fips openssl RPMs?



shawn_protsman
12-Apr-2013, 16:32
According to the README-FIPS.txt file (/usr/share/doc/packages/openssl/README-FIPS.txt) the openssl package includes libopenssl0_9_8-hmac. I've found reference to this being a separate RPM, but I'm unable to find it in the repositories.

According to the recently released security policy (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1930.pdf), the FIPS packages are:

libopenssl0_9_8-hmac-0.9.8j-0.44.1.x86_64.rpm
libopenssl0_9_8-0.9.8j-0.44.1.x86_64.rpm

The latest RPMs I have installed from the repositories are:
openssl-0.9.8j-0.50.1
libopenssl0_9_8-0.9.8j-0.50.1
libopenssl-devel-0.9.8j-0.50.1

Will the hmac RPM be added to the repositories?

Will it be updated to 0.50?

When I compile our apps & libraries I'd like to link to the FIPS certified module.

jmozdzen
12-Apr-2013, 16:49
Hi Shawn,

> the openssl package includes libopenssl0_9_8-hmac. I've found reference to this being a separate RPM, but I'm unable to find it in the repositories.

I see them in the regular update repositories:


jmozdzen@myhost:~> zypper se -s libopenssl0_9_8-hmac
Daten des Repositorys laden ...
Installierte Pakete lesen ...

S | Name | Typ | Version | Arch | Repository
--+----------------------------+-------+---------------+--------+-------------------
| libopenssl0_9_8-hmac | Paket | 0.9.8j-0.50.1 | x86_64 | SLES11-SP2-Updates
| libopenssl0_9_8-hmac | Paket | 0.9.8j-0.44.1 | x86_64 | SLES11-SP1-Updates
| libopenssl0_9_8-hmac-32bit | Paket | 0.9.8j-0.50.1 | x86_64 | SLES11-SP2-Updates
| libopenssl0_9_8-hmac-32bit | Paket | 0.9.8j-0.44.1 | x86_64 | SLES11-SP1-Updates
jmozdzen@myhost:~>

You have not stated your version of SLES - the above is from a SLES11SP2 machine, obviously.

Regards,
Jens

shawn_protsman
12-Apr-2013, 17:15
Hi Jens,

Sorry about that. My build system for SLES packages is a SLED 11SP2 installation.


sprotsman@sled-11sp2 ~$ zypper se -s libopenssl0_9_8-hmac
Loading repository data...
Reading installed packages...
No packages found.
sprotsman@sled-11sp2 ~$ cat /etc/SuSE-release
SUSE Linux Enterprise Desktop 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2

jmozdzen
12-Apr-2013, 18:13
Hi Shawn,

> [building SLES packages on SLED]

would it be possible for you to switch to using a SLES build system? Once you install/register the SDK, much of what you need to build packages ought to be available - and an exact match of what you need for your live server.

Of course, you might try to install the corresponding SLES packages on your SLED system. As I have never had to deal with SLED, I cannot tell what works and what doesn't; sorry I can't help with experience here.

Regards,
Jens

shawn_protsman
12-Apr-2013, 19:43
That is an option.

However, in the past, all the packages we needed to develop and build software for SLE were available on our SLED workstations. Running SLES was overkill and unnecessary (from a cost perspective too). I'm assuming that the hmac packages never got pushed to the SLED updates repositories. There is absolutely ZERO mention of these being SLES only, which means they ought to be available from SLED repositories for our developers.

jmozdzen
12-Apr-2013, 20:03
Hi Shawn,

best I can do is go ask someone from SuSE - but that may take "a day or two" until I receive a reply. I'll post an update once I know more :)

Regards,
Jens

jmozdzen
12-Apr-2013, 20:11
Hi Shawn,

> best I can do is go ask someone from SuSE

Ha - I can do better than that.

From https://www.suse.com/support/update/announcement/2012/suse-su-20120885-1.html:


This update adds libopenssl0_9_8-hmac packages, that, when
installed, will enforce FIPS 140-2 self-test being run
upon first use of the library.
[...]
Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
[...]
SUSE Linux Enterprise Desktop 11 SP2:
zypper in -t patch sledsp1-libopenssl-devel-6521

Could you please check if this solves your problem?

Regards,
Jens

shawn_protsman
15-Apr-2013, 20:23
> Could you please check if this solves your problem?
>
> Regards,
> Jens

Jens, thank you for this. I'll check and get back to you.

HvdHeuvel
25-Apr-2013, 14:52
Hi shawn_protsman


> Hi Shawn,
>
> best I can do is go ask someone from SuSE - but that may take "a day or two" until I receive a reply. I'll post an update once I know more :)
>
> Regards,
> Jens

Apologies for chiming in this late in the game.
I had promised Jens to report back here some time ago already, but things came in between.

The official answer is that this is not an oversight.

This appears to be described a little awkwardly, I agree.

The libopenssl0_9_8-hmac files are required just for FIPS, and there's no plan currently to enable FIPS on SLED.
They are not required for generic SSL development.

So if you need to develop FIPS on SLED, you need to get the SLES packages; they should install just fine.

If you would require FIPS support on SLED, I would suggest you send me a direct email at hvdheuvel [at] novell [dot] com with your details.
I can and will bring this to the attention of the appropriate product manager for SUSE Linux Enterprise Desktop.

Thanks and kind regards
Hans
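
Added example, not part of any post in this thread: a build-host check for the package pairing discussed above, reporting whether libopenssl0_9_8-hmac is installed, whether it matches the installed libopenssl0_9_8, and whether that version-release is the one named in the security policy. The function name and status strings are hypothetical, the sample inputs are constructed from the versions quoted in the thread, and the requirement that both packages carry the same version-release is an assumption (the HMAC files are taken to verify only the library build they shipped with).

```shell
#!/bin/sh
# Input on stdin: lines of "NAME VERSION-RELEASE", for example from
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' libopenssl0_9_8 libopenssl0_9_8-hmac
# (rpm's "package ... is not installed" lines are ignored by the case below).
# $1: the version-release listed in the security policy.
fips_pkg_status() {
    validated=$1
    lib="" hmac=""
    while read -r name ver; do
        case $name in
            libopenssl0_9_8)      lib=$ver ;;
            libopenssl0_9_8-hmac) hmac=$ver ;;
        esac
    done
    if [ -z "$lib" ]; then
        echo "no-library"; return 2
    fi
    if [ -z "$hmac" ]; then
        # Without the hmac package the FIPS self-test is not enforced.
        echo "hmac-missing lib=$lib"; return 1
    fi
    if [ "$lib" != "$hmac" ]; then
        # Assumption: a checksum package from another build will not verify.
        echo "mismatch lib=$lib hmac=$hmac"; return 1
    fi
    if [ "$lib" != "$validated" ]; then
        echo "paired-not-policy-version lib=$lib policy=$validated"; return 3
    fi
    echo "paired-policy-version lib=$lib"
}

# Constructed samples using the versions quoted in the thread.
POLICY_VERSION="0.9.8j-0.44.1"
SLED_SAMPLE="libopenssl0_9_8 0.9.8j-0.50.1
package libopenssl0_9_8-hmac is not installed"
SLES_SAMPLE="libopenssl0_9_8 0.9.8j-0.50.1
libopenssl0_9_8-hmac 0.9.8j-0.50.1"

printf '%s\n' "$SLED_SAMPLE" | fips_pkg_status "$POLICY_VERSION" || true
printf '%s\n' "$SLES_SAMPLE" | fips_pkg_status "$POLICY_VERSION" || true
```
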