
diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.deprecate-algos openssl-1.0.1e/crypto/asn1/a_verify.c
--- openssl-1.0.1e/crypto/asn1/a_verify.c.deprecate-algos	2016-10-04 16:12:30.409090041 +0200
+++ openssl-1.0.1e/crypto/asn1/a_verify.c	2016-10-04 18:23:16.987823859 +0200
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
+
 #include <stdio.h>
 #include <time.h>
 
@@ -136,6 +139,32 @@ err:
 
 #endif
 
+static int legacy_mds[] = { NID_md5, NID_sha, NID_md4, NID_md2, 0 };
+extern int private_ossl_allowed_legacy_mds[];
+
+static int is_md_legacy_disallowed(int mdnid)
+	{
+	int i;
+
+	if (mdnid == NID_md5 && __secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL)
+		return 0;
+
+	for (i = 0; legacy_mds[i] != 0; ++i)
+		{
+		if (mdnid == legacy_mds[i])
+			{
+			int j;
+
+			for (j = 0; private_ossl_allowed_legacy_mds[j] != 0; ++j)
+				{
+				if (mdnid == private_ossl_allowed_legacy_mds[j])
+					return 0;
+				}
+			return 1;
+			}
+		}
+	return 0;
+	}
 
 int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 		ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
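Review bot: The comment added at the top of this file says `for secure_getenv`, but the call on the `mdnid == NID_md5` line is `__secure_getenv`, the double-underscore spelling that glibc reserves for itself and replaced with the public `secure_getenv` in 2.17; with `_GNU_SOURCE` now defined, `secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL` is the supported form and the comment and the call should agree. The property that makes this function the right choice is worth stating at the check, e.g. `/* secure_getenv() ignores the environment in set-user-ID / AT_SECURE processes, so this opt-in cannot be pushed into privileged callers via the environment */`. `extern int private_ossl_allowed_legacy_mds[];` is declared here inside a .c file rather than in a private header shared with o_init.c, so a type or size drift between the two files would not be caught by the compiler; a common header would fix that. `is_md_legacy_disallowed` is complete in this hunk, but `ASN1_item_verify` only begins here and continues in the next hunk.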
@@ -183,6 +212,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
 			goto err;
 		ret = -1;
 		}
+	else if (is_md_legacy_disallowed(mdnid))
+		{
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+		goto err;
+		}
 	else
 		{
 		const EVP_MD *type;
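Review bot: The new `else if (is_md_legacy_disallowed(mdnid))` branch reports `ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM` for a digest that is known but disabled by policy, so an operator debugging a failed verification gets a misleading reason string; a comment at the error site such as `/* digest is recognised but disabled by the legacy policy; reuse the closest existing reason code since 1.0.1 has no dedicated one */` would make the intent clear. `ASN1_item_verify` starts before this hunk and ends after it, and this is the only verification entry point the patch touches; if the older `ASN1_verify()` in the same file is still reachable by callers it would presumably not apply this policy, which is worth confirming before relying on the check as a global digest ban.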
diff -up openssl-1.0.1e/crypto/o_init.c.deprecate-algos openssl-1.0.1e/crypto/o_init.c
--- openssl-1.0.1e/crypto/o_init.c.deprecate-algos	2016-10-04 16:12:30.342088500 +0200
+++ openssl-1.0.1e/crypto/o_init.c	2016-10-05 11:32:16.562259001 +0200
@@ -61,11 +61,22 @@
 #include <unistd.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <strings.h>
+#include <ctype.h>
 #include <openssl/fips.h>
 #include <openssl/rand.h>
+#include <openssl/dh.h>
+#include <openssl/objects.h>
 
 #define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
 
+#define LEGACY_SETTINGS_FILE "/etc/pki/tls/legacy-settings"
+
+#define NUM_MAX_LEGACY_MDS 8
+
+
 static void init_fips_mode(void)
 	{
 	char buf[2] = "0";
@@ -101,6 +112,138 @@ static void init_fips_mode(void)
 	}
 #endif
 
+int private_ossl_allowed_legacy_mds[NUM_MAX_LEGACY_MDS+1]; /* zero terminated */
+
+int private_ossl_minimum_dh_bits;
+
+static void parse_legacy_mds(char *p)
+	{
+	int idx = 0;
+	char *e = p;
+
+	while (p[0] != '\0')
+		{
+		while (e[0] != '\0' && !isspace(e[0]) && e[0] != ',')
+			{
+			++e;
+			}
+		if (e[0] != '\0')
+			{
+			e[0] = '\0';
+			++e;
+			}
+
+		if (strcasecmp(p, "md5") == 0)
+			{
+			private_ossl_allowed_legacy_mds[idx++] = NID_md5;
+			}
+		else if (strcasecmp(p, "md4") == 0)
+			{
+			private_ossl_allowed_legacy_mds[idx++] = NID_md4;
+			}
+		else if (strcasecmp(p, "sha") == 0)
+			{
+			private_ossl_allowed_legacy_mds[idx++] = NID_sha;
+			}
+		else if (strcasecmp(p, "md2") == 0)
+			{
+			private_ossl_allowed_legacy_mds[idx++] = NID_md2;
+			}
+
+		if (idx >= sizeof(private_ossl_allowed_legacy_mds)/sizeof(private_ossl_allowed_legacy_mds[0]))
+			{
+			break;
+			}
+
+		while (e[0] == ',' || isspace(e[0]))
+			{
+			++e;
+			}
+
+		p = e;
+		}
+	}
+
+static void parse_minimum_dh_bits(char *p)
+	{
+	private_ossl_minimum_dh_bits =  strtol(p, NULL, 10);
+	if (private_ossl_minimum_dh_bits < 512 || private_ossl_minimum_dh_bits > OPENSSL_DH_MAX_MODULUS_BITS)
+		{
+		/* use default */
+		private_ossl_minimum_dh_bits = 0;
+		}
+	}
+
+static void load_legacy_settings(void)
+	{
+	FILE *f;
+	char *line = NULL;
+	size_t len = 0;
+
+	if ((f = fopen(LEGACY_SETTINGS_FILE, "r")) == NULL)
+		{
+		return;
+		}
+
+	while (getline(&line, &len, f) > 0)
+		{
+		char *p = line, *e, *val;
+
+		/* skip initial whitespace */
+		while (isspace(p[0]))
+			{
+			++p;
+			}
+
+		e = p;
+
+		while (e[0] != '\0' && !isspace(e[0]))
+			{
+			++e;
+			}
+
+		/* terminate name, skip whitespace between name and value */
+		if (e[0] != '\0')
+			{
+			e[0] = '\0';
+			++e;
+			while (isspace(e[0]))
+				{
+				++e;
+				}
+			}
+
+		val = e;
+
+		e = e + strlen(val);
+
+		/* trim terminating whitespace */
+		while (e > val)
+			{
+			--e;
+			if (isspace(e[0]))
+				{
+				e[0] = '\0';
+				}
+			else
+				{
+				break;
+				}
+			}
+
+		if (strcasecmp(p, "LegacySigningMDs") == 0)
+			{
+			parse_legacy_mds(val);
+			}
+		else if (strcasecmp(line, "MinimumDHBits") == 0)
+			{
+			parse_minimum_dh_bits(val);
+			}
+		/* simply skip other unrecognized lines */
+		}
+	(void)fclose(f);
+	}
+
 /* Perform any essential OpenSSL initialization operations.
  * Currently only sets FIPS callbacks
  */
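Review bot: The bound check in `parse_legacy_mds` is off by one: `private_ossl_allowed_legacy_mds` has `NUM_MAX_LEGACY_MDS+1` slots and is documented as zero terminated, but the loop only breaks once `idx` reaches the full array size, so nine recognised tokens (duplicates count, e.g. `md5` repeated) fill the last slot and overwrite the terminator, after which the `private_ossl_allowed_legacy_mds[j] != 0` scan in a_verify.c reads past the array. The break should be `if (idx >= NUM_MAX_LEGACY_MDS)` so the final slot is never written. In `load_legacy_settings` the second keyword test compares the raw buffer, `strcasecmp(line, "MinimumDHBits")`, while the first compares the whitespace-stripped `p`, so a `MinimumDHBits` line with leading whitespace is silently ignored; it should be `strcasecmp(p, "MinimumDHBits")`. The buffer allocated by `getline` is never released, so `free(line);` belongs before the `fclose`. The `isspace(...)` calls receive plain `char` values, which is undefined for negative bytes in a root-editable file; cast the argument to `(unsigned char)` as ctype requires.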
@@ -111,6 +254,7 @@ void __attribute__ ((constructor)) OPENS
 	if (done)
 		return;
 	done = 1;
+	load_legacy_settings();
 #ifdef OPENSSL_FIPS
 	if (!FIPS_module_installed())
 		{
diff -up openssl-1.0.1e/ssl/s3_clnt.c.deprecate-algos openssl-1.0.1e/ssl/s3_clnt.c
--- openssl-1.0.1e/ssl/s3_clnt.c.deprecate-algos	2016-10-04 16:12:30.466091352 +0200
+++ openssl-1.0.1e/ssl/s3_clnt.c	2016-10-04 16:12:30.468091397 +0200
@@ -3238,6 +3238,8 @@ int ssl3_send_client_certificate(SSL *s)
 
 #define has_bits(i,m)	(((i)&(m)) == (m))
 
+extern int private_ossl_minimum_dh_bits;
+
 int ssl3_check_cert_and_algorithm(SSL *s)
 	{
 	int i,idx;
@@ -3338,8 +3340,7 @@ int ssl3_check_cert_and_algorithm(SSL *s
 	if (alg_k & SSL_kEDH)
 		{
 		int dh_size = BN_num_bits(dh->p);
-		if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
-		    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512))
+		if (dh_size < (private_ossl_minimum_dh_bits ? private_ossl_minimum_dh_bits : 1024))
 			{
 			SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
 			goto f_err;
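Review bot: The replacement DH check embeds the fallback as a bare `1024` inside the comparison and nothing at the site says where `private_ossl_minimum_dh_bits` comes from or that `0` means unset; a named constant plus a comment would help, e.g. `/* MinimumDHBits from LEGACY_SETTINGS_FILE, parsed in o_init.c; 0 means not configured, fall back to 1024 */`. Dropping the `SSL_C_IS_EXPORT` branch also means that if the export suites are ever compiled back in with OPENSSL_WEAK_SSL_CIPHERS their 512-bit ephemeral DH would now be rejected unless the configured minimum is lowered, and that coupling between the two halves of the patch is worth recording in the same comment. The `extern int private_ossl_minimum_dh_bits;` in the previous hunk repeats the header-less declaration pattern from o_init.c; a private header shared by both files would let the compiler catch type drift. `ssl3_check_cert_and_algorithm` starts before this hunk and continues after it.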
diff -up openssl-1.0.1e/ssl/s3_lib.c.deprecate-algos openssl-1.0.1e/ssl/s3_lib.c
--- openssl-1.0.1e/ssl/s3_lib.c.deprecate-algos	2016-10-04 16:12:30.399089811 +0200
+++ openssl-1.0.1e/ssl/s3_lib.c	2016-10-04 16:12:30.469091420 +0200
@@ -203,6 +203,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 03 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_RSA_RC4_40_MD5,
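Review bot: Each `#ifdef OPENSSL_WEAK_SSL_CIPHERS` opened here and in the following hunks of this file is closed by a bare `#endif`, and in the Kerberos block the new closer lands directly above `#endif	/* OPENSSL_NO_KRB5 */`, so the two nesting levels can only be told apart by counting; label the added closers in the file's existing style, `#endif /* OPENSSL_WEAK_SSL_CIPHERS */`. Nothing in this patch defines OPENSSL_WEAK_SSL_CIPHERS, so as far as this page shows the guarded 40/56-bit export, single-DES and Kerberos entries are compiled out unconditionally; a comment at this first guard stating that the macro is a deliberate build-time opt-in (and where it is expected to be set) would save the next reader a search. The same point applies to every later hunk of s3_lib.c.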
@@ -217,6 +218,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 
 /* Cipher 04 */
 	{
@@ -251,6 +253,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 06 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_RSA_RC2_40_MD5,
@@ -265,6 +268,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 
 /* Cipher 07 */
 #ifndef OPENSSL_NO_IDEA
@@ -285,6 +289,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 #endif
 
 /* Cipher 08 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_RSA_DES_40_CBC_SHA,
@@ -299,8 +304,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	56,
 	},
+#endif
 
 /* Cipher 09 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_RSA_DES_64_CBC_SHA,
@@ -315,6 +322,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 0A */
 	{
@@ -334,6 +342,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 
 /* The DH ciphers */
 /* Cipher 0B */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	0,
 	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
@@ -348,8 +357,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	56,
 	},
+#endif
 
 /* Cipher 0C */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	0, /* not implemented (non-ephemeral DH) */
 	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
@@ -364,6 +375,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 0D */
 	{
@@ -382,6 +394,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 0E */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	0, /* not implemented (non-ephemeral DH) */
 	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
@@ -396,8 +409,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	56,
 	},
+#endif
 
 /* Cipher 0F */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	0, /* not implemented (non-ephemeral DH) */
 	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
@@ -412,6 +427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 10 */
 	{
@@ -431,6 +447,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 
 /* The Ephemeral DH ciphers */
 /* Cipher 11 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
@@ -445,8 +462,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	56,
 	},
+#endif
 
 /* Cipher 12 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
@@ -461,6 +480,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 13 */
 	{
@@ -479,6 +499,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 14 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
@@ -493,8 +514,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	56,
 	},
+#endif
 
 /* Cipher 15 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
@@ -509,6 +532,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 16 */
 	{
@@ -527,6 +551,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 17 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_ADH_RC4_40_MD5,
@@ -541,6 +566,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 
 /* Cipher 18 */
 	{
@@ -559,6 +585,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 19 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_ADH_DES_40_CBC_SHA,
@@ -573,8 +600,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 
 /* Cipher 1A */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_ADH_DES_64_CBC_SHA,
@@ -589,6 +618,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 1B */
 	{
@@ -660,6 +690,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 #ifndef OPENSSL_NO_KRB5
 /* The Kerberos ciphers*/
 /* Cipher 1E */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_DES_64_CBC_SHA,
@@ -674,6 +705,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 1F */
 	{
@@ -724,6 +756,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 22 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_DES_64_CBC_MD5,
@@ -738,6 +771,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 /* Cipher 23 */
 	{
@@ -788,6 +822,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	},
 
 /* Cipher 26 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_DES_40_CBC_SHA,
@@ -802,8 +837,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	56,
 	},
+#endif
 
 /* Cipher 27 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_RC2_40_CBC_SHA,
@@ -818,8 +855,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 
 /* Cipher 28 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_RC4_40_SHA,
@@ -834,8 +873,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 
 /* Cipher 29 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_DES_40_CBC_MD5,
@@ -850,8 +891,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	56,
 	},
+#endif
 
 /* Cipher 2A */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_RC2_40_CBC_MD5,
@@ -866,8 +909,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 
 /* Cipher 2B */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	SSL3_TXT_KRB5_RC4_40_MD5,
@@ -882,6 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	40,
 	128,
 	},
+#endif
 #endif	/* OPENSSL_NO_KRB5 */
 
 /* New AES ciphersuites */
@@ -1305,6 +1351,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 #endif
 
 	/* Cipher 62 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
@@ -1319,8 +1366,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 	/* Cipher 63 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
@@ -1335,8 +1384,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	56,
 	},
+#endif
 
 	/* Cipher 64 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
@@ -1351,8 +1402,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	128,
 	},
+#endif
 
 	/* Cipher 65 */
+#ifdef OPENSSL_WEAK_SSL_CIPHERS
 	{
 	1,
 	TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
@@ -1367,6 +1420,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	56,
 	128,
 	},
+#endif
 
 	/* Cipher 66 */
 	{