Embed correct HMAC into fips provider
We have a stripped production version and an unstripped version for tests. Related: rhbz#1985362
This commit is contained in:
parent
5c4e10ac26
commit
3ff0db7558
39
openssl.spec
39
openssl.spec
@ -15,7 +15,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -49,7 +49,7 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||
# Add FIPS_mode() compatibility macro
|
||||
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||
# Add check to see if fips flag is enabled in kernel
|
||||
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
# remove unsupported EC curves
|
||||
Patch11: 0011-Remove-EC-curves.patch
|
||||
# Instructions to load legacy provider in openssl.cnf
|
||||
@ -58,6 +58,10 @@ Patch24: 0024-load-legacy-prov.patch
|
||||
Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
|
||||
# Tmp: test name change
|
||||
Patch31: 0031-tmp-Fix-test-names.patch
|
||||
# We load FIPS provider and set FIPS properties implicitly
|
||||
Patch32: 0032-Force-fips.patch
|
||||
# Embed HMAC into the fips.so
|
||||
Patch33: 0033-FIPS-embed-hmac.patch
|
||||
# Tmp: coverity
|
||||
Patch100: 0100-coverity.patch
|
||||
|
||||
@ -231,18 +235,27 @@ OPENSSL_ENABLE_MD5_VERIFY=
|
||||
export OPENSSL_ENABLE_MD5_VERIFY
|
||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||
#embed HMAC into fips provider for test run
|
||||
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
|
||||
cp providers/fips.so providers/fips.so.orig
|
||||
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
|
||||
mv providers/fips.so.mac providers/fips.so
|
||||
#run tests itself
|
||||
make test HARNESS_JOBS=8
|
||||
|
||||
# Add generation of HMAC checksum of the final stripped library
|
||||
#%define __spec_install_post \
|
||||
# %{?__debug_package:%{__debug_install_post}} \
|
||||
# %{__arch_install_post} \
|
||||
# %{__os_install_post} \
|
||||
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
|
||||
# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
|
||||
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
||||
# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
|
||||
#%{nil}
|
||||
# We manually copy standard definition of __spec_install_post
|
||||
# and add hmac calculation/embedding to fips.so
|
||||
%define __spec_install_post \
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
%{__arch_install_post} \
|
||||
%{__os_install_post} \
|
||||
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||
cp $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.orig \
|
||||
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
|
||||
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
|
||||
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||
%{nil}
|
||||
|
||||
%define __provides_exclude_from %{_libdir}/openssl
|
||||
|
||||
@ -382,6 +395,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4
|
||||
- Embed FIPS HMAC in fips.so
|
||||
- Enforce loading FIPS provider when FIPS kernel flag is on
|
||||
|
||||
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
|
||||
- Fix memory leak in s_client
|
||||
- Related: rhbz#1996092
|
||||
|
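Review bot: The `cp … fips.so.orig` line in the new `__spec_install_post` definition leaves an un-HMACed copy of the provider in `$RPM_BUILD_ROOT%{_libdir}/ossl-modules/`, and the trailing `rm` removes only `fips.so.hmac`; since objcopy writes to the separate `fips.so.mac` output and does not modify its input, the copy is redundant and the line can be dropped (or `fips.so.orig` added to the `rm`) before it is either shipped by a `%files` glob or trips the unpackaged-files check. The same `cp` in the %check hunk is harmless because that copy stays in the build tree. The objcopy step presumably depends on Patch33 providing a `.rodata1` placeholder sized for an HMAC-SHA256 output, which is worth stating in the comment above the macro, e.g. `# fips.so carries a .rodata1 placeholder (Patch33) that objcopy overwrites with the HMAC`. Unless rpm runs this scriptlet with `set -e`, a failed `dgst` or `objcopy` would leave a fips.so with a missing or stale integrity value in the buildroot and the problem would presumably surface only when the provider's integrity self-check runs, so chaining the steps with `&&` or adding `|| exit 1` to each would make the build fail where the defect is introduced.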