diff --git a/openssl-1.0.1e-fips-ctor.patch b/openssl-1.0.1e-fips-ctor.patch new file mode 100644 index 0000000..71205fd --- /dev/null +++ b/openssl-1.0.1e-fips-ctor.patch @@ -0,0 +1,102 @@ +diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c +--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-08-27 15:44:08.000000000 +0200 ++++ openssl-1.0.1e/crypto/fips/fips.c 2013-08-29 11:13:04.279245656 +0200 +@@ -60,6 +60,8 @@ + #include + #include + #include ++#include ++#include + #include "fips_locl.h" + + #ifdef OPENSSL_FIPS +@@ -341,6 +343,32 @@ end: + return 1; + } + ++int FIPS_module_installed(void) ++ { ++ char path[PATH_MAX+1]; ++ int rv; ++ char *hmacpath, *p; ++ char *hmac = NULL; ++ size_t n; ++ ++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); ++ ++ if (rv < 0) ++ return 0; ++ ++ hmacpath = make_hmac_path(path); ++ if (hmacpath == NULL) ++ return 0; ++ ++ rv = access(hmacpath, F_OK); ++ if (rv < 0 && errno != ENOENT) ++ rv = 0; ++ ++ free(hmacpath); ++ /* Installed == true */ ++ return !rv; ++ } ++ + int FIPS_module_mode_set(int onoff, const char *auth) + { + int ret = 0; +diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h +--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-08-27 15:44:08.000000000 +0200 ++++ openssl-1.0.1e/crypto/fips/fips.h 2013-08-29 11:41:04.233049349 +0200 +@@ -74,6 +74,7 @@ struct hmac_ctx_st; + + int FIPS_module_mode_set(int onoff, const char *auth); + int FIPS_module_mode(void); ++int FIPS_module_installed(void); + const void *FIPS_rand_check(void); + int FIPS_selftest(void); + int FIPS_selftest_failed(void); +diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c +--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-08-27 15:44:09.000000000 +0200 ++++ openssl-1.0.1e/crypto/o_init.c 2013-08-29 11:39:37.760101734 +0200 +@@ -73,6 +73,10 @@ static void init_fips_mode(void) + char buf[2] = "0"; + int fd; + ++ /* Ensure the selftests always run and abort on error */ ++ FIPS_mode_set(1); ++ FIPS_selftest_check(); ++ + if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) + { + buf[0] = '1'; +@@ -87,9 +91,10 @@ static void init_fips_mode(void) + * otherwise. + */ + +- if (buf[0] == '1') ++ if (buf[0] != '1') + { +- FIPS_mode_set(1); ++ /* drop down to non-FIPS mode if it is not requested */ ++ FIPS_mode_set(0); + } + } + #endif +@@ -98,13 +103,17 @@ static void init_fips_mode(void) + * Currently only sets FIPS callbacks + */ + +-void OPENSSL_init_library(void) ++void __attribute__ ((constructor)) OPENSSL_init_library(void) + { + static int done = 0; + if (done) + return; + done = 1; + #ifdef OPENSSL_FIPS ++ if (!FIPS_module_installed()) ++ { ++ return; ++ } + RAND_init_fips(); + init_fips_mode(); + if (!FIPS_mode()) diff --git a/openssl.spec b/openssl.spec index 68feaec..a067d75 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,7 +21,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1e -Release: 16%{?dist} +Release: 17%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -70,6 +70,7 @@ Patch66: openssl-1.0.1-pkgconfig-krb5.patch Patch68: openssl-1.0.1e-secure-getenv.patch Patch69: openssl-1.0.1c-dh-1024.patch Patch71: openssl-1.0.1e-manfix.patch +Patch72: openssl-1.0.1e-fips-ctor.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch Patch82: openssl-1.0.1e-backports.patch @@ -189,6 +190,7 @@ OpenSSL FIPS module. %patch81 -p1 -b .padlock64 %patch82 -p1 -b .backports %patch71 -p1 -b .manfix +%patch72 -p1 -b .fips-ctor %patch83 -p1 -b .bad-mac %patch84 -p1 -b .trusted-first @@ -466,6 +468,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || : %changelog +* Thu Aug 29 2013 Tomas Mraz 1.0.1e-17 +- always perform the FIPS selftests in library constructor + if FIPS module is installed + * Tue Aug 27 2013 Tomas Mraz 1.0.1e-16 - add -fips subpackage that contains the FIPS module files