- must also verify checksum of libssl.so in the FIPS mode

- obtain the seed for FIPS rng directly from the kernel device
- drop the temporary symlinks
This commit is contained in:
Tomáš Mráz 2009-02-02 16:46:33 +00:00
parent c7641abc30
commit 07bd81ddaf
3 changed files with 99 additions and 37 deletions

View File

@ -0,0 +1,67 @@
diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/rand/rand_lcl.h
--- openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed 2009-02-02 13:40:37.000000000 +0100
+++ openssl-0.9.8j/crypto/rand/rand_lcl.h 2009-02-02 13:50:42.000000000 +0100
@@ -112,7 +112,7 @@
#ifndef HEADER_RAND_LCL_H
#define HEADER_RAND_LCL_H
-#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
+#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
diff -up openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed openssl-0.9.8j/fips/rand/fips_rand.c
--- openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed 2008-09-16 12:12:18.000000000 +0200
+++ openssl-0.9.8j/fips/rand/fips_rand.c 2009-02-02 14:06:58.000000000 +0100
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
{
int i;
if (!ctx->keyed)
- return 0;
+ {
+ FIPS_RAND_SIZE_T keylen = 16;
+
+ if (seedlen - keylen < AES_BLOCK_LENGTH)
+ return 0;
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+ keylen += 8;
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+ keylen += 8;
+ seedlen -= keylen;
+ fips_set_prng_key(ctx, seed+seedlen, keylen);
+ }
/* In test mode seed is just supplied data */
if (ctx->test_mode)
{
diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
--- openssl-0.9.8j/fips/fips.c.rng-seed 2009-02-02 13:40:38.000000000 +0100
+++ openssl-0.9.8j/fips/fips.c 2009-02-02 13:49:32.000000000 +0100
@@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
goto end;
}
+ /* now switch into FIPS mode */
+ fips_set_rand_check(FIPS_rand_method());
+ RAND_set_rand_method(FIPS_rand_method());
+
/* automagically seed PRNG if not already seeded */
if(!FIPS_rand_status())
{
- if(RAND_bytes(buf,sizeof buf) <= 0)
+ RAND_poll();
+ if (!FIPS_rand_status())
{
fips_selftest_fail = 1;
ret = 0;
goto end;
}
- FIPS_rand_set_key(buf,32);
- FIPS_rand_seed(buf+32,16);
}
- /* now switch into FIPS mode */
- fips_set_rand_check(FIPS_rand_method());
- RAND_set_rand_method(FIPS_rand_method());
if(FIPS_selftest())
fips_set_mode(1);
else

View File

@ -1,8 +1,6 @@
Use fipscheck compatible way of verification of the integrity of the libcrypto
shared library.
diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
--- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100 --- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100
+++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100 +++ openssl-0.9.8j/test/Makefile 2009-02-02 13:24:36.000000000 +0100
@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$ @@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
if [ "$(FIPSCANLIB)" = "libfips" ]; then \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \
LIBRARIES="-L$(TOP) -lfips"; \ LIBRARIES="-L$(TOP) -lfips"; \
@ -24,8 +22,8 @@ diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
$(MAKE) -f $(TOP)/Makefile.shared -e \ $(MAKE) -f $(TOP)/Makefile.shared -e \
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
--- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100 --- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-02-02 13:24:36.000000000 +0100
+++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100 +++ openssl-0.9.8j/Makefile.org 2009-02-02 13:24:36.000000000 +0100
@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA @@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
$(AR) libcrypto.a fips/fipscanister.o ; \ $(AR) libcrypto.a fips/fipscanister.o ; \
@ -59,7 +57,7 @@ diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
Makefile: Makefile.org Configure config Makefile: Makefile.org Configure config
diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
--- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200 --- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
+++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100 +++ openssl-0.9.8j/fips/fips.c 2009-02-02 13:31:53.000000000 +0100
@@ -47,6 +47,7 @@ @@ -47,6 +47,7 @@
* *
*/ */
@ -100,7 +98,7 @@ diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
+ void *dl, *sym; + void *dl, *sym;
+ int rv = -1; + int rv = -1;
+ +
+ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY); + dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) { + if (dl == NULL) {
+ return -1; + return -1;
+ } + }
@ -293,26 +291,28 @@ diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
int FIPS_mode_set(int onoff) int FIPS_mode_set(int onoff)
{ {
@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff) @@ -280,16 +485,17 @@ int FIPS_mode_set(int onoff)
} }
#endif #endif
- if(fips_signature_witness() != FIPS_signature) - if(fips_signature_witness() != FIPS_signature)
- { + if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
{
- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); - FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
- fips_selftest_fail = 1; + FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- ret = 0; fips_selftest_fail = 1;
- goto end; ret = 0;
- } goto end;
- }
- if(!FIPS_check_incore_fingerprint()) - if(!FIPS_check_incore_fingerprint())
+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set")) + if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
{ {
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1; fips_selftest_fail = 1;
ret = 0; ret = 0;
goto end; goto end;
@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void) @@ -405,11 +611,13 @@ int fips_clear_owning_thread(void)
return ret; return ret;
} }
@ -327,8 +327,8 @@ diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
/* Generalized public key test routine. Signs and verifies the data /* Generalized public key test routine. Signs and verifies the data
* supplied in tbs using mesage digest md and setting option digest * supplied in tbs using mesage digest md and setting option digest
diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
--- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100 --- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-02-02 13:24:36.000000000 +0100
+++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100 +++ openssl-0.9.8j/fips/Makefile 2009-02-02 13:24:36.000000000 +0100
@@ -62,9 +62,9 @@ testapps: @@ -62,9 +62,9 @@ testapps:
all: all:
@ -371,7 +371,7 @@ diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
@target=lint; $(RECURSIVE_MAKE) @target=lint; $(RECURSIVE_MAKE)
diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200 --- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
+++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100 +++ openssl-0.9.8j/fips/fips_locl.h 2009-02-02 13:24:36.000000000 +0100
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void); @@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
int fips_set_owning_thread(void); int fips_set_owning_thread(void);
void fips_set_selftest_fail(void); void fips_set_selftest_fail(void);

View File

@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation Summary: A general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 0.9.8j Version: 0.9.8j
Release: 6%{?dist} Release: 7%{?dist}
# We remove certain patented algorithms from the openssl source tarball # We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below. # with the hobble-openssl script which is included below.
Source: openssl-%{version}-usa.tar.bz2 Source: openssl-%{version}-usa.tar.bz2
@ -64,6 +64,7 @@ Patch46: openssl-0.9.8j-eap-fast.patch
Patch47: openssl-0.9.8j-readme-warning.patch Patch47: openssl-0.9.8j-readme-warning.patch
Patch48: openssl-0.9.8j-bad-mime.patch Patch48: openssl-0.9.8j-bad-mime.patch
Patch49: openssl-0.9.8j-fips-no-pairwise.patch Patch49: openssl-0.9.8j-fips-no-pairwise.patch
Patch50: openssl-0.9.8j-fips-rng-seed.patch
# Backported fixes including security fixes # Backported fixes including security fixes
License: OpenSSL License: OpenSSL
@ -74,15 +75,6 @@ BuildRequires: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp
BuildRequires: /usr/bin/rename BuildRequires: /usr/bin/rename
Requires: mktemp, ca-certificates >= 2008-5 Requires: mktemp, ca-certificates >= 2008-5
# Temporary hack
Requires(post): /sbin/ldconfig coreutils
Requires(postun): /sbin/ldconfig
%ifarch ppc64 s390x sparc64 x86_64
Provides: libcrypto.so.7()(64bit) libssl.so.7()(64bit)
%else
Provides: libcrypto.so.7 libssl.so.7
%endif
%description %description
The OpenSSL toolkit provides support for secure communications between The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared machines. OpenSSL includes a certificate management tool and shared
@ -147,6 +139,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch47 -p1 -b .warning %patch47 -p1 -b .warning
%patch48 -p1 -b .bad-mime %patch48 -p1 -b .bad-mime
%patch49 -p1 -b .no-pairwise %patch49 -p1 -b .no-pairwise
%patch50 -p1 -b .rng-seed
# Modify the various perl scripts to reference perl in the right location. # Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}` perl util/perlpath.pl `dirname %{__perl}`
@ -232,6 +225,8 @@ make -C test apps tests
%{__os_install_post} \ %{__os_install_post} \
fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \ fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \ ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libssl.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{version}.hmac \
ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{soversion}.hmac \
%{nil} %{nil}
%install %install
@ -251,8 +246,6 @@ for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do
chmod 755 ${lib} chmod 755 ${lib}
ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}` ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion} ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion}
# temporary hack
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.7
rm -f $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion} rm -f $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done done
@ -375,8 +368,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%attr(0755,root,root) /%{_lib}/*.so.%{version} %attr(0755,root,root) /%{_lib}/*.so.%{version}
%attr(0755,root,root) /%{_lib}/*.so.%{soversion} %attr(0755,root,root) /%{_lib}/*.so.%{soversion}
%attr(0644,root,root) /%{_lib}/.libcrypto.so.*.hmac %attr(0644,root,root) /%{_lib}/.libcrypto.so.*.hmac
# temporary hack %attr(0644,root,root) /%{_lib}/.libssl.so.*.hmac
%attr(0755,root,root) /%{_lib}/*.so.7
%attr(0755,root,root) %{_libdir}/openssl %attr(0755,root,root) %{_libdir}/openssl
%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]* %attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
%attr(0644,root,root) %{_mandir}/man5*/* %attr(0644,root,root) %{_mandir}/man5*/*
@ -399,13 +391,16 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%{_sysconfdir}/pki/tls/misc/*.pl %{_sysconfdir}/pki/tls/misc/*.pl
%endif %endif
%post %post -p /sbin/ldconfig
/sbin/ldconfig -X
%postun %postun -p /sbin/ldconfig
/sbin/ldconfig -X
%changelog %changelog
* Mon Feb 2 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-7
- must also verify checksum of libssl.so in the FIPS mode
- obtain the seed for FIPS rng directly from the kernel device
- drop the temporary symlinks
* Mon Jan 26 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-6 * Mon Jan 26 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-6
- drop the temporary triggerpostun and symlinking in post - drop the temporary triggerpostun and symlinking in post
- fix the pkgconfig files and drop the unnecessary buildrequires - fix the pkgconfig files and drop the unnecessary buildrequires