Accepting request 778004 from home:vitezslav_cizek:branches:security:tls

- Use the newly build libcrypto shared library when computing the hmac checksums in order to avoid a bootstrapping issue by BuildRequiring libopenssl1_1 (bsc#1164102) - Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) * add openssl-fips_fix_selftests_return_value.patch OBS-URL: https://build.opensuse.org/request/show/778004 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=61
2020-02-21 15:33:18 +00:00 · 2020-02-21 15:33:18 +00:00 · 92e6fcbee3
commit 92e6fcbee3
parent 97fb15d08d
3 changed files with 55 additions and 4 deletions
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Feb 21 08:03:05 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Use the newly build libcrypto shared library when computing the hmac
+  checksums in order to avoid a bootstrapping issue by BuildRequiring
+  libopenssl1_1 (bsc#1164102)
+
+-------------------------------------------------------------------
+Thu Feb 20 13:35:05 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
+  * add openssl-fips_fix_selftests_return_value.patch
+
 -------------------------------------------------------------------
 Tue Feb 18 22:49:46 UTC 2020 - Jason Sikes <jsikes@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -82,10 +82,11 @@ Patch40:        openssl-fips-selftests_in_nonfips_mode.patch
 Patch41:        openssl-fips-clearerror.patch
 Patch42:        openssl-fips-ignore_broken_atexit_test.patch
 Patch43:        openssl-keep_EVP_KDF_functions_version.patch
+Patch44:        openssl-fips_fix_selftests_return_value.patch
+Patch45:        openssl-fips-add-SHA3-selftest.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto)
-Patch44:        openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
-Patch45:        openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
-Patch46:        openssl-fips-add-SHA3-selftest.patch
+Patch50:        openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+Patch51:        openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
 BuildRequires:  pkgconfig
 Conflicts:      ssl
 Provides:       ssl
@ -269,13 +270,23 @@ cp %{SOURCE5} .
 #   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
 %{expand:%%global __os_install_post {%__os_install_post

+# Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1)
+export LD_LIBRARY_PATH="%{buildroot}%{_libdir}"
+
 %{buildroot}%{_bindir}/fips_standalone_hmac \
  %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
    %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac

+# As fips_standalone_hmac now uses the very same library it checksums,
+# the libcrypto hmac needs to be saved to a temporary file, otherwise
+# the library will detect the empty hmac and abort due to a wrong checksum
 %{buildroot}%{_bindir}/fips_standalone_hmac \
  %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
-    %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+    %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac
+
+# rename the temporary checksum to its proper name
+mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+unset LD_LIBRARY_PATH

 }}

--- a/openssl-fips_fix_selftests_return_value.patch
+++ b/openssl-fips_fix_selftests_return_value.patch
@ -0,0 +1,27 @@
+Index: openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips_dsa_selftest.c	2020-02-17 10:40:18.006796026 +0100
+++ openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c	2020-02-17 10:40:18.946801354 +0100
+@@ -150,7 +150,7 @@ int FIPS_selftest_dsa()
+ {
+     DSA *dsa = NULL;
+     EVP_PKEY *pk = NULL;
+-    int ret = -1;
+    int ret = 0;
+     BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
+ 
+     fips_load_key_component(p, dsa_test_2048);
+Index: openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips_ecdh_selftest.c	2020-02-17 10:40:18.006796026 +0100
+++ openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c	2020-02-17 10:40:18.950801378 +0100
+@@ -221,6 +221,9 @@ int FIPS_selftest_ecdh(void)
+     }
+ 
+  err:
+    if (rv == -1) {
+        rv = 0;
+    }
+ 
+     if (x)
+         BN_clear_free(x);