Richard W.M. Jones wrote:
> ACKed and applied to the Mercurial repository.

In the meantime there is a newer native version :-(
and here are the patches for this.

-- 
  Levente                               "Si vis pacem para bellum!"
diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed 
openssl-0.9.8j/crypto/rand/rand_lcl.h
--- openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed      2009-02-02 
13:40:37.000000000 +0100
+++ openssl-0.9.8j/crypto/rand/rand_lcl.h       2009-02-02 13:50:42.000000000 
+0100
@@ -112,7 +112,7 @@
 #ifndef HEADER_RAND_LCL_H
 #define HEADER_RAND_LCL_H
 
-#define ENTROPY_NEEDED 32  /* require 256 bits = 32 bytes of randomness */
+#define ENTROPY_NEEDED 48  /* we need 48 bytes of randomness for FIPS rng */
 
 
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && 
!defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
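Review bot: The new comment on `ENTROPY_NEEDED` states the number but not where it comes from, and because the constant lives in crypto/rand/rand_lcl.h it appears to raise the requirement for the non-FIPS generator too. Judging from the fips_rand.c hunk in this same patch, 48 looks like a key of up to 32 bytes plus one `AES_BLOCK_LENGTH` seed block. I would spell that out, e.g. `/* 48 bytes: up to 32-byte AES key + one AES block of seed for the FIPS rng */`, so the constant and the split in `fips_set_prng_seed` are not changed independently.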
diff -up openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed 
openssl-0.9.8j/fips/rand/fips_rand.c
--- openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed       2008-09-16 
12:12:18.000000000 +0200
+++ openssl-0.9.8j/fips/rand/fips_rand.c        2009-02-02 14:06:58.000000000 
+0100
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
        {
        int i;
        if (!ctx->keyed)
-               return 0;
+               {
+               FIPS_RAND_SIZE_T keylen = 16;
+
+               if (seedlen - keylen < AES_BLOCK_LENGTH)
+                       return 0;
+               if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+                       keylen += 8;
+               if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+                       keylen += 8;
+               seedlen -= keylen;
+               fips_set_prng_key(ctx, seed+seedlen, keylen);
+               }
        /* In test mode seed is just supplied data */
        if (ctx->test_mode)
                {
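Review bot: The length checks in the new `!ctx->keyed` branch are written as subtractions (`seedlen - keylen < AES_BLOCK_LENGTH`), which wrap instead of going negative if `FIPS_RAND_SIZE_T` is an unsigned type (its definition is not in this hunk). For a seed shorter than 16 bytes all three tests would then pass, `seedlen -= keylen` would wrap, and `seed+seedlen` passed to `fips_set_prng_key` would point outside the caller's buffer. Writing the comparisons additively is safe for either signedness: `if (seedlen < keylen + AES_BLOCK_LENGTH) return 0;` and `if (seedlen >= keylen + 8 + AES_BLOCK_LENGTH) keylen += 8;`. The result of `fips_set_prng_key` is also dropped, so if that call can fail, seeding would continue on an unkeyed context; checking it and returning 0 would keep the previous fail-closed behaviour. The function body continues past the end of the hunk.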
diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
--- openssl-0.9.8j/fips/fips.c.rng-seed 2009-02-02 13:40:38.000000000 +0100
+++ openssl-0.9.8j/fips/fips.c  2009-02-02 13:49:32.000000000 +0100
@@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
            goto end;
            }
 
+       /* now switch into FIPS mode */
+       fips_set_rand_check(FIPS_rand_method());
+       RAND_set_rand_method(FIPS_rand_method());
+
        /* automagically seed PRNG if not already seeded */
        if(!FIPS_rand_status())
            {
-           if(RAND_bytes(buf,sizeof buf) <= 0)
+           RAND_poll();
+           if (!FIPS_rand_status())
                {
                fips_selftest_fail = 1;
                ret = 0;
                goto end;
                }
-           FIPS_rand_set_key(buf,32);
-           FIPS_rand_seed(buf+32,16);
            }
 
-       /* now switch into FIPS mode */
-       fips_set_rand_check(FIPS_rand_method());
-       RAND_set_rand_method(FIPS_rand_method());
        if(FIPS_selftest())
            fips_set_mode(1);
        else
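Review bot: With the switch to `FIPS_rand_method()` moved ahead of seeding, the failure branch (`fips_selftest_fail = 1; ret = 0; goto end;`) now leaves the process-wide RAND method pointing at a generator that has just reported itself unseeded. Previously the method was installed only after seeding had succeeded. Unless the code at `end:` (outside this hunk) undoes the switch, I would save the old method first with `const RAND_METHOD *prev = RAND_get_rand_method();` and call `RAND_set_rand_method(prev);` before that `goto end`. Ignoring the return value of `RAND_poll()` is acceptable only because `FIPS_rand_status()` is re-checked immediately afterwards, which deserves a one-line comment. `buf` is declared outside the hunk and may now be unused, and `FIPS_mode_set` itself starts and ends outside the hunk.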
diff -r 9f58deb1a4f9 openssl/mingw32-openssl.spec
--- a/openssl/mingw32-openssl.spec      Mon Feb 02 19:08:07 2009 +0000
+++ b/openssl/mingw32-openssl.spec      Mon Feb 02 22:32:15 2009 +0100
@@ -27,7 +27,7 @@
 
 Name:           mingw32-openssl
 Version:        0.9.8j
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        MinGW port of the OpenSSL toolkit
 
 License:        OpenSSL
@@ -77,6 +77,7 @@
 Patch47:        openssl-0.9.8j-readme-warning.patch
 Patch48:        openssl-0.9.8j-bad-mime.patch
 Patch49:        openssl-0.9.8j-fips-no-pairwise.patch
+Patch50:        openssl-0.9.8j-fips-rng-seed.patch
 # Backported fixes including security fixes
 
 # MinGW-specific patches.
@@ -166,6 +167,7 @@
 %patch47 -p1 -b .warning
 %patch48 -p1 -b .bad-mime
 %patch49 -p1 -b .no-pairwise
+%patch50 -p1 -b .rng-seed
 
 %patch100 -p1 -b .mingw-header-files
 %patch101 -p1 -b .mingw-configure
@@ -261,6 +263,8 @@
 #    %{__os_install_post} \
 #    fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} 
>$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
 #    ln -sf .libcrypto.so.%{version}.hmac 
$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
+#    fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libssl.so.%{version} 
>$RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{version}.hmac \
+#    ln -sf .libssl.so.%{version}.hmac 
$RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{soversion}.hmac \
 #%{nil}
 
 if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
@@ -320,6 +324,7 @@
 %{_mingw32_bindir}/libcrypto-%{soversion}.dll
 %{_mingw32_bindir}/libssl-%{soversion}.dll
 #{_mingw32_bindir}/.libcrypto*.hmac
+#{_mingw32_bindir}/.libssl*.hmac
 %{_mingw32_libdir}/libcrypto.dll.a
 %{_mingw32_libdir}/libssl.dll.a
 %{_mingw32_libdir}/engines