You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by mt...@apache.org on 2014/04/16 14:52:16 UTC

svn commit: r1587896 - in /tomcat/native/branches/1.1.x: native/src/ssl.c xdocs/miscellaneous/changelog.xml

Author: mturk
Date: Wed Apr 16 12:52:16 2014
New Revision: 1587896

URL: http://svn.apache.org/r1587896
Log:
Fix Bz56396. Be tolerant on RSA keys < 1024 bits

Modified:
    tomcat/native/branches/1.1.x/native/src/ssl.c
    tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml

Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1587896&r1=1587895&r2=1587896&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
+++ tomcat/native/branches/1.1.x/native/src/ssl.c Wed Apr 16 12:52:16 2014
@@ -221,6 +221,14 @@ static const jint supported_ssl_opts = 0
 
 static int ssl_tmp_key_init_rsa(int bits, int idx)
 {
+#ifdef OPENSSL_FIPS
+    /**
+     * With FIPS mode short RSA keys cannot be
+     * generated.
+     */
+    if (bits < 1024)
+        return 0;
+#endif
     if (!(SSL_temp_keys[idx] =
           RSA_generate_key(bits, RSA_F4, NULL, NULL)))
         return 1;

Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1587896&r1=1587895&r2=1587896&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Wed Apr 16 12:52:16 2014
@@ -36,6 +36,14 @@
   new documentation project for Tomcat Native was started.
   </p>
 </section>
+<section name="Changes between 1.1.30 and 1.1.31">
+  <changelog>
+    <fix>
+      <bug>56396</bug>: Do not create RSA keys shorter the 1024 bits
+      if inside FIPS mode. (mturk)
+    </fix>      
+  </changelog>
+</section>
 <section name="Changes between 1.1.29 and 1.1.30">
   <changelog>
     <fix>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: svn commit: r1587896 - in /tomcat/native/branches/1.1.x: native/src/ssl.c xdocs/miscellaneous/changelog.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mladen,

On 4/16/14, 8:52 AM, mturk@apache.org wrote:
> Author: mturk
> Date: Wed Apr 16 12:52:16 2014
> New Revision: 1587896
> 
> URL: http://svn.apache.org/r1587896
> Log:
> Fix Bz56396. Be tolerant on RSA keys < 1024 bits
> 
> Modified:
>     tomcat/native/branches/1.1.x/native/src/ssl.c
>     tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
> 
> Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
> URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1587896&r1=1587895&r2=1587896&view=diff
> ==============================================================================
> --- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
> +++ tomcat/native/branches/1.1.x/native/src/ssl.c Wed Apr 16 12:52:16 2014
> @@ -221,6 +221,14 @@ static const jint supported_ssl_opts = 0
>  
>  static int ssl_tmp_key_init_rsa(int bits, int idx)
>  {
> +#ifdef OPENSSL_FIPS
> +    /**
> +     * With FIPS mode short RSA keys cannot be
> +     * generated.
> +     */
> +    if (bits < 1024)
> +        return 0;
> +#endif

Why not fix this by removing the actual call to
ssl_tmp_key_init_rsa(512) instead of modifying the behavior of the function?

-chris