Bug 2070550
| Summary: | Change FIPS module version to include hash of specfile, patches and sources | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Clemens Lang <cllang> | |
| Component: | openssl | Assignee: | Clemens Lang <cllang> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Stanislav Zidek <szidek> | |
| Severity: | low | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 9.0 | CC: | dbelyavs, ssorce | |
| Target Milestone: | rc | Keywords: | Triaged, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openssl-3.0.1-29.el9 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2082585 (view as bug list) | Environment: | ||
| Last Closed: | 2023-06-05 16:06:43 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2082585 | |||
RHEL 9.1 contains openssl-3.0.1-43.el9_0. |
Description of problem: The FIPS module version should uniquely identify a build that we do, so that we can be sure which specific binary is being submitted for validation and was certified. At the moment, OpenSSL uses %{version}-%(date +%Y-%m-%d), which brings some risks w.r.t. build server timezone and differing build time on different architectures. The gnutls and libgcrypt specfiles came up with a nice solution for the problem that uses a hash over the specfile, all source files, and all patches. Since our infrastructure will never rebuild a package with the same NVR, a modification to the specfile is necessary to get a new build, and the FIPS module version will automatically change due to that. We should change to the method used by gnutls and libgcrypt, see https://gitlab.com/redhat/centos-stream/rpms/gnutls/-/blob/c9s/gnutls.spec#L1-13 and https://gitlab.com/redhat/centos-stream/rpms/libgcrypt/-/blob/c9s/libgcrypt.spec#L1-14. Version-Release number of selected component (if applicable): openssl-3.0.1-20.el9_0 How reproducible: Use openssl list -providers to list the FIPS module version Steps to Reproduce: 1. ft 9.0 + redhat.crypto.fips + ssh 2. openssl list -providers | grep -A1 FIPS Actual results: name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider version: 3.0.1-20220318 Expected results: name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider version: 3.0.1-[a-f0-9]{16}