jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity
210c37e906
openssl/0009-Add-Kernel-FIPS-mode-flag-support.patch
Dmitry Belyavskiy 5c4e10ac26 FIPS provider auto activation 
When FIPS flag is on, we load fips provider and set properties to fips.
FIPS checksum is embedded in FIPS provider itself
Related: rhbz#1985362
2021-11-23 15:01:33 +01:00

72 lines
2.0 KiB
Diff
Raw Blame History

diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
@@ -12,11 +12,46 @@
#include "internal/bio.h"
#include "internal/provider.h"
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <unistd.h>
+# include <openssl/evp.h>
+
struct ossl_lib_ctx_onfree_list_st {
ossl_lib_ctx_onfree_fn *fn;
struct ossl_lib_ctx_onfree_list_st *next;
};
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static int kernel_fips_flag;
+
+static void read_kernel_fips_flag(void)
+{
+ char buf[2] = "0";
+ int fd;
+
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+
+ if (buf[0] == '1') {
+ kernel_fips_flag = 1;
+ }
+
+ return;
+}
+
+int ossl_get_kernel_fips_flag()
+{
+ return kernel_fips_flag;
+}
+
+
struct ossl_lib_ctx_st {
CRYPTO_RWLOCK *lock;
CRYPTO_EX_DATA data;
@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
{
+ read_kernel_fips_flag();
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
&& context_init(&default_context_int);
}
diff -up openssl-3.0.0/include/internal/provider.h.embed-fips openssl-3.0.0/include/internal/provider.h
--- openssl-3.0.0/include/internal/provider.h.embed-fips 2021-11-12 12:18:36.215333452 +0100
+++ openssl-3.0.0/include/internal/provider.h 2021-11-12 12:22:41.298409269 +0100
@@ -109,6 +109,9 @@ int ossl_provider_init_as_child(OSSL_LIB
const OSSL_CORE_HANDLE *handle,
const OSSL_DISPATCH *in);
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
# ifdef __cplusplus
}
# endif
View Git Blame Copy Permalink