diff --git a/openssl.spec b/openssl.spec index cac882d..56068fb 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.0 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -49,7 +49,7 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch # Add FIPS_mode() compatibility macro Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch # Add check to see if fips flag is enabled in kernel -#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch +Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch # remove unsupported EC curves Patch11: 0011-Remove-EC-curves.patch # Instructions to load legacy provider in openssl.cnf @@ -58,6 +58,10 @@ Patch24: 0024-load-legacy-prov.patch Patch30: 0030-tmp-Fix-rng-seed-double-free.patch # Tmp: test name change Patch31: 0031-tmp-Fix-test-names.patch +# We load FIPS provider and set FIPS properties implicitly +Patch32: 0032-Force-fips.patch +# Embed HMAC into the fips.so +Patch33: 0033-FIPS-embed-hmac.patch # Tmp: coverity Patch100: 0100-coverity.patch @@ -231,18 +235,27 @@ OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE +#embed HMAC into fips provider for test run +LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac +cp providers/fips.so providers/fips.so.orig +objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac +mv providers/fips.so.mac providers/fips.so +#run tests itself make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library -#%define __spec_install_post \ -# %{?__debug_package:%{__debug_install_post}} \ -# %{__arch_install_post} \ -# %{__os_install_post} \ -# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \ -# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \ -# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \ -# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \ -#%{nil} +# We manually copy standard definition of __spec_install_post +# and add hmac calculation/embedding to fips.so +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ + cp $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.orig \ + objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ + mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ + rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ +%{nil} %define __provides_exclude_from %{_libdir}/openssl @@ -382,6 +395,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Nov 18 2021 Dmitry Belyavskiy - 1:3.0.0-4 +- Embed FIPS HMAC in fips.so +- Enforce loading FIPS provider when FIPS kernel flag is on + * Thu Oct 07 2021 Dmitry Belyavskiy - 1:3.0.0-3 - Fix memory leak in s_client - Related: rhbz#1996092