Hello community, here is the log from the commit of package ipsec-tools for openSUSE:Factory checked in at 2015-05-10 10:46:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ipsec-tools (Old) and /work/SRC/openSUSE:Factory/.ipsec-tools.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ipsec-tools" Changes: -------- --- /work/SRC/openSUSE:Factory/ipsec-tools/ipsec-tools.changes 2015-01-24 22:20:43.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.ipsec-tools.new/ipsec-tools.changes 2015-05-10 10:46:46.000000000 +0200 @@ -1,0 +2,9 @@ +Thu Apr 23 11:07:44 UTC 2015 - [email protected] + +- racoon-fips-rsa.patch: Use a default exponent of at least 65537 + (minimum FIPS required public exponent) +- racoon-no-md5.patch: replace one md5 usage by sha1 in an internal + hash table. Allow md5 usage for an external visible interface, + as it is also hashing only. + +------------------------------------------------------------------- New: ---- racoon-fips-rsa.patch racoon-no-md5.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ipsec-tools.spec ++++++ --- /var/tmp/diff_new_pack.DSbebL/_old 2015-05-10 10:46:47.000000000 +0200 +++ /var/tmp/diff_new_pack.DSbebL/_new 2015-05-10 10:46:47.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package ipsec-tools # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -35,6 +35,8 @@ Patch2: ipsec-tools-0.7.3-linkerflag.patch Patch3: ipsec-tools-0.8.0-nodevel.patch Patch4: ipsec-tools-0.8.0-certasn1txtbroken.patch +Patch5: racoon-fips-rsa.patch +Patch6: racoon-no-md5.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %insserv_prereq %fillup_prereq BuildRequires: bison @@ -75,6 +77,8 @@ %patch2 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 ./bootstrap sed -i 's|-Werror||g' configure ++++++ racoon-fips-rsa.patch ++++++ Index: ipsec-tools-0.8.0/src/racoon/plainrsa-gen.8 =================================================================== --- ipsec-tools-0.8.0.orig/src/racoon/plainrsa-gen.8 +++ ipsec-tools-0.8.0/src/racoon/plainrsa-gen.8 @@ -74,7 +74,7 @@ Note that generating longer keys takes l .It Fl e Ar pubexp value of RSA public exponent. Default is -.Li 0x3 . +.Li 0x10001 . Don't change this unless you really know what you are doing! .It Fl f Ar outfile .Ar outfile Index: ipsec-tools-0.8.0/src/racoon/plainrsa-gen.c =================================================================== --- ipsec-tools-0.8.0.orig/src/racoon/plainrsa-gen.c +++ ipsec-tools-0.8.0/src/racoon/plainrsa-gen.c @@ -72,7 +72,7 @@ usage (char *argv0) fprintf(stderr, "Usage: %s [options]\n", argv0); fprintf(stderr, "\n"); fprintf(stderr, " -b bits Generate <bits> long RSA key (default=1024)\n"); - fprintf(stderr, " -e pubexp Public exponent to use (default=0x3)\n"); + fprintf(stderr, " -e pubexp Public exponent to use (default=%d)\n", RSA_F4); fprintf(stderr, " -f filename Filename to store the key to (default=stdout)\n"); fprintf(stderr, " -i filename Input source for format conversion\n"); fprintf(stderr, " -h Help\n"); @@ -222,7 +222,7 @@ main (int argc, char *argv[]) { FILE *fp = stdout, *fpin = NULL; size_t bits = 1024; - unsigned int pubexp = 0x3; + unsigned int pubexp = RSA_F4; struct stat st; extern char *optarg; extern int optind; ++++++ racoon-no-md5.patch ++++++ Index: ipsec-tools-0.8.0/src/racoon/handler.c =================================================================== --- ipsec-tools-0.8.0.orig/src/racoon/handler.c +++ ipsec-tools-0.8.0/src/racoon/handler.c @@ -1022,7 +1022,7 @@ check_recvdpkt(remote, local, rbuf) struct timeval now, diff; int len, s; - hash = eay_md5_one(rbuf); + hash = eay_sha1_one(rbuf); if (!hash) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate buffer.\n"); @@ -1109,7 +1109,7 @@ add_recvdpkt(remote, local, sbuf, rbuf) return -1; } - new->hash = eay_md5_one(rbuf); + new->hash = eay_sha1_one(rbuf); if (!new->hash) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate buffer.\n"); Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.c =================================================================== --- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.c +++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.c @@ -2343,6 +2343,35 @@ eay_md5_one(data) return eay_digest_one(data, EVP_md5()); } +vchar_t * +eay_md5fips_one(data) + vchar_t *data; +{ + EVP_MD_CTX ctx; + vchar_t *res; + unsigned int i; + + if ((res = vmalloc(EVP_MD_size(EVP_md5()))) == 0) + return NULL; + + EVP_MD_CTX_init(&ctx); +#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW + /* appeared around openssl 0.9.8k as define, allows usage in FIPS mode. */ + EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); +#endif + EVP_DigestInit_ex (&ctx, EVP_md5(), NULL); + + if (!EVP_DigestUpdate(&ctx, (void *) data->v, data->l)) + { + EVP_MD_CTX_cleanup(&ctx); + vfree(res); + return NULL; + } + EVP_DigestFinal_ex(&ctx, (void *) res->v, &i); + EVP_MD_CTX_cleanup(&ctx); + return res; +} + int eay_md5_hashlen() { Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.h =================================================================== --- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.h +++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.h @@ -202,6 +202,7 @@ extern caddr_t eay_md5_init __P((void)); extern void eay_md5_update __P((caddr_t, vchar_t *)); extern vchar_t *eay_md5_final __P((caddr_t)); extern vchar_t *eay_md5_one __P((vchar_t *)); +extern vchar_t *eay_md5fips_one __P((vchar_t *)); extern int eay_md5_hashlen __P((void)); /* RNG */ Index: ipsec-tools-0.8.0/src/racoon/vendorid.c =================================================================== --- ipsec-tools-0.8.0.orig/src/racoon/vendorid.c +++ ipsec-tools-0.8.0/src/racoon/vendorid.c @@ -166,7 +166,7 @@ compute_vendorids (void) vid.v = (char *) all_vendor_ids[i].string; vid.l = strlen(vid.v); - all_vendor_ids[i].hash = eay_md5_one(&vid); + all_vendor_ids[i].hash = eay_md5fips_one(&vid); if (all_vendor_ids[i].hash == NULL) plog(LLV_ERROR, LOCATION, NULL, "unable to hash vendor ID string\n");
