commit 2ff4c6d3791a0ad581181997ee5a04b83b7c7341
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date:   Thu Jan 31 16:23:52 2019 +0100

    java: Allow incorrectly disabled RSA certificates in TLS
    
    The FUTURE and NEXT policies incorrectly disabled RSA certificates,
    allow them.

diff --git a/back-ends/java.pl b/back-ends/java.pl
index 0789251..325544a 100644
--- a/back-ends/java.pl
+++ b/back-ends/java.pl
@@ -72,7 +72,7 @@ my %key_exchange_not_map = (
 	'EXPORT' => 'RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT',
 	'DH'         => 'DH_RSA, DH_DSS',
 	'ANON'       => 'DH_anon, ECDH_anon',
-	'RSA'        => 'RSA',
+	'RSA'        => 'TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256',
 	'DHE-RSA'      => 'DHE_RSA',
 	'DHE-DSS'      => 'DHE_DSS',
 	'ECDHE'      => 'ECDHE',
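Review bot: The new `'RSA'` value is a fixed list of six AES suites, so any other RSA key-exchange suite the JDK offers is no longer covered by this entry. Such a suite stays enabled unless a cipher or MAC token elsewhere in the policy blocks it; `SSL_RSA_WITH_3DES_EDE_CBC_SHA`, for example, appears to be caught only by `3DES_EDE_CBC` in the test outputs. Please record the reason and the maintenance duty at the entry, e.g. `# Bare 'RSA' also disables RSA certificates, so RSA key exchange is listed per ciphersuite; extend this list when the JDK adds suites.` The `%key_exchange_not_map` definition starts and ends outside this hunk, so how the value reaches `jdk.tls.disabledAlgorithms` is inferred from the expected outputs.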
diff --git a/tests/outputs/EMPTY-java.txt b/tests/outputs/EMPTY-java.txt
index 0011734..3cf0e2a 100644
--- a/tests/outputs/EMPTY-java.txt
+++ b/tests/outputs/EMPTY-java.txt
@@ -1,4 +1,4 @@
 jdk.tls.ephemeralDHKeySize=0
 jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA1, MD5, DSA, RSA keySize < 0
-jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, RSA, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
 jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/FIPS-java.txt b/tests/outputs/FIPS-java.txt
index 808778c..d9fe8aa 100644
--- a/tests/outputs/FIPS-java.txt
+++ b/tests/outputs/FIPS-java.txt
@@ -1,4 +1,4 @@
 jdk.tls.ephemeralDHKeySize=2048
 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
 jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/FUTURE-java.txt b/tests/outputs/FUTURE-java.txt
index fd2db04..9d57348 100644
--- a/tests/outputs/FUTURE-java.txt
+++ b/tests/outputs/FUTURE-java.txt
@@ -1,4 +1,4 @@
 jdk.tls.ephemeralDHKeySize=3072
 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 3072
-jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
+jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
 jdk.tls.legacyAlgorithms=
diff -up crypto-policies/tests/java.pl.java-fix crypto-policies/tests/java.pl
--- crypto-policies/tests/java.pl.java-fix	2018-12-17 17:01:44.000000000 +0100
+++ crypto-policies/tests/java.pl	2019-02-08 10:05:28.152358692 +0100
@@ -45,14 +45,7 @@ foreach my $policy (@profiles::common::p
 	}
 
 	my $lines=`cat $TMPFILE2|wc -l`;
-	if ("$policy" eq "EMPTY") {
-		if ($lines >= 2) { # we allow the SCSV
-			print "Empty policy has ciphersuites!\n";
-			print "Policy: $tmp\n";
-			system("cat $TMPFILE2");
-			exit 1;
-		}
-	} else {
+	if ("$policy" ne "EMPTY") {
 		system("grep \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\" $TMPFILE2 >/dev/null 2>&1");
 		
 		if ($? != 0) {
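Review bot: Dropping the `EMPTY` branch means the test no longer fails when the EMPTY policy leaves ciphersuites enabled, and the commit message does not say why that assertion had to go. RSA key exchange is now disabled through an enumerated suite list, and this was the one visible check that would notice a suite slipping through. If the JDK legitimately reports extra entries here, prefer loosening the bound over deleting the check. Otherwise record the reason above the new condition, e.g. `# EMPTY: ciphersuite count not asserted because <reason>`. `$lines` is still computed just above and may now be unused, but the loop body continues past the end of this hunk, so that is not certain.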