FIPS module installed state definition is modified

This commit is contained in:
Tomas Mraz 2020-05-15 17:45:44 +02:00
parent 0f4ce87941
commit 89a24d69fc
2 changed files with 14 additions and 10 deletions


@ -2303,7 +2303,7 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips openssl-1.1.1e/crypto/fips/fips.
+ rv = 0; + rv = 0;
+ +
+ /* Installed == true */ + /* Installed == true */
+ return !rv; + return !rv || FIPS_module_mode();
+} +}
+ +
+int FIPS_module_mode_set(int onoff) +int FIPS_module_mode_set(int onoff)
@ -9865,7 +9865,7 @@ diff -up openssl-1.1.1e/crypto/o_fips.c.fips openssl-1.1.1e/crypto/o_fips.c
diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
--- openssl-1.1.1e/crypto/o_init.c.fips 2020-03-17 15:31:17.000000000 +0100 --- openssl-1.1.1e/crypto/o_init.c.fips 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/o_init.c 2020-03-17 17:30:52.052566939 +0100 +++ openssl-1.1.1e/crypto/o_init.c 2020-03-17 17:30:52.052566939 +0100
@@ -7,8 +7,68 @@ @@ -7,8 +7,69 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
@ -9891,16 +9891,20 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
+ char buf[2] = "0"; + char buf[2] = "0";
+ int fd; + int fd;
+ +
+ /* Ensure the selftests always run */
+ /* XXX: TO SOLVE - premature initialization due to selftests */
+ FIPS_mode_set(1);
+
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1'; + buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd); + close(fd);
+ } + }
+
+ if (buf[0] != '1' && !FIPS_module_installed())
+ return;
+
+ /* Ensure the selftests always run */
+ /* XXX: TO SOLVE - premature initialization due to selftests */
+ FIPS_mode_set(1);
+
+ /* Failure reading the fips mode switch file means just not + /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things + * switching into FIPS mode. We would break too many things
+ * otherwise.. + * otherwise..
@ -9925,9 +9929,6 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
+ if (done) + if (done)
+ return; + return;
+ done = 1; + done = 1;
+ if (!FIPS_module_installed()) {
+ return;
+ }
+ init_fips_mode(); + init_fips_mode();
+} +}
+#endif +#endif
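Review bot: The comment `/* Ensure the selftests always run */` kept above the moved `FIPS_mode_set(1)` call in the o_init.c hunk is no longer true, because the new early return `if (buf[0] != '1' && !FIPS_module_installed()) return;` now precedes it, so the selftests are skipped whenever neither OPENSSL_FORCE_FIPS_MODE nor the switch file requests FIPS mode and the module is not installed; a reader auditing when the integrity check runs will be misled, so reword it to `/* Run the selftests whenever FIPS mode was requested or the module is installed */`. The case where the switch file says '1' but FIPS_module_installed() is false still reaches FIPS_mode_set(1); what happens with its result is outside this hunk (init_fips_mode continues past the hunk end), so it is worth confirming that failure there is handled rather than silently leaving a non-validated module in use. The new two-line `if` is unbraced while the same file's removed check in the third hunk used braces; brace it for consistency. The definition change to FIPS_module_installed in the first hunk (`return !rv || FIPS_module_mode();`) means "installed" is also reported whenever FIPS mode is already on, which is consistent with the new caller but should be stated in a comment on that return, e.g. `/* Installed, or already running in FIPS mode */`.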


@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1g Version: 1.1.1g
Release: 1%{?dist} Release: 2%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -457,6 +457,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Fri May 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-2
- FIPS module installed state definition is modified
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1 * Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
- update to the 1.1.1g release - update to the 1.1.1g release