diff --git a/openssl-1_1.changes b/openssl-1_1.changes
index 2ff6e9b..9141669 100644
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Feb 21 08:03:05 UTC 2020 - Vítězslav Čížek
+
+- Use the newly build libcrypto shared library when computing the hmac
+ checksums in order to avoid a bootstrapping issue by BuildRequiring
+ libopenssl1_1 (bsc#1164102)
+
+-------------------------------------------------------------------
+Thu Feb 20 13:35:05 UTC 2020 - Vítězslav Čížek
+
+- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
+ * add openssl-fips_fix_selftests_return_value.patch
+
 -------------------------------------------------------------------
 Tue Feb 18 22:49:46 UTC 2020 - Jason Sikes
diff --git a/openssl-1_1.spec b/openssl-1_1.spec
index 6dba246..8823061 100644
--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@@ -82,10 +82,11 @@ Patch40: openssl-fips-selftests_in_nonfips_mode.patch
 Patch41: openssl-fips-clearerror.patch
 Patch42: openssl-fips-ignore_broken_atexit_test.patch
 Patch43: openssl-keep_EVP_KDF_functions_version.patch
+Patch44: openssl-fips_fix_selftests_return_value.patch
+Patch45: openssl-fips-add-SHA3-selftest.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto)
-Patch44: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
-Patch45: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
-Patch46: openssl-fips-add-SHA3-selftest.patch
+Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
 BuildRequires: pkgconfig
 Conflicts: ssl
 Provides: ssl
@@ -269,13 +270,23 @@ cp %{SOURCE5} .
 # openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
 %{expand:%%global __os_install_post {%__os_install_post
+# Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1)
+export LD_LIBRARY_PATH="%{buildroot}%{_libdir}"
+
 %{buildroot}%{_bindir}/fips_standalone_hmac \
 %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
 %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
+# As fips_standalone_hmac now uses the very same library it checksums,
+# the libcrypto hmac needs to be saved to a temporary file, otherwise
+# the library will detect the empty hmac and abort due to a wrong checksum
 %{buildroot}%{_bindir}/fips_standalone_hmac \
 %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
- %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+ %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac
+
+# rename the temporary checksum to its proper name
+mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+unset LD_LIBRARY_PATH
 }}
diff --git a/openssl-fips_fix_selftests_return_value.patch b/openssl-fips_fix_selftests_return_value.patch
new file mode 100644
index 0000000..1598f9a
--- /dev/null
+++ b/openssl-fips_fix_selftests_return_value.patch
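Review bot: The `mv` that installs `.libcrypto.so.%{maj_min}.temphmac` as the final `.hmac` runs without any check that `fips_standalone_hmac` actually wrote a checksum; whether a failed run aborts the build depends on the shell options of the scriptlet this macro expands into, which the hunk does not show. Per the added comment the library aborts on an empty or wrong checksum, so I would guard the rename with `test -s %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac` (the libssl `.hmac` written above has the same exposure). Separately, `export LD_LIBRARY_PATH=...` paired with `unset LD_LIBRARY_PATH` drops any value the build environment had set; prefixing the two invocations with `LD_LIBRARY_PATH="%{buildroot}%{_libdir}"` would scope it to those commands only.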
@@ -0,0 +1,27 @@
+Index: openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.006796026 +0100
++++ openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.946801354 +0100
+@@ -150,7 +150,7 @@ int FIPS_selftest_dsa()
+ {
+ DSA *dsa = NULL;
+ EVP_PKEY *pk = NULL;
+- int ret = -1;
++ int ret = 0;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
+
+ fips_load_key_component(p, dsa_test_2048);
+Index: openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.006796026 +0100
++++ openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.950801378 +0100
+@@ -221,6 +221,9 @@ int FIPS_selftest_ecdh(void)
+ }
+
+ err:
++ if (rv == -1) {
++ rv = 0;
++ }
+
+ if (x)
+ BN_clear_free(x);
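Review bot: The `if (rv == -1)` normalisation added at `err:` in FIPS_selftest_ecdh maps only that one value to 0, so any other value that is not the success code would still be returned as-is; if callers test the result for non-zero (presumably, given the changelog entry), a stray negative value would read as a passed self-test. `if (rv != 1) rv = 0;` would fail closed, provided 1 is the only success value, which needs confirming because the assignments to `rv` sit outside the hunk. It is also inconsistent with the DSA fix in the same patch, which changes the initialiser to `int ret = 0;`; a short comment at the label stating the return convention (e.g. `/* return 1 on success, 0 on failure */`) would help. Both function bodies start and end outside the embedded hunks.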