jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

always perform the FIPS selftests in library constructor

Browse Source 
if FIPS module is installed
This commit is contained in:
Tomas Mraz 2013-08-29 11:45:04 +02:00
parent bb2f3882f2
commit 1465572e17
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
openssl-1.0.1e-fips-ctor.patch Normal file
View File

@ -0,0 +1,102 @@
diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-08-27 15:44:08.000000000 +0200
+++ openssl-1.0.1e/crypto/fips/fips.c 2013-08-29 11:13:04.279245656 +0200
@@ -60,6 +60,8 @@
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -341,6 +343,32 @@ end:
return 1;
}
+int FIPS_module_installed(void)
+ {
+ char path[PATH_MAX+1];
+ int rv;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
+
+ if (rv < 0)
+ return 0;
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+
+ rv = access(hmacpath, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ free(hmacpath);
+ /* Installed == true */
+ return !rv;
+ }
+
int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-08-27 15:44:08.000000000 +0200
+++ openssl-1.0.1e/crypto/fips/fips.h 2013-08-29 11:41:04.233049349 +0200
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
int FIPS_module_mode_set(int onoff, const char *auth);
int FIPS_module_mode(void);
+int FIPS_module_installed(void);
const void *FIPS_rand_check(void);
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-08-27 15:44:09.000000000 +0200
+++ openssl-1.0.1e/crypto/o_init.c 2013-08-29 11:39:37.760101734 +0200
@@ -73,6 +73,10 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
+ /* Ensure the selftests always run and abort on error */
+ FIPS_mode_set(1);
+ FIPS_selftest_check();
+
if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
{
buf[0] = '1';
@@ -87,9 +91,10 @@ static void init_fips_mode(void)
* otherwise.
*/
- if (buf[0] == '1')
+ if (buf[0] != '1')
{
- FIPS_mode_set(1);
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
}
}
#endif
@@ -98,13 +103,17 @@ static void init_fips_mode(void)
* Currently only sets FIPS callbacks
*/
-void OPENSSL_init_library(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
+ if (!FIPS_module_installed())
+ {
+ return;
+ }
RAND_init_fips();
init_fips_mode();
if (!FIPS_mode())

8
openssl.spec
View File

@ -21,7 +21,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.1e Version: 1.0.1e
Release: 16%{?dist} Release: 17%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -70,6 +70,7 @@ Patch66: openssl-1.0.1-pkgconfig-krb5.patch
Patch68: openssl-1.0.1e-secure-getenv.patch Patch68: openssl-1.0.1e-secure-getenv.patch
Patch69: openssl-1.0.1c-dh-1024.patch Patch69: openssl-1.0.1c-dh-1024.patch
Patch71: openssl-1.0.1e-manfix.patch Patch71: openssl-1.0.1e-manfix.patch
Patch72: openssl-1.0.1e-fips-ctor.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch81: openssl-1.0.1-beta2-padlock64.patch Patch81: openssl-1.0.1-beta2-padlock64.patch
Patch82: openssl-1.0.1e-backports.patch Patch82: openssl-1.0.1e-backports.patch
@ -189,6 +190,7 @@ OpenSSL FIPS module.
%patch81 -p1 -b .padlock64 %patch81 -p1 -b .padlock64
%patch82 -p1 -b .backports %patch82 -p1 -b .backports
%patch71 -p1 -b .manfix %patch71 -p1 -b .manfix
%patch72 -p1 -b .fips-ctor
%patch83 -p1 -b .bad-mac %patch83 -p1 -b .bad-mac
%patch84 -p1 -b .trusted-first %patch84 -p1 -b .trusted-first
@ -466,6 +468,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || : prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :
%changelog %changelog
* Thu Aug 29 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-17
- always perform the FIPS selftests in library constructor
if FIPS module is installed
* Tue Aug 27 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-16 * Tue Aug 27 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-16
- add -fips subpackage that contains the FIPS module files - add -fips subpackage that contains the FIPS module files