|
 |
fd1438 |
Limit curves defaults in FIPS mode
|
|
|
fd1438 |
|
|
|
fd1438 |
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
|
|
|
fd1438 |
but stunnel defaults to enabling them and then fails to do so.
|
|
|
fd1438 |
|
|
|
fd1438 |
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
|
|
|
fd1438 |
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
|
|
|
fd1438 |
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
|
|
|
fd1438 |
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
|
|
|
fd1438 |
@@ -40,8 +40,10 @@
|
|
|
fd1438 |
|
|
|
fd1438 |
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
|
fd1438 |
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
|
|
|
fd1438 |
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
|
|
|
fd1438 |
#else /* OpenSSL version < 1.1.1 */
|
|
|
fd1438 |
#define DEFAULT_CURVES "prime256v1"
|
|
|
fd1438 |
+#define DEFAULT_CURVES_FIPS "prime256v1"
|
|
|
fd1438 |
#endif /* OpenSSL version >= 1.1.1 */
|
|
|
fd1438 |
|
|
|
fd1438 |
#if defined(_WIN32_WCE) && !defined(CONFDIR)
|
|
|
fd1438 |
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
|
|
|
fd1438 |
/* curves */
|
|
|
fd1438 |
switch(cmd) {
|
|
|
fd1438 |
case CMD_SET_DEFAULTS:
|
|
|
fd1438 |
- section->curves=str_dup_detached(DEFAULT_CURVES);
|
|
|
fd1438 |
+ section->curves = NULL;
|
|
|
fd1438 |
break;
|
|
|
fd1438 |
case CMD_SET_COPY:
|
|
|
fd1438 |
section->curves=str_dup_detached(new_service_options.curves);
|
|
|
fd1438 |
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
|
|
|
fd1438 |
section->curves=str_dup_detached(arg);
|
|
|
fd1438 |
return NULL; /* OK */
|
|
|
fd1438 |
case CMD_INITIALIZE:
|
|
|
fd1438 |
+ if(!section->curves) {
|
|
|
fd1438 |
+ /* this is only executed for global options, because
|
|
|
fd1438 |
+ * section->curves is no longer NULL in sections */
|
|
|
fd1438 |
+#ifdef USE_FIPS
|
|
|
fd1438 |
+ if(new_global_options.option.fips)
|
|
|
fd1438 |
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
|
|
|
fd1438 |
+ else
|
|
|
fd1438 |
+#endif /* USE_FIPS */
|
|
|
fd1438 |
+ section->curves=str_dup_detached(DEFAULT_CURVES);
|
|
|
fd1438 |
+ }
|
|
|
fd1438 |
break;
|
|
|
fd1438 |
case CMD_PRINT_DEFAULTS:
|
|
|
fd1438 |
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
|
|
fd1438 |
+ if(fips_available()) {
|
|
|
fd1438 |
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
|
|
fd1438 |
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
|
|
|
fd1438 |
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
|
|
fd1438 |
+ DEFAULT_CURVES, "(with \"fips = no\")");
|
|
|
fd1438 |
+ } else {
|
|
|
fd1438 |
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
|
|
fd1438 |
+ }
|
|
|
fd1438 |
break;
|
|
|
fd1438 |
case CMD_PRINT_HELP:
|
|
|
fd1438 |
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
|