Disable FIPS mode

FIPS mode does not work on RHEL-9 since the selftests fail. OpenSSL 1.1 in FIPS mode will not be supported on RHEL-9, so disable it. Apply a minimal patch that keeps the library in the same state otherwise to avoid problems with binary compatibility. Resolves: rhbz#2013669 Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-05-30 17:21:16 +02:00 · 2022-05-30 17:21:16 +02:00 · e3dbb5a483
parent 7618fdaea8
commit e3dbb5a483
3 changed files with 134 additions and 16 deletions
--- a/compat-openssl11.spec
+++ b/compat-openssl11.spec
@ -50,7 +50,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
 Patch42: openssl-1.1.1-fips.patch
-Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
 Patch46: openssl-1.1.1-seclevel.patch
 Patch47: openssl-1.1.1-ts-sha256-default.patch
@ -67,12 +66,16 @@ Patch67: openssl-1.1.1-kdf-selftest.patch
 Patch69: openssl-1.1.1-alpn-cb.patch
 Patch70: openssl-1.1.1-rewire-fips-drbg.patch
 Patch71: openssl-1.1.1-new-config-file.patch
+# This modifies code that was patched before, but removing all FIPS patches
+# comes with a much greater risk of introducing regressions.
+Patch72: openssl-1.1.1-disable-fips.patch
+
 # Backported fixes including security fixes
 Patch52: openssl-1.1.1-s390x-update.patch
 Patch53: openssl-1.1.1-fips-crng-test.patch
 Patch55: openssl-1.1.1-arm-update.patch
 Patch56: openssl-1.1.1-s390x-ecc.patch
-Patch72: openssl-1.1.1-cve-2022-0778.patch
+Patch73: openssl-1.1.1-cve-2022-0778.patch

 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@ -120,7 +123,6 @@ cp %{SOURCE13} test/
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
 %patch42 -p1 -b .fips
-%patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
 %patch46 -p1 -b .seclevel
 %patch47 -p1 -b .ts-sha256-default
@ -141,7 +143,8 @@ cp %{SOURCE13} test/
 %patch69 -p1 -b .alpn-cb
 %patch70 -p1 -b .rewire-fips-drbg
 %patch71 -p1 -b .conf-new
-%patch72 -p1 -b .cve-2022-0778
+%patch72 -p1 -b .disable-fips
+%patch73 -p1 -b .cve-2022-0778

 cp apps/openssl.cnf apps/openssl11.cnf

@ -313,6 +316,8 @@ install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl1
 * Mon May 30 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-4
 - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  Resolves: rhbz#2063148
+- Disable FIPS mode; it does not work and will not be certified
+  Resolves: rhbz#2013669

 * Tue Oct 05 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
 - updates OPENSSL_CONF to openssl11.cnf.
--- a/openssl-1.1.1-disable-fips.patch
+++ b/openssl-1.1.1-disable-fips.patch
@ -0,0 +1,125 @@
+Disable FIPS mode
+
+FIPS mode is not supported for compat-openssl11. Apply a minimal patch
+that will reject explicit enabling of FIPS mode and disable automatic
+activation of FIPS mode.
+
+To avoid regressions, keep the rest of the library as it was.
+
+diff -up openssl-1.1.1k/crypto/fips/fips.c.disable-fips openssl-1.1.1k/crypto/fips/fips.c
+--- openssl-1.1.1k/crypto/fips/fips.c.disable-fips	2022-05-30 17:05:28.604500582 +0200
+++ openssl-1.1.1k/crypto/fips/fips.c	2022-05-30 17:09:46.129110042 +0200
+@@ -405,13 +405,8 @@ static int verify_checksums(void)
+ 
+ int FIPS_module_installed(void)
+ {
+-    int rv;
+-    rv = access(FIPS_MODULE_PATH, F_OK);
+-    if (rv < 0 && errno != ENOENT)
+-        rv = 0;
+-
+     /* Installed == true */
+-    return !rv || FIPS_module_mode();
+    return 0;
+ }
+ 
+ int FIPS_module_mode_set(int onoff)
+diff -up openssl-1.1.1k/crypto/o_fips.c.disable-fips openssl-1.1.1k/crypto/o_fips.c
+--- openssl-1.1.1k/crypto/o_fips.c.disable-fips	2022-05-30 17:05:37.411658179 +0200
+++ openssl-1.1.1k/crypto/o_fips.c	2022-05-30 17:06:25.279514707 +0200
+@@ -12,24 +12,14 @@
+ 
+ int FIPS_mode(void)
+ {
+-#ifdef OPENSSL_FIPS
+-    return FIPS_module_mode();
+-#else
+     /* This version of the library does not support FIPS mode. */
+     return 0;
+-#endif
+ }
+ 
+ int FIPS_mode_set(int r)
+ {
+-#ifdef OPENSSL_FIPS
+-    if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
+-        return 1;
+-    return FIPS_module_mode_set(r);
+-#else
+     if (r == 0)
+         return 1;
+     CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
+     return 0;
+-#endif
+ }
+diff -up openssl-1.1.1k/crypto/o_init.c.disable-fips openssl-1.1.1k/crypto/o_init.c
+--- openssl-1.1.1k/crypto/o_init.c.disable-fips	2022-05-30 17:06:58.250104676 +0200
+++ openssl-1.1.1k/crypto/o_init.c	2022-05-30 17:17:12.369135344 +0200
+@@ -7,55 +7,9 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
+-/* for secure_getenv */
+-#define _GNU_SOURCE
+ #include "e_os.h"
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
+-# include <sys/types.h>
+-# include <sys/stat.h>
+-# include <fcntl.h>
+-# include <unistd.h>
+-# include <errno.h>
+-# include <stdlib.h>
+-# include <openssl/rand.h>
+-# include <openssl/fips.h>
+-# include "crypto/fips.h"
+-
+-# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+-
+-static void init_fips_mode(void)
+-{
+-    char buf[2] = "0";
+-    int fd;
+-
+-    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+-        buf[0] = '1';
+-    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+-        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+-        close(fd);
+-    }
+-
+-    if (buf[0] != '1' && !FIPS_module_installed())
+-        return;
+-
+-    /* Ensure the selftests always run */
+-    /* XXX: TO SOLVE - premature initialization due to selftests */
+-    FIPS_mode_set(1);
+-
+-    /* Failure reading the fips mode switch file means just not
+-     * switching into FIPS mode. We would break too many things
+-     * otherwise..
+-     */
+-
+-    if (buf[0] != '1') {
+-        /* drop down to non-FIPS mode if it is not requested */
+-        FIPS_mode_set(0);
+-    } else {
+-        /* abort if selftest failed */
+-        FIPS_selftest_check();
+-    }
+-}
+ 
+ /*
+  * Perform FIPS module power on selftest and automatic FIPS mode switch.
+@@ -63,11 +17,6 @@ static void init_fips_mode(void)
+ 
+ void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ {
+-    static int done = 0;
+-    if (done)
+-        return;
+-    done = 1;
+-    init_fips_mode();
+ }
+ #endif
+ 
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@ -1,12 +0,0 @@
-diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h
--- openssl-1.1.1i/include/openssl/opensslv.h.version-override	2020-12-09 10:25:12.042374409 +0100
-+++ openssl-1.1.1i/include/openssl/opensslv.h	2020-12-09 10:26:00.362769170 +0100
-@@ -40,7 +40,7 @@ extern "C" {
-  *  major minor fix final patch/beta)
-  */
- # define OPENSSL_VERSION_NUMBER  0x101010bfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  25 Mar 2021"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  FIPS 25 Mar 2021"
- 
- /*-
-  * The macros below are to be used for shared library (.so, .dll, ...)