From b9f699b8a8dd3de785236b97650fa9bac3dfdf76 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 29 Jan 2024 17:28:37 +0100 Subject: [PATCH] Use certified FIPS module instead of freshly built one in Red Hat distribution Resolves: RHEL-23474 --- openssl.spec | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/openssl.spec b/openssl.spec index fbf2b6b..20e5027 100644 --- a/openssl.spec +++ b/openssl.spec @@ -230,6 +230,9 @@ BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), BuildRequires: git-core Requires: coreutils Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +%if ( %{defined rhel} && (! %{defined centos}) ) +Requires: openssl-fips-provider +%endif %description The OpenSSL toolkit provides support for secure communications between @@ -393,6 +396,14 @@ make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library # We manually copy standard definition of __spec_install_post # and add hmac calculation/embedding to fips.so +%if ( %{defined rhel} && (! %{defined centos}) ) +%define __spec_install_post \ + rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ +%{nil} +%else %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ @@ -402,6 +413,7 @@ make test HARNESS_JOBS=8 mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ %{nil} +%endif %define __provides_exclude_from %{_libdir}/openssl 
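Review bot: The new `Requires: openssl-fips-provider` in the first hunk carries no version bound and no `%{?_isa}`, and it sits in the main package's dependency list (after the `%{name}-libs` Requires, before `%description`). If `fips.so` was previously shipped by the `-libs` subpackage (the `%files` lists are outside this patch), a RHEL host that installs only the libraries would get no FIPS provider at all, and provider loading in FIPS mode would fail there. Consider moving the dependency to the subpackage that used to own the module and pinning it, e.g. `Requires: openssl-fips-provider%{?_isa} >= <certified-module-version>`, so a multilib install or an older provider build cannot satisfy it by accident.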
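Review bot: In the RHEL branch of `__spec_install_post` (second hunk, closed by the `%endif` in the third), `rm -rf` succeeds even when the path does not exist. If the module is ever installed under a different path, the freshly built, uncertified `fips.so` would be packaged with no build error. A form that fails closed is `rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \`, which also drops the stray `/` after `$RPM_BUILD_ROOT` so the path matches the `%else` branch. The three comment lines above the conditional still describe only HMAC embedding; a line such as `# On RHEL the locally built fips.so is dropped; the certified module comes from openssl-fips-provider` would cover the new branch. The `%files` sections are not visible here, so confirm `fips.so` is not still listed unconditionally, otherwise the RHEL build would stop on a missing file.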
@@ -558,6 +570,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-20249 - Denial of service via null dereference in PKCS#12 Resolves: RHEL-22486 +- Use certified FIPS module instead of freshly built one in Red Hat distribution + Resolves: RHEL-23474 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted