File racoon-no-md5.patch of Package ipsec-tools.2290

Index: ipsec-tools-0.8.0/src/racoon/handler.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/handler.c
+++ ipsec-tools-0.8.0/src/racoon/handler.c
@@ -1022,7 +1022,7 @@ check_recvdpkt(remote, local, rbuf)
 	struct timeval now, diff;
 	int len, s;
 
-	hash = eay_md5_one(rbuf);
+	hash = eay_sha1_one(rbuf);
 	if (!hash) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to allocate buffer.\n");
@@ -1109,7 +1109,7 @@ add_recvdpkt(remote, local, sbuf, rbuf)
 		return -1;
 	}
 
-	new->hash = eay_md5_one(rbuf);
+	new->hash = eay_sha1_one(rbuf);
 	if (!new->hash) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to allocate buffer.\n");
Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.c
+++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.c
@@ -2343,6 +2343,35 @@ eay_md5_one(data)
 	return eay_digest_one(data, EVP_md5());
 }
 
+vchar_t *
+eay_md5fips_one(data)
+	vchar_t *data;
+{
+	EVP_MD_CTX	ctx;
+	vchar_t *res;
+	unsigned int i;
+
+	if ((res = vmalloc(EVP_MD_size(EVP_md5()))) == 0)
+		return NULL;
+
+	EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+	/* appeared around openssl 0.9.8k as define, allows usage in FIPS mode. */
+	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+	EVP_DigestInit_ex (&ctx, EVP_md5(), NULL);
+
+	if (!EVP_DigestUpdate(&ctx, (void *) data->v, data->l))
+	{
+		EVP_MD_CTX_cleanup(&ctx);
+		vfree(res);
+		return NULL;
+	}
+	EVP_DigestFinal_ex(&ctx, (void *) res->v, &i);
+	EVP_MD_CTX_cleanup(&ctx);
+	return res;
+}
+
 int
 eay_md5_hashlen()
 {
Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.h
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.h
+++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.h
@@ -202,6 +202,7 @@ extern caddr_t eay_md5_init __P((void));
 extern void eay_md5_update __P((caddr_t, vchar_t *));
 extern vchar_t *eay_md5_final __P((caddr_t));
 extern vchar_t *eay_md5_one __P((vchar_t *));
+extern vchar_t *eay_md5fips_one __P((vchar_t *));
 extern int eay_md5_hashlen __P((void));
 
 /* RNG */
Index: ipsec-tools-0.8.0/src/racoon/vendorid.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/vendorid.c
+++ ipsec-tools-0.8.0/src/racoon/vendorid.c
@@ -166,7 +166,7 @@ compute_vendorids (void)
 		vid.v = (char *) all_vendor_ids[i].string;
 		vid.l = strlen(vid.v);
 
-		all_vendor_ids[i].hash = eay_md5_one(&vid);
+		all_vendor_ids[i].hash = eay_md5fips_one(&vid);
 		if (all_vendor_ids[i].hash == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,
 			    "unable to hash vendor ID string\n");
openSUSE Build Service is sponsored by