Accepting request 210985 from Base:System

Adjust the installation path; Modify files: README-FIPS.txt openssl.spec (forwarded request 210984 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/210985
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=102

README-FIPS.txt

@@ -0,0 +1,241 @@
+README-FIPS.txt - Roman Drahtmueller <draht@suse.de>, June 16 2012
+
+NOTE: Finished the adjustment of DSO path and correct the version
+information for SLE 12. Still need to review about AES-NI optimization.
+Shawn Chang <shchang@suse.com>, Dec 7 2013.
+
+NOTE: Outdated currently for openSUSE Factory / SLE 12, needs review
+and adjustments. But basic settings still are the same.
+Marcus Meissner <meissner@suse.de>, 2013/Dec/03.
+
+* general information
+* FIPS-140-2 mode of operation
+* overview: openssl subpackages on SLES12
+==============================================================================
+
+
+
+* general information
+==============================================================================
+
+Dear user of the SUSE Linux Enterprise Server,
+
+SLES12 comes with openssl of version 1.0.1e, a version upgrade from
+0.9.8j that came with earlier revisions of SLES11-SP3.
+
+The new version has support for FIPS-140-2 mode of operation.
+FIPS is short for Federal Information Processing Standard.
+For more information on FIPS-140-2, please see
+http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
+and more publications on the NIST website.
+
+The openssl shared libraries are used by numerous packages in the
+SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode,
+then the binary that links against the library at runtime makes use
+of FIPS-140-2 validated cryptography as defined in its cryptographic
+module. By consequence, a large number of packages can make a claim
+about using FIPS-140-2 validated cryptographical functions.
+
+Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2
+mode of operation.
+Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are
+supported and used, if the used CPU supports the AES-NI instructions. These
+assembler optimizations can deliver a substantial performance benefit.
+To check if your system's CPU(s) has (have) AES-NI support, have a look 
+into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes"
+flag.
+AES-NI support can be disabled by setting the environment variable
+OPENSSL_DISABLE_AESNI before running binaries that link against openssl.
+The "openssl speed" command can give you an idea for the performance
+differences.
+
+
+The cryptographic module as defined for FIPS-140-2 is contained in the files
+   /usr/lib64/.libcrypto.so.1.0.0.hmac
+   /usr/lib64/.libssl.so.1.0.0.hmac
+   /usr/lib64/libcrypto.so.1.0.0
+   /usr/lib64/libssl.so.1.0.0
+for 64bit operation and
+   /usr/lib/.libcrypto.so.1.0.0.hmac
+   /usr/lib/.libssl.so.1.0.0.hmac
+   /usr/lib/libcrypto.so.1.0.0
+   /usr/lib/libssl.so.1.0.0
+for 32bit.
+
+  The .hmac files contain a HMAC for the internal integrity checking. They 
+are contained in the package libopenssl1_0_0-hmac, seperate from the 
+libopenssl1_0_0 package. These hashes are produced as one of the last steps 
+during the RPM build process.
+  If the library starts up in FIPS mode, the .hmac files are read, and the 
+checksum is verified against a new self-measurement of the library. 
+Essentially, this means that the FIPS mode of operation is not possible
+without the .hmac files from the corresponding -hmac package installed.
+  If the library starts up in non-FIPS mode, it checks if the .hmac files 
+exist, and if so, it runs through the self-tests as if it operates in FIPS 
+mode. This self-test in non-FIPS mode is formally mandatory and comes with
+a heavy CPU footprint. You can avoid this overhead by un-installing the 
+libopenssl1_0_0-hmac package (with the consequence that FIPS mode of 
+operation becomes unavailable).
+
+The openssl library operates in non-FIPS mode by default.
+
+
+* FIPS-140-2 mode of operation
+==============================================================================
+
+The openssl library operates in non-FIPS mode by default. 
+
+As noted above (* general information), the .hmac files for the integrity 
+self-check of the openssl library are contained in their own package. 
+Unfortunately, the self-test is mandatory even if the library runs in 
+non-FIPS mode, causing a significant CPU consumption during openssl's 
+initialization. You can avoid this overhead by de-installing the -hmac 
+package if you do not need FIPS mode of operation.
+
+If you DO need to run binaries that are linked against the openssl 
+cryptographic library that runs in FIPS mode, you MUST have the 
+libopenssl1_0_0-hmac package installed.
+
+!!! If you enable FIPS mode of operation with the methods below, you MUST 
+!!! have the libopenssl1_0_0-hmac package installed. Programs that runtime-link 
+!!! against openssl will abort if the FIPS self-tests (including the 
+!!! integrity check with the .hmac hashes) fail!
+
+There are three ways to switch the shared libraries listed above to
+FIPS-140-2 compliant mode:
+
+1) Start your system with the kernel commandline option "fips=1". To
+   change the configuration for your system on a permanent basis, please
+   add the command line option to the corresponding line in the bootloader
+   configuration, typically /boot/grub/menu.lst .
+   You can check if the kernel has accepted the commandline option at boot
+   by inspecting the content of the file /proc/sys/crypto/fips_enabled .
+     Please note that the fips=1 kernel commandline option switches
+   the kernel's crypto API to FIPS mode operation, too. As a consequence,
+   some of the in-kernel cryptographical functions may become unavailable.
+     As of the writing of this README-FIPS.txt, the kernel's crypto API in
+   the SUSE Linux Enterprise Server was NOT FIPS-140-2 validated!
+
+
+2) set the environment variable OPENSSL_FORCE_FIPS_MODE to "1":
+
+	export OPENSSL_FORCE_FIPS_MODE=1
+
+   and run your application with this environment variable set.
+   The FIPS-140-2 mode of operation is only given in the context of
+   processes that have OPENSSL_FORCE_FIPS_MODE set, unless the global
+   switch as in 1) above is active.
+
+
+3) In your program, use the exported function
+
+	int FIPS_mode_set(int onoff);
+
+   to turn on FIPS-140-2 compliant mode. The library will conduct the
+   mandatory self-tests and the integrity check that makes use of the
+   .hmac files mentioned above.
+   The function
+
+	int FIPS_mode(void);
+
+   can be used to check if the library operates in FIPS-140-2 compliant
+   mode. It returns 1 in FIPS mode, 0 otherwise.
+
+Notes:
+
+- An easy way to verify if your openssl cryptography subsystem operates
+  in FIPS-140-2 compliant mode is to look at the output of the
+
+	openssl ciphers
+
+  command. In FIPS-140-2 compliant mode, the output lists fewer
+  algorythms.
+
+- The startup time of programs that initialize the openssl shared libraries
+  in FIPS-140-2 compliant mode is considerably longer due to the self-tests
+  that are being executed. On fast systems, the startup overhead can be in the 
+  range of 0.05-0.3s. The startup time is two orders of a magnitude smaller
+  in non-FIPS mode.
+  Please note that the self-test overhead only occurs during the 
+  initialization of the cryptographic module. There is no other 
+  performance impact of FIPS-140-2 compliant operation of the library.
+
+- The environment variable OPENSSL_FIPS can be set to force the 
+  /usr/bin/openssl binary to operate in FIPS-140-2 compliant mode:
+
+	OPENSSL_FIPS=1 openssl ciphers
+
+  The variable OPENSSL_FIPS has an effect on the openssl binary only.
+
+- Services and daemons that make use of the openssl shared libraries in
+  FIPS-140-2 compliant mode need to be configured to use algorythms
+  from the list of permissable algorythms. If an algorythm is requested
+  by an application that is not allowed in FIPS-140-2 compliant mode,
+  the application will terminate (abort(3)).
+  Please see the FIPS-140-2 Security Policy document for the openssl
+  FIPS module on the SUSE Linux Enterprise Server 11 SP1 from the
+  SUSE website at http://www.suse.com/ or the NIST website at 
+  http://csrc.nist.gov/ for more details.
+
+- If you have any questions about the FIPS-140-2 compliant mode of openssl,
+  please send email to security@suse.com.
+
+
+
+* overview: openssl subpackages on SLES12
+==============================================================================
+
+The openssl package consists of the following RPM package:
+
+openssl
+
+ - manual pages
+ - the /etc/ssl configuration directory
+ - the /usr/bin/openssl program
+ - /usr/bin/fips_standalone_hmac, the program used to reproduce
+   the integrity HMAC that is contained in the package:
+
+libopenssl1_0_0
+ - files:
+   /usr/lib64/libcrypto.so.1.0.0
+   /usr/lib64/libssl.so.1.0.0
+   /usr/lib64/engines
+   /usr/lib64/engines/libcapi.so
+   /usr/lib64/engines/libgmp.so
+   /usr/lib64/engines/libgost.so
+   /usr/lib64/engines/libpadlock.so
+
+libopenssl1_0_0-hmac
+- files:
+   /usr/lib64/.libcrypto.so.1.0.0.hmac
+   /usr/lib64/.libssl.so.1.0.0.hmac
+
+libopenssl1_0_0-32bit
+ - files as in package libopenssl1_0_0, but in /usr/lib/.
+   The .so libraries are for the 32bit compatibility mode of the
+   openssl library.
+
+libopenssl1_0_0-hmac-32bit
+- files as in package libopenssl1_0_0-hmac, but in /usr/lib/.
+
+libopenssl-devel
+ - header files and static libraries for compiling applications with the
+   openssl library. Please note that running binaries that are statically
+   linked against openssl libraries is not supported in terms of FIPS-140-2
+   compliance.
+
+openssl-doc
+ - more documentation and manual pages.
+
+openssl-debuginfo
+openssl-debugsource
+ - packages that provide debugging symbols and debugging source code for
+   running binaries (dynamically) linked against libopenssl1_0_0 in a
+   debugger.
+
+openssl-certs
+ - CA certificate collection in /etc/ssl/certs
+   The openssl-certs package is not a subpackage of the openssl package,
+   but it merely provides CA certificates where the openssl package
+   finds them.
+

baselibs.conf

@@ -3,3 +3,6 @@ libopenssl1_0_0
 libopenssl-devel
   requires -libopenssl-<targettype>
   requires "libopenssl1_0_0-<targettype> = <version>"
+libopenssl1_0_0-hmac
+  requires -libopenssl1_0_0 = <version>
+  requires "libopenssl1_0_0-<targettype> = <version>-%release"

openssl-1.0.1e-fips-ctor.patch

@@ -0,0 +1,184 @@
+Index: openssl-1.0.1e/crypto/fips/fips.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/fips/fips.c
++++ openssl-1.0.1e/crypto/fips/fips.c
+@@ -60,6 +60,8 @@
+ #include <dlfcn.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
+ #include "fips_locl.h"
+ 
+ #ifdef OPENSSL_FIPS
+@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
+ 	return hex;
+ }
+ 
+-#define HMAC_PREFIX "." 
+-#define HMAC_SUFFIX ".hmac" 
++#define HMAC_PREFIX "."
++#ifndef HMAC_SUFFIX
++#define HMAC_SUFFIX ".hmac"
++#endif
+ #define READ_BUFFER_LENGTH 16384
+ 
+ static char *
+@@ -279,19 +283,13 @@ end:
+ }
+ 
+ static int
+-FIPSCHECK_verify(const char *libname, const char *symbolname)
++FIPSCHECK_verify(const char *path)
+ {
+-	char path[PATH_MAX+1];
+-	int rv;
++	int rv = 0;
+ 	FILE *hf;
+ 	char *hmacpath, *p;
+ 	char *hmac = NULL;
+ 	size_t n;
+-	
+-	rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+-	if (rv < 0)
+-		return 0;
+ 
+ 	hmacpath = make_hmac_path(path);
+ 	if (hmacpath == NULL)
+@@ -341,6 +339,53 @@ end:
+ 	return 1;	
+ }
+ 
++static int
++verify_checksums(void)
++    {
++       int rv;
++       char path[PATH_MAX+1];
++       char *p;
++
++       /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++          are in the same directory */
++
++       rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
++       if (rv < 0)
++               return 0;
++
++       rv = FIPSCHECK_verify(path);
++       if (!rv)
++               return 0;
++
++       /* replace libcrypto with libssl */
++       while ((p = strstr(path, "libcrypto.so")) != NULL)
++           {
++               p = stpcpy(p, "libssl");
++                memmove(p, p+3, strlen(p+2));
++           }
++
++       rv = FIPSCHECK_verify(path);
++       if (!rv)
++               return 0;
++       return 1;
++    }
++
++#ifndef FIPS_MODULE_PATH
++#define FIPS_MODULE_PATH "/etc/system-fips"
++#endif
++
++int
++FIPS_module_installed(void)
++    {
++    int rv;
++    rv = access(FIPS_MODULE_PATH, F_OK);
++    if (rv < 0 && errno != ENOENT)
++       rv = 0;
++
++    /* Installed == true */
++    return !rv;
++    }
++
+ int FIPS_module_mode_set(int onoff, const char *auth)
+     {
+     int ret = 0;
+@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
+ 	}
+ #endif
+ 
+-	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
+-	    {
+-	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+-	    fips_selftest_fail = 1;
+-	    ret = 0;
+-	    goto end;
+-	    }
+-
+-	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
++       if(!verify_checksums())
+ 	    {
+ 	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ 	    fips_selftest_fail = 1;
+Index: openssl-1.0.1e/crypto/fips/fips.h
+===================================================================
+--- openssl-1.0.1e.orig/crypto/fips/fips.h
++++ openssl-1.0.1e/crypto/fips/fips.h
+@@ -74,6 +74,7 @@ struct hmac_ctx_st;
+ 
+ int FIPS_module_mode_set(int onoff, const char *auth);
+ int FIPS_module_mode(void);
++int FIPS_module_installed(void);
+ const void *FIPS_rand_check(void);
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+Index: openssl-1.0.1e/crypto/o_init.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/o_init.c
++++ openssl-1.0.1e/crypto/o_init.c
+@@ -70,6 +70,9 @@ static void init_fips_mode(void)
+ 	{
+ 	char buf[2] = "0";
+ 	int fd;
++
++       /* Ensure the selftests always run */
++       FIPS_mode_set(1);
+ 	
+ 	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ 		{
+@@ -85,9 +88,15 @@ static void init_fips_mode(void)
+ 	 * otherwise. 
+ 	 */
+ 	
+-	if (buf[0] == '1')
++	if (buf[0] != '1')
++               {
++               /* drop down to non-FIPS mode if it is not requested */
++               FIPS_mode_set(0);
++               }
++       else
+ 		{
+-		FIPS_mode_set(1);
++               /* abort if selftest failed */
++               FIPS_selftest_check();
+ 		}
+ 	}
+ #endif
+@@ -96,13 +105,19 @@ static void init_fips_mode(void)
+  * Currently only sets FIPS callbacks
+  */
+ 
+-void OPENSSL_init_library(void)
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ 	{
+ 	static int done = 0;
+ 	if (done)
+ 		return;
+ 	done = 1;
+ #ifdef OPENSSL_FIPS
++	/* this should be an option, comment it, temporarily */
++      /* if (!FIPS_module_installed())
++               {
++               return;
++               }
++	*/
+ 	RAND_init_fips();
+ 	init_fips_mode();
+ 	if (!FIPS_mode())

openssl.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Mon Dec 16 04:28:09 UTC 2013 - shchang@suse.com
+
+- Adjust the installation path.
+  Modify files: README-FIPS.txt openssl.spec
+
+-------------------------------------------------------------------
+Fri Dec  6 08:07:06 UTC 2013 - lnussel@suse.de
+
+- don't own /etc/ssl/certs, it's owned by ca-certificates
+
+-------------------------------------------------------------------
+Tue Dec  3 12:51:15 UTC 2013 - meissner@suse.com
+
+- Actually enable it (in a building way) for openSUSE and SLES,
+  as we intended.
+- Add README-FIPS.txt from SLE 11.
+
+-------------------------------------------------------------------
+Mon Dec  2 21:15:41 UTC 2013 - crrodriguez@opensuse.org
+
+- Restrict the (broken beyond build) FIPS certification code
+  to SLE releases only, it has no value in openSUSE at all.
+
+-------------------------------------------------------------------
+Sat Nov 23 08:23:59 UTC 2013 - shchang@suse.com
+
+- Patches for OpenSSL FIPS-140-2/3 certification
+  Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,
+  openssl-1.0.1e-fips-ctor.patch
+
 -------------------------------------------------------------------
 Wed Oct 23 02:59:05 UTC 2013 - crrodriguez@opensuse.org
 

openssl.spec

@@ -41,6 +41,7 @@ Source42:       http://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc
 Source1:        openssl.changes
 Source2:        baselibs.conf
 Source10:       README.SuSE
+Source11:       README-FIPS.txt
 Patch0:         merge_from_0.9.8k.patch
 Patch1:         openssl-1.0.0-c_rehash-compat.diff
 Patch2:         bug610223.patch
@@ -58,6 +59,10 @@ Patch12:        openssl-1.0.1e-bnc822642.patch
 # From Fedora openssl.
 Patch13:        openssl-1.0.1c-ipv6-apps.patch
 Patch14:        0001-libcrypto-Hide-library-private-symbols.patch
+# FIPS patches:
+Patch15:        openssl-1.0.1e-fips.patch
+Patch16:        openssl-1.0.1e-fips-ec.patch
+Patch17:        openssl-1.0.1e-fips-ctor.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -78,6 +83,7 @@ and to use it for commercial and noncommercial purposes.
 
 %package -n libopenssl1_0_0
 Summary:        Secure Sockets and Transport Layer Security
+License:        OpenSSL
 Group:          Productivity/Networking/Security
 Recommends:     openssl-certs
 # bug437293
@@ -104,6 +110,7 @@ and to use it for commercial and noncommercial purposes.
 
 %package -n libopenssl-devel
 Summary:        Include Files and Libraries mandatory for Development
+License:        OpenSSL
 Group:          Development/Libraries/C and C++
 Obsoletes:      openssl-devel < %{version}
 Requires:       %name = %version
@@ -120,8 +127,19 @@ Obsoletes:      openssl-devel-64bit
 This package contains all necessary include files and libraries needed
 to develop applications that require these.
 
+%package -n libopenssl1_0_0-hmac
+Summary:        HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
+License:        BSD-3-Clause
+Group:          Productivity/Networking/Security
+Requires:       libopenssl1_0_0 = %{version}-%{release}
+
+%description -n libopenssl1_0_0-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
 %package doc
 Summary:        Additional Package Documentation
+License:        OpenSSL
 Group:          Productivity/Networking/Security
 %if 0%{?suse_version} >= 1140
 BuildArch:      noarch
@@ -148,8 +166,12 @@ this package's base documentation.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 cp -p %{S:10} .
+cp -p %{S:11} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
 export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
@@ -194,11 +216,13 @@ export MACHINE=armv6l
 ./config --test-sanity 
 #
 config_flags="threads shared no-rc5 no-idea \
+fips \
 %ifarch x86_64 
 enable-ec_nistp_64_gcc_128 \
 %endif
 enable-camellia \
 zlib \
+no-ec2m \
 --prefix=%{_prefix} \
 --libdir=%{_lib} \
 --openssldir=%{ssletcdir} \
@@ -245,6 +269,13 @@ $(getconf LFS_CFLAGS) \
 	make depend
 	make
 	LD_LIBRARY_PATH=`pwd` make rehash
+# for FIPS mode testing; the same hashes are being created later just before
+# the wrap-up of the files into the package.
+# These files are just there for the make test below...
+crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
+crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
+
+LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
 	%ifnarch armv4l
 	LD_LIBRARY_PATH=`pwd` make test
 	%endif
@@ -258,11 +289,10 @@ grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE
 %install
 rm -rf $RPM_BUILD_ROOT
 make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
-install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs
+cp -a crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac
 ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
 mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
 mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
-# ln -s %{ssletcdir}/certs 	$RPM_BUILD_ROOT/%{_datadir}/ssl/certs
 # ln -s %{ssletcdir}/private 	$RPM_BUILD_ROOT/%{_datadir}/ssl/private
 # ln -s %{ssletcdir}/openssl.cnf 	$RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
 #
@@ -335,21 +365,46 @@ cat AVAILABLE_CIPHERS
 # Do not install demo scripts executable under /usr/share/doc
 find demos -type f -perm /111 -exec chmod 644 {} \;
 
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
+%{expand:%%global __os_install_post {%__os_install_post
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+  $RPM_BUILD_ROOT/%{_libdir}/libssl.so.%{num_version} > \
+    $RPM_BUILD_ROOT/%{_libdir}/.libssl.so.%{num_version}.hmac
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+  $RPM_BUILD_ROOT/%{_libdir}/libcrypto.so.%{num_version} > \
+    $RPM_BUILD_ROOT/%{_libdir}/.libcrypto.so.%{num_version}.hmac
+
+}}
+
 #process openssllib
 mkdir $RPM_BUILD_ROOT/%{_lib}
-mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
-mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
-mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
+#mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
+#mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
+#mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
 cd $RPM_BUILD_ROOT%{_libdir}/
-ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
-ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
+ln -sf /%{_libdir}/libssl.so.%{num_version} ./libssl.so
+#ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so.%{num_version}
+ln -sf /%{_libdir}/libcrypto.so.%{num_version} ./libcrypto.so
+#ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so.%{num_version}
 
 for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
-rm %{buildroot}/%{_lib}/engines/lib$engine.so
+rm %{buildroot}/%{_libdir}/engines/lib$engine.so
 done
 
 %ifnarch %{ix86} x86_64
-rm %{buildroot}/%{_lib}/engines/libpadlock.so
+rm %{buildroot}/%{_libdir}/engines/libpadlock.so
 %endif
 
 %clean
@@ -361,9 +416,14 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 
 %files -n libopenssl1_0_0
 %defattr(-, root, root)
-/%{_lib}/libssl.so.%{num_version}
-/%{_lib}/libcrypto.so.%{num_version}
-/%{_lib}/engines
+/%{_libdir}/libssl.so.%{num_version}
+/%{_libdir}/libcrypto.so.%{num_version}
+/%{_libdir}/engines
+
+%files -n libopenssl1_0_0-hmac
+%defattr(-, root, root)
+%{_libdir}/.libssl.so.%{num_version}.hmac
+%{_libdir}/.libcrypto.so.%{num_version}.hmac
 
 %files -n libopenssl-devel
 %defattr(-, root, root)
@@ -385,14 +445,14 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %files -f filelist
 %defattr(-, root, root)
 %doc CHANGE* INSTAL* AVAILABLE_CIPHERS
-%doc LICENSE NEWS README README.SuSE
+%doc LICENSE NEWS README README.SuSE README-FIPS.txt
 %dir %{ssletcdir}
-%dir %{ssletcdir}/certs
 %config (noreplace) %{ssletcdir}/openssl.cnf
 %attr(700,root,root) %{ssletcdir}/private
 %dir %{_datadir}/ssl
 %{_datadir}/ssl/misc
 %{_bindir}/c_rehash
+%{_bindir}/fips_standalone_hmac
 %{_bindir}/%{name}
 
 %changelog