Re-apply "FIPS module installed state definition is modified"
This reverts commit 1bc9545b38 and re-applies the previous change "FIPS module installed state definition is modified", commit 89a24d69fc. We have updated the builders to the newer nosync version, which should work with this change now, so we can try it again.
parent
87eaf879ac
commit
6e23655506
@ -2303,7 +2303,7 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips openssl-1.1.1e/crypto/fips/fips.
|
||||
+ rv = 0;
|
||||
+
|
||||
+ /* Installed == true */
|
||||
+ return !rv;
|
||||
+ return !rv || FIPS_module_mode();
|
||||
+}
|
||||
+
|
||||
+int FIPS_module_mode_set(int onoff)
|
||||
@ -9865,7 +9865,7 @@ diff -up openssl-1.1.1e/crypto/o_fips.c.fips openssl-1.1.1e/crypto/o_fips.c
|
||||
diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
|
||||
--- openssl-1.1.1e/crypto/o_init.c.fips 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/o_init.c 2020-03-17 17:30:52.052566939 +0100
|
||||
@@ -7,8 +7,68 @@
|
||||
@@ -7,8 +7,69 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
@ -9891,16 +9891,20 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
|
||||
+ char buf[2] = "0";
|
||||
+ int fd;
|
||||
+
|
||||
+ /* Ensure the selftests always run */
|
||||
+ /* XXX: TO SOLVE - premature initialization due to selftests */
|
||||
+ FIPS_mode_set(1);
|
||||
+
|
||||
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ buf[0] = '1';
|
||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
+ if (buf[0] != '1' && !FIPS_module_installed())
|
||||
+ return;
|
||||
+
|
||||
+ /* Ensure the selftests always run */
|
||||
+ /* XXX: TO SOLVE - premature initialization due to selftests */
|
||||
+ FIPS_mode_set(1);
|
||||
+
|
||||
+ /* Failure reading the fips mode switch file means just not
|
||||
+ * switching into FIPS mode. We would break too many things
|
||||
+ * otherwise..
|
||||
@ -9925,9 +9929,6 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
|
||||
+ if (done)
|
||||
+ return;
|
||||
+ done = 1;
|
||||
+ if (!FIPS_module_installed()) {
|
||||
+ return;
|
||||
+ }
|
||||
+ init_fips_mode();
|
||||
+}
|
||||
+#endif
|
||||
|
||||
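Review bot: The comment `/* Ensure the selftests always run */` in init_fips_mode() no longer matches the code if, as the re-applied change suggests, the new side is the copy where `FIPS_mode_set(1)` sits after `if (buf[0] != '1' && !FIPS_module_installed()) return;`. On that path a process with no FIPS request and no installed module returns before any self-test, so the comment should say so, for example `/* Run the selftests when FIPS mode is requested or the module is installed */`. The same applies to `/* Installed == true */` in the fips.c hunk, where `return !rv || FIPS_module_mode();` makes the function report "installed" whenever the module is already in FIPS mode, not only when the install check succeeds; a one-line comment stating both conditions would help auditors. The return value of `FIPS_mode_set(1)` is not checked in the visible lines, but the body of init_fips_mode() continues outside the hunk, so confirm that a self-test failure is handled there.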