Accepting request 208487 from Base:System

Patches for OpenSSL FIPS-140-2/3 certification; Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,openssl-1.0.1e-fips-ctor.patch (forwarded request 208378 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/208487
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=100

baselibs.conf

@@ -3,3 +3,6 @@ libopenssl1_0_0
 libopenssl-devel
   requires -libopenssl-<targettype>
   requires "libopenssl1_0_0-<targettype> = <version>"
+libopenssl1_0_0-hmac
+  requires -libopenssl1_0_0 = <version>
+  requires "libopenssl1_0_0-<targettype> = <version>-%release"

openssl-1.0.1e-fips-ctor.patch

@@ -0,0 +1,184 @@
+Index: openssl-1.0.1e/crypto/fips/fips.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/fips/fips.c
++++ openssl-1.0.1e/crypto/fips/fips.c
+@@ -60,6 +60,8 @@
+ #include <dlfcn.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
+ #include "fips_locl.h"
+ 
+ #ifdef OPENSSL_FIPS
+@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
+ 	return hex;
+ }
+ 
+-#define HMAC_PREFIX "." 
+-#define HMAC_SUFFIX ".hmac" 
++#define HMAC_PREFIX "."
++#ifndef HMAC_SUFFIX
++#define HMAC_SUFFIX ".hmac"
++#endif
+ #define READ_BUFFER_LENGTH 16384
+ 
+ static char *
+@@ -279,19 +283,13 @@ end:
+ }
+ 
+ static int
+-FIPSCHECK_verify(const char *libname, const char *symbolname)
++FIPSCHECK_verify(const char *path)
+ {
+-	char path[PATH_MAX+1];
+-	int rv;
++	int rv = 0;
+ 	FILE *hf;
+ 	char *hmacpath, *p;
+ 	char *hmac = NULL;
+ 	size_t n;
+-	
+-	rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+-	if (rv < 0)
+-		return 0;
+ 
+ 	hmacpath = make_hmac_path(path);
+ 	if (hmacpath == NULL)
+@@ -341,6 +339,53 @@ end:
+ 	return 1;	
+ }
+ 
++static int
++verify_checksums(void)
++    {
++       int rv;
++       char path[PATH_MAX+1];
++       char *p;
++
++       /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++          are in the same directory */
++
++       rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
++       if (rv < 0)
++               return 0;
++
++       rv = FIPSCHECK_verify(path);
++       if (!rv)
++               return 0;
++
++       /* replace libcrypto with libssl */
++       while ((p = strstr(path, "libcrypto.so")) != NULL)
++           {
++               p = stpcpy(p, "libssl");
++                memmove(p, p+3, strlen(p+2));
++           }
++
++       rv = FIPSCHECK_verify(path);
++       if (!rv)
++               return 0;
++       return 1;
++    }
++
++#ifndef FIPS_MODULE_PATH
++#define FIPS_MODULE_PATH "/etc/system-fips"
++#endif
++
++int
++FIPS_module_installed(void)
++    {
++    int rv;
++    rv = access(FIPS_MODULE_PATH, F_OK);
++    if (rv < 0 && errno != ENOENT)
++       rv = 0;
++
++    /* Installed == true */
++    return !rv;
++    }
++
+ int FIPS_module_mode_set(int onoff, const char *auth)
+     {
+     int ret = 0;
+@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
+ 	}
+ #endif
+ 
+-	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
+-	    {
+-	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+-	    fips_selftest_fail = 1;
+-	    ret = 0;
+-	    goto end;
+-	    }
+-
+-	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
++       if(!verify_checksums())
+ 	    {
+ 	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ 	    fips_selftest_fail = 1;
+Index: openssl-1.0.1e/crypto/fips/fips.h
+===================================================================
+--- openssl-1.0.1e.orig/crypto/fips/fips.h
++++ openssl-1.0.1e/crypto/fips/fips.h
+@@ -74,6 +74,7 @@ struct hmac_ctx_st;
+ 
+ int FIPS_module_mode_set(int onoff, const char *auth);
+ int FIPS_module_mode(void);
++int FIPS_module_installed(void);
+ const void *FIPS_rand_check(void);
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+Index: openssl-1.0.1e/crypto/o_init.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/o_init.c
++++ openssl-1.0.1e/crypto/o_init.c
+@@ -70,6 +70,9 @@ static void init_fips_mode(void)
+ 	{
+ 	char buf[2] = "0";
+ 	int fd;
++
++       /* Ensure the selftests always run */
++       FIPS_mode_set(1);
+ 	
+ 	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ 		{
+@@ -85,9 +88,15 @@ static void init_fips_mode(void)
+ 	 * otherwise. 
+ 	 */
+ 	
+-	if (buf[0] == '1')
++	if (buf[0] != '1')
++               {
++               /* drop down to non-FIPS mode if it is not requested */
++               FIPS_mode_set(0);
++               }
++       else
+ 		{
+-		FIPS_mode_set(1);
++               /* abort if selftest failed */
++               FIPS_selftest_check();
+ 		}
+ 	}
+ #endif
+@@ -96,13 +105,19 @@ static void init_fips_mode(void)
+  * Currently only sets FIPS callbacks
+  */
+ 
+-void OPENSSL_init_library(void)
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ 	{
+ 	static int done = 0;
+ 	if (done)
+ 		return;
+ 	done = 1;
+ #ifdef OPENSSL_FIPS
++	/* this should be an option, comment it, temporarily */
++      /* if (!FIPS_module_installed())
++               {
++               return;
++               }
++	*/
+ 	RAND_init_fips();
+ 	init_fips_mode();
+ 	if (!FIPS_mode())

openssl.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Nov 23 08:23:59 UTC 2013 - shchang@suse.com
+
+- Patches for OpenSSL FIPS-140-2/3 certification
+  Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,
+  openssl-1.0.1e-fips-ctor.patch
+
 -------------------------------------------------------------------
 Wed Oct 23 02:59:05 UTC 2013 - crrodriguez@opensuse.org
 

openssl.spec

@@ -58,6 +58,10 @@ Patch12:        openssl-1.0.1e-bnc822642.patch
 # From Fedora openssl.
 Patch13:        openssl-1.0.1c-ipv6-apps.patch
 Patch14:        0001-libcrypto-Hide-library-private-symbols.patch
+# FIPS patches
+Patch15:        openssl-1.0.1e-fips.patch
+Patch16:        openssl-1.0.1e-fips-ec.patch
+Patch17:        openssl-1.0.1e-fips-ctor.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -78,6 +82,7 @@ and to use it for commercial and noncommercial purposes.
 
 %package -n libopenssl1_0_0
 Summary:        Secure Sockets and Transport Layer Security
+License:        OpenSSL
 Group:          Productivity/Networking/Security
 Recommends:     openssl-certs
 # bug437293
@@ -104,6 +109,7 @@ and to use it for commercial and noncommercial purposes.
 
 %package -n libopenssl-devel
 Summary:        Include Files and Libraries mandatory for Development
+License:        OpenSSL
 Group:          Development/Libraries/C and C++
 Obsoletes:      openssl-devel < %{version}
 Requires:       %name = %version
@@ -120,8 +126,19 @@ Obsoletes:      openssl-devel-64bit
 This package contains all necessary include files and libraries needed
 to develop applications that require these.
 
+%package -n libopenssl1_0_0-hmac
+Summary:        HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
+License:        BSD-3-Clause
+Group:          Productivity/Networking/Security
+Requires:       libopenssl1_0_0 = %{version}-%{release}
+
+%description -n libopenssl1_0_0-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
 %package doc
 Summary:        Additional Package Documentation
+License:        OpenSSL
 Group:          Productivity/Networking/Security
 %if 0%{?suse_version} >= 1140
 BuildArch:      noarch
@@ -148,6 +165,9 @@ this package's base documentation.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -193,12 +213,13 @@ export MACHINE=armv6l
 %endif
 ./config --test-sanity 
 #
-config_flags="threads shared no-rc5 no-idea \
+config_flags="threads shared no-rc5 no-idea fips \
 %ifarch x86_64 
 enable-ec_nistp_64_gcc_128 \
 %endif
 enable-camellia \
 zlib \
+no-ec2m \
 --prefix=%{_prefix} \
 --libdir=%{_lib} \
 --openssldir=%{ssletcdir} \
@@ -245,6 +266,15 @@ $(getconf LFS_CFLAGS) \
 	make depend
 	make
 	LD_LIBRARY_PATH=`pwd` make rehash
+
+# for FIPS mode testing; the same hashes are being created later just before
+# the wrap-up of the files into the package.
+# These files are just there for the make test below...
+crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
+crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
+
+LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
+
 	%ifnarch armv4l
 	LD_LIBRARY_PATH=`pwd` make test
 	%endif
@@ -258,6 +288,7 @@ grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE
 %install
 rm -rf $RPM_BUILD_ROOT
 make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
+cp -a crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac
 install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs
 ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
 mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
@@ -335,6 +366,29 @@ cat AVAILABLE_CIPHERS
 # Do not install demo scripts executable under /usr/share/doc
 find demos -type f -perm /111 -exec chmod 644 {} \;
 
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
+%{expand:%%global __os_install_post {%__os_install_post
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+  $RPM_BUILD_ROOT/%{_lib}/libssl.so.%{num_version} > \
+    $RPM_BUILD_ROOT/%{_libdir}/.libssl.so.%{num_version}.hmac
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+  $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{num_version} > \
+    $RPM_BUILD_ROOT/%{_libdir}/.libcrypto.so.%{num_version}.hmac
+
+}}
+
 #process openssllib
 mkdir $RPM_BUILD_ROOT/%{_lib}
 mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
@@ -342,7 +396,9 @@ mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}
 mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
 cd $RPM_BUILD_ROOT%{_libdir}/
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
+ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so.%{num_version}
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
+ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so.%{num_version}
 
 for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
 rm %{buildroot}/%{_lib}/engines/lib$engine.so
@@ -365,6 +421,11 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 /%{_lib}/libcrypto.so.%{num_version}
 /%{_lib}/engines
 
+%files -n libopenssl1_0_0-hmac
+%defattr(-, root, root)
+%{_libdir}/.libssl.so.%{num_version}.hmac
+%{_libdir}/.libcrypto.so.%{num_version}.hmac
+
 %files -n libopenssl-devel
 %defattr(-, root, root)
 %{_includedir}/%{name}/
@@ -372,7 +433,9 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %exclude %{_libdir}/libcrypto.a
 %exclude %{_libdir}/libssl.a
 %{_libdir}/libssl.so
+%{_libdir}/libssl.so.%{num_version}
 %{_libdir}/libcrypto.so
+%{_libdir}/libcrypto.so.%{num_version}
 %_libdir/pkgconfig/libcrypto.pc
 %_libdir/pkgconfig/libssl.pc
 %_libdir/pkgconfig/openssl.pc
@@ -393,6 +456,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %dir %{_datadir}/ssl
 %{_datadir}/ssl/misc
 %{_bindir}/c_rehash
+%{_bindir}/fips_standalone_hmac
 %{_bindir}/%{name}
 
 %changelog