File racoon-no-md5.patch of Package ipsec-tools.2290
Index: ipsec-tools-0.8.0/src/racoon/handler.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/handler.c
+++ ipsec-tools-0.8.0/src/racoon/handler.c
@@ -1022,7 +1022,7 @@ check_recvdpkt(remote, local, rbuf)
struct timeval now, diff;
int len, s;
- hash = eay_md5_one(rbuf);
+ hash = eay_sha1_one(rbuf);
if (!hash) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
@@ -1109,7 +1109,7 @@ add_recvdpkt(remote, local, sbuf, rbuf)
return -1;
}
- new->hash = eay_md5_one(rbuf);
+ new->hash = eay_sha1_one(rbuf);
if (!new->hash) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.c
+++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.c
@@ -2343,6 +2343,35 @@ eay_md5_one(data)
return eay_digest_one(data, EVP_md5());
}
+vchar_t *
+eay_md5fips_one(data)
+ vchar_t *data;
+{
+ EVP_MD_CTX ctx;
+ vchar_t *res;
+ unsigned int i;
+
+ if ((res = vmalloc(EVP_MD_size(EVP_md5()))) == 0)
+ return NULL;
+
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* appeared around openssl 0.9.8k as define, allows usage in FIPS mode. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex (&ctx, EVP_md5(), NULL);
+
+ if (!EVP_DigestUpdate(&ctx, (void *) data->v, data->l))
+ {
+ EVP_MD_CTX_cleanup(&ctx);
+ vfree(res);
+ return NULL;
+ }
+ EVP_DigestFinal_ex(&ctx, (void *) res->v, &i);
+ EVP_MD_CTX_cleanup(&ctx);
+ return res;
+}
+
int
eay_md5_hashlen()
{
Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.h
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.h
+++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.h
@@ -202,6 +202,7 @@ extern caddr_t eay_md5_init __P((void));
extern void eay_md5_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_md5_final __P((caddr_t));
extern vchar_t *eay_md5_one __P((vchar_t *));
+extern vchar_t *eay_md5fips_one __P((vchar_t *));
extern int eay_md5_hashlen __P((void));
/* RNG */
Index: ipsec-tools-0.8.0/src/racoon/vendorid.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/vendorid.c
+++ ipsec-tools-0.8.0/src/racoon/vendorid.c
@@ -166,7 +166,7 @@ compute_vendorids (void)
vid.v = (char *) all_vendor_ids[i].string;
vid.l = strlen(vid.v);
- all_vendor_ids[i].hash = eay_md5_one(&vid);
+ all_vendor_ids[i].hash = eay_md5fips_one(&vid);
if (all_vendor_ids[i].hash == NULL)
plog(LLV_ERROR, LOCATION, NULL,
"unable to hash vendor ID string\n");