Accepting request 210985 from Base:System
Adjust the installation path; Modify files: README-FIPS.txt openssl.spec (forwarded request 210984 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/210985 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=102
This commit is contained in:
parent
4ed020414f
commit
a4f9e5aa25
241
README-FIPS.txt
Normal file
241
README-FIPS.txt
Normal file
@ -0,0 +1,241 @@
|
|||||||
|
README-FIPS.txt - Roman Drahtmueller <draht@suse.de>, June 16 2012
|
||||||
|
|
||||||
|
NOTE: Finished the adjustment of DSO path and correct the version
|
||||||
|
information for SLE 12. Still need to review about AES-NI optimization.
|
||||||
|
Shawn Chang <shchang@suse.com>, Dec 7 2013.
|
||||||
|
|
||||||
|
NOTE: Outdated currently for openSUSE Factory / SLE 12, needs review
|
||||||
|
and adjustments. But basic settings still are the same.
|
||||||
|
Marcus Meissner <meissner@suse.de>, 2013/Dec/03.
|
||||||
|
|
||||||
|
* general information
|
||||||
|
* FIPS-140-2 mode of operation
|
||||||
|
* overview: openssl subpackages on SLES12
|
||||||
|
==============================================================================
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
* general information
|
||||||
|
==============================================================================
|
||||||
|
|
||||||
|
Dear user of the SUSE Linux Enterprise Server,
|
||||||
|
|
||||||
|
SLES12 comes with openssl of version 1.0.1e, a version upgrade from
|
||||||
|
0.9.8j that came with earlier revisions of SLES11-SP3.
|
||||||
|
|
||||||
|
The new version has support for FIPS-140-2 mode of operation.
|
||||||
|
FIPS is short for Federal Information Processing Standard.
|
||||||
|
For more information on FIPS-140-2, please see
|
||||||
|
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
|
||||||
|
and more publications on the NIST website.
|
||||||
|
|
||||||
|
The openssl shared libraries are used by numerous packages in the
|
||||||
|
SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode,
|
||||||
|
then the binary that links against the library at runtime makes use
|
||||||
|
of FIPS-140-2 validated cryptography as defined in its cryptographic
|
||||||
|
module. By consequence, a large number of packages can make a claim
|
||||||
|
about using FIPS-140-2 validated cryptographical functions.
|
||||||
|
|
||||||
|
Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2
|
||||||
|
mode of operation.
|
||||||
|
Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are
|
||||||
|
supported and used, if the used CPU supports the AES-NI instructions. These
|
||||||
|
assembler optimizations can deliver a substantial performance benefit.
|
||||||
|
To check if your system's CPU(s) has (have) AES-NI support, have a look
|
||||||
|
into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes"
|
||||||
|
flag.
|
||||||
|
AES-NI support can be disabled by setting the environment variable
|
||||||
|
OPENSSL_DISABLE_AESNI before running binaries that link against openssl.
|
||||||
|
The "openssl speed" command can give you an idea for the performance
|
||||||
|
differences.
|
||||||
|
|
||||||
|
|
||||||
|
The cryptographic module as defined for FIPS-140-2 is contained in the files
|
||||||
|
/usr/lib64/.libcrypto.so.1.0.0.hmac
|
||||||
|
/usr/lib64/.libssl.so.1.0.0.hmac
|
||||||
|
/usr/lib64/libcrypto.so.1.0.0
|
||||||
|
/usr/lib64/libssl.so.1.0.0
|
||||||
|
for 64bit operation and
|
||||||
|
/usr/lib/.libcrypto.so.1.0.0.hmac
|
||||||
|
/usr/lib/.libssl.so.1.0.0.hmac
|
||||||
|
/usr/lib/libcrypto.so.1.0.0
|
||||||
|
/usr/lib/libssl.so.1.0.0
|
||||||
|
for 32bit.
|
||||||
|
|
||||||
|
The .hmac files contain a HMAC for the internal integrity checking. They
|
||||||
|
are contained in the package libopenssl1_0_0-hmac, seperate from the
|
||||||
|
libopenssl1_0_0 package. These hashes are produced as one of the last steps
|
||||||
|
during the RPM build process.
|
||||||
|
If the library starts up in FIPS mode, the .hmac files are read, and the
|
||||||
|
checksum is verified against a new self-measurement of the library.
|
||||||
|
Essentially, this means that the FIPS mode of operation is not possible
|
||||||
|
without the .hmac files from the corresponding -hmac package installed.
|
||||||
|
If the library starts up in non-FIPS mode, it checks if the .hmac files
|
||||||
|
exist, and if so, it runs through the self-tests as if it operates in FIPS
|
||||||
|
mode. This self-test in non-FIPS mode is formally mandatory and comes with
|
||||||
|
a heavy CPU footprint. You can avoid this overhead by un-installing the
|
||||||
|
libopenssl1_0_0-hmac package (with the consequence that FIPS mode of
|
||||||
|
operation becomes unavailable).
|
||||||
|
|
||||||
|
The openssl library operates in non-FIPS mode by default.
|
||||||
|
|
||||||
|
|
||||||
|
* FIPS-140-2 mode of operation
|
||||||
|
==============================================================================
|
||||||
|
|
||||||
|
The openssl library operates in non-FIPS mode by default.
|
||||||
|
|
||||||
|
As noted above (* general information), the .hmac files for the integrity
|
||||||
|
self-check of the openssl library are contained in their own package.
|
||||||
|
Unfortunately, the self-test is mandatory even if the library runs in
|
||||||
|
non-FIPS mode, causing a significant CPU consumption during openssl's
|
||||||
|
initialization. You can avoid this overhead by de-installing the -hmac
|
||||||
|
package if you do not need FIPS mode of operation.
|
||||||
|
|
||||||
|
If you DO need to run binaries that are linked against the openssl
|
||||||
|
cryptographic library that runs in FIPS mode, you MUST have the
|
||||||
|
libopenssl1_0_0-hmac package installed.
|
||||||
|
|
||||||
|
!!! If you enable FIPS mode of operation with the methods below, you MUST
|
||||||
|
!!! have the libopenssl1_0_0-hmac package installed. Programs that runtime-link
|
||||||
|
!!! against openssl will abort if the FIPS self-tests (including the
|
||||||
|
!!! integrity check with the .hmac hashes) fail!
|
||||||
|
|
||||||
|
There are three ways to switch the shared libraries listed above to
|
||||||
|
FIPS-140-2 compliant mode:
|
||||||
|
|
||||||
|
1) Start your system with the kernel commandline option "fips=1". To
|
||||||
|
change the configuration for your system on a permanent basis, please
|
||||||
|
add the command line option to the corresponding line in the bootloader
|
||||||
|
configuration, typically /boot/grub/menu.lst .
|
||||||
|
You can check if the kernel has accepted the commandline option at boot
|
||||||
|
by inspecting the content of the file /proc/sys/crypto/fips_enabled .
|
||||||
|
Please note that the fips=1 kernel commandline option switches
|
||||||
|
the kernel's crypto API to FIPS mode operation, too. As a consequence,
|
||||||
|
some of the in-kernel cryptographical functions may become unavailable.
|
||||||
|
As of the writing of this README-FIPS.txt, the kernel's crypto API in
|
||||||
|
the SUSE Linux Enterprise Server was NOT FIPS-140-2 validated!
|
||||||
|
|
||||||
|
|
||||||
|
2) set the environment variable OPENSSL_FORCE_FIPS_MODE to "1":
|
||||||
|
|
||||||
|
export OPENSSL_FORCE_FIPS_MODE=1
|
||||||
|
|
||||||
|
and run your application with this environment variable set.
|
||||||
|
The FIPS-140-2 mode of operation is only given in the context of
|
||||||
|
processes that have OPENSSL_FORCE_FIPS_MODE set, unless the global
|
||||||
|
switch as in 1) above is active.
|
||||||
|
|
||||||
|
|
||||||
|
3) In your program, use the exported function
|
||||||
|
|
||||||
|
int FIPS_mode_set(int onoff);
|
||||||
|
|
||||||
|
to turn on FIPS-140-2 compliant mode. The library will conduct the
|
||||||
|
mandatory self-tests and the integrity check that makes use of the
|
||||||
|
.hmac files mentioned above.
|
||||||
|
The function
|
||||||
|
|
||||||
|
int FIPS_mode(void);
|
||||||
|
|
||||||
|
can be used to check if the library operates in FIPS-140-2 compliant
|
||||||
|
mode. It returns 1 in FIPS mode, 0 otherwise.
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
- An easy way to verify if your openssl cryptography subsystem operates
|
||||||
|
in FIPS-140-2 compliant mode is to look at the output of the
|
||||||
|
|
||||||
|
openssl ciphers
|
||||||
|
|
||||||
|
command. In FIPS-140-2 compliant mode, the output lists fewer
|
||||||
|
algorythms.
|
||||||
|
|
||||||
|
- The startup time of programs that initialize the openssl shared libraries
|
||||||
|
in FIPS-140-2 compliant mode is considerably longer due to the self-tests
|
||||||
|
that are being executed. On fast systems, the startup overhead can be in the
|
||||||
|
range of 0.05-0.3s. The startup time is two orders of a magnitude smaller
|
||||||
|
in non-FIPS mode.
|
||||||
|
Please note that the self-test overhead only occurs during the
|
||||||
|
initialization of the cryptographic module. There is no other
|
||||||
|
performance impact of FIPS-140-2 compliant operation of the library.
|
||||||
|
|
||||||
|
- The environment variable OPENSSL_FIPS can be set to force the
|
||||||
|
/usr/bin/openssl binary to operate in FIPS-140-2 compliant mode:
|
||||||
|
|
||||||
|
OPENSSL_FIPS=1 openssl ciphers
|
||||||
|
|
||||||
|
The variable OPENSSL_FIPS has an effect on the openssl binary only.
|
||||||
|
|
||||||
|
- Services and daemons that make use of the openssl shared libraries in
|
||||||
|
FIPS-140-2 compliant mode need to be configured to use algorythms
|
||||||
|
from the list of permissable algorythms. If an algorythm is requested
|
||||||
|
by an application that is not allowed in FIPS-140-2 compliant mode,
|
||||||
|
the application will terminate (abort(3)).
|
||||||
|
Please see the FIPS-140-2 Security Policy document for the openssl
|
||||||
|
FIPS module on the SUSE Linux Enterprise Server 11 SP1 from the
|
||||||
|
SUSE website at http://www.suse.com/ or the NIST website at
|
||||||
|
http://csrc.nist.gov/ for more details.
|
||||||
|
|
||||||
|
- If you have any questions about the FIPS-140-2 compliant mode of openssl,
|
||||||
|
please send email to security@suse.com.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
* overview: openssl subpackages on SLES12
|
||||||
|
==============================================================================
|
||||||
|
|
||||||
|
The openssl package consists of the following RPM package:
|
||||||
|
|
||||||
|
openssl
|
||||||
|
|
||||||
|
- manual pages
|
||||||
|
- the /etc/ssl configuration directory
|
||||||
|
- the /usr/bin/openssl program
|
||||||
|
- /usr/bin/fips_standalone_hmac, the program used to reproduce
|
||||||
|
the integrity HMAC that is contained in the package:
|
||||||
|
|
||||||
|
libopenssl1_0_0
|
||||||
|
- files:
|
||||||
|
/usr/lib64/libcrypto.so.1.0.0
|
||||||
|
/usr/lib64/libssl.so.1.0.0
|
||||||
|
/usr/lib64/engines
|
||||||
|
/usr/lib64/engines/libcapi.so
|
||||||
|
/usr/lib64/engines/libgmp.so
|
||||||
|
/usr/lib64/engines/libgost.so
|
||||||
|
/usr/lib64/engines/libpadlock.so
|
||||||
|
|
||||||
|
libopenssl1_0_0-hmac
|
||||||
|
- files:
|
||||||
|
/usr/lib64/.libcrypto.so.1.0.0.hmac
|
||||||
|
/usr/lib64/.libssl.so.1.0.0.hmac
|
||||||
|
|
||||||
|
libopenssl1_0_0-32bit
|
||||||
|
- files as in package libopenssl1_0_0, but in /usr/lib/.
|
||||||
|
The .so libraries are for the 32bit compatibility mode of the
|
||||||
|
openssl library.
|
||||||
|
|
||||||
|
libopenssl1_0_0-hmac-32bit
|
||||||
|
- files as in package libopenssl1_0_0-hmac, but in /usr/lib/.
|
||||||
|
|
||||||
|
libopenssl-devel
|
||||||
|
- header files and static libraries for compiling applications with the
|
||||||
|
openssl library. Please note that running binaries that are statically
|
||||||
|
linked against openssl libraries is not supported in terms of FIPS-140-2
|
||||||
|
compliance.
|
||||||
|
|
||||||
|
openssl-doc
|
||||||
|
- more documentation and manual pages.
|
||||||
|
|
||||||
|
openssl-debuginfo
|
||||||
|
openssl-debugsource
|
||||||
|
- packages that provide debugging symbols and debugging source code for
|
||||||
|
running binaries (dynamically) linked against libopenssl1_0_0 in a
|
||||||
|
debugger.
|
||||||
|
|
||||||
|
openssl-certs
|
||||||
|
- CA certificate collection in /etc/ssl/certs
|
||||||
|
The openssl-certs package is not a subpackage of the openssl package,
|
||||||
|
but it merely provides CA certificates where the openssl package
|
||||||
|
finds them.
|
||||||
|
|
@ -3,3 +3,6 @@ libopenssl1_0_0
|
|||||||
libopenssl-devel
|
libopenssl-devel
|
||||||
requires -libopenssl-<targettype>
|
requires -libopenssl-<targettype>
|
||||||
requires "libopenssl1_0_0-<targettype> = <version>"
|
requires "libopenssl1_0_0-<targettype> = <version>"
|
||||||
|
libopenssl1_0_0-hmac
|
||||||
|
requires -libopenssl1_0_0 = <version>
|
||||||
|
requires "libopenssl1_0_0-<targettype> = <version>-%release"
|
||||||
|
184
openssl-1.0.1e-fips-ctor.patch
Normal file
184
openssl-1.0.1e-fips-ctor.patch
Normal file
@ -0,0 +1,184 @@
|
|||||||
|
Index: openssl-1.0.1e/crypto/fips/fips.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.0.1e.orig/crypto/fips/fips.c
|
||||||
|
+++ openssl-1.0.1e/crypto/fips/fips.c
|
||||||
|
@@ -60,6 +60,8 @@
|
||||||
|
#include <dlfcn.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
#include "fips_locl.h"
|
||||||
|
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
|
||||||
|
return hex;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#define HMAC_PREFIX "."
|
||||||
|
-#define HMAC_SUFFIX ".hmac"
|
||||||
|
+#define HMAC_PREFIX "."
|
||||||
|
+#ifndef HMAC_SUFFIX
|
||||||
|
+#define HMAC_SUFFIX ".hmac"
|
||||||
|
+#endif
|
||||||
|
#define READ_BUFFER_LENGTH 16384
|
||||||
|
|
||||||
|
static char *
|
||||||
|
@@ -279,19 +283,13 @@ end:
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-FIPSCHECK_verify(const char *libname, const char *symbolname)
|
||||||
|
+FIPSCHECK_verify(const char *path)
|
||||||
|
{
|
||||||
|
- char path[PATH_MAX+1];
|
||||||
|
- int rv;
|
||||||
|
+ int rv = 0;
|
||||||
|
FILE *hf;
|
||||||
|
char *hmacpath, *p;
|
||||||
|
char *hmac = NULL;
|
||||||
|
size_t n;
|
||||||
|
-
|
||||||
|
- rv = get_library_path(libname, symbolname, path, sizeof(path));
|
||||||
|
-
|
||||||
|
- if (rv < 0)
|
||||||
|
- return 0;
|
||||||
|
|
||||||
|
hmacpath = make_hmac_path(path);
|
||||||
|
if (hmacpath == NULL)
|
||||||
|
@@ -341,6 +339,53 @@ end:
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+verify_checksums(void)
|
||||||
|
+ {
|
||||||
|
+ int rv;
|
||||||
|
+ char path[PATH_MAX+1];
|
||||||
|
+ char *p;
|
||||||
|
+
|
||||||
|
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
|
||||||
|
+ are in the same directory */
|
||||||
|
+
|
||||||
|
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
|
||||||
|
+ if (rv < 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ rv = FIPSCHECK_verify(path);
|
||||||
|
+ if (!rv)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* replace libcrypto with libssl */
|
||||||
|
+ while ((p = strstr(path, "libcrypto.so")) != NULL)
|
||||||
|
+ {
|
||||||
|
+ p = stpcpy(p, "libssl");
|
||||||
|
+ memmove(p, p+3, strlen(p+2));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rv = FIPSCHECK_verify(path);
|
||||||
|
+ if (!rv)
|
||||||
|
+ return 0;
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifndef FIPS_MODULE_PATH
|
||||||
|
+#define FIPS_MODULE_PATH "/etc/system-fips"
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+FIPS_module_installed(void)
|
||||||
|
+ {
|
||||||
|
+ int rv;
|
||||||
|
+ rv = access(FIPS_MODULE_PATH, F_OK);
|
||||||
|
+ if (rv < 0 && errno != ENOENT)
|
||||||
|
+ rv = 0;
|
||||||
|
+
|
||||||
|
+ /* Installed == true */
|
||||||
|
+ return !rv;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
int FIPS_module_mode_set(int onoff, const char *auth)
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
|
||||||
|
- {
|
||||||
|
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||||
|
- fips_selftest_fail = 1;
|
||||||
|
- ret = 0;
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
|
||||||
|
+ if(!verify_checksums())
|
||||||
|
{
|
||||||
|
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||||
|
fips_selftest_fail = 1;
|
||||||
|
Index: openssl-1.0.1e/crypto/fips/fips.h
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.0.1e.orig/crypto/fips/fips.h
|
||||||
|
+++ openssl-1.0.1e/crypto/fips/fips.h
|
||||||
|
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
|
||||||
|
|
||||||
|
int FIPS_module_mode_set(int onoff, const char *auth);
|
||||||
|
int FIPS_module_mode(void);
|
||||||
|
+int FIPS_module_installed(void);
|
||||||
|
const void *FIPS_rand_check(void);
|
||||||
|
int FIPS_selftest(void);
|
||||||
|
int FIPS_selftest_failed(void);
|
||||||
|
Index: openssl-1.0.1e/crypto/o_init.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.0.1e.orig/crypto/o_init.c
|
||||||
|
+++ openssl-1.0.1e/crypto/o_init.c
|
||||||
|
@@ -70,6 +70,9 @@ static void init_fips_mode(void)
|
||||||
|
{
|
||||||
|
char buf[2] = "0";
|
||||||
|
int fd;
|
||||||
|
+
|
||||||
|
+ /* Ensure the selftests always run */
|
||||||
|
+ FIPS_mode_set(1);
|
||||||
|
|
||||||
|
if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
||||||
|
{
|
||||||
|
@@ -85,9 +88,15 @@ static void init_fips_mode(void)
|
||||||
|
* otherwise.
|
||||||
|
*/
|
||||||
|
|
||||||
|
- if (buf[0] == '1')
|
||||||
|
+ if (buf[0] != '1')
|
||||||
|
+ {
|
||||||
|
+ /* drop down to non-FIPS mode if it is not requested */
|
||||||
|
+ FIPS_mode_set(0);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
{
|
||||||
|
- FIPS_mode_set(1);
|
||||||
|
+ /* abort if selftest failed */
|
||||||
|
+ FIPS_selftest_check();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -96,13 +105,19 @@ static void init_fips_mode(void)
|
||||||
|
* Currently only sets FIPS callbacks
|
||||||
|
*/
|
||||||
|
|
||||||
|
-void OPENSSL_init_library(void)
|
||||||
|
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
|
||||||
|
{
|
||||||
|
static int done = 0;
|
||||||
|
if (done)
|
||||||
|
return;
|
||||||
|
done = 1;
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
+ /* this should be an option, comment it, temporarily */
|
||||||
|
+ /* if (!FIPS_module_installed())
|
||||||
|
+ {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ */
|
||||||
|
RAND_init_fips();
|
||||||
|
init_fips_mode();
|
||||||
|
if (!FIPS_mode())
|
2054
openssl-1.0.1e-fips-ec.patch
Normal file
2054
openssl-1.0.1e-fips-ec.patch
Normal file
File diff suppressed because it is too large
Load Diff
20494
openssl-1.0.1e-fips.patch
Normal file
20494
openssl-1.0.1e-fips.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,3 +1,34 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 16 04:28:09 UTC 2013 - shchang@suse.com
|
||||||
|
|
||||||
|
- Adjust the installation path.
|
||||||
|
Modify files: README-FIPS.txt openssl.spec
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Dec 6 08:07:06 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- don't own /etc/ssl/certs, it's owned by ca-certificates
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 3 12:51:15 UTC 2013 - meissner@suse.com
|
||||||
|
|
||||||
|
- Actually enable it (in a building way) for openSUSE and SLES,
|
||||||
|
as we intended.
|
||||||
|
- Add README-FIPS.txt from SLE 11.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 2 21:15:41 UTC 2013 - crrodriguez@opensuse.org
|
||||||
|
|
||||||
|
- Restrict the (broken beyond build) FIPS certification code
|
||||||
|
to SLE releases only, it has no value in openSUSE at all.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Nov 23 08:23:59 UTC 2013 - shchang@suse.com
|
||||||
|
|
||||||
|
- Patches for OpenSSL FIPS-140-2/3 certification
|
||||||
|
Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,
|
||||||
|
openssl-1.0.1e-fips-ctor.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 23 02:59:05 UTC 2013 - crrodriguez@opensuse.org
|
Wed Oct 23 02:59:05 UTC 2013 - crrodriguez@opensuse.org
|
||||||
|
|
||||||
|
88
openssl.spec
88
openssl.spec
@ -41,6 +41,7 @@ Source42: http://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc
|
|||||||
Source1: openssl.changes
|
Source1: openssl.changes
|
||||||
Source2: baselibs.conf
|
Source2: baselibs.conf
|
||||||
Source10: README.SuSE
|
Source10: README.SuSE
|
||||||
|
Source11: README-FIPS.txt
|
||||||
Patch0: merge_from_0.9.8k.patch
|
Patch0: merge_from_0.9.8k.patch
|
||||||
Patch1: openssl-1.0.0-c_rehash-compat.diff
|
Patch1: openssl-1.0.0-c_rehash-compat.diff
|
||||||
Patch2: bug610223.patch
|
Patch2: bug610223.patch
|
||||||
@ -58,6 +59,10 @@ Patch12: openssl-1.0.1e-bnc822642.patch
|
|||||||
# From Fedora openssl.
|
# From Fedora openssl.
|
||||||
Patch13: openssl-1.0.1c-ipv6-apps.patch
|
Patch13: openssl-1.0.1c-ipv6-apps.patch
|
||||||
Patch14: 0001-libcrypto-Hide-library-private-symbols.patch
|
Patch14: 0001-libcrypto-Hide-library-private-symbols.patch
|
||||||
|
# FIPS patches:
|
||||||
|
Patch15: openssl-1.0.1e-fips.patch
|
||||||
|
Patch16: openssl-1.0.1e-fips-ec.patch
|
||||||
|
Patch17: openssl-1.0.1e-fips-ctor.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -78,6 +83,7 @@ and to use it for commercial and noncommercial purposes.
|
|||||||
|
|
||||||
%package -n libopenssl1_0_0
|
%package -n libopenssl1_0_0
|
||||||
Summary: Secure Sockets and Transport Layer Security
|
Summary: Secure Sockets and Transport Layer Security
|
||||||
|
License: OpenSSL
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Recommends: openssl-certs
|
Recommends: openssl-certs
|
||||||
# bug437293
|
# bug437293
|
||||||
@ -104,6 +110,7 @@ and to use it for commercial and noncommercial purposes.
|
|||||||
|
|
||||||
%package -n libopenssl-devel
|
%package -n libopenssl-devel
|
||||||
Summary: Include Files and Libraries mandatory for Development
|
Summary: Include Files and Libraries mandatory for Development
|
||||||
|
License: OpenSSL
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
Obsoletes: openssl-devel < %{version}
|
Obsoletes: openssl-devel < %{version}
|
||||||
Requires: %name = %version
|
Requires: %name = %version
|
||||||
@ -120,8 +127,19 @@ Obsoletes: openssl-devel-64bit
|
|||||||
This package contains all necessary include files and libraries needed
|
This package contains all necessary include files and libraries needed
|
||||||
to develop applications that require these.
|
to develop applications that require these.
|
||||||
|
|
||||||
|
%package -n libopenssl1_0_0-hmac
|
||||||
|
Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
|
||||||
|
License: BSD-3-Clause
|
||||||
|
Group: Productivity/Networking/Security
|
||||||
|
Requires: libopenssl1_0_0 = %{version}-%{release}
|
||||||
|
|
||||||
|
%description -n libopenssl1_0_0-hmac
|
||||||
|
The FIPS compliant operation of the openssl shared libraries is NOT
|
||||||
|
possible without the HMAC hashes contained in this package!
|
||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: Additional Package Documentation
|
Summary: Additional Package Documentation
|
||||||
|
License: OpenSSL
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
%if 0%{?suse_version} >= 1140
|
%if 0%{?suse_version} >= 1140
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
@ -148,8 +166,12 @@ this package's base documentation.
|
|||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p1
|
%patch13 -p1
|
||||||
%patch14 -p1
|
%patch14 -p1
|
||||||
|
%patch15 -p1
|
||||||
|
%patch16 -p1
|
||||||
|
%patch17 -p1
|
||||||
|
|
||||||
cp -p %{S:10} .
|
cp -p %{S:10} .
|
||||||
|
cp -p %{S:11} .
|
||||||
echo "adding/overwriting some entries in the 'table' hash in Configure"
|
echo "adding/overwriting some entries in the 'table' hash in Configure"
|
||||||
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
|
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
|
||||||
export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
|
export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
|
||||||
@ -194,11 +216,13 @@ export MACHINE=armv6l
|
|||||||
./config --test-sanity
|
./config --test-sanity
|
||||||
#
|
#
|
||||||
config_flags="threads shared no-rc5 no-idea \
|
config_flags="threads shared no-rc5 no-idea \
|
||||||
|
fips \
|
||||||
%ifarch x86_64
|
%ifarch x86_64
|
||||||
enable-ec_nistp_64_gcc_128 \
|
enable-ec_nistp_64_gcc_128 \
|
||||||
%endif
|
%endif
|
||||||
enable-camellia \
|
enable-camellia \
|
||||||
zlib \
|
zlib \
|
||||||
|
no-ec2m \
|
||||||
--prefix=%{_prefix} \
|
--prefix=%{_prefix} \
|
||||||
--libdir=%{_lib} \
|
--libdir=%{_lib} \
|
||||||
--openssldir=%{ssletcdir} \
|
--openssldir=%{ssletcdir} \
|
||||||
@ -245,6 +269,13 @@ $(getconf LFS_CFLAGS) \
|
|||||||
make depend
|
make depend
|
||||||
make
|
make
|
||||||
LD_LIBRARY_PATH=`pwd` make rehash
|
LD_LIBRARY_PATH=`pwd` make rehash
|
||||||
|
# for FIPS mode testing; the same hashes are being created later just before
|
||||||
|
# the wrap-up of the files into the package.
|
||||||
|
# These files are just there for the make test below...
|
||||||
|
crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
|
||||||
|
crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
|
||||||
|
|
||||||
|
LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
|
||||||
%ifnarch armv4l
|
%ifnarch armv4l
|
||||||
LD_LIBRARY_PATH=`pwd` make test
|
LD_LIBRARY_PATH=`pwd` make test
|
||||||
%endif
|
%endif
|
||||||
@ -258,11 +289,10 @@ grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE
|
|||||||
%install
|
%install
|
||||||
rm -rf $RPM_BUILD_ROOT
|
rm -rf $RPM_BUILD_ROOT
|
||||||
make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
|
make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
|
||||||
install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs
|
cp -a crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac
|
||||||
ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
|
ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
|
||||||
mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
|
mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
|
||||||
mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
|
mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
|
||||||
# ln -s %{ssletcdir}/certs $RPM_BUILD_ROOT/%{_datadir}/ssl/certs
|
|
||||||
# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private
|
# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private
|
||||||
# ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
|
# ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
|
||||||
#
|
#
|
||||||
@ -335,21 +365,46 @@ cat AVAILABLE_CIPHERS
|
|||||||
# Do not install demo scripts executable under /usr/share/doc
|
# Do not install demo scripts executable under /usr/share/doc
|
||||||
find demos -type f -perm /111 -exec chmod 644 {} \;
|
find demos -type f -perm /111 -exec chmod 644 {} \;
|
||||||
|
|
||||||
|
# the hmac hashes:
|
||||||
|
#
|
||||||
|
# this is a hack that re-defines the __os_install_post macro
|
||||||
|
# for a simple reason: the macro strips the binaries and thereby
|
||||||
|
# invalidates a HMAC that may have been created earlier.
|
||||||
|
# solution: create the hashes _after_ the macro runs.
|
||||||
|
#
|
||||||
|
# this shows up earlier because otherwise the %expand of
|
||||||
|
# the macro is too late.
|
||||||
|
# remark: This is the same as running
|
||||||
|
# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
|
||||||
|
%{expand:%%global __os_install_post {%__os_install_post
|
||||||
|
|
||||||
|
$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
|
||||||
|
$RPM_BUILD_ROOT/%{_libdir}/libssl.so.%{num_version} > \
|
||||||
|
$RPM_BUILD_ROOT/%{_libdir}/.libssl.so.%{num_version}.hmac
|
||||||
|
|
||||||
|
$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
|
||||||
|
$RPM_BUILD_ROOT/%{_libdir}/libcrypto.so.%{num_version} > \
|
||||||
|
$RPM_BUILD_ROOT/%{_libdir}/.libcrypto.so.%{num_version}.hmac
|
||||||
|
|
||||||
|
}}
|
||||||
|
|
||||||
#process openssllib
|
#process openssllib
|
||||||
mkdir $RPM_BUILD_ROOT/%{_lib}
|
mkdir $RPM_BUILD_ROOT/%{_lib}
|
||||||
mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
|
#mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
|
||||||
mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
|
#mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
|
||||||
mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
|
#mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
|
||||||
cd $RPM_BUILD_ROOT%{_libdir}/
|
cd $RPM_BUILD_ROOT%{_libdir}/
|
||||||
ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
|
ln -sf /%{_libdir}/libssl.so.%{num_version} ./libssl.so
|
||||||
ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
|
#ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so.%{num_version}
|
||||||
|
ln -sf /%{_libdir}/libcrypto.so.%{num_version} ./libcrypto.so
|
||||||
|
#ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so.%{num_version}
|
||||||
|
|
||||||
for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
|
for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
|
||||||
rm %{buildroot}/%{_lib}/engines/lib$engine.so
|
rm %{buildroot}/%{_libdir}/engines/lib$engine.so
|
||||||
done
|
done
|
||||||
|
|
||||||
%ifnarch %{ix86} x86_64
|
%ifnarch %{ix86} x86_64
|
||||||
rm %{buildroot}/%{_lib}/engines/libpadlock.so
|
rm %{buildroot}/%{_libdir}/engines/libpadlock.so
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%clean
|
%clean
|
||||||
@ -361,9 +416,14 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
|
|||||||
|
|
||||||
%files -n libopenssl1_0_0
|
%files -n libopenssl1_0_0
|
||||||
%defattr(-, root, root)
|
%defattr(-, root, root)
|
||||||
/%{_lib}/libssl.so.%{num_version}
|
/%{_libdir}/libssl.so.%{num_version}
|
||||||
/%{_lib}/libcrypto.so.%{num_version}
|
/%{_libdir}/libcrypto.so.%{num_version}
|
||||||
/%{_lib}/engines
|
/%{_libdir}/engines
|
||||||
|
|
||||||
|
%files -n libopenssl1_0_0-hmac
|
||||||
|
%defattr(-, root, root)
|
||||||
|
%{_libdir}/.libssl.so.%{num_version}.hmac
|
||||||
|
%{_libdir}/.libcrypto.so.%{num_version}.hmac
|
||||||
|
|
||||||
%files -n libopenssl-devel
|
%files -n libopenssl-devel
|
||||||
%defattr(-, root, root)
|
%defattr(-, root, root)
|
||||||
@ -385,14 +445,14 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
|
|||||||
%files -f filelist
|
%files -f filelist
|
||||||
%defattr(-, root, root)
|
%defattr(-, root, root)
|
||||||
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
|
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
|
||||||
%doc LICENSE NEWS README README.SuSE
|
%doc LICENSE NEWS README README.SuSE README-FIPS.txt
|
||||||
%dir %{ssletcdir}
|
%dir %{ssletcdir}
|
||||||
%dir %{ssletcdir}/certs
|
|
||||||
%config (noreplace) %{ssletcdir}/openssl.cnf
|
%config (noreplace) %{ssletcdir}/openssl.cnf
|
||||||
%attr(700,root,root) %{ssletcdir}/private
|
%attr(700,root,root) %{ssletcdir}/private
|
||||||
%dir %{_datadir}/ssl
|
%dir %{_datadir}/ssl
|
||||||
%{_datadir}/ssl/misc
|
%{_datadir}/ssl/misc
|
||||||
%{_bindir}/c_rehash
|
%{_bindir}/c_rehash
|
||||||
|
%{_bindir}/fips_standalone_hmac
|
||||||
%{_bindir}/%{name}
|
%{_bindir}/%{name}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
Loading…
Reference in New Issue
Block a user