rpms/openssl/devel openssl-0.9.8k-fips-rng-seed.patch, NONE, 1.1 Makefile.certificate, 1.4, 1.5 make-dummy-cert, 1.1, 1.2 openssl-0.9.8a-defaults.patch, 1.1, 1.2 openssl-0.9.8j-ca-dir.patch, 1.1, 1.2 openssl.spec, 1.130, 1.131 openssl-0.9.8j-fips-rng-seed.patch, 1.1, NONE

Tomáš Mráz tmraz at fedoraproject.org
Tue Jun 30 11:18:15 UTC 2009


Author: tmraz

Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19000

Modified Files:
	Makefile.certificate make-dummy-cert 
	openssl-0.9.8a-defaults.patch openssl-0.9.8j-ca-dir.patch 
	openssl.spec 
Added Files:
	openssl-0.9.8k-fips-rng-seed.patch 
Removed Files:
	openssl-0.9.8j-fips-rng-seed.patch 
Log Message:
* Tue Jun 30 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8k-6
- abort if selftests failed and random number generator is polled
- mention EVP_aes and EVP_sha2xx routines in the manpages
- add README.FIPS
- make CA dir absolute path (#445344)
- change default length for RSA key generation to 2048 (#484101)


openssl-0.9.8k-fips-rng-seed.patch:

--- NEW FILE openssl-0.9.8k-fips-rng-seed.patch ---
diff -up openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8k/crypto/rand/rand_lcl.h
--- openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed	2009-04-21 11:43:58.000000000 +0200
+++ openssl-0.9.8k/crypto/rand/rand_lcl.h	2009-04-21 11:44:01.000000000 +0200
@@ -112,7 +112,7 @@
 #ifndef HEADER_RAND_LCL_H
 #define HEADER_RAND_LCL_H
 
-#define ENTROPY_NEEDED 32  /* require 256 bits = 32 bytes of randomness */
+#define ENTROPY_NEEDED 48  /* we need 48 bytes of randomness for FIPS rng */
 
 
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
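Review bot: The new comment on `ENTROPY_NEEDED` does not say where 48 comes from, and the value is coupled to the key/seed split added to fips_set_prng_seed later in this patch. Judging by the removed `FIPS_rand_set_key(buf,32)` / `FIPS_rand_seed(buf+32,16)` calls, it is a 32-byte key plus a 16-byte seed block. I would spell that out, e.g. `/* FIPS rng: up to 32 bytes of AES key + 16 bytes of seed */`, so that a later change to either side is not made in isolation. The define is unconditional in the visible lines, so the higher requirement presumably applies to non-FIPS builds as well.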
diff -up openssl-0.9.8k/fips/fips.c.rng-seed openssl-0.9.8k/fips/fips.c
--- openssl-0.9.8k/fips/fips.c.rng-seed	2009-04-21 11:44:01.000000000 +0200
+++ openssl-0.9.8k/fips/fips.c	2009-04-21 11:44:02.000000000 +0200
@@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
 	    goto end;
 	    }
 
+	/* now switch into FIPS mode */
+	fips_set_rand_check(FIPS_rand_method());
+	RAND_set_rand_method(FIPS_rand_method());
+
 	/* automagically seed PRNG if not already seeded */
 	if(!FIPS_rand_status())
 	    {
-	    if(RAND_bytes(buf,sizeof buf) <= 0)
+	    RAND_poll();
+	    if (!FIPS_rand_status())
 		{
 		fips_selftest_fail = 1;
 		ret = 0;
 		goto end;
 		}
-	    FIPS_rand_set_key(buf,32);
-	    FIPS_rand_seed(buf+32,16);
 	    }
 
-	/* now switch into FIPS mode */
-	fips_set_rand_check(FIPS_rand_method());
-	RAND_set_rand_method(FIPS_rand_method());
 	if(FIPS_selftest())
 	    fips_set_mode(1);
 	else
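Review bot: On the seeding failure path (`goto end` after the second `FIPS_rand_status()` check) the process is left with `RAND_set_rand_method(FIPS_rand_method())` already applied, because the switch now happens before seeding rather than after it. If that is the intended fail-closed behaviour it deserves a comment, e.g. `/* install the FIPS RNG first so RAND_poll() seeds it; it stays installed on failure */`. The existing `/* now switch into FIPS mode */` comment would read better as describing the RNG switch only, since `fips_set_mode(1)` happens later. `buf` is no longer referenced in the visible lines, so if nothing outside the hunk uses it the declaration can go. FIPS_mode_set starts and ends outside the hunk.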
diff -up openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed openssl-0.9.8k/fips/rand/fips_rand.c
--- openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed	2008-09-16 12:12:18.000000000 +0200
+++ openssl-0.9.8k/fips/rand/fips_rand.c	2009-06-30 12:00:53.000000000 +0200
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
 	{
 	int i;
 	if (!ctx->keyed)
-		return 0;
+		{
+		FIPS_RAND_SIZE_T keylen = 16;
+
+		if (seedlen - keylen < AES_BLOCK_LENGTH)
+			return 0;
+		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+			keylen += 8;
+		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+			keylen += 8;
+		seedlen -= keylen;
+		fips_set_prng_key(ctx, seed+seedlen, keylen);
+		}
 	/* In test mode seed is just supplied data */
 	if (ctx->test_mode)
 		{
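Review bot: The length guard `if (seedlen - keylen < AES_BLOCK_LENGTH)` in the new `!ctx->keyed` branch is only safe if FIPS_RAND_SIZE_T is a signed type, which is not visible in this hunk. With an unsigned type a seedlen below 16 would wrap and pass the check, and `seed+seedlen` would then point outside the buffer. Writing the comparisons in addition form removes the dependence on signedness, e.g. `if (seedlen < keylen + AES_BLOCK_LENGTH) return 0;` and `if (seedlen >= keylen + 8 + AES_BLOCK_LENGTH) keylen += 8;`. The result of `fips_set_prng_key(ctx, seed+seedlen, keylen)` is also discarded, so a failed key setup would presumably go on to seeding; checking it and returning 0 on failure keeps the function fail-closed. The function body continues past the end of the hunk.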
@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
 	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
 	unsigned char tmp[AES_BLOCK_LENGTH];
 	int i;
+	FIPS_selftest_check();
 	if (ctx->error)
 		{
 		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
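Review bot: The added `FIPS_selftest_check();` call at the top of fips_rand carries no comment, yet per the changelog entry it aborts the process when the selftests have failed. That apparently turns an error return into a call that may not return at all. A one-line comment such as `/* aborts if the FIPS selftests failed; no output from an untested module */` would make the contract visible to callers. The function body continues past the hunk.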


Index: Makefile.certificate
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/Makefile.certificate,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- Makefile.certificate	27 Apr 2005 10:48:43 -0000	1.4
+++ Makefile.certificate	30 Jun 2009 11:17:44 -0000	1.5
@@ -38,7 +38,7 @@ usage:
 	umask 77 ; \
 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
-	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+	/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
 	cat $$PEM1 >  $@ ; \
 	echo ""    >> $@ ; \
 	cat $$PEM2 >> $@ ; \
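Review bot: The recipe steps around the changed `openssl req` line are joined with `;`, so a failed key generation (or a failed `mktemp`) still runs the `cat $$PEM1 > $@` lines and leaves an empty or partial target that make treats as up to date. Joining the steps with `&&`, e.g. `/usr/bin/openssl req ... -set_serial $(SERIAL) && \`, stops the recipe at the first failure. The `%.key` rule in the next hunk has the same problem through `> $@`: the redirect creates the file before genrsa runs, so a mistyped passphrase leaves an empty key file behind. `/usr/bin/openssl genrsa -aes128 2048 > $@.tmp && mv -f $@.tmp $@` avoids that. The recipe starts before and continues after this hunk.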
@@ -46,7 +46,7 @@ usage:
 
 %.key:
 	umask 77 ; \
-	/usr/bin/openssl genrsa -des3 1024 > $@
+	/usr/bin/openssl genrsa -aes128 2048 > $@
 
 %.csr: %.key
 	umask 77 ; \


Index: make-dummy-cert
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/make-dummy-cert,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- make-dummy-cert	9 Sep 2004 09:39:08 -0000	1.1
+++ make-dummy-cert	30 Jun 2009 11:17:44 -0000	1.2
@@ -20,7 +20,7 @@ for target in $@ ; do
 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
 	trap "rm -f $PEM1 $PEM2" SIGINT
-	answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+	answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
 	cat $PEM1 >  ${target}
 	echo ""   >> ${target}
 	cat $PEM2 >> ${target}
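Review bot: The exit status of the `openssl req` pipeline is never checked and its stderr goes to `/dev/null`, so a failed generation silently writes an empty `${target}`. A guard such as `answers | /usr/bin/openssl req ... -out $PEM2 2> /dev/null || { rm -f $PEM1 $PEM2; exit 1; }` would surface it. The `trap` on the line above covers only SIGINT, so the temporary file holding the unencrypted (`-nodes`) private key can be left in /tmp on other signals; extending the trap to SIGTERM or EXIT is worth considering. The loop body continues outside the hunk.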

openssl-0.9.8a-defaults.patch:

Index: openssl-0.9.8a-defaults.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl-0.9.8a-defaults.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- openssl-0.9.8a-defaults.patch	8 Nov 2005 13:52:29 -0000	1.1
+++ openssl-0.9.8a-defaults.patch	30 Jun 2009 11:17:44 -0000	1.2
@@ -1,9 +1,10 @@
 --- openssl-0.9.8a/apps/openssl.cnf.defaults	2005-09-16 14:20:24.000000000 +0200
 +++ openssl-0.9.8a/apps/openssl.cnf	2005-11-04 11:00:37.000000000 +0100
-@@ -99,6 +99,7 @@
+@@ -99,7 +99,8 @@
  ####################################################################
  [ req ]
- default_bits		= 1024
+-default_bits		= 1024
++default_bits		= 2048
 +default_md		= sha1
  default_keyfile 	= privkey.pem
  distinguished_name	= req_distinguished_name
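Review bot: `default_md = sha1` is kept as the request digest while `default_bits` moves to 2048, so the signature digest is now the weaker half of the default pair. If the targeted releases can verify SHA-256 signatures, `+default_md = sha256` would match the key-size change. Otherwise a short comment in the patch noting why sha1 stays would help the next maintainer.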

openssl-0.9.8j-ca-dir.patch:

Index: openssl-0.9.8j-ca-dir.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl-0.9.8j-ca-dir.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- openssl-0.9.8j-ca-dir.patch	15 Jan 2009 09:10:25 -0000	1.1
+++ openssl-0.9.8j-ca-dir.patch	30 Jun 2009 11:17:44 -0000	1.2
@@ -6,7 +6,7 @@ diff -up openssl-0.9.8j/apps/openssl.cnf
  [ CA_default ]
  
 -dir		= ./demoCA		# Where everything is kept
-+dir		= ../../CA		# Where everything is kept
++dir		= /etc/pki/CA		# Where everything is kept
  certs		= $dir/certs		# Where the issued certs are kept
  crl_dir		= $dir/crl		# Where the issued crl are kept
  database	= $dir/index.txt	# database index file.
@@ -18,7 +18,7 @@ diff -up openssl-0.9.8j/apps/CA.sh.ca-di
  X509="$OPENSSL x509"
  
 -CATOP=./demoCA
-+CATOP=../../CA
++CATOP=/etc/pki/CA
  CAKEY=./cakey.pem
  CAREQ=./careq.pem
  CACERT=./cacert.pem
@@ -30,7 +30,7 @@ diff -up openssl-0.9.8j/apps/CA.pl.in.ca
  $PKCS12="$openssl pkcs12";
  
 -$CATOP="./demoCA";
-+$CATOP="../../CA";
++$CATOP="/etc/pki/CA";
  $CAKEY="cakey.pem";
  $CAREQ="careq.pem";
  $CACERT="cacert.pem";


Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.130
retrieving revision 1.131
diff -u -p -r1.130 -r1.131
--- openssl.spec	21 May 2009 16:30:42 -0000	1.130
+++ openssl.spec	30 Jun 2009 11:17:45 -0000	1.131
@@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 0.9.8k
-Release: 5%{?dist}
+Release: 6%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -33,6 +33,7 @@ Source6: make-dummy-cert
 Source8: openssl-thread-test.c
 Source9: opensslconf-new.h
 Source10: opensslconf-new-warning.h
+Source11: README.FIPS
 # Build changes
 Patch0: openssl-0.9.8j-redhat.patch
 Patch1: openssl-0.9.8a-defaults.patch
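Review bot: `Source11: README.FIPS` here and `Patch54: openssl-0.9.8k-algo-doc.patch` in the next hunk are referenced by the spec, but the commit's Added Files list names only openssl-0.9.8k-fips-rng-seed.patch. Unless both files were added in a separate commit, the build will fail at `%patch54` or at `cp -f %{SOURCE11} .`. They should be part of the same change so the package is buildable at this revision.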
@@ -63,10 +64,11 @@ Patch46: openssl-0.9.8j-eap-fast.patch
 Patch47: openssl-0.9.8j-readme-warning.patch
 Patch48: openssl-0.9.8j-bad-mime.patch
 Patch49: openssl-0.9.8j-fips-no-pairwise.patch
-Patch50: openssl-0.9.8j-fips-rng-seed.patch
+Patch50: openssl-0.9.8k-fips-rng-seed.patch
 Patch51: openssl-0.9.8k-multi-crl.patch
 Patch52: openssl-0.9.8k-dtls-compat.patch
 Patch53: openssl-0.9.8k-dtls-dos.patch
+Patch54: openssl-0.9.8k-algo-doc.patch
 # Backported fixes including security fixes
 
 License: OpenSSL
@@ -154,6 +156,7 @@ from other formats to the formats used b
 %patch51 -p1 -b .multi-crl
 %patch52 -p1 -b .dtls-compat
 %patch53 -p1 -b .dtls-dos
+%patch54 -p1 -b .algo-doc
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -212,6 +215,9 @@ make all
 # Generate hashes for the included certs.
 make rehash
 
+# Overwrite FIPS README
+cp -f %{SOURCE11} .
+
 %check
 # Verify that what was compiled actually works.
 
@@ -364,6 +370,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
 %doc doc/c-indentation.el doc/openssl.txt
 %doc doc/openssl_button.html doc/openssl_button.gif
 %doc doc/ssleay.txt
+%doc README.FIPS
 %dir %{_sysconfdir}/pki/tls
 %dir %{_sysconfdir}/pki/tls/certs
 %{_sysconfdir}/pki/tls/certs/make-dummy-cert
@@ -412,6 +419,13 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
 %postun -p /sbin/ldconfig
 
 %changelog
+* Tue Jun 30 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8k-6
+- abort if selftests failed and random number generator is polled
+- mention EVP_aes and EVP_sha2xx routines in the manpages
+- add README.FIPS
+- make CA dir absolute path (#445344)
+- change default length for RSA key generation to 2048 (#484101)
+
 * Thu May 21 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8k-5
 - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
   (DTLS DoS problems) (#501253, #501254, #501572)


--- openssl-0.9.8j-fips-rng-seed.patch DELETED ---



