From 061f3845e182b30093da1e5efbb16056c0313001 Mon Sep 17 00:00:00 2001 From: Peter Lemenkov Date: Oct 12 2021 14:12:20 +0000 Subject: Fix FTBFS with OpenSSL 3.0 Signed-off-by: Peter Lemenkov --- diff --git a/erlang.spec b/erlang.spec index c00a925..e90db9b 100644 --- a/erlang.spec +++ b/erlang.spec @@ -64,7 +64,7 @@ Name: erlang Version: 24.1.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: General-purpose programming language and runtime environment License: ASL 2.0 @@ -104,6 +104,7 @@ Patch6: otp-0006-Do-not-install-erlang-sources.patch Patch7: otp-0007-Add-extra-search-directory.patch Patch8: otp-0008-Avoid-forking-sed-to-get-basename.patch Patch9: otp-0009-Load-man-pages-from-system-wide-directory.patch +Patch10: otp-0010-Allow-openssl-3.0.0-FIPS-compilation.patch # end of autogenerated patch tag list BuildRequires: gcc @@ -1902,6 +1903,9 @@ useradd -r -g epmd -d /dev/null -s /sbin/nologin \ %changelog +* Tue Oct 12 2021 Peter Lemenkov - 24.1.2-2 +- Fix FTBFS with OpenSSL 3.0 + * Tue Oct 5 2021 Peter Lemenkov - 24.1.2-1 - Ver. 24.1.2 diff --git a/otp-0010-Allow-openssl-3.0.0-FIPS-compilation.patch b/otp-0010-Allow-openssl-3.0.0-FIPS-compilation.patch new file mode 100644 index 0000000..13c41f7 --- /dev/null +++ b/otp-0010-Allow-openssl-3.0.0-FIPS-compilation.patch 
@@ -0,0 +1,75 @@ +From: Michele Baldessari +Date: Tue, 28 Sep 2021 17:26:16 +0200 +Subject: [PATCH] Allow openssl-3.0.0 FIPS compilation + +Openssl 3.0.0 dropped support for the old way of adding fips +and in particular it dropped support for FIPS_mode() and +FIPS_mode_set(). + +In RHEL9, openssl-3.0.0 ships a compat macro for FIPS_mode(), so +this change focuses on replacing FIPS_mode_set() + +Compiled erlang-erts-24.1-1.el9.x86_64 with this patch and then tested as follows: +A. Booted the system with fips enabled: +[root@rhel9 ~]# fips-mode-setup --check +FIPS mode is enabled. + +B. Set up a fips config file: +cat > fips.config< crypto:info_fips(). +not_enabled +2> crypto:enable_fips_mode(true). +true +3> crypto:info_fips(). +enabled + +D. Verified that the ciphers when using fips are a subset of the usual +ciphers: + +4> crypto:supports(). +[{hashs,[sha,sha224,sha256,sha384,sha512,sha3_224,sha3_256, + sha3_384,sha3_512,blake2b,blake2s]}, + {ciphers,[aes_cbc,aes_ccm,aes_cfb128,aes_cfb8,aes_ctr, + aes_ecb,aes_gcm,des_ede3_cfb,aes_128_cbc,aes_192_cbc, + aes_256_cbc,aes_128_cfb128,aes_192_cfb128,aes_256_cfb128, + aes_128_cfb8,aes_192_cfb8,aes_256_cfb8,aes_128_ecb, + aes_192_ecb,aes_256_ecb,aes_256_gcm,aes_256_ccm,aes_192_gcm, + aes_192_ccm,aes_128_gcm|...]}, + {public_keys,[rsa,dss,dh,ecdsa,ecdh]}, + {macs,[cmac,hmac,poly1305]}, + {curves,[]}, + {rsa_opts,[rsa_pkcs1_pss_padding,rsa_pss_saltlen, + rsa_mgf1_md,rsa_pkcs1_oaep_padding,rsa_oaep_label, + rsa_oaep_md,signature_md,rsa_pkcs1_padding,rsa_x931_padding, + rsa_no_padding]}] + +Note that we could probably just have patched out the FIPS_mode_set() +calls as FIPS gets enforced on the system. The automatism is going to +come with a version of openssl that is later than > openssl-3.0.0-2. 
+
+Co-Authored-By: John Eckersberg
+Co-Authored-By: Damien Ciabrini
+
+[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
+
+diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
+index 9ef04fca3c..59f6e94b23 100644
+--- a/lib/crypto/c_src/openssl_config.h
++++ b/lib/crypto/c_src/openssl_config.h
+@@ -427,6 +427,10 @@ do { \
+ # undef FIPS_SUPPORT
+ #endif
+
++#if defined(FIPS_SUPPORT) \
++ && OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(3,0,0) & ~0xff)
++#define FIPS_mode_set(fips_mode) EVP_default_properties_enable_fips(NULL, fips_mode)
++#endif
+
+ #ifdef FIPS_SUPPORT
+ /* In FIPS mode non-FIPS algorithms are disabled and return badarg. */
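Review bot: The FIPS_mode_set() replacement added in the openssl_config.h hunk reports success whenever EVP_default_properties_enable_fips() accepts the "fips=yes" default property, and that call does not require a FIPS provider to be loaded, whereas the legacy FIPS_mode_set(1) presumably failed when no FIPS module was present; with this macro crypto:enable_fips_mode(true) can return true on a host without the provider configured and, as far as I can tell, subsequent algorithm fetches then fail rather than the enable call. Consider tying the result to provider availability, e.g. `#define FIPS_mode_set(m) (((m) && !OSSL_PROVIDER_available(NULL, "fips")) ? 0 : EVP_default_properties_enable_fips(NULL, (m)))`, which needs `#include <openssl/provider.h>` (not visible in this hunk). The commit message states that FIPS_mode() only survives as a RHEL 9 compat macro, so defining `#define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)` under the same guard would keep the build and crypto:info_fips() consistent on stock OpenSSL 3 as well; a short comment above the block, `/* OpenSSL 3: FIPS_mode_set() is gone; only set the default "fips=yes" property query, the provider itself must be loaded via config */`, would make the limitation explicit. This is a patch embedded in a patch, and the otp-0010 file may continue past this chunk.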