resolve bugzilla 319901 (phew! only took 6 years & 9 days)

2013-10-15 02:14:11 +01:00 · 2013-10-15 02:14:11 +01:00 · 4d56d16496
parent 8c28623e94
commit 4d56d16496
6 changed files with 2458 additions and 299 deletions
--- a/17
+++ b/17
@ -7,39 +7,30 @@ set -e
 # MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
 # IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
 # RC5:   5,724,428 01/11/2015
-# EC:    ????????? ??/??/2020
 # SRP:   ????????? ??/??/20??

 # Remove assembler portions of IDEA, MDC2, and RC5.
 (find crypto/rc5/asm -type f | xargs -r rm -fv)

-# RC5, EC, SRP.
-for a in rc5 ec ecdh ecdsa srp; do
+# RC5, SRP.
+for a in rc5 srp; do
  for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
 	echo Destroying $c
 	> $c
  done
 done

-for c in `find crypto/evp -name "*_rc5.c" -o -name "*_ecdsa.c"`; do
-	echo Destroying $c
-	> $c
-done
-
-for c in `find crypto/bn -name "*gf2m.c"`; do
+for c in `find crypto/evp -name "*_rc5.c"`; do
 	echo Destroying $c
 	> $c
 done

 for h in `find crypto ssl apps test -name "*.h"` ; do
-	echo Removing RC5, SRP and EC references from $h
+	echo Removing RC5, SRP references from $h
 	cat $h | \
 	awk    'BEGIN {ech=1;} \
 		/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
 		/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
-		/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
-		/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
-		/^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \
                /^#[ \t]*if/ {if(ech < 1) ech--;} \
 		{if(ech>0) {;print $0};} \
 		/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
--- a/openssl-1.0.1e-fips-ctor.patch
+++ b/openssl-1.0.1e-fips-ctor.patch
@ -1,6 +1,6 @@
 diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor	2013-09-02 14:20:26.853925144 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.c	2013-09-02 14:22:18.082370680 +0200
+--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor	2013-09-23 18:05:15.731136863 +0200
+++ openssl-1.0.1e/crypto/fips/fips.c	2013-09-23 18:18:27.953969770 +0200
@@ -60,6 +60,8 @@
 #include <dlfcn.h>
 #include <stdio.h>
@ -23,11 +23,65 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
 #define READ_BUFFER_LENGTH 16384
 
 static char *
-@@ -341,6 +345,32 @@ end:
+@@ -279,19 +283,13 @@ end:
+ }
+ 
+ static int
+-FIPSCHECK_verify(const char *libname, const char *symbolname)
+FIPSCHECK_verify(const char *path)
+ {
+-	char path[PATH_MAX+1];
+-	int rv;
+	int rv = 0;
+ 	FILE *hf;
+ 	char *hmacpath, *p;
+ 	char *hmac = NULL;
+ 	size_t n;
+-	
+-	rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+-	if (rv < 0)
+-		return 0;
+ 
+ 	hmacpath = make_hmac_path(path);
+ 	if (hmacpath == NULL)
+@@ -341,6 +339,64 @@ end:
 	return 1;	
 }
 
-+int FIPS_module_installed(void)
+static int
+verify_checksums(void)
+    {
+	int rv;
+	char path[PATH_MAX+1];
+	char *p;
+
+	/* we need to avoid dlopening libssl, assume both libcrypto and libssl
+	   are in the same directory */
+
+	rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
+	if (rv < 0)
+		return 0;
+
+	rv = FIPSCHECK_verify(path);
+	if (!rv)
+		return 0;
+
+	/* replace libcrypto with libssl */
+	while ((p = strstr(path, "libcrypto.so")) != NULL)
+	    {
+		p = stpcpy(p, "libssl");
+                memmove(p, p+3, strlen(p+2));
+	    }
+
+	rv = FIPSCHECK_verify(path);
+	if (!rv)
+		return 0;
+	return 1;
+    }
+
+int
+FIPS_module_installed(void)
 +    {
 +	char path[PATH_MAX+1];
 +	int rv;
@ -56,9 +110,26 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
 int FIPS_module_mode_set(int onoff, const char *auth)
     {
     int ret = 0;
+@@ -379,15 +435,7 @@ int FIPS_module_mode_set(int onoff, cons
+ 	}
+ #endif
+ 
+-	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
+-	    {
+-	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+-	    fips_selftest_fail = 1;
+-	    ret = 0;
+-	    goto end;
+-	    }
+-
+-	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
+	if(!verify_checksums())
+ 	    {
+ 	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ 	    fips_selftest_fail = 1;
 diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor	2013-09-02 14:20:26.857925232 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.h	2013-09-02 14:20:26.915926507 +0200
+--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor	2013-09-23 18:05:15.734136931 +0200
+++ openssl-1.0.1e/crypto/fips/fips.h	2013-09-23 18:05:15.775137854 +0200
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
 
 int FIPS_module_mode_set(int onoff, const char *auth);
@ -68,8 +139,8 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/
 int FIPS_selftest(void);
 int FIPS_selftest_failed(void);
 diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor	2013-09-02 14:20:26.894926046 +0200
-+++ openssl-1.0.1e/crypto/o_init.c	2013-09-02 14:20:26.916926529 +0200
+--- openssl-1.0.1e/crypto/o_init.c.fips-ctor	2013-09-23 18:05:15.762137561 +0200
+++ openssl-1.0.1e/crypto/o_init.c	2013-09-23 18:05:15.776137876 +0200
@@ -73,6 +73,10 @@ static void init_fips_mode(void)
 	char buf[2] = "0";
 	int fd;
--- a/openssl-1.0.1e-fips-ec.patch
+++ b/openssl-1.0.1e-fips-ec.patch
--- a/openssl-1.0.1e-fips.patch
+++ b/openssl-1.0.1e-fips.patch
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 23%{?dist}
+Release: 27%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -77,6 +77,7 @@ Patch82: openssl-1.0.1e-backports.patch
 Patch83: openssl-1.0.1e-bad-mac.patch
 Patch84: openssl-1.0.1e-trusted-first.patch
 Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
+Patch86: openssl-1.0.1e-fips-ec.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -197,6 +198,7 @@ OpenSSL FIPS module.
 %patch83 -p1 -b .bad-mac
 %patch84 -p1 -b .trusted-first
 %patch85 -p1 -b .armcap
+%patch86 -p1 -b .fips-ec

 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h

@ -251,7 +253,7 @@ sslarch=linux-ppc64
 ./Configure \
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
-	enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \
+	enable-cms enable-md2 no-mdc2 no-rc5 no-srp \
 	--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
 	--with-krb5-dir=/usr shared  ${sslarch} %{?!nofips:fips}

@ -473,6 +475,19 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :

 %changelog
+* Mon Oct 14 2013 Tom Callaway <spot@fedoraproject.org> - 1.0.1e-27
+- resolve bugzilla 319901 (phew! only took 6 years & 9 days)
+
+* Fri Sep 27 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-26
+- make DTLS1 work in FIPS mode
+- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
+
+* Mon Sep 23 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-25
+- avoid dlopening libssl.so from libcrypto (#1010357)
+
+* Fri Sep 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-24
+- fix small memory leak in FIPS aes selftest
+
 * Thu Sep 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-23
 - fix segfault in openssl speed hmac in the FIPS mode

--- a/2
+++ b/2
@ -1 +1 @@
-641677c116865e60601677329b514e2d  openssl-1.0.1e-usa.tar.xz
+3b0845cfbbb2af350ef3b026f8dfcd5f  openssl-1.0.1e-usa.tar.xz