set_priority (&(*priority_cache)->sign_algo,
@@ -646,7 +688,7 @@ gnutls_priority_init (gnutls_priority_t
if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)
{
bulk_fn (&(*priority_cache)->protocol,
- protocol_priority);
+ gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
}
else
{
@@ -718,7 +760,7 @@ gnutls_priority_init (gnutls_priority_t
else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
{
bulk_fn (&(*priority_cache)->cipher,
- cipher_priority_normal);
+ gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
}
else
goto error;

8
gnutls.spec
View File

@ -1,7 +1,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 2.12.20
Release: 3%{?dist}
Release: 4%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
@ -25,6 +25,8 @@ Patch4: gnutls-2.12.7-dsa-skiptests.patch
Patch5: gnutls-2.12.20-build.patch
# Fix the gnutls-cli-debug manpage
Patch6: gnutls-2.12.20-cli-debug-manpage.patch
# Use only FIPS approved ciphers in the FIPS mode
Patch7: gnutls-2.12.20-fips-algorithms.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2
@ -97,6 +99,7 @@ This package contains Guile bindings for the library.
%patch4 -p1 -b .skiptests
%patch5 -p1 -b .build
%patch6 -p1 -b .cli-debug
%patch7 -p1 -b .fips
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
@ -198,6 +201,9 @@ fi
%{_datadir}/guile/site/gnutls.scm
%changelog
* Thu Nov 1 2012 Tomas Mraz <tmraz@redhat.com> 2.12.20-4
- negotiate only FIPS approved algorithms in the FIPS mode (#871826)
* Wed Aug 8 2012 Tomas Mraz <tmraz@redhat.com> 2.12.20-3
- fix the gnutls-cli-debug manpage - patch by Peter Schiffer