Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssl-1_0_0 for openSUSE:Factory checked in at 2023-06-07 23:06:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-1_0_0 (Old)
 and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_0_0" Wed Jun 7 23:06:42 2023 rev:35 rq:1090920 version:1.0.2u Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1_0_0.changes 2023-05-31 21:55:02.657199321 +0200 +++ /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.15902/openssl-1_0_0.changes 2023-06-07 23:07:15.615286999 +0200 @@ -1,0 +2,5 @@ +Mon Jun 5 07:12:06 UTC 2023 - Pedro Monreal <[email protected]> + +- FIPS: Merge libopenssl1_0_0-hmac package into the library [bsc#1185116] + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_0_0.spec ++++++ --- /var/tmp/diff_new_pack.fsbVMV/_old 2023-06-07 23:07:16.999295036 +0200 +++ /var/tmp/diff_new_pack.fsbVMV/_new 2023-06-07 23:07:17.003295059 +0200 @@ -151,8 +151,9 @@ License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla -# install libopenssl and libopenssl-hmac close together (bsc#1090765) -Suggests: libopenssl1_0_0-hmac = %{version}-%{release} +# Merge back the hmac files bsc#1185116 +Provides: libopenssl1_0_0-hmac = %{version}-%{release} +Obsoletes: libopenssl1_0_0-hmac < %{version}-%{release} %description -n libopenssl1_0_0 OpenSSL is a software library to be used in applications that need to @@ -205,16 +206,6 @@ This subpackage contains header files for developing applications that want to make use of the OpenSSL C API. -%package -n libopenssl1_0_0-hmac -Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries -License: BSD-3-Clause -Group: Productivity/Networking/Security -Requires: libopenssl1_0_0 = %{version}-%{release} - -%description -n libopenssl1_0_0-hmac -The FIPS compliant operation of the openssl shared libraries is NOT -possible without the HMAC hashes contained in this package! - %package doc Summary: Additional Package Documentation License: OpenSSL 
@@ -491,6 +482,8 @@ %license LICENSE %{_libdir}/libssl.so.%{num_version} %{_libdir}/libcrypto.so.%{num_version} +%{_libdir}/.libssl.so.%{num_version}.hmac +%{_libdir}/.libcrypto.so.%{num_version}.hmac %dir %{_libdir}/engines-1.0 %{_libdir}/engines-1.0 @@ -506,10 +499,6 @@ /%{steamlibdir}/libssl.so.%{num_version} /%{steamlibdir}/libcrypto.so.%{num_version} -%files -n libopenssl1_0_0-hmac -%{_libdir}/.libssl.so.%{num_version}.hmac -%{_libdir}/.libcrypto.so.%{num_version}.hmac - %files -n libopenssl-1_0_0-devel %{_includedir}/%{_rname}/ %{_includedir}/ssl ++++++ README-FIPS.txt ++++++ --- /var/tmp/diff_new_pack.fsbVMV/_old 2023-06-07 23:07:17.139295849 +0200 +++ /var/tmp/diff_new_pack.fsbVMV/_new 2023-06-07 23:07:17.143295872 +0200 @@ -63,19 +63,14 @@ for 32bit. The .hmac files contain a HMAC for the internal integrity checking. They -are contained in the package libopenssl1_0_0-hmac, seperate from the -libopenssl1_0_0 package. These hashes are produced as one of the last steps -during the RPM build process. +are contained in the package libopenssl1_0_0. These hashes are produced as +one of the last steps during the RPM build process. If the library starts up in FIPS mode, the .hmac files are read, and the checksum is verified against a new self-measurement of the library. -Essentially, this means that the FIPS mode of operation is not possible -without the .hmac files from the corresponding -hmac package installed. If the library starts up in non-FIPS mode, it checks if the .hmac files exist, and if so, it runs through the self-tests as if it operates in FIPS mode. This self-test in non-FIPS mode is formally mandatory and comes with -a heavy CPU footprint. You can avoid this overhead by un-installing the -libopenssl1_0_0-hmac package (with the consequence that FIPS mode of -operation becomes unavailable). +a heavy CPU footprint. The openssl library operates in non-FIPS mode by default. 
@@ -86,20 +81,9 @@ The openssl library operates in non-FIPS mode by default. As noted above (* general information), the .hmac files for the integrity -self-check of the openssl library are contained in their own package. -Unfortunately, the self-test is mandatory even if the library runs in -non-FIPS mode, causing a significant CPU consumption during openssl's -initialization. You can avoid this overhead by de-installing the -hmac -package if you do not need FIPS mode of operation. - -If you DO need to run binaries that are linked against the openssl -cryptographic library that runs in FIPS mode, you MUST have the -libopenssl1_0_0-hmac package installed. - -!!! If you enable FIPS mode of operation with the methods below, you MUST -!!! have the libopenssl1_0_0-hmac package installed. Programs that runtime-link -!!! against openssl will abort if the FIPS self-tests (including the -!!! integrity check with the .hmac hashes) fail! +self-check of the openssl library. Unfortunately, the self-test is mandatory +even if the library runs in non-FIPS mode, causing a significant CPU +consumption during openssl's initialization. There are three ways to switch the shared libraries listed above to FIPS-140-2 compliant mode: @@ -204,9 +188,6 @@ /lib64/engines/libgmp.so /lib64/engines/libgost.so /lib64/engines/libpadlock.so - -libopenssl1_0_0-hmac -- files: /lib64/.libcrypto.so.1.0.0.hmac /lib64/.libssl.so.1.0.0.hmac @@ -215,9 +196,6 @@ The .so libraries are for the 32bit compatibility mode of the openssl library. -libopenssl1_0_0-hmac-32bit -- files as in package libopenssl1_0_0-hmac, but in /lib/. - libopenssl-devel - header files and static libraries for compiling applications with the openssl library. Please note that running binaries that are statically ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.fsbVMV/_old 2023-06-07 23:07:17.187296127 +0200 +++ /var/tmp/diff_new_pack.fsbVMV/_new 2023-06-07 23:07:17.191296150 +0200 
@@ -1,4 +1,6 @@ libopenssl1_0_0 + provides "libopenssl1_0_0-hmac-<targettype> = <version>-%release" + obsoletes "libopenssl1_0_0-hmac-<targettype> < <version>-%release" libopenssl1_0_0-steam autoreqprov off libopenssl-1_0_0-devel @@ -6,6 +8,4 @@ conflicts "otherproviders(libopenssl-devel-<targettype>)" requires -"openssl-1_0_0-<targettype>" requires "libopenssl1_0_0-<targettype> = <version>" -libopenssl1_0_0-hmac - requires "libopenssl1_0_0-<targettype> = <version>-%release"
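Review bot: In README-FIPS.txt, hunk @@ -86,20 +81,9 @@, the rewritten first sentence has lost its predicate: "the .hmac files for the integrity self-check of the openssl library." no longer says anything about the files. Suggest ending it with "are contained in the libopenssl1_0_0 package", matching the wording used in hunk @@ -63,19 +63,14 @@. The same hunk also deletes the "!!!" warning that programs which runtime-link against openssl will abort if the FIPS self-tests fail; nothing in this patch changes that behaviour, so consider keeping that sentence with only the package requirement dropped.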
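Review bot: In README-FIPS.txt, hunk @@ -63,19 +63,14 @@, the retained text still says the non-FIPS start-up runs the self-tests "if the .hmac files exist", but with the files now shipped in libopenssl1_0_0 they always exist, and the only documented way to avoid the cost (un-installing the -hmac package) is removed without replacement. Say explicitly that the self-test now runs on every initialization of the library and that there is no longer a package-level opt-out, so administrators upgrading from the split layout know to expect the CPU cost. The .changes entry could carry the same one-line notice.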
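Review bot: In openssl-1_0_0.spec, hunk @@ -205,16 +206,6 @@, the removed libopenssl1_0_0-hmac subpackage declared "License: BSD-3-Clause", while libopenssl1_0_0, which takes over the .hmac files in hunk @@ -491,6 +482,8 @@, declares "License: OpenSSL". Confirm that dropping the BSD-3-Clause tag is intended for the merged files, or add a comment next to the new Provides/Obsoletes lines explaining why the library's License field needs no change.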
