From f620abe9c93510ab65e372be40cb4765465eec947f986385cd2399ec088f7973 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Tue, 17 Mar 2015 13:51:53 +0000
Subject: [PATCH] - Add patch to use proper SSL exponent bnc#922571 * cfengine-fips.patch
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/cfengine?expand=0&rev=117
---
 cfengine-fips.patch | 66 +++++++++++++++++++++++++++++++++++++++++++++
 cfengine.changes | 6 +++++
 cfengine.spec | 3 +++
 3 files changed, 75 insertions(+)
 create mode 100644 cfengine-fips.patch
diff --git a/cfengine-fips.patch b/cfengine-fips.patch
new file mode 100644
index 0000000..81b1b0f
--- /dev/null
+++ b/cfengine-fips.patch
@@ -0,0 +1,66 @@
+Index: core-3.6.5/cf-key/cf-key-functions.c
+===================================================================
+--- core-3.6.5.orig/cf-key/cf-key-functions.c
++++ core-3.6.5/cf-key/cf-key-functions.c
+@@ -243,11 +243,11 @@ void KeepKeyPromises(const char *public_
+ printf("Making a key pair for cfengine, please wait, this could take a minute...\n");
+
+ #ifdef OPENSSL_NO_DEPRECATED
+- BN_set_word(rsa_bignum, 35);
++ BN_set_word(rsa_bignum, RSA_F4);
+
+ if (!RSA_generate_key_ex(pair, 2048, rsa_bignum, NULL))
+ #else
+- pair = RSA_generate_key(2048, 35, NULL, NULL);
++ pair = RSA_generate_key(2048, 65537, NULL, NULL);
+
+ if (pair == NULL)
+ #endif
+Index: core-3.6.5/tests/unit/hash_test.c
+===================================================================
+--- core-3.6.5.orig/tests/unit/hash_test.c
++++ core-3.6.5/tests/unit/hash_test.c
+@@ -52,7 +52,7 @@ void tests_setup()
+ initialized = 0;
+ return;
+ }
+- BN_set_word(bn, 3);
++ BN_set_word(bn, RSA_F4);
+ RSA_generate_key_ex(rsa, 1024, bn, NULL);
+ BN_free(bn);
+ }
+Index: core-3.6.5/tests/unit/key_test.c
+===================================================================
+--- core-3.6.5.orig/tests/unit/key_test.c
++++ core-3.6.5/tests/unit/key_test.c
+@@ -25,7 +25,7 @@ void test_setup()
+ initialized = 0;
+ return;
+ }
+- BN_set_word(bn, 3);
++ BN_set_word(bn, RSA_F4);
+ RSA_generate_key_ex(rsa, 1024, bn, NULL);
+ BN_free(bn);
+ }
+Index: core-3.6.5/tests/unit/tls_generic_test.c
+===================================================================
+--- core-3.6.5.orig/tests/unit/tls_generic_test.c
++++ core-3.6.5/tests/unit/tls_generic_test.c
+@@ -54,7 +54,7 @@ static bool init_test_server()
+ int ret;
+ RSA *key = RSA_new();
+ BIGNUM *bignum = BN_new();
+- BN_set_word(bignum, 17);
++ BN_set_word(bignum, RSA_F4);
+ ret = RSA_generate_key_ex(key, 1024, bignum, NULL);
+ if (!ret)
+ {
+@@ -450,7 +450,7 @@ static bool init_test_client()
+ int ret;
+ RSA *key = RSA_new();
+ BIGNUM *bignum = BN_new();
+- BN_set_word(bignum, 17);
++ BN_set_word(bignum, RSA_F4);
+ ret = RSA_generate_key_ex(key, 1024, bignum, NULL);
+ if (!ret)
+ {
diff --git a/cfengine.changes b/cfengine.changes
index 93f3895..e4053ca 100644
--- a/cfengine.changes
+++ b/cfengine.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 17 13:51:18 UTC 2015 - tchvatal@suse.com
+
+- Add patch to use proper SSL exponent bnc#922571
+ * cfengine-fips.patch
+
 -------------------------------------------------------------------
 Tue Mar 17 13:41:26 UTC 2015 - tchvatal@suse.com

diff --git a/cfengine.spec b/cfengine.spec
index 5fb3df6..1d29690 100644
--- a/cfengine.spec
+++ b/cfengine.spec
@@ -64,6 +64,8 @@ Patch5: 0001-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch # set cfengine's notion of bindir to /usr/sbin instead of /var/cfengine/bin # kkaempf@suse.de Patch6: 0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch +# PATCH-FIX-UPSTREAM: Use ssl exponent of 65537 for FIPS bnc#922571 +Patch7: cfengine-fips.patch BuildRequires: bison BuildRequires: db-devel BuildRequires: flex
@@ -186,6 +188,7 @@ Lots of examples promises for CFEngine. %endif %patch5 -p1 %patch6 -p1 +%patch7 -p1 ##### rpmlint #### wrong-file-end-of-line-encoding
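Review bot: In cfengine-fips.patch, the `#else` branch of KeepKeyPromises spells the new exponent as the literal `65537` while every other changed call uses `RSA_F4`; writing `pair = RSA_generate_key(2048, RSA_F4, NULL, NULL);` keeps the two preprocessor branches visibly identical. In the hash_test.c and key_test.c hunks the result of `RSA_generate_key_ex(rsa, 1024, bn, NULL);` is still ignored, so if a FIPS-mode library refuses the request the fixture carries on with an unpopulated key; a check such as `if (!RSA_generate_key_ex(rsa, 1024, bn, NULL)) { initialized = 0; }` placed before `BN_free(bn)` would surface that, mirroring what the preceding lines appear to do on allocation failure. All four test hunks also keep a 1024-bit modulus, which is smaller than the 2048 bits cf-key itself requests and may be rejected by stricter FIPS configurations, so the exponent change alone may not be enough for the tests to pass there. Each of these functions begins or ends outside its hunk.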