/[smecontribs]/rpms/openssl3/contribs10/0034.fipsinstall_disable.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0034.fipsinstall_disable.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:37 2024 UTC (8 months, 2 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
2     --- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100
3     +++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100
4     @@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar
5     EVP_MAC *mac = NULL;
6     CONF *conf = NULL;
7    
8     + BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
9     + return 1;
10     +
11     if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
12     goto end;
13    
14     diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
15     --- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
16     +++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
17     @@ -158,10 +158,6 @@ Engine (loadable module) information and
18    
19     Error Number to Error String Conversion.
20    
21     -=item B<fipsinstall>
22     -
23     -FIPS configuration installation.
24     -
25     =item B<gendsa>
26    
27     Generation of DSA Private Key from Parameters. Superseded by
28     diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
29     --- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
30     +++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
31     @@ -573,7 +573,6 @@ configuration files using that syntax wi
32     =head1 SEE ALSO
33    
34     L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
35     -L<openssl-fipsinstall(1)>,
36     L<ASN1_generate_nconf(3)>,
37     L<EVP_set_default_properties(3)>,
38     L<CONF_modules_load(3)>,
39     diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
40     --- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
41     +++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
42     @@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
43    
44     =head1 DESCRIPTION
45    
46     -A separate configuration file, using the OpenSSL L<config(5)> syntax,
47     -is used to hold information about the FIPS module. This includes a digest
48     -of the shared library file, and status about the self-testing.
49     -This data is used automatically by the module itself for two
50     -purposes:
51     -
52     -=over 4
53     -
54     -=item - Run the startup FIPS self-test known answer tests (KATS).
55     -
56     -This is normally done once, at installation time, but may also be set up to
57     -run each time the module is used.
58     -
59     -=item - Verify the module's checksum.
60     -
61     -This is done each time the module is used.
62     -
63     -=back
64     -
65     -This file is generated by the L<openssl-fipsinstall(1)> program, and
66     -used internally by the FIPS module during its initialization.
67     -
68     -The following options are supported. They should all appear in a section
69     -whose name is identified by the B<fips> option in the B<providers>
70     -section, as described in L<config(5)/Provider Configuration Module>.
71     -
72     -=over 4
73     -
74     -=item B<activate>
75     -
76     -If present, the module is activated. The value assigned to this name is not
77     -significant.
78     -
79     -=item B<install-version>
80     -
81     -A version number for the fips install process. Should be 1.
82     -
83     -=item B<conditional-errors>
84     -
85     -The FIPS module normally enters an internal error mode if any self test fails.
86     -Once this error mode is active, no services or cryptographic algorithms are
87     -accessible from this point on.
88     -Continuous tests are a subset of the self tests (e.g., a key pair test during key
89     -generation, or the CRNG output test).
90     -Setting this value to C<0> allows the error mode to not be triggered if any
91     -continuous test fails. The default value of C<1> will trigger the error mode.
92     -Regardless of the value, the operation (e.g., key generation) that called the
93     -continuous test will return an error code if its continuous test fails. The
94     -operation may then be retried if the error mode has not been triggered.
95     -
96     -=item B<security-checks>
97     -
98     -This indicates if run-time checks related to enforcement of security parameters
99     -such as minimum security strength of keys and approved curve names are used.
100     -A value of '1' will perform the checks, otherwise if the value is '0' the checks
101     -are not performed and FIPS compliance must be done by procedures documented in
102     -the relevant Security Policy.
103     -
104     -=item B<module-mac>
105     -
106     -The calculated MAC of the FIPS provider file.
107     -
108     -=item B<install-status>
109     -
110     -An indicator that the self-tests were successfully run.
111     -This should only be written after the module has
112     -successfully passed its self tests during installation.
113     -If this field is not present, then the self tests will run when the module
114     -loads.
115     -
116     -=item B<install-mac>
117     -
118     -A MAC of the value of the B<install-status> option, to prevent accidental
119     -changes to that value.
120     -It is written-to at the same time as B<install-status> is updated.
121     -
122     -=back
123     -
124     -For example:
125     -
126     - [fips_sect]
127     - activate = 1
128     - install-version = 1
129     - conditional-errors = 1
130     - security-checks = 1
131     - module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
132     - install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
133     - install-status = INSTALL_SELF_TEST_KATS_RUN
134     -
135     -=head1 NOTES
136     -
137     -When using the FIPS provider, it is recommended that the
138     -B<config_diagnostics> option is enabled to prevent accidental use of
139     -non-FIPS validated algorithms via broken or mistaken configuration.
140     -See L<config(5)>.
141     -
142     -=head1 SEE ALSO
143     -
144     -L<config(5)>
145     -L<openssl-fipsinstall(1)>
146     +This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
147     +automatically loaded when the system is booted in FIPS mode, or when the
148     +environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
149     +for more information.
150    
151     =head1 COPYRIGHT
152    
153     diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
154     --- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
155     +++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
156     @@ -388,7 +388,6 @@ A simple self test callback is shown bel
157    
158     =head1 SEE ALSO
159    
160     -L<openssl-fipsinstall(1)>,
161     L<fips_config(5)>,
162     L<OSSL_SELF_TEST_set_callback(3)>,
163     L<OSSL_SELF_TEST_new(3)>,
164     diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
165     --- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100
166     +++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100
167     @@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
168     =head1 SYNOPSIS
169    
170     B<openssl fipsinstall>
171     -[B<-help>]
172     -[B<-in> I<configfilename>]
173     -[B<-out> I<configfilename>]
174     -[B<-module> I<modulefilename>]
175     -[B<-provider_name> I<providername>]
176     -[B<-section_name> I<sectionname>]
177     -[B<-verify>]
178     -[B<-mac_name> I<macname>]
179     -[B<-macopt> I<nm>:I<v>]
180     -[B<-noout>]
181     -[B<-quiet>]
182     -[B<-no_conditional_errors>]
183     -[B<-no_security_checks>]
184     -[B<-self_test_onload>]
185     -[B<-corrupt_desc> I<selftest_description>]
186     -[B<-corrupt_type> I<selftest_type>]
187     -[B<-config> I<parent_config>]
188    
189     =head1 DESCRIPTION
190     -
191     -This command is used to generate a FIPS module configuration file.
192     -This configuration file can be used each time a FIPS module is loaded
193     -in order to pass data to the FIPS module self tests. The FIPS module always
194     -verifies its MAC, but optionally only needs to run the KAT's once,
195     -at installation.
196     -
197     -The generated configuration file consists of:
198     -
199     -=over 4
200     -
201     -=item - A MAC of the FIPS module file.
202     -
203     -=item - A test status indicator.
204     -
205     -This indicates if the Known Answer Self Tests (KAT's) have successfully run.
206     -
207     -=item - A MAC of the status indicator.
208     -
209     -=item - A control for conditional self tests errors.
210     -
211     -By default if a continuous test (e.g a key pair test) fails then the FIPS module
212     -will enter an error state, and no services or cryptographic algorithms will be
213     -able to be accessed after this point.
214     -The default value of '1' will cause the fips module error state to be entered.
215     -If the value is '0' then the module error state will not be entered.
216     -Regardless of whether the error state is entered or not, the current operation
217     -(e.g. key generation) will return an error. The user is responsible for retrying
218     -the operation if the module error state is not entered.
219     -
220     -=item - A control to indicate whether run-time security checks are done.
221     -
222     -This indicates if run-time checks related to enforcement of security parameters
223     -such as minimum security strength of keys and approved curve names are used.
224     -The default value of '1' will perform the checks.
225     -If the value is '0' the checks are not performed and FIPS compliance must
226     -be done by procedures documented in the relevant Security Policy.
227     -
228     -=back
229     -
230     -This file is described in L<fips_config(5)>.
231     -
232     -=head1 OPTIONS
233     -
234     -=over 4
235     -
236     -=item B<-help>
237     -
238     -Print a usage message.
239     -
240     -=item B<-module> I<filename>
241     -
242     -Filename of the FIPS module to perform an integrity check on.
243     -The path provided in the filename is used to load the module when it is
244     -activated, and this overrides the environment variable B<OPENSSL_MODULES>.
245     -
246     -=item B<-out> I<configfilename>
247     -
248     -Filename to output the configuration data to; the default is standard output.
249     -
250     -=item B<-in> I<configfilename>
251     -
252     -Input filename to load configuration data from.
253     -Must be used if the B<-verify> option is specified.
254     -
255     -=item B<-verify>
256     -
257     -Verify that the input configuration file contains the correct information.
258     -
259     -=item B<-provider_name> I<providername>
260     -
261     -Name of the provider inside the configuration file.
262     -The default value is C<fips>.
263     -
264     -=item B<-section_name> I<sectionname>
265     -
266     -Name of the section inside the configuration file.
267     -The default value is C<fips_sect>.
268     -
269     -=item B<-mac_name> I<name>
270     -
271     -Specifies the name of a supported MAC algorithm which will be used.
272     -The MAC mechanisms that are available will depend on the options
273     -used when building OpenSSL.
274     -To see the list of supported MAC's use the command
275     -C<openssl list -mac-algorithms>. The default is B<HMAC>.
276     -
277     -=item B<-macopt> I<nm>:I<v>
278     -
279     -Passes options to the MAC algorithm.
280     -A comprehensive list of controls can be found in the EVP_MAC implementation
281     -documentation.
282     -Common control strings used for this command are:
283     -
284     -=over 4
285     -
286     -=item B<key>:I<string>
287     -
288     -Specifies the MAC key as an alphanumeric string (use if the key contains
289     -printable characters only).
290     -The string length must conform to any restrictions of the MAC algorithm.
291     -A key must be specified for every MAC algorithm.
292     -If no key is provided, the default that was specified when OpenSSL was
293     -configured is used.
294     -
295     -=item B<hexkey>:I<string>
296     -
297     -Specifies the MAC key in hexadecimal form (two hex digits per byte).
298     -The key length must conform to any restrictions of the MAC algorithm.
299     -A key must be specified for every MAC algorithm.
300     -If no key is provided, the default that was specified when OpenSSL was
301     -configured is used.
302     -
303     -=item B<digest>:I<string>
304     -
305     -Used by HMAC as an alphanumeric string (use if the key contains printable
306     -characters only).
307     -The string length must conform to any restrictions of the MAC algorithm.
308     -To see the list of supported digests, use the command
309     -C<openssl list -digest-commands>.
310     -The default digest is SHA-256.
311     -
312     -=back
313     -
314     -=item B<-noout>
315     -
316     -Disable logging of the self tests.
317     -
318     -=item B<-no_conditional_errors>
319     -
320     -Configure the module to not enter an error state if a conditional self test
321     -fails as described above.
322     -
323     -=item B<-no_security_checks>
324     -
325     -Configure the module to not perform run-time security checks as described above.
326     -
327     -=item B<-self_test_onload>
328     -
329     -Do not write the two fields related to the "test status indicator" and
330     -"MAC status indicator" to the output configuration file. Without these fields
331     -the self tests KATS will run each time the module is loaded. This option could be
332     -used for cross compiling, since the self tests need to run at least once on each
333     -target machine. Once the self tests have run on the target machine the user
334     -could possibly then add the 2 fields into the configuration using some other
335     -mechanism.
336     -
337     -=item B<-quiet>
338     -
339     -Do not output pass/fail messages. Implies B<-noout>.
340     -
341     -=item B<-corrupt_desc> I<selftest_description>,
342     -B<-corrupt_type> I<selftest_type>
343     -
344     -The corrupt options can be used to test failure of one or more self tests by
345     -name.
346     -Either option or both may be used to select the tests to corrupt.
347     -Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
348     -values that can be used.
349     -
350     -=item B<-config> I<parent_config>
351     -
352     -Test that a FIPS provider can be loaded from the specified configuration file.
353     -A previous call to this application needs to generate the extra configuration
354     -data that is included by the base C<parent_config> configuration file.
355     -See L<config(5)> for further information on how to set up a provider section.
356     -All other options are ignored if '-config' is used.
357     -
358     -=back
359     -
360     -=head1 NOTES
361     -
362     -Self tests results are logged by default if the options B<-quiet> and B<-noout>
363     -are not specified, or if either of the options B<-corrupt_desc> or
364     -B<-corrupt_type> are used.
365     -If the base configuration file is set up to autoload the fips module, then the
366     -fips module will be loaded and self tested BEFORE the fipsinstall application
367     -has a chance to set up its own self test callback. As a result of this the self
368     -test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
369     -For normal usage the base configuration file should use the default provider
370     -when generating the fips configuration file.
371     -
372     -=head1 EXAMPLES
373     -
374     -Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
375     -for the module, and save the F<fips.cnf> configuration file:
376     -
377     - openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
378     -
379     -Verify that the configuration file F<fips.cnf> contains the correct info:
380     -
381     - openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
382     -
383     -Corrupt any self tests which have the description C<SHA1>:
384     -
385     - openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
386     - -corrupt_desc 'SHA1'
387     -
388     -Validate that the fips module can be loaded from a base configuration file:
389     -
390     - export OPENSSL_CONF_INCLUDE=<path of configuration files>
391     - export OPENSSL_MODULES=<provider-path>
392     - openssl fipsinstall -config' 'default.cnf'
393     -
394     -
395     -=head1 SEE ALSO
396     -
397     -L<config(5)>,
398     -L<fips_config(5)>,
399     -L<OSSL_PROVIDER-FIPS(7)>,
400     -L<EVP_MAC(3)>
401     +This command is disabled.
402     +Please consult Red Hat Enterprise Linux documentation to learn how to correctly
403     +enable FIPS mode on Red Hat Enterprise
404    
405     =head1 COPYRIGHT
406    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed