rpms/openssl/devel openssl-0.9.8j-fips-rng-seed.patch, NONE, 1.1 openssl-0.9.8j-use-fipscheck.patch, 1.1, 1.2 openssl.spec, 1.120, 1.121

Tomáš Mráz tmraz at fedoraproject.org
Mon Feb 2 16:46:34 UTC 2009


Author: tmraz

Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25517

Modified Files:
	openssl-0.9.8j-use-fipscheck.patch openssl.spec 
Added Files:
	openssl-0.9.8j-fips-rng-seed.patch 
Log Message:
* Mon Feb  2 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8j-7
- must also verify checksum of libssl.so in the FIPS mode
- obtain the seed for FIPS rng directly from the kernel device
- drop the temporary symlinks


openssl-0.9.8j-fips-rng-seed.patch:

--- NEW FILE openssl-0.9.8j-fips-rng-seed.patch ---
diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/rand/rand_lcl.h
--- openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed	2009-02-02 13:40:37.000000000 +0100
+++ openssl-0.9.8j/crypto/rand/rand_lcl.h	2009-02-02 13:50:42.000000000 +0100
@@ -112,7 +112,7 @@
 #ifndef HEADER_RAND_LCL_H
 #define HEADER_RAND_LCL_H
 
-#define ENTROPY_NEEDED 32  /* require 256 bits = 32 bytes of randomness */
+#define ENTROPY_NEEDED 48  /* we need 48 bytes of randomness for FIPS rng */
 
 
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
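Review bot: The new comment on `ENTROPY_NEEDED` drops the bit count and does not say where 48 comes from, and this header lives under crypto/rand, so the higher threshold presumably applies to the default RNG's seeding as well as the FIPS one. Going by the other hunks on this page (a key of up to 32 bytes split off in fips_set_prng_seed, plus one AES block of seed), I would write it as `#define ENTROPY_NEEDED 48  /* 384 bits: 32-byte AES key + 16-byte seed block for the FIPS rng */`. If the effect on the non-FIPS generator is intended, it is worth saying so in the same comment.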
diff -up openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed openssl-0.9.8j/fips/rand/fips_rand.c
--- openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed	2008-09-16 12:12:18.000000000 +0200
+++ openssl-0.9.8j/fips/rand/fips_rand.c	2009-02-02 14:06:58.000000000 +0100
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
 	{
 	int i;
 	if (!ctx->keyed)
-		return 0;
+		{
+		FIPS_RAND_SIZE_T keylen = 16;
+
+		if (seedlen - keylen < AES_BLOCK_LENGTH)
+			return 0;
+		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+			keylen += 8;
+		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+			keylen += 8;
+		seedlen -= keylen;
+		fips_set_prng_key(ctx, seed+seedlen, keylen);
+		}
 	/* In test mode seed is just supplied data */
 	if (ctx->test_mode)
 		{
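Review bot: The length guard `if (seedlen - keylen < AES_BLOCK_LENGTH)` is written as a subtraction, so if FIPS_RAND_SIZE_T is an unsigned type a seedlen below 16 wraps to a large value, passes all three checks, and after `seedlen -= keylen` the pointer `seed+seedlen` handed to the key setup lies outside the caller's buffer. Comparing without subtracting, `if (seedlen < keylen + AES_BLOCK_LENGTH) return 0;`, is correct for either signedness. The result of `fips_set_prng_key(ctx, seed+seedlen, keylen)` is also discarded; if it can fail, this branch should return 0 there rather than continue unkeyed. The definition of FIPS_RAND_SIZE_T and the rest of fips_set_prng_seed are outside this hunk.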
diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
--- openssl-0.9.8j/fips/fips.c.rng-seed	2009-02-02 13:40:38.000000000 +0100
+++ openssl-0.9.8j/fips/fips.c	2009-02-02 13:49:32.000000000 +0100
@@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
 	    goto end;
 	    }
 
+	/* now switch into FIPS mode */
+	fips_set_rand_check(FIPS_rand_method());
+	RAND_set_rand_method(FIPS_rand_method());
+
 	/* automagically seed PRNG if not already seeded */
 	if(!FIPS_rand_status())
 	    {
-	    if(RAND_bytes(buf,sizeof buf) <= 0)
+	    RAND_poll();
+	    if (!FIPS_rand_status())
 		{
 		fips_selftest_fail = 1;
 		ret = 0;
 		goto end;
 		}
-	    FIPS_rand_set_key(buf,32);
-	    FIPS_rand_seed(buf+32,16);
 	    }
 
-	/* now switch into FIPS mode */
-	fips_set_rand_check(FIPS_rand_method());
-	RAND_set_rand_method(FIPS_rand_method());
 	if(FIPS_selftest())
 	    fips_set_mode(1);
 	else
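Review bot: The seeding failure branch (`if (!FIPS_rand_status())` after `RAND_poll()`) sets `fips_selftest_fail` and jumps to `end` without queuing an error, and because the method switch was moved above it, that exit now leaves `FIPS_rand_method()` installed as the process RAND method. A `FIPSerr(FIPS_F_FIPS_MODE_SET, <reason code for an unseeded RNG>);` before `fips_selftest_fail = 1;` would tell the caller why FIPS mode was refused. The reordering is presumably needed so that RAND_poll() feeds the FIPS generator; a comment such as `/* RAND_poll() must run after the FIPS method is installed so that it seeds the FIPS rng */` would keep it from being moved back. `buf` is declared outside the hunk and looks unused after this change.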

openssl-0.9.8j-use-fipscheck.patch:

Index: openssl-0.9.8j-use-fipscheck.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl-0.9.8j-use-fipscheck.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssl-0.9.8j-use-fipscheck.patch	15 Jan 2009 09:10:25 -0000	1.1
+++ openssl-0.9.8j-use-fipscheck.patch	2 Feb 2009 16:46:33 -0000	1.2
@@ -1,8 +1,6 @@
-Use fipscheck compatible way of verification of the integrity of the libcrypto
-shared library.
 diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
 --- openssl-0.9.8j/test/Makefile.use-fipscheck	2008-12-13 13:22:47.000000000 +0100
-+++ openssl-0.9.8j/test/Makefile	2009-01-13 22:49:25.000000000 +0100
++++ openssl-0.9.8j/test/Makefile	2009-02-02 13:24:36.000000000 +0100
 @@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
  	if [ "$(FIPSCANLIB)" = "libfips" ]; then \
  		LIBRARIES="-L$(TOP) -lfips"; \
@@ -24,8 +22,8 @@
  	$(MAKE) -f $(TOP)/Makefile.shared -e \
  		CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
 diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
---- openssl-0.9.8j/Makefile.org.use-fipscheck	2009-01-13 22:35:48.000000000 +0100
-+++ openssl-0.9.8j/Makefile.org	2009-01-13 22:35:49.000000000 +0100
+--- openssl-0.9.8j/Makefile.org.use-fipscheck	2009-02-02 13:24:36.000000000 +0100
++++ openssl-0.9.8j/Makefile.org	2009-02-02 13:24:36.000000000 +0100
 @@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
  			$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
  			$(AR) libcrypto.a fips/fipscanister.o ; \
@@ -59,7 +57,7 @@
  Makefile: Makefile.org Configure config
 diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
 --- openssl-0.9.8j/fips/fips.c.use-fipscheck	2008-09-16 12:12:09.000000000 +0200
-+++ openssl-0.9.8j/fips/fips.c	2009-01-13 22:35:49.000000000 +0100
++++ openssl-0.9.8j/fips/fips.c	2009-02-02 13:31:53.000000000 +0100
 @@ -47,6 +47,7 @@
   *
   */
@@ -100,7 +98,7 @@
 +	void *dl, *sym;
 +	int rv = -1;
 +
-+        dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
++        dl = dlopen(libname, RTLD_LAZY);
 +        if (dl == NULL) {
 +	        return -1;
 +        }       
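Review bot: Without `RTLD_NOLOAD`, `dlopen(libname, RTLD_LAZY)` will load the named library through the normal search order when it is not already mapped, so its initializers run before the checksum this function exists to verify has been compared. That is presumably intended so that libssl can be checked from a process that does not link it, but it deserves a comment, e.g. `/* may load libname if it is not yet mapped; the checksum is verified only after the load */`. With `RTLD_NODELETE` gone, a later `dlclose(dl)` can also unmap a library this call loaded; whether the handle is closed on every return path is outside this hunk and should be confirmed there.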
@@ -293,26 +291,28 @@
  
  int FIPS_mode_set(int onoff)
      {
-@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff)
+@@ -280,16 +485,17 @@ int FIPS_mode_set(int onoff)
  	    }
  #endif
  
 -	if(fips_signature_witness() != FIPS_signature)
--	    {
++	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
+ 	    {
 -	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
--	    fips_selftest_fail = 1;
--	    ret = 0;
--	    goto end;
--	    }
--
++	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ 	    fips_selftest_fail = 1;
+ 	    ret = 0;
+ 	    goto end;
+ 	    }
+ 
 -	if(!FIPS_check_incore_fingerprint())
-+	if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
++	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
  	    {
 +	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
  	    fips_selftest_fail = 1;
  	    ret = 0;
  	    goto end;
-@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void)
+@@ -405,11 +611,13 @@ int fips_clear_owning_thread(void)
  	return ret;
  	}
  
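Review bot: Both integrity failures in FIPS_mode_set raise the same `FIPS_R_FINGERPRINT_DOES_NOT_MATCH` with nothing identifying the library, so the error queue cannot show whether libcrypto or the newly checked libssl failed verification. Adding `ERR_add_error_data(2, "lib=", "libssl.so." SHLIB_VERSION_NUMBER);` after the second `FIPSerr(...)`, and the libcrypto equivalent after the first, would make that visible. The libssl check also makes FIPS mode in a libcrypto-only process depend on libssl.so and its .hmac file being installed; a one-line comment above that check saying so would help the next maintainer. FIPS_mode_set continues outside the hunk.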
@@ -327,8 +327,8 @@
  /* Generalized public key test routine. Signs and verifies the data
   * supplied in tbs using mesage digest md and setting option digest
 diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
---- openssl-0.9.8j/fips/Makefile.use-fipscheck	2009-01-13 22:35:49.000000000 +0100
-+++ openssl-0.9.8j/fips/Makefile	2009-01-13 22:36:15.000000000 +0100
+--- openssl-0.9.8j/fips/Makefile.use-fipscheck	2009-02-02 13:24:36.000000000 +0100
++++ openssl-0.9.8j/fips/Makefile	2009-02-02 13:24:36.000000000 +0100
 @@ -62,9 +62,9 @@ testapps:
  
  all:
@@ -371,7 +371,7 @@
  	@target=lint; $(RECURSIVE_MAKE)
 diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
 --- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck	2008-09-16 12:12:10.000000000 +0200
-+++ openssl-0.9.8j/fips/fips_locl.h	2009-01-13 22:35:49.000000000 +0100
++++ openssl-0.9.8j/fips/fips_locl.h	2009-02-02 13:24:36.000000000 +0100
 @@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
  int fips_set_owning_thread(void);
  void fips_set_selftest_fail(void);


Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.120
retrieving revision 1.121
diff -u -r1.120 -r1.121
--- openssl.spec	26 Jan 2009 21:07:21 -0000	1.120
+++ openssl.spec	2 Feb 2009 16:46:33 -0000	1.121
@@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 0.9.8j
-Release: 6%{?dist}
+Release: 7%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -64,6 +64,7 @@
 Patch47: openssl-0.9.8j-readme-warning.patch
 Patch48: openssl-0.9.8j-bad-mime.patch
 Patch49: openssl-0.9.8j-fips-no-pairwise.patch
+Patch50: openssl-0.9.8j-fips-rng-seed.patch
 # Backported fixes including security fixes
 
 License: OpenSSL
@@ -74,15 +75,6 @@
 BuildRequires: /usr/bin/rename
 Requires: mktemp, ca-certificates >= 2008-5
 
-# Temporary hack
-Requires(post): /sbin/ldconfig coreutils
-Requires(postun): /sbin/ldconfig
-%ifarch ppc64 s390x sparc64 x86_64
-Provides: libcrypto.so.7()(64bit) libssl.so.7()(64bit)
-%else
-Provides: libcrypto.so.7 libssl.so.7
-%endif
-
 %description
 The OpenSSL toolkit provides support for secure communications between
 machines. OpenSSL includes a certificate management tool and shared
@@ -147,6 +139,7 @@
 %patch47 -p1 -b .warning
 %patch48 -p1 -b .bad-mime
 %patch49 -p1 -b .no-pairwise
+%patch50 -p1 -b .rng-seed
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -232,6 +225,8 @@
     %{__os_install_post} \
     fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
     ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
+    fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libssl.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{version}.hmac \
+    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{soversion}.hmac \
 %{nil}
 
 %install
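Review bot: The added libssl lines, like the libcrypto ones before them, compute the HMAC inside `__spec_install_post` after `%{__os_install_post}`, and nothing in the spec says that this position matters. The post-install scripts may modify the installed libraries (stripping, for example), so a checksum taken earlier would not match the shipped file. I would add a comment above the macro definition, which is outside this hunk: `# The .hmac files must be generated after __os_install_post has run, because it can change the library contents.` Write the macro name without `%{}` there, since macros are expanded inside spec comments too.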
@@ -251,8 +246,6 @@
 	chmod 755 ${lib}
 	ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
 	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion}
-# temporary hack
-	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.7
 	rm -f $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
 done
 
@@ -375,8 +368,7 @@
 %attr(0755,root,root) /%{_lib}/*.so.%{version}
 %attr(0755,root,root) /%{_lib}/*.so.%{soversion}
 %attr(0644,root,root) /%{_lib}/.libcrypto.so.*.hmac
-# temporary hack
-%attr(0755,root,root) /%{_lib}/*.so.7
+%attr(0644,root,root) /%{_lib}/.libssl.so.*.hmac
 %attr(0755,root,root) %{_libdir}/openssl
 %attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
 %attr(0644,root,root) %{_mandir}/man5*/*
@@ -399,13 +391,16 @@
 %{_sysconfdir}/pki/tls/misc/*.pl
 %endif
 
-%post
-/sbin/ldconfig -X
+%post -p /sbin/ldconfig
 
-%postun
-/sbin/ldconfig -X
+%postun -p /sbin/ldconfig
 
 %changelog
+* Mon Feb  2 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8j-7
+- must also verify checksum of libssl.so in the FIPS mode
+- obtain the seed for FIPS rng directly from the kernel device
+- drop the temporary symlinks
+
 * Mon Jan 26 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8j-6
 - drop the temporary triggerpostun and symlinking in post
 - fix the pkgconfig files and drop the unnecessary buildrequires



