Embed correct HMAC into fips provider

We have stripped production version and unstripped version for tests.
Related: rhbz#1985362
This commit is contained in:
Dmitry Belyavskiy 2021-11-22 11:20:40 +01:00
parent 5c4e10ac26
commit 3ff0db7558

View File

@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.0 Version: 3.0.0
Release: 3%{?dist} Release: 4%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -49,7 +49,7 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# Add FIPS_mode() compatibility macro # Add FIPS_mode() compatibility macro
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
# Add check to see if fips flag is enabled in kernel # Add check to see if fips flag is enabled in kernel
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves # remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch Patch11: 0011-Remove-EC-curves.patch
# Instructions to load legacy provider in openssl.cnf # Instructions to load legacy provider in openssl.cnf
@ -58,6 +58,10 @@ Patch24: 0024-load-legacy-prov.patch
Patch30: 0030-tmp-Fix-rng-seed-double-free.patch Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
# Tmp: test name change # Tmp: test name change
Patch31: 0031-tmp-Fix-test-names.patch Patch31: 0031-tmp-Fix-test-names.patch
# We load FIPS provider and set FIPS properties implicitly
Patch32: 0032-Force-fips.patch
# Embed HMAC into the fips.so
Patch33: 0033-FIPS-embed-hmac.patch
# Tmp: coverity # Tmp: coverity
Patch100: 0100-coverity.patch Patch100: 0100-coverity.patch
@ -231,18 +235,27 @@ OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
#embed HMAC into fips provider for test run
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
cp providers/fips.so providers/fips.so.orig
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
#run tests itself
make test HARNESS_JOBS=8 make test HARNESS_JOBS=8
# Add generation of HMAC checksum of the final stripped library # Add generation of HMAC checksum of the final stripped library
#%define __spec_install_post \ # We manually copy standard definition of __spec_install_post
# %{?__debug_package:%{__debug_install_post}} \ # and add hmac calculation/embedding to fips.so
# %{__arch_install_post} \ %define __spec_install_post \
# %{__os_install_post} \ %{?__debug_package:%{__debug_install_post}} \
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \ %{__arch_install_post} \
# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \ %{__os_install_post} \
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \ LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \ cp $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.orig \
#%{nil} objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
%{nil}
%define __provides_exclude_from %{_libdir}/openssl %define __provides_exclude_from %{_libdir}/openssl
@ -382,6 +395,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4
- Embed FIPS HMAC in fips.so
- Enforce loading FIPS provider when FIPS kernel flag is on
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3 * Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
- Fix memory leak in s_client - Fix memory leak in s_client
- Related: rhbz#1996092 - Related: rhbz#1996092