public inbox for git-commits@fedoraproject.org
From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: - add -x931 parameter to openssl genrsa command to use the ANSI X9.31
Date: Tue, 09 Jun 2026 12:42:22 GMT
Message-ID: <178100894270.1.15868711291805195812.rpms-openssl-65ebbaecc744@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 65ebbaecc744b4901110add61ef741bc562722cd
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2011-02-04T15:27:28+01:00
Stats  : +28/-0 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/65ebbaecc744b4901110add61ef741bc562722cd?branch=rebase_40beta

Log:
- add -x931 parameter to openssl genrsa command to use the ANSI X9.31
  key generation method
- use FIPS-186-3 method for DSA parameter generation
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
  to allow using MD5 when the system is in the maintenance state
  even if the /proc fips flag is on
- make openssl pkcs12 command work by default in the FIPS mode

---
diff --git a/openssl-1.0.0c-pkcs12-fips-default.patch b/openssl-1.0.0c-pkcs12-fips-default.patch
new file mode 100644
index 0000000..a671722
--- /dev/null
+++ b/openssl-1.0.0c-pkcs12-fips-default.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
+--- openssl-1.0.0c/apps/pkcs12.c.fips-default	2009-07-27 23:08:45.000000000 +0200
++++ openssl-1.0.0c/apps/pkcs12.c	2011-02-04 15:25:38.000000000 +0100
+@@ -67,6 +67,9 @@
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ #include <openssl/pkcs12.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+ 
+ #define PROG pkcs12_main
+ 
+@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
+ 
+     apps_startup();
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode())
++	cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
++#endif
++
+     enc = EVP_des_ede3_cbc();
+     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+ 
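
Review bot: In the pkcs12.c hunk after apps_startup(), `cert_pbe = key_pbe;` silently changes the certificate PBE default whenever FIPS_mode() is true, and the commit touches only this patch file and the spec, so nothing documents that a PKCS#12 file written in FIPS mode protects its certificates differently from one written outside it. Suggest extending the comment to name the algorithm certificates end up with, and adding a sentence to the pkcs12 documentation. Because the assignment runs right after startup, ahead of the rest of MAIN, it only replaces the default: worth confirming that an explicitly requested non-approved certificate PBE still fails with a clear error in FIPS mode. Style: that line is indented with a tab where the surrounding lines use four spaces.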

diff --git a/openssl.spec b/openssl.spec
index 4816e8a..5e606ca 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -67,6 +67,7 @@ Patch55: openssl-1.0.0c-apps-ipv6listen.patch
 Patch56: openssl-1.0.0c-rsa-x931.patch
 Patch57: openssl-1.0.0c-fips186-3.patch
 Patch58: openssl-1.0.0c-fips-md5-allow.patch
+Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
 # Backported fixes including security fixes
 
 License: OpenSSL
@@ -154,6 +155,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch56 -p1 -b .x931
 %patch57 -p1 -b .fips186-3
 %patch58 -p1 -b .md5-allow
+%patch59 -p1 -b .fips-default
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -410,6 +412,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 - add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
   to allow using MD5 when the system is in the maintenance state
   even if the /proc fips flag is on
+- make openssl pkcs12 command work by default in the FIPS mode
 
 * Mon Jan 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-2
 - listen on ipv6 wildcard in s_server so we accept connections
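
Review bot: The new changelog line is appended to the existing top entry, and none of the three openssl.spec hunks touches Release, so this patch would build under the same version-release as the entry it joins; if that release has already been built, bump Release and start a new changelog entry. Also, the commit log lists four changes (-x931, FIPS-186-3 DSA parameters, the MD5 environment variable, pkcs12 in FIPS mode) while the diff adds only Patch59 and its changelog line; Patch56 to Patch58 appear as unchanged context, so the log would be more accurate if it described just the pkcs12 change.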
