resolve bugzilla 319901 (phew! only took 6 years & 9 days)

2013-10-15 02:14:11 +01:00 · 2013-10-15 02:14:11 +01:00 · 4d56d16496
commit 4d56d16496
parent 8c28623e94
6 changed files with 2458 additions and 299 deletions
--- a/17
+++ b/17
@ -7,39 +7,30 @@ set -e
 # MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
 # IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
 # RC5:   5,724,428 01/11/2015
 # EC:    ????????? ??/??/2020
 # SRP:   ????????? ??/??/20??
 # Remove assembler portions of IDEA, MDC2, and RC5.
 (find crypto/rc5/asm -type f | xargs -r rm -fv)
-# RC5, EC, SRP.
+# RC5, SRP.
-for a in rc5 ec ecdh ecdsa srp; do
+for a in rc5 srp; do
  for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
 	echo Destroying $c
 	> $c
  done
 done
-for c in `find crypto/evp -name "*_rc5.c" -o -name "*_ecdsa.c"`; do
+for c in `find crypto/evp -name "*_rc5.c"`; do
 	echo Destroying $c
 	> $c
 done
 for c in `find crypto/bn -name "*gf2m.c"`; do
 	echo Destroying $c
 	> $c
 done
 for h in `find crypto ssl apps test -name "*.h"` ; do
-	echo Removing RC5, SRP and EC references from $h
+	echo Removing RC5, SRP references from $h
 	cat $h | \
 	awk    'BEGIN {ech=1;} \
 		/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
 		/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
 		/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
 		/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
 		/^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \
                /^#[ \t]*if/ {if(ech < 1) ech--;} \
 		{if(ech>0) {;print $0};} \
 		/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
--- a/openssl-1.0.1e-fips-ctor.patch
+++ b/openssl-1.0.1e-fips-ctor.patch
@ -1,6 +1,6 @@
 diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor	2013-09-02 14:20:26.853925144 +0200
+--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor	2013-09-23 18:05:15.731136863 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.c	2013-09-02 14:22:18.082370680 +0200
+++ openssl-1.0.1e/crypto/fips/fips.c	2013-09-23 18:18:27.953969770 +0200
@@ -60,6 +60,8 @@
 #include <dlfcn.h>
 #include <stdio.h>
@ -23,11 +23,65 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
 #define READ_BUFFER_LENGTH 16384
 static char *
-@@ -341,6 +345,32 @@ end:
+@@ -279,19 +283,13 @@ end:
 }
 static int
 -FIPSCHECK_verify(const char *libname, const char *symbolname)
 +FIPSCHECK_verify(const char *path)
 {
 -	char path[PATH_MAX+1];
 -	int rv;
 +	int rv = 0;
 	FILE *hf;
 	char *hmacpath, *p;
 	char *hmac = NULL;
 	size_t n;
 -	
 -	rv = get_library_path(libname, symbolname, path, sizeof(path));
 -
 -	if (rv < 0)
 -		return 0;
 	hmacpath = make_hmac_path(path);
 	if (hmacpath == NULL)
@@ -341,6 +339,64 @@ end:
 	return 1;	
 }
-+int FIPS_module_installed(void)
+static int
 +verify_checksums(void)
 +    {
 +	int rv;
 +	char path[PATH_MAX+1];
 +	char *p;
 +
 +	/* we need to avoid dlopening libssl, assume both libcrypto and libssl
 +	   are in the same directory */
 +
 +	rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
 +	if (rv < 0)
 +		return 0;
 +
 +	rv = FIPSCHECK_verify(path);
 +	if (!rv)
 +		return 0;
 +
 +	/* replace libcrypto with libssl */
 +	while ((p = strstr(path, "libcrypto.so")) != NULL)
 +	    {
 +		p = stpcpy(p, "libssl");
 +                memmove(p, p+3, strlen(p+2));
 +	    }
 +
 +	rv = FIPSCHECK_verify(path);
 +	if (!rv)
 +		return 0;
 +	return 1;
 +    }
 +
 +int
 +FIPS_module_installed(void)
 +    {
 +	char path[PATH_MAX+1];
 +	int rv;
@ -56,9 +110,26 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
 int FIPS_module_mode_set(int onoff, const char *auth)
     {
     int ret = 0;
@@ -379,15 +435,7 @@ int FIPS_module_mode_set(int onoff, cons
 	}
 #endif
 -	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
 -	    {
 -	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
 -	    fips_selftest_fail = 1;
 -	    ret = 0;
 -	    goto end;
 -	    }
 -
 -	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
 +	if(!verify_checksums())
 	    {
 	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
 	    fips_selftest_fail = 1;
 diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor	2013-09-02 14:20:26.857925232 +0200
+--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor	2013-09-23 18:05:15.734136931 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.h	2013-09-02 14:20:26.915926507 +0200
+++ openssl-1.0.1e/crypto/fips/fips.h	2013-09-23 18:05:15.775137854 +0200
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
 int FIPS_module_mode_set(int onoff, const char *auth);
@ -68,8 +139,8 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/
 int FIPS_selftest(void);
 int FIPS_selftest_failed(void);
 diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor	2013-09-02 14:20:26.894926046 +0200
+--- openssl-1.0.1e/crypto/o_init.c.fips-ctor	2013-09-23 18:05:15.762137561 +0200
-+++ openssl-1.0.1e/crypto/o_init.c	2013-09-02 14:20:26.916926529 +0200
+++ openssl-1.0.1e/crypto/o_init.c	2013-09-23 18:05:15.776137876 +0200
@@ -73,6 +73,10 @@ static void init_fips_mode(void)
 	char buf[2] = "0";
 	int fd;
--- a/openssl-1.0.1e-fips-ec.patch
+++ b/openssl-1.0.1e-fips-ec.patch
--- a/openssl-1.0.1e-fips.patch
+++ b/openssl-1.0.1e-fips.patch
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 23%{?dist}
+Release: 27%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -77,6 +77,7 @@ Patch82: openssl-1.0.1e-backports.patch
 Patch83: openssl-1.0.1e-bad-mac.patch
 Patch84: openssl-1.0.1e-trusted-first.patch
 Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
 Patch86: openssl-1.0.1e-fips-ec.patch
 License: OpenSSL
 Group: System Environment/Libraries
@ -197,6 +198,7 @@ OpenSSL FIPS module.
 %patch83 -p1 -b .bad-mac
 %patch84 -p1 -b .trusted-first
 %patch85 -p1 -b .armcap
 %patch86 -p1 -b .fips-ec
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -251,7 +253,7 @@ sslarch=linux-ppc64
 ./Configure \
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
-	enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \
+	enable-cms enable-md2 no-mdc2 no-rc5 no-srp \
 	--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
 	--with-krb5-dir=/usr shared  ${sslarch} %{?!nofips:fips}
@ -473,6 +475,19 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :
 %changelog
 * Mon Oct 14 2013 Tom Callaway <spot@fedoraproject.org> - 1.0.1e-27
 - resolve bugzilla 319901 (phew! only took 6 years & 9 days)
 * Fri Sep 27 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-26
 - make DTLS1 work in FIPS mode
 - avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
 * Mon Sep 23 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-25
 - avoid dlopening libssl.so from libcrypto (#1010357)
 * Fri Sep 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-24
 - fix small memory leak in FIPS aes selftest
 * Thu Sep 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-23
 - fix segfault in openssl speed hmac in the FIPS mode
--- a/2
+++ b/2
@ -1 +1 @@
-641677c116865e60601677329b514e2d  openssl-1.0.1e-usa.tar.xz
+3b0845cfbbb2af350ef3b026f8dfcd5f  openssl-1.0.1e-usa.tar.xz
`@ -1 +1 @@`
	`641677c116865e60601677329b514e2d openssl-1.0.1e-usa.tar.xz`	`3b0845cfbbb2af350ef3b026f8dfcd5f openssl-1.0.1e-usa.tar.xz`