Hi, On Fri, Jul 08, 2016 at 06:18:08PM +0200, Jan Just Keijser wrote: > https://build.opensuse.org/package/view_file/network:vpn/openvpn/openvpn-fips140-2.3.2.patch?expand=1
It seems to mostly replace all "md5_..." stuff with "sha1_..." functions
(looks very much like find-and-replace to me...) *and* it adds a special
fips function call that allows MD5 in certain circumstances...
+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+ * to be used anywhere else */
+ if(kt == EVP_md5() && prf_use)
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
The main usage we have for md5 is the PUSH_OPTION hash comparison - which
is really not a "crypto" thing, just a "hash that is around to be used",
and it's a local thing - so changing that all to sha1_* will not harm
interoperability.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
signature.asc
Description: PGP signature
