Posted to dev@tomcat.apache.org by mt...@apache.org on 2014/04/16 14:52:16 UTC
svn commit: r1587896 - in /tomcat/native/branches/1.1.x: native/src/ssl.c xdocs/miscellaneous/changelog.xml
Author: mturk
Date: Wed Apr 16 12:52:16 2014
New Revision: 1587896
URL: http://svn.apache.org/r1587896
Log:
Fix Bz56396. Be tolerant on RSA keys < 1024 bits
Modified:
tomcat/native/branches/1.1.x/native/src/ssl.c
tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1587896&r1=1587895&r2=1587896&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
+++ tomcat/native/branches/1.1.x/native/src/ssl.c Wed Apr 16 12:52:16 2014
@@ -221,6 +221,14 @@ static const jint supported_ssl_opts = 0
static int ssl_tmp_key_init_rsa(int bits, int idx)
{
+#ifdef OPENSSL_FIPS
+ /**
+ * With FIPS mode short RSA keys cannot be
+ * generated.
+ */
+ if (bits < 1024)
+ return 0;
+#endif
if (!(SSL_temp_keys[idx] =
RSA_generate_key(bits, RSA_F4, NULL, NULL)))
return 1;
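Review bot: the new early `return 0` under `#ifdef OPENSSL_FIPS` reports success while leaving `SSL_temp_keys[idx]` untouched, so every caller that later uses that slot must already treat a NULL temporary key as "absent"; if that is not guaranteed, a distinct return value (or a log line) would let the caller record that the short key was skipped rather than silently proceeding. The guard is also compile-time only: a FIPS-capable build that runs with FIPS mode switched off will skip sub-1024-bit temporary RSA keys as well, although the comment says the restriction applies "with FIPS mode". If the intent is to skip only when FIPS is actually enforced, a runtime test inside the same `#ifdef`, e.g. `if (FIPS_mode() && bits < 1024)`, would match the comment. Minor: `/** ... */` is the doc-comment opener; a plain `/* ... */` fits an inline explanation.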
Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1587896&r1=1587895&r2=1587896&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Wed Apr 16 12:52:16 2014
@@ -36,6 +36,14 @@
new documentation project for Tomcat Native was started.
</p>
</section>
+<section name="Changes between 1.1.30 and 1.1.31">
+ <changelog>
+ <fix>
+ <bug>56396</bug>: Do not create RSA keys shorter the 1024 bits
+ if inside FIPS mode. (mturk)
+ </fix>
+ </changelog>
+</section>
<section name="Changes between 1.1.29 and 1.1.30">
<changelog>
<fix>
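Review bot: the new `<fix>` entry has a typo, "shorter the 1024 bits" should read "shorter than 1024 bits". Its wording also differs slightly from the commit log ("Be tolerant on RSA keys < 1024 bits"): saying that generation of such keys is skipped under FIPS, with the call still returning success, would describe the ssl.c change exactly.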
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1587896 - in /tomcat/native/branches/1.1.x: native/src/ssl.c xdocs/miscellaneous/changelog.xml
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mladen,
On 4/16/14, 8:52 AM, mturk@apache.org wrote:
> Author: mturk
> Date: Wed Apr 16 12:52:16 2014
> New Revision: 1587896
>
> URL: http://svn.apache.org/r1587896
> Log:
> Fix Bz56396. Be tolerant on RSA keys < 1024 bits
>
> Modified:
> tomcat/native/branches/1.1.x/native/src/ssl.c
> tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
>
> Modified: tomcat/native/branches/1.1.x/native/src/ssl.c
> URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/ssl.c?rev=1587896&r1=1587895&r2=1587896&view=diff
> ==============================================================================
> --- tomcat/native/branches/1.1.x/native/src/ssl.c (original)
> +++ tomcat/native/branches/1.1.x/native/src/ssl.c Wed Apr 16 12:52:16 2014
> @@ -221,6 +221,14 @@ static const jint supported_ssl_opts = 0
>
> static int ssl_tmp_key_init_rsa(int bits, int idx)
> {
> +#ifdef OPENSSL_FIPS
> + /**
> + * With FIPS mode short RSA keys cannot be
> + * generated.
> + */
> + if (bits < 1024)
> + return 0;
> +#endif
Why not fix this by removing the actual call to
ssl_tmp_key_init_rsa(512) instead of modifying the behavior of the function?
-chris