diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 7a0580f..4fd1117 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -2303,7 +2303,7 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips openssl-1.1.1e/crypto/fips/fips. + rv = 0; + + /* Installed == true */ -+ return !rv; ++ return !rv || FIPS_module_mode(); +} + +int FIPS_module_mode_set(int onoff) @@ -9865,7 +9865,7 @@ diff -up openssl-1.1.1e/crypto/o_fips.c.fips openssl-1.1.1e/crypto/o_fips.c diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c --- openssl-1.1.1e/crypto/o_init.c.fips 2020-03-17 15:31:17.000000000 +0100 +++ openssl-1.1.1e/crypto/o_init.c 2020-03-17 17:30:52.052566939 +0100 -@@ -7,8 +7,68 @@ +@@ -7,8 +7,69 @@ * https://www.openssl.org/source/license.html */ @@ -9891,16 +9891,20 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c + char buf[2] = "0"; + int fd; + -+ /* Ensure the selftests always run */ -+ /* XXX: TO SOLVE - premature initialization due to selftests */ -+ FIPS_mode_set(1); -+ + if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; + close(fd); + } ++ ++ if (buf[0] != '1' && !FIPS_module_installed()) ++ return; ++ ++ /* Ensure the selftests always run */ ++ /* XXX: TO SOLVE - premature initialization due to selftests */ ++ FIPS_mode_set(1); ++ + /* Failure reading the fips mode switch file means just not + * switching into FIPS mode. We would break too many things + * otherwise.. @@ -9925,9 +9929,6 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c + if (done) + return; + done = 1; -+ if (!FIPS_module_installed()) { -+ return; -+ } + init_fips_mode(); +} +#endif diff --git a/openssl.spec b/openssl.spec index a3a2e23..e4c2cba 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1g -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -457,6 +457,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Fri May 15 2020 Tomáš Mráz 1.1.1g-2 +- FIPS module installed state definition is modified + * Thu Apr 23 2020 Tomáš Mráz 1.1.1g-1 - update to the 1.1.1g release