It seems to mostly replace all "md5_..." stuff with "sha1_..." functions
 (looks very much like find-and-replace to me...) *and* it adds a special
 fips function call that allows MD5 in certain circumstances...

 + /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
 + * to be used anywhere else */
 + if(kt == EVP_md5() && prf_use)
 + HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
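
Review bot: the MD5 exemption on the `if(kt == EVP_md5() && prf_use)` line rests entirely on the caller passing `prf_use` correctly, and nothing in these lines shows where that value is set. Since the comment states MD5 is not to be used anywhere else, `prf_use` should default to off and be true only on the PRF path, with that contract documented on the parameter. Also put braces around the single-statement body so a later addition cannot end up outside the condition and set `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` unconditionally.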


 The main usage we have for md5 is the PUSH_OPTION hash comparison - which 
 is really not a "crypto" thing, just a "hash that is around to be used",
 and it's a local thing - so changing that all to sha1_* will not harm
 interoperability.

 gert


 
 
 I browsed through the opensuse patch and it appeared to match up with the 
source files for openvpn 2.3.11 so I applied the patch.  I am now successfully 
connecting the tunnel in FIPS MODE!!
 
Thanks for the assistance!
 
Peter
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
