/[smecontribs]/rpms/openssl3/contribs10/0034.fipsinstall_disable.patch
ViewVC logotype

Contents of /rpms/openssl3/contribs10/0034.fipsinstall_disable.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Jan 31 17:24:37 2024 UTC (9 months, 3 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
2 --- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100
3 +++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100
4 @@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar
5 EVP_MAC *mac = NULL;
6 CONF *conf = NULL;
7
8 + BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
9 + return 1;
10 +
11 if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
12 goto end;
13
14 diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
15 --- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
16 +++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
17 @@ -158,10 +158,6 @@ Engine (loadable module) information and
18
19 Error Number to Error String Conversion.
20
21 -=item B<fipsinstall>
22 -
23 -FIPS configuration installation.
24 -
25 =item B<gendsa>
26
27 Generation of DSA Private Key from Parameters. Superseded by
28 diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
29 --- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
30 +++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
31 @@ -573,7 +573,6 @@ configuration files using that syntax wi
32 =head1 SEE ALSO
33
34 L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
35 -L<openssl-fipsinstall(1)>,
36 L<ASN1_generate_nconf(3)>,
37 L<EVP_set_default_properties(3)>,
38 L<CONF_modules_load(3)>,
39 diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
40 --- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
41 +++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
42 @@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
43
44 =head1 DESCRIPTION
45
46 -A separate configuration file, using the OpenSSL L<config(5)> syntax,
47 -is used to hold information about the FIPS module. This includes a digest
48 -of the shared library file, and status about the self-testing.
49 -This data is used automatically by the module itself for two
50 -purposes:
51 -
52 -=over 4
53 -
54 -=item - Run the startup FIPS self-test known answer tests (KATS).
55 -
56 -This is normally done once, at installation time, but may also be set up to
57 -run each time the module is used.
58 -
59 -=item - Verify the module's checksum.
60 -
61 -This is done each time the module is used.
62 -
63 -=back
64 -
65 -This file is generated by the L<openssl-fipsinstall(1)> program, and
66 -used internally by the FIPS module during its initialization.
67 -
68 -The following options are supported. They should all appear in a section
69 -whose name is identified by the B<fips> option in the B<providers>
70 -section, as described in L<config(5)/Provider Configuration Module>.
71 -
72 -=over 4
73 -
74 -=item B<activate>
75 -
76 -If present, the module is activated. The value assigned to this name is not
77 -significant.
78 -
79 -=item B<install-version>
80 -
81 -A version number for the fips install process. Should be 1.
82 -
83 -=item B<conditional-errors>
84 -
85 -The FIPS module normally enters an internal error mode if any self test fails.
86 -Once this error mode is active, no services or cryptographic algorithms are
87 -accessible from this point on.
88 -Continuous tests are a subset of the self tests (e.g., a key pair test during key
89 -generation, or the CRNG output test).
90 -Setting this value to C<0> allows the error mode to not be triggered if any
91 -continuous test fails. The default value of C<1> will trigger the error mode.
92 -Regardless of the value, the operation (e.g., key generation) that called the
93 -continuous test will return an error code if its continuous test fails. The
94 -operation may then be retried if the error mode has not been triggered.
95 -
96 -=item B<security-checks>
97 -
98 -This indicates if run-time checks related to enforcement of security parameters
99 -such as minimum security strength of keys and approved curve names are used.
100 -A value of '1' will perform the checks, otherwise if the value is '0' the checks
101 -are not performed and FIPS compliance must be done by procedures documented in
102 -the relevant Security Policy.
103 -
104 -=item B<module-mac>
105 -
106 -The calculated MAC of the FIPS provider file.
107 -
108 -=item B<install-status>
109 -
110 -An indicator that the self-tests were successfully run.
111 -This should only be written after the module has
112 -successfully passed its self tests during installation.
113 -If this field is not present, then the self tests will run when the module
114 -loads.
115 -
116 -=item B<install-mac>
117 -
118 -A MAC of the value of the B<install-status> option, to prevent accidental
119 -changes to that value.
120 -It is written-to at the same time as B<install-status> is updated.
121 -
122 -=back
123 -
124 -For example:
125 -
126 - [fips_sect]
127 - activate = 1
128 - install-version = 1
129 - conditional-errors = 1
130 - security-checks = 1
131 - module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
132 - install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
133 - install-status = INSTALL_SELF_TEST_KATS_RUN
134 -
135 -=head1 NOTES
136 -
137 -When using the FIPS provider, it is recommended that the
138 -B<config_diagnostics> option is enabled to prevent accidental use of
139 -non-FIPS validated algorithms via broken or mistaken configuration.
140 -See L<config(5)>.
141 -
142 -=head1 SEE ALSO
143 -
144 -L<config(5)>
145 -L<openssl-fipsinstall(1)>
146 +This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
147 +automatically loaded when the system is booted in FIPS mode, or when the
148 +environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
149 +for more information.
150
151 =head1 COPYRIGHT
152
153 diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
154 --- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
155 +++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
156 @@ -388,7 +388,6 @@ A simple self test callback is shown bel
157
158 =head1 SEE ALSO
159
160 -L<openssl-fipsinstall(1)>,
161 L<fips_config(5)>,
162 L<OSSL_SELF_TEST_set_callback(3)>,
163 L<OSSL_SELF_TEST_new(3)>,
164 diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
165 --- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100
166 +++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100
167 @@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
168 =head1 SYNOPSIS
169
170 B<openssl fipsinstall>
171 -[B<-help>]
172 -[B<-in> I<configfilename>]
173 -[B<-out> I<configfilename>]
174 -[B<-module> I<modulefilename>]
175 -[B<-provider_name> I<providername>]
176 -[B<-section_name> I<sectionname>]
177 -[B<-verify>]
178 -[B<-mac_name> I<macname>]
179 -[B<-macopt> I<nm>:I<v>]
180 -[B<-noout>]
181 -[B<-quiet>]
182 -[B<-no_conditional_errors>]
183 -[B<-no_security_checks>]
184 -[B<-self_test_onload>]
185 -[B<-corrupt_desc> I<selftest_description>]
186 -[B<-corrupt_type> I<selftest_type>]
187 -[B<-config> I<parent_config>]
188
189 =head1 DESCRIPTION
190 -
191 -This command is used to generate a FIPS module configuration file.
192 -This configuration file can be used each time a FIPS module is loaded
193 -in order to pass data to the FIPS module self tests. The FIPS module always
194 -verifies its MAC, but optionally only needs to run the KAT's once,
195 -at installation.
196 -
197 -The generated configuration file consists of:
198 -
199 -=over 4
200 -
201 -=item - A MAC of the FIPS module file.
202 -
203 -=item - A test status indicator.
204 -
205 -This indicates if the Known Answer Self Tests (KAT's) have successfully run.
206 -
207 -=item - A MAC of the status indicator.
208 -
209 -=item - A control for conditional self tests errors.
210 -
211 -By default if a continuous test (e.g a key pair test) fails then the FIPS module
212 -will enter an error state, and no services or cryptographic algorithms will be
213 -able to be accessed after this point.
214 -The default value of '1' will cause the fips module error state to be entered.
215 -If the value is '0' then the module error state will not be entered.
216 -Regardless of whether the error state is entered or not, the current operation
217 -(e.g. key generation) will return an error. The user is responsible for retrying
218 -the operation if the module error state is not entered.
219 -
220 -=item - A control to indicate whether run-time security checks are done.
221 -
222 -This indicates if run-time checks related to enforcement of security parameters
223 -such as minimum security strength of keys and approved curve names are used.
224 -The default value of '1' will perform the checks.
225 -If the value is '0' the checks are not performed and FIPS compliance must
226 -be done by procedures documented in the relevant Security Policy.
227 -
228 -=back
229 -
230 -This file is described in L<fips_config(5)>.
231 -
232 -=head1 OPTIONS
233 -
234 -=over 4
235 -
236 -=item B<-help>
237 -
238 -Print a usage message.
239 -
240 -=item B<-module> I<filename>
241 -
242 -Filename of the FIPS module to perform an integrity check on.
243 -The path provided in the filename is used to load the module when it is
244 -activated, and this overrides the environment variable B<OPENSSL_MODULES>.
245 -
246 -=item B<-out> I<configfilename>
247 -
248 -Filename to output the configuration data to; the default is standard output.
249 -
250 -=item B<-in> I<configfilename>
251 -
252 -Input filename to load configuration data from.
253 -Must be used if the B<-verify> option is specified.
254 -
255 -=item B<-verify>
256 -
257 -Verify that the input configuration file contains the correct information.
258 -
259 -=item B<-provider_name> I<providername>
260 -
261 -Name of the provider inside the configuration file.
262 -The default value is C<fips>.
263 -
264 -=item B<-section_name> I<sectionname>
265 -
266 -Name of the section inside the configuration file.
267 -The default value is C<fips_sect>.
268 -
269 -=item B<-mac_name> I<name>
270 -
271 -Specifies the name of a supported MAC algorithm which will be used.
272 -The MAC mechanisms that are available will depend on the options
273 -used when building OpenSSL.
274 -To see the list of supported MAC's use the command
275 -C<openssl list -mac-algorithms>. The default is B<HMAC>.
276 -
277 -=item B<-macopt> I<nm>:I<v>
278 -
279 -Passes options to the MAC algorithm.
280 -A comprehensive list of controls can be found in the EVP_MAC implementation
281 -documentation.
282 -Common control strings used for this command are:
283 -
284 -=over 4
285 -
286 -=item B<key>:I<string>
287 -
288 -Specifies the MAC key as an alphanumeric string (use if the key contains
289 -printable characters only).
290 -The string length must conform to any restrictions of the MAC algorithm.
291 -A key must be specified for every MAC algorithm.
292 -If no key is provided, the default that was specified when OpenSSL was
293 -configured is used.
294 -
295 -=item B<hexkey>:I<string>
296 -
297 -Specifies the MAC key in hexadecimal form (two hex digits per byte).
298 -The key length must conform to any restrictions of the MAC algorithm.
299 -A key must be specified for every MAC algorithm.
300 -If no key is provided, the default that was specified when OpenSSL was
301 -configured is used.
302 -
303 -=item B<digest>:I<string>
304 -
305 -Used by HMAC as an alphanumeric string (use if the key contains printable
306 -characters only).
307 -The string length must conform to any restrictions of the MAC algorithm.
308 -To see the list of supported digests, use the command
309 -C<openssl list -digest-commands>.
310 -The default digest is SHA-256.
311 -
312 -=back
313 -
314 -=item B<-noout>
315 -
316 -Disable logging of the self tests.
317 -
318 -=item B<-no_conditional_errors>
319 -
320 -Configure the module to not enter an error state if a conditional self test
321 -fails as described above.
322 -
323 -=item B<-no_security_checks>
324 -
325 -Configure the module to not perform run-time security checks as described above.
326 -
327 -=item B<-self_test_onload>
328 -
329 -Do not write the two fields related to the "test status indicator" and
330 -"MAC status indicator" to the output configuration file. Without these fields
331 -the self tests KATS will run each time the module is loaded. This option could be
332 -used for cross compiling, since the self tests need to run at least once on each
333 -target machine. Once the self tests have run on the target machine the user
334 -could possibly then add the 2 fields into the configuration using some other
335 -mechanism.
336 -
337 -=item B<-quiet>
338 -
339 -Do not output pass/fail messages. Implies B<-noout>.
340 -
341 -=item B<-corrupt_desc> I<selftest_description>,
342 -B<-corrupt_type> I<selftest_type>
343 -
344 -The corrupt options can be used to test failure of one or more self tests by
345 -name.
346 -Either option or both may be used to select the tests to corrupt.
347 -Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
348 -values that can be used.
349 -
350 -=item B<-config> I<parent_config>
351 -
352 -Test that a FIPS provider can be loaded from the specified configuration file.
353 -A previous call to this application needs to generate the extra configuration
354 -data that is included by the base C<parent_config> configuration file.
355 -See L<config(5)> for further information on how to set up a provider section.
356 -All other options are ignored if '-config' is used.
357 -
358 -=back
359 -
360 -=head1 NOTES
361 -
362 -Self tests results are logged by default if the options B<-quiet> and B<-noout>
363 -are not specified, or if either of the options B<-corrupt_desc> or
364 -B<-corrupt_type> are used.
365 -If the base configuration file is set up to autoload the fips module, then the
366 -fips module will be loaded and self tested BEFORE the fipsinstall application
367 -has a chance to set up its own self test callback. As a result of this the self
368 -test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
369 -For normal usage the base configuration file should use the default provider
370 -when generating the fips configuration file.
371 -
372 -=head1 EXAMPLES
373 -
374 -Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
375 -for the module, and save the F<fips.cnf> configuration file:
376 -
377 - openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
378 -
379 -Verify that the configuration file F<fips.cnf> contains the correct info:
380 -
381 - openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
382 -
383 -Corrupt any self tests which have the description C<SHA1>:
384 -
385 - openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
386 - -corrupt_desc 'SHA1'
387 -
388 -Validate that the fips module can be loaded from a base configuration file:
389 -
390 - export OPENSSL_CONF_INCLUDE=<path of configuration files>
391 - export OPENSSL_MODULES=<provider-path>
392 - openssl fipsinstall -config' 'default.cnf'
393 -
394 -
395 -=head1 SEE ALSO
396 -
397 -L<config(5)>,
398 -L<fips_config(5)>,
399 -L<OSSL_PROVIDER-FIPS(7)>,
400 -L<EVP_MAC(3)>
401 +This command is disabled.
402 +Please consult Red Hat Enterprise Linux documentation to learn how to correctly
403 +enable FIPS mode on Red Hat Enterprise
404
405 =head1 COPYRIGHT
406

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed