Embed correct HMAC into fips provider
The production fips.so is stripped, while the unstripped one is used for the tests, so each needs its own HMAC. Related: rhbz#1985362
parent
5c4e10ac26
commit
3ff0db7558
39
openssl.spec
39
openssl.spec
@ -15,7 +15,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.0
|
Version: 3.0.0
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -49,7 +49,7 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
|||||||
# Add FIPS_mode() compatibility macro
|
# Add FIPS_mode() compatibility macro
|
||||||
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||||
# Add check to see if fips flag is enabled in kernel
|
# Add check to see if fips flag is enabled in kernel
|
||||||
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||||
# remove unsupported EC curves
|
# remove unsupported EC curves
|
||||||
Patch11: 0011-Remove-EC-curves.patch
|
Patch11: 0011-Remove-EC-curves.patch
|
||||||
# Instructions to load legacy provider in openssl.cnf
|
# Instructions to load legacy provider in openssl.cnf
|
||||||
@ -58,6 +58,10 @@ Patch24: 0024-load-legacy-prov.patch
|
|||||||
Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
|
Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
|
||||||
# Tmp: test name change
|
# Tmp: test name change
|
||||||
Patch31: 0031-tmp-Fix-test-names.patch
|
Patch31: 0031-tmp-Fix-test-names.patch
|
||||||
|
# We load FIPS provider and set FIPS properties implicitly
|
||||||
|
Patch32: 0032-Force-fips.patch
|
||||||
|
# Embed HMAC into the fips.so
|
||||||
|
Patch33: 0033-FIPS-embed-hmac.patch
|
||||||
# Tmp: coverity
|
# Tmp: coverity
|
||||||
Patch100: 0100-coverity.patch
|
Patch100: 0100-coverity.patch
|
||||||
|
|
||||||
@ -231,18 +235,27 @@ OPENSSL_ENABLE_MD5_VERIFY=
|
|||||||
export OPENSSL_ENABLE_MD5_VERIFY
|
export OPENSSL_ENABLE_MD5_VERIFY
|
||||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||||
|
#embed HMAC into fips provider for test run
|
||||||
|
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
|
||||||
|
cp providers/fips.so providers/fips.so.orig
|
||||||
|
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
|
||||||
|
mv providers/fips.so.mac providers/fips.so
|
||||||
|
#run tests itself
|
||||||
make test HARNESS_JOBS=8
|
make test HARNESS_JOBS=8
|
||||||
|
|
||||||
# Add generation of HMAC checksum of the final stripped library
|
# Add generation of HMAC checksum of the final stripped library
|
||||||
#%define __spec_install_post \
|
# We manually copy standard definition of __spec_install_post
|
||||||
# %{?__debug_package:%{__debug_install_post}} \
|
# and add hmac calculation/embedding to fips.so
|
||||||
# %{__arch_install_post} \
|
%define __spec_install_post \
|
||||||
# %{__os_install_post} \
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
|
%{__arch_install_post} \
|
||||||
# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
|
%{__os_install_post} \
|
||||||
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||||
# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
|
cp $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.orig \
|
||||||
#%{nil}
|
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
|
||||||
|
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
|
||||||
|
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
%define __provides_exclude_from %{_libdir}/openssl
|
%define __provides_exclude_from %{_libdir}/openssl
|
||||||
|
|
||||||
@ -382,6 +395,10 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4
|
||||||
|
- Embed FIPS HMAC in fips.so
|
||||||
|
- Enforce loading FIPS provider when FIPS kernel flag is on
|
||||||
|
|
||||||
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
|
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
|
||||||
- Fix memory leak in s_client
|
- Fix memory leak in s_client
|
||||||
- Related: rhbz#1996092
|
- Related: rhbz#1996092
|
||||||
|
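Review bot: The new `__spec_install_post` copies the provider to `fips.so.orig` inside `$RPM_BUILD_ROOT%{_libdir}/ossl-modules/` but only ever removes `fips.so.hmac`, so an un-MACed duplicate of the FIPS module is left in the buildroot where it will either be packaged alongside the real `fips.so` or trip the unpackaged-files check; nothing in the hunk reads the copy, so either drop the `cp` or add `rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.orig \` next to the existing `rm`. The same applies, less critically, to the `cp providers/fips.so providers/fips.so.orig` in the test run. The 64-hex-digit HMAC key is now spelled out twice, once for the `%check` run and once for the install hook, and it must also match whatever Patch33 compiles into the provider's integrity self-test; defining it once, e.g. `%global fips_hmac_key f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813`, and referencing `%{fips_hmac_key}` in both `-macopt hexkey:` arguments keeps the copies from drifting. A one-line comment above that definition should state that this is the fixed key the provider verifies against (presumably the upstream fipsinstall key), so a reader does not mistake it for a secret or for a tamper-resistance mechanism. Note too that `objcopy --update-section .rodata1=...` will fail unless the section already exists in the stripped `fips.so`, so this hook silently depends on Patch33 reserving it.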