rpms / crypto-policies

Clone
Source Code
GIT

Blame SOURCES/crypto-policies-java-fix.patch

c8 c8-beta c8s c9 c9-beta
  1.   99b4329959cb07d5029f32d0a38eda4043c91df6
  2.   SOURCES
  3.   crypto-policies-java-fix.patch
Blob History Raw
99b432 
commit 2ff4c6d3791a0ad581181997ee5a04b83b7c7341
99b432 
Author: Tomas Mraz <tmraz@fedoraproject.org>
99b432 
Date:   Thu Jan 31 16:23:52 2019 +0100
99b432
99b432 
    java: Allow incorrectly disabled RSA certificates in TLS
99b432
99b432 
    The FUTURE and NEXT policies incorrectly disabled RSA certificates,
99b432 
    allow them.
99b432
99b432 
diff --git a/back-ends/java.pl b/back-ends/java.pl
99b432 
index 0789251..325544a 100644
99b432 
--- a/back-ends/java.pl
99b432 
+++ b/back-ends/java.pl
99b432 
@@ -72,7 +72,7 @@ my %key_exchange_not_map = (
99b432 
 	'EXPORT' => 'RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT',
99b432 
 	'DH'         => 'DH_RSA, DH_DSS',
99b432 
 	'ANON'       => 'DH_anon, ECDH_anon',
99b432 
-	'RSA'        => 'RSA',
99b432 
+	'RSA'        => 'TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256',
99b432 
 	'DHE-RSA'      => 'DHE_RSA',
99b432 
 	'DHE-DSS'      => 'DHE_DSS',
99b432 
 	'ECDHE'      => 'ECDHE',
99b432 
diff --git a/tests/outputs/EMPTY-java.txt b/tests/outputs/EMPTY-java.txt
99b432 
index 0011734..3cf0e2a 100644
99b432 
--- a/tests/outputs/EMPTY-java.txt
99b432 
+++ b/tests/outputs/EMPTY-java.txt
99b432 
@@ -1,4 +1,4 @@
99b432 
 jdk.tls.ephemeralDHKeySize=0
99b432 
 jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA1, MD5, DSA, RSA keySize < 0
99b432 
-jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, RSA, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
99b432 
+jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
99b432 
 jdk.tls.legacyAlgorithms=
99b432 
diff --git a/tests/outputs/FIPS-java.txt b/tests/outputs/FIPS-java.txt
99b432 
index 808778c..d9fe8aa 100644
99b432 
--- a/tests/outputs/FIPS-java.txt
99b432 
+++ b/tests/outputs/FIPS-java.txt
99b432 
@@ -1,4 +1,4 @@
99b432 
 jdk.tls.ephemeralDHKeySize=2048
99b432 
 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
99b432 
-jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
99b432 
+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
99b432 
 jdk.tls.legacyAlgorithms=
99b432 
diff --git a/tests/outputs/FUTURE-java.txt b/tests/outputs/FUTURE-java.txt
99b432 
index fd2db04..9d57348 100644
99b432 
--- a/tests/outputs/FUTURE-java.txt
99b432 
+++ b/tests/outputs/FUTURE-java.txt
99b432 
@@ -1,4 +1,4 @@
99b432 
 jdk.tls.ephemeralDHKeySize=3072
99b432 
 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 3072
99b432 
-jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
99b432 
+jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
99b432 
 jdk.tls.legacyAlgorithms=
99b432 
diff -up crypto-policies/tests/java.pl.java-fix crypto-policies/tests/java.pl
99b432 
--- crypto-policies/tests/java.pl.java-fix	2018-12-17 17:01:44.000000000 +0100
99b432 
+++ crypto-policies/tests/java.pl	2019-02-08 10:05:28.152358692 +0100
99b432 
@@ -45,14 +45,7 @@ foreach my $policy (@profiles::common::p
99b432 
 	}
99b432
99b432 
 	my $lines=`cat $TMPFILE2|wc -l`;
99b432 
-	if ("$policy" eq "EMPTY") {
99b432 
-		if ($lines >= 2) { # we allow the SCSV
99b432 
-			print "Empty policy has ciphersuites!\n";
99b432 
-			print "Policy: $tmp\n";
99b432 
-			system("cat $TMPFILE2");
99b432 
-			exit 1;
99b432 
-		}
99b432 
-	} else {
99b432 
+	if ("$policy" ne "EMPTY") {
99b432 
 		system("grep \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\" $TMPFILE2 >/dev/null 2>&1");
99b432
99b432 
 		if ($? != 0) {

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation