Hello community,
here is the log from the commit of package openssl for openSUSE:Factory checked
in at 2013-12-17 10:02:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
and /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2013-11-30
18:01:22.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2013-12-17
10:02:18.000000000 +0100
@@ -1,0 +2,31 @@
+Mon Dec 16 04:28:09 UTC 2013 - shch...@suse.com
+
+- Adjust the installation path.
+ Modify files: README-FIPS.txt openssl.spec
+
+-------------------------------------------------------------------
+Fri Dec 6 08:07:06 UTC 2013 - lnus...@suse.de
+
+- don't own /etc/ssl/certs, it's owned by ca-certificates
+
+-------------------------------------------------------------------
+Tue Dec 3 12:51:15 UTC 2013 - meiss...@suse.com
+
+- Actually enable it (in a building way) for openSUSE and SLES,
+ as we intended.
+- Add README-FIPS.txt from SLE 11.
+
+-------------------------------------------------------------------
+Mon Dec 2 21:15:41 UTC 2013 - crrodrig...@opensuse.org
+
+- Restrict the (broken beyond build) FIPS certification code
+ to SLE releases only, it has no value in openSUSE at all.
+
+-------------------------------------------------------------------
+Sat Nov 23 08:23:59 UTC 2013 - shch...@suse.com
+
+- Patches for OpenSSL FIPS-140-2/3 certification
+ Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,
+ openssl-1.0.1e-fips-ctor.patch
+
+-------------------------------------------------------------------
New:
----
README-FIPS.txt
openssl-1.0.1e-fips-ctor.patch
openssl-1.0.1e-fips-ec.patch
openssl-1.0.1e-fips.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.ZUW3ST/_old 2013-12-17 10:02:19.000000000 +0100
+++ /var/tmp/diff_new_pack.ZUW3ST/_new 2013-12-17 10:02:19.000000000 +0100
@@ -41,6 +41,7 @@
Source1: openssl.changes
Source2: baselibs.conf
Source10: README.SuSE
+Source11: README-FIPS.txt
Patch0: merge_from_0.9.8k.patch
Patch1: openssl-1.0.0-c_rehash-compat.diff
Patch2: bug610223.patch
@@ -58,6 +59,10 @@
# From Fedora openssl.
Patch13: openssl-1.0.1c-ipv6-apps.patch
Patch14: 0001-libcrypto-Hide-library-private-symbols.patch
+# FIPS patches:
+Patch15: openssl-1.0.1e-fips.patch
+Patch16: openssl-1.0.1e-fips-ec.patch
+Patch17: openssl-1.0.1e-fips-ctor.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -78,6 +83,7 @@
%package -n libopenssl1_0_0
Summary: Secure Sockets and Transport Layer Security
+License: OpenSSL
Group: Productivity/Networking/Security
Recommends: openssl-certs
# bug437293
@@ -104,6 +110,7 @@
%package -n libopenssl-devel
Summary: Include Files and Libraries mandatory for Development
+License: OpenSSL
Group: Development/Libraries/C and C++
Obsoletes: openssl-devel < %{version}
Requires: %name = %version
@@ -120,8 +127,19 @@
This package contains all necessary include files and libraries needed
to develop applications that require these.
+%package -n libopenssl1_0_0-hmac
+Summary: HMAC files for FIPS-140-2 integrity checking of the openssl
shared libraries
+License: BSD-3-Clause
+Group: Productivity/Networking/Security
+Requires: libopenssl1_0_0 = %{version}-%{release}
+
+%description -n libopenssl1_0_0-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
%package doc
Summary: Additional Package Documentation
+License: OpenSSL
Group: Productivity/Networking/Security
%if 0%{?suse_version} >= 1140
BuildArch: noarch
@@ -148,8 +166,12 @@
%patch12 -p1
%patch13 -p1
%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
cp -p %{S:10} .
+cp -p %{S:11} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
#
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
export
DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
@@ -194,11 +216,13 @@
./config --test-sanity
#
config_flags="threads shared no-rc5 no-idea \
+fips \
%ifarch x86_64
enable-ec_nistp_64_gcc_128 \
%endif
enable-camellia \
zlib \
+no-ec2m \
--prefix=%{_prefix} \
--libdir=%{_lib} \
--openssldir=%{ssletcdir} \
@@ -245,6 +269,13 @@
make depend
make
LD_LIBRARY_PATH=`pwd` make rehash
+# for FIPS mode testing; the same hashes are being created later just before
+# the wrap-up of the files into the package.
+# These files are just there for the make test below...
+crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
+crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
+
+LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
%ifnarch armv4l
LD_LIBRARY_PATH=`pwd` make test
%endif
@@ -258,11 +289,10 @@
%install
rm -rf $RPM_BUILD_ROOT
make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
-install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs
+cp -a crypto/fips/fips_standalone_hmac
$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac
ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
-# ln -s %{ssletcdir}/certs $RPM_BUILD_ROOT/%{_datadir}/ssl/certs
# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private
# ln -s %{ssletcdir}/openssl.cnf
$RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
#
@@ -335,21 +365,46 @@
# Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} \;
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
+%{expand:%%global __os_install_post {%__os_install_post
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+ $RPM_BUILD_ROOT/%{_libdir}/libssl.so.%{num_version} > \
+ $RPM_BUILD_ROOT/%{_libdir}/.libssl.so.%{num_version}.hmac
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+ $RPM_BUILD_ROOT/%{_libdir}/libcrypto.so.%{num_version} > \
+ $RPM_BUILD_ROOT/%{_libdir}/.libcrypto.so.%{num_version}.hmac
+
+}}
+
#process openssllib
mkdir $RPM_BUILD_ROOT/%{_lib}
-mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
-mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version}
$RPM_BUILD_ROOT/%{_lib}/
-mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
+#mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
+#mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version}
$RPM_BUILD_ROOT/%{_lib}/
+#mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
cd $RPM_BUILD_ROOT%{_libdir}/
-ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
-ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
+ln -sf /%{_libdir}/libssl.so.%{num_version} ./libssl.so
+#ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so.%{num_version}
+ln -sf /%{_libdir}/libcrypto.so.%{num_version} ./libcrypto.so
+#ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so.%{num_version}
for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
-rm %{buildroot}/%{_lib}/engines/lib$engine.so
+rm %{buildroot}/%{_libdir}/engines/lib$engine.so
done
%ifnarch %{ix86} x86_64
-rm %{buildroot}/%{_lib}/engines/libpadlock.so
+rm %{buildroot}/%{_libdir}/engines/libpadlock.so
%endif
%clean
@@ -361,9 +416,14 @@
%files -n libopenssl1_0_0
%defattr(-, root, root)
-/%{_lib}/libssl.so.%{num_version}
-/%{_lib}/libcrypto.so.%{num_version}
-/%{_lib}/engines
+/%{_libdir}/libssl.so.%{num_version}
+/%{_libdir}/libcrypto.so.%{num_version}
+/%{_libdir}/engines
+
+%files -n libopenssl1_0_0-hmac
+%defattr(-, root, root)
+%{_libdir}/.libssl.so.%{num_version}.hmac
+%{_libdir}/.libcrypto.so.%{num_version}.hmac
%files -n libopenssl-devel
%defattr(-, root, root)
@@ -385,14 +445,14 @@
%files -f filelist
%defattr(-, root, root)
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
-%doc LICENSE NEWS README README.SuSE
+%doc LICENSE NEWS README README.SuSE README-FIPS.txt
%dir %{ssletcdir}
-%dir %{ssletcdir}/certs
%config (noreplace) %{ssletcdir}/openssl.cnf
%attr(700,root,root) %{ssletcdir}/private
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%{_bindir}/c_rehash
+%{_bindir}/fips_standalone_hmac
%{_bindir}/%{name}
%changelog
++++++ README-FIPS.txt ++++++
README-FIPS.txt - Roman Drahtmueller <dr...@suse.de>, June 16 2012
NOTE: Finished the adjustment of DSO path and correct the version
information for SLE 12. Still need to review about AES-NI optimization.
Shawn Chang <shch...@suse.com>, Dec 7 2013.
NOTE: Outdated currently for openSUSE Factory / SLE 12, needs review
and adjustments. But basic settings still are the same.
Marcus Meissner <meiss...@suse.de>, 2013/Dec/03.
* general information
* FIPS-140-2 mode of operation
* overview: openssl subpackages on SLES12
==============================================================================
* general information
==============================================================================
Dear user of the SUSE Linux Enterprise Server,
SLES12 comes with openssl of version 1.0.1e, a version upgrade from
0.9.8j that came with earlier revisions of SLES11-SP3.
The new version has support for FIPS-140-2 mode of operation.
FIPS is short for Federal Information Processing Standard.
For more information on FIPS-140-2, please see
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
and more publications on the NIST website.
The openssl shared libraries are used by numerous packages in the
SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode,
then the binary that links against the library at runtime makes use
of FIPS-140-2 validated cryptography as defined in its cryptographic
module. By consequence, a large number of packages can make a claim
about using FIPS-140-2 validated cryptographical functions.
Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2
mode of operation.
Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are
supported and used, if the used CPU supports the AES-NI instructions. These
assembler optimizations can deliver a substantial performance benefit.
To check if your system's CPU(s) has (have) AES-NI support, have a look
into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes"
flag.
AES-NI support can be disabled by setting the environment variable
OPENSSL_DISABLE_AESNI before running binaries that link against openssl.
The "openssl speed" command can give you an idea for the performance
differences.
The cryptographic module as defined for FIPS-140-2 is contained in the files
/usr/lib64/.libcrypto.so.1.0.0.hmac
/usr/lib64/.libssl.so.1.0.0.hmac
/usr/lib64/libcrypto.so.1.0.0
/usr/lib64/libssl.so.1.0.0
for 64bit operation and
/usr/lib/.libcrypto.so.1.0.0.hmac
/usr/lib/.libssl.so.1.0.0.hmac
/usr/lib/libcrypto.so.1.0.0
/usr/lib/libssl.so.1.0.0
for 32bit.
The .hmac files contain a HMAC for the internal integrity checking. They
are contained in the package libopenssl1_0_0-hmac, seperate from the
libopenssl1_0_0 package. These hashes are produced as one of the last steps
during the RPM build process.
If the library starts up in FIPS mode, the .hmac files are read, and the
checksum is verified against a new self-measurement of the library.
Essentially, this means that the FIPS mode of operation is not possible
without the .hmac files from the corresponding -hmac package installed.
If the library starts up in non-FIPS mode, it checks if the .hmac files
exist, and if so, it runs through the self-tests as if it operates in FIPS
mode. This self-test in non-FIPS mode is formally mandatory and comes with
a heavy CPU footprint. You can avoid this overhead by un-installing the
libopenssl1_0_0-hmac package (with the consequence that FIPS mode of
operation becomes unavailable).
The openssl library operates in non-FIPS mode by default.
* FIPS-140-2 mode of operation
==============================================================================
The openssl library operates in non-FIPS mode by default.
As noted above (* general information), the .hmac files for the integrity
self-check of the openssl library are contained in their own package.
Unfortunately, the self-test is mandatory even if the library runs in
non-FIPS mode, causing a significant CPU consumption during openssl's
initialization. You can avoid this overhead by de-installing the -hmac
package if you do not need FIPS mode of operation.
If you DO need to run binaries that are linked against the openssl
cryptographic library that runs in FIPS mode, you MUST have the
libopenssl1_0_0-hmac package installed.
!!! If you enable FIPS mode of operation with the methods below, you MUST
!!! have the libopenssl1_0_0-hmac package installed. Programs that runtime-link
!!! against openssl will abort if the FIPS self-tests (including the
!!! integrity check with the .hmac hashes) fail!
There are three ways to switch the shared libraries listed above to
FIPS-140-2 compliant mode:
1) Start your system with the kernel commandline option "fips=1". To
change the configuration for your system on a permanent basis, please
add the command line option to the corresponding line in the bootloader
configuration, typically /boot/grub/menu.lst .
You can check if the kernel has accepted the commandline option at boot
by inspecting the content of the file /proc/sys/crypto/fips_enabled .
Please note that the fips=1 kernel commandline option switches
the kernel's crypto API to FIPS mode operation, too. As a consequence,
some of the in-kernel cryptographical functions may become unavailable.
As of the writing of this README-FIPS.txt, the kernel's crypto API in
the SUSE Linux Enterprise Server was NOT FIPS-140-2 validated!
2) set the environment variable OPENSSL_FORCE_FIPS_MODE to "1":
export OPENSSL_FORCE_FIPS_MODE=1
and run your application with this environment variable set.
The FIPS-140-2 mode of operation is only given in the context of
processes that have OPENSSL_FORCE_FIPS_MODE set, unless the global
switch as in 1) above is active.
3) In your program, use the exported function
int FIPS_mode_set(int onoff);
to turn on FIPS-140-2 compliant mode. The library will conduct the
mandatory self-tests and the integrity check that makes use of the
.hmac files mentioned above.
The function
int FIPS_mode(void);
can be used to check if the library operates in FIPS-140-2 compliant
mode. It returns 1 in FIPS mode, 0 otherwise.
Notes:
- An easy way to verify if your openssl cryptography subsystem operates
in FIPS-140-2 compliant mode is to look at the output of the
openssl ciphers
command. In FIPS-140-2 compliant mode, the output lists fewer
algorythms.
- The startup time of programs that initialize the openssl shared libraries
in FIPS-140-2 compliant mode is considerably longer due to the self-tests
that are being executed. On fast systems, the startup overhead can be in the
range of 0.05-0.3s. The startup time is two orders of a magnitude smaller
in non-FIPS mode.
Please note that the self-test overhead only occurs during the
initialization of the cryptographic module. There is no other
performance impact of FIPS-140-2 compliant operation of the library.
- The environment variable OPENSSL_FIPS can be set to force the
/usr/bin/openssl binary to operate in FIPS-140-2 compliant mode:
OPENSSL_FIPS=1 openssl ciphers
The variable OPENSSL_FIPS has an effect on the openssl binary only.
- Services and daemons that make use of the openssl shared libraries in
FIPS-140-2 compliant mode need to be configured to use algorythms
from the list of permissable algorythms. If an algorythm is requested
by an application that is not allowed in FIPS-140-2 compliant mode,
the application will terminate (abort(3)).
Please see the FIPS-140-2 Security Policy document for the openssl
FIPS module on the SUSE Linux Enterprise Server 11 SP1 from the
SUSE website at http://www.suse.com/ or the NIST website at
http://csrc.nist.gov/ for more details.
- If you have any questions about the FIPS-140-2 compliant mode of openssl,
please send email to secur...@suse.com.
* overview: openssl subpackages on SLES12
==============================================================================
The openssl package consists of the following RPM package:
openssl
- manual pages
- the /etc/ssl configuration directory
- the /usr/bin/openssl program
- /usr/bin/fips_standalone_hmac, the program used to reproduce
the integrity HMAC that is contained in the package:
libopenssl1_0_0
- files:
/usr/lib64/libcrypto.so.1.0.0
/usr/lib64/libssl.so.1.0.0
/usr/lib64/engines
/usr/lib64/engines/libcapi.so
/usr/lib64/engines/libgmp.so
/usr/lib64/engines/libgost.so
/usr/lib64/engines/libpadlock.so
libopenssl1_0_0-hmac
- files:
/usr/lib64/.libcrypto.so.1.0.0.hmac
/usr/lib64/.libssl.so.1.0.0.hmac
libopenssl1_0_0-32bit
- files as in package libopenssl1_0_0, but in /usr/lib/.
The .so libraries are for the 32bit compatibility mode of the
openssl library.
libopenssl1_0_0-hmac-32bit
- files as in package libopenssl1_0_0-hmac, but in /usr/lib/.
libopenssl-devel
- header files and static libraries for compiling applications with the
openssl library. Please note that running binaries that are statically
linked against openssl libraries is not supported in terms of FIPS-140-2
compliance.
openssl-doc
- more documentation and manual pages.
openssl-debuginfo
openssl-debugsource
- packages that provide debugging symbols and debugging source code for
running binaries (dynamically) linked against libopenssl1_0_0 in a
debugger.
openssl-certs
- CA certificate collection in /etc/ssl/certs
The openssl-certs package is not a subpackage of the openssl package,
but it merely provides CA certificates where the openssl package
finds them.
++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.ZUW3ST/_old 2013-12-17 10:02:19.000000000 +0100
+++ /var/tmp/diff_new_pack.ZUW3ST/_new 2013-12-17 10:02:19.000000000 +0100
@@ -3,3 +3,6 @@
libopenssl-devel
requires -libopenssl-<targettype>
requires "libopenssl1_0_0-<targettype> = <version>"
+libopenssl1_0_0-hmac
+ requires -libopenssl1_0_0 = <version>
+ requires "libopenssl1_0_0-<targettype> = <version>-%release"
++++++ openssl-1.0.1e-fips-ctor.patch ++++++
Index: openssl-1.0.1e/crypto/fips/fips.c
===================================================================
--- openssl-1.0.1e.orig/crypto/fips/fips.c
+++ openssl-1.0.1e/crypto/fips/fips.c
@@ -60,6 +60,8 @@
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
return hex;
}
-#define HMAC_PREFIX "."
-#define HMAC_SUFFIX ".hmac"
+#define HMAC_PREFIX "."
+#ifndef HMAC_SUFFIX
+#define HMAC_SUFFIX ".hmac"
+#endif
#define READ_BUFFER_LENGTH 16384
static char *
@@ -279,19 +283,13 @@ end:
}
static int
-FIPSCHECK_verify(const char *libname, const char *symbolname)
+FIPSCHECK_verify(const char *path)
{
- char path[PATH_MAX+1];
- int rv;
+ int rv = 0;
FILE *hf;
char *hmacpath, *p;
char *hmac = NULL;
size_t n;
-
- rv = get_library_path(libname, symbolname, path, sizeof(path));
-
- if (rv < 0)
- return 0;
hmacpath = make_hmac_path(path);
if (hmacpath == NULL)
@@ -341,6 +339,53 @@ end:
return 1;
}
+static int
+verify_checksums(void)
+ {
+ int rv;
+ char path[PATH_MAX+1];
+ char *p;
+
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+ are in the same directory */
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
"FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ return 0;
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+
+ /* replace libcrypto with libssl */
+ while ((p = strstr(path, "libcrypto.so")) != NULL)
+ {
+ p = stpcpy(p, "libssl");
+ memmove(p, p+3, strlen(p+2));
+ }
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+ return 1;
+ }
+
+#ifndef FIPS_MODULE_PATH
+#define FIPS_MODULE_PATH "/etc/system-fips"
+#endif
+
+int
+FIPS_module_installed(void)
+ {
+ int rv;
+ rv = access(FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+ }
+
int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
}
#endif
- if(!FIPSCHECK_verify("libcrypto.so."
SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
- {
-
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
+ if(!verify_checksums())
{
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
Index: openssl-1.0.1e/crypto/fips/fips.h
===================================================================
--- openssl-1.0.1e.orig/crypto/fips/fips.h
+++ openssl-1.0.1e/crypto/fips/fips.h
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
int FIPS_module_mode_set(int onoff, const char *auth);
int FIPS_module_mode(void);
+int FIPS_module_installed(void);
const void *FIPS_rand_check(void);
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
Index: openssl-1.0.1e/crypto/o_init.c
===================================================================
--- openssl-1.0.1e.orig/crypto/o_init.c
+++ openssl-1.0.1e/crypto/o_init.c
@@ -70,6 +70,9 @@ static void init_fips_mode(void)
{
char buf[2] = "0";
int fd;
+
+ /* Ensure the selftests always run */
+ FIPS_mode_set(1);
if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
{
@@ -85,9 +88,15 @@ static void init_fips_mode(void)
* otherwise.
*/
- if (buf[0] == '1')
+ if (buf[0] != '1')
+ {
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
+ }
+ else
{
- FIPS_mode_set(1);
+ /* abort if selftest failed */
+ FIPS_selftest_check();
}
}
#endif
@@ -96,13 +105,19 @@ static void init_fips_mode(void)
* Currently only sets FIPS callbacks
*/
-void OPENSSL_init_library(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
+ /* this should be an option, comment it, temporarily */
+ /* if (!FIPS_module_installed())
+ {
+ return;
+ }
+ */
RAND_init_fips();
init_fips_mode();
if (!FIPS_mode())
++++++ openssl-1.0.1e-fips-ec.patch ++++++
++++ 2054 lines (skipped)
++++++ openssl-1.0.1e-fips.patch ++++++
++++ 20494 lines (skipped)
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
