From 8a1cd142f2531f0dc97ebeb06f1b1f0d10435ca5 Mon Sep 17 00:00:00 2001 From: Gerhard Rieger Date: Thu, 2 Apr 2015 16:29:14 +0200 Subject: [PATCH] FIPS requires 1024 bit DH prime --- CHANGES | 3 +++ xio-openssl.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index 9aa3997..c1eaf68 100644 --- a/CHANGES +++ b/CHANGES @@ -204,6 +204,9 @@ corrections: Fixed a few minor bugs with OpenSSL in configure and with messages + Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime + is required. Thanks to Zhigang Wang for reporting and sending a patch. + porting: Red Hat issue 1020203: configure checks fail with some compilers. Use case: clang diff --git a/xio-openssl.c b/xio-openssl.c index c17aa32..a031e35 100644 --- a/xio-openssl.c +++ b/xio-openssl.c @@ -1045,15 +1045,20 @@ int } { - static unsigned char dh512_p[] = { - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, + static unsigned char dh1024_p[] = { + 0xCC,0x17,0xF2,0xDC,0x96,0xDF,0x59,0xA4,0x46,0xC5,0x3E,0x0E, + 0xB8,0x26,0x55,0x0C,0xE3,0x88,0xC1,0xCE,0xA7,0xBC,0xB3,0xBF, + 0x16,0x94,0xD8,0xA9,0x45,0xA2,0xCE,0xA9,0x5B,0x22,0x25,0x5F, + 0x92,0x59,0x94,0x1C,0x22,0xBF,0xCB,0xC8,0xC8,0x57,0xCB,0xBF, + 0xBC,0x0E,0xE8,0x40,0xF9,0x87,0x03,0xBF,0x60,0x9B,0x08,0xC6, + 0x8E,0x99,0xC6,0x05,0xFC,0x00,0xD6,0x6D,0x90,0xA8,0xF5,0xF8, + 0xD3,0x8D,0x43,0xC8,0x8F,0x7A,0xBD,0xBB,0x28,0xAC,0x04,0x69, + 0x4A,0x0B,0x86,0x73,0x37,0xF0,0x6D,0x4F,0x04,0xF6,0xF5,0xAF, + 0xBF,0xAB,0x8E,0xCE,0x75,0x53,0x4D,0x7F,0x7D,0x17,0x78,0x0E, + 0x12,0x46,0x4A,0xAF,0x95,0x99,0xEF,0xBC,0xA6,0xC5,0x41,0x77, + 0x43,0x7A,0xB9,0xEC,0x8E,0x07,0x3C,0x6D, }; - static unsigned char dh512_g[] = { + static unsigned char dh1024_g[] = { 0x02, }; DH *dh; @@ -1066,8 +1071,8 @@ int } Error("DH_new() failed"); } else { - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); + dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); + dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); if ((dh->p == NULL) || (dh->g == NULL)) { while (err = ERR_get_error()) { Warn1("BN_bin2bn(): %s", @@ -1362,7 +1367,6 @@ static bool openssl_check_peername(X509_NAME *name, const char *peername) { return openssl_check_name((const char *)text, peername); } -/* retrieves certificate provided by peer, sets env vars containing /* retrieves certificate provided by peer, sets env vars containing certificates field values, and checks peername if provided by calling function */