Disable FIPS mode
FIPS mode does not work on RHEL-9 since the selftests fail. OpenSSL 1.1 in FIPS mode will not be supported on RHEL-9, so disable it. Apply a minimal patch that keeps the library in the same state otherwise to avoid problems with binary compatibility. Resolves: rhbz#2013669 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
7618fdaea8
commit
e3dbb5a483
@ -50,7 +50,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
|
||||
Patch40: openssl-1.1.1-disable-ssl3.patch
|
||||
Patch41: openssl-1.1.1-system-cipherlist.patch
|
||||
Patch42: openssl-1.1.1-fips.patch
|
||||
Patch44: openssl-1.1.1-version-override.patch
|
||||
Patch45: openssl-1.1.1-weak-ciphers.patch
|
||||
Patch46: openssl-1.1.1-seclevel.patch
|
||||
Patch47: openssl-1.1.1-ts-sha256-default.patch
|
||||
@ -67,12 +66,16 @@ Patch67: openssl-1.1.1-kdf-selftest.patch
|
||||
Patch69: openssl-1.1.1-alpn-cb.patch
|
||||
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
|
||||
Patch71: openssl-1.1.1-new-config-file.patch
|
||||
# This modifies code that was patched before, but removing all FIPS patches
|
||||
# comes with a much greater risk of introducing regressions.
|
||||
Patch72: openssl-1.1.1-disable-fips.patch
|
||||
|
||||
# Backported fixes including security fixes
|
||||
Patch52: openssl-1.1.1-s390x-update.patch
|
||||
Patch53: openssl-1.1.1-fips-crng-test.patch
|
||||
Patch55: openssl-1.1.1-arm-update.patch
|
||||
Patch56: openssl-1.1.1-s390x-ecc.patch
|
||||
Patch72: openssl-1.1.1-cve-2022-0778.patch
|
||||
Patch73: openssl-1.1.1-cve-2022-0778.patch
|
||||
|
||||
License: OpenSSL and ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -120,7 +123,6 @@ cp %{SOURCE13} test/
|
||||
%patch40 -p1 -b .disable-ssl3
|
||||
%patch41 -p1 -b .system-cipherlist
|
||||
%patch42 -p1 -b .fips
|
||||
%patch44 -p1 -b .version-override
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
%patch46 -p1 -b .seclevel
|
||||
%patch47 -p1 -b .ts-sha256-default
|
||||
@ -141,7 +143,8 @@ cp %{SOURCE13} test/
|
||||
%patch69 -p1 -b .alpn-cb
|
||||
%patch70 -p1 -b .rewire-fips-drbg
|
||||
%patch71 -p1 -b .conf-new
|
||||
%patch72 -p1 -b .cve-2022-0778
|
||||
%patch72 -p1 -b .disable-fips
|
||||
%patch73 -p1 -b .cve-2022-0778
|
||||
|
||||
cp apps/openssl.cnf apps/openssl11.cnf
|
||||
|
||||
@ -313,6 +316,8 @@ install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl1
|
||||
* Mon May 30 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-4
|
||||
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||
Resolves: rhbz#2063148
|
||||
- Disable FIPS mode; it does not work and will not be certified
|
||||
Resolves: rhbz#2013669
|
||||
|
||||
* Tue Oct 05 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
|
||||
- updates OPENSSL_CONF to openssl11.cnf.
|
||||
|
125
openssl-1.1.1-disable-fips.patch
Normal file
125
openssl-1.1.1-disable-fips.patch
Normal file
@ -0,0 +1,125 @@
|
||||
Disable FIPS mode
|
||||
|
||||
FIPS mode is not supported for compat-openssl11. Apply a minimal patch
|
||||
that will reject explicit enabling of FIPS mode and disable automatic
|
||||
activation of FIPS mode.
|
||||
|
||||
To avoid regressions, keep the rest of the library as it was.
|
||||
|
||||
diff -up openssl-1.1.1k/crypto/fips/fips.c.disable-fips openssl-1.1.1k/crypto/fips/fips.c
|
||||
--- openssl-1.1.1k/crypto/fips/fips.c.disable-fips 2022-05-30 17:05:28.604500582 +0200
|
||||
+++ openssl-1.1.1k/crypto/fips/fips.c 2022-05-30 17:09:46.129110042 +0200
|
||||
@@ -405,13 +405,8 @@ static int verify_checksums(void)
|
||||
|
||||
int FIPS_module_installed(void)
|
||||
{
|
||||
- int rv;
|
||||
- rv = access(FIPS_MODULE_PATH, F_OK);
|
||||
- if (rv < 0 && errno != ENOENT)
|
||||
- rv = 0;
|
||||
-
|
||||
/* Installed == true */
|
||||
- return !rv || FIPS_module_mode();
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
int FIPS_module_mode_set(int onoff)
|
||||
diff -up openssl-1.1.1k/crypto/o_fips.c.disable-fips openssl-1.1.1k/crypto/o_fips.c
|
||||
--- openssl-1.1.1k/crypto/o_fips.c.disable-fips 2022-05-30 17:05:37.411658179 +0200
|
||||
+++ openssl-1.1.1k/crypto/o_fips.c 2022-05-30 17:06:25.279514707 +0200
|
||||
@@ -12,24 +12,14 @@
|
||||
|
||||
int FIPS_mode(void)
|
||||
{
|
||||
-#ifdef OPENSSL_FIPS
|
||||
- return FIPS_module_mode();
|
||||
-#else
|
||||
/* This version of the library does not support FIPS mode. */
|
||||
return 0;
|
||||
-#endif
|
||||
}
|
||||
|
||||
int FIPS_mode_set(int r)
|
||||
{
|
||||
-#ifdef OPENSSL_FIPS
|
||||
- if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
|
||||
- return 1;
|
||||
- return FIPS_module_mode_set(r);
|
||||
-#else
|
||||
if (r == 0)
|
||||
return 1;
|
||||
CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
|
||||
return 0;
|
||||
-#endif
|
||||
}
|
||||
diff -up openssl-1.1.1k/crypto/o_init.c.disable-fips openssl-1.1.1k/crypto/o_init.c
|
||||
--- openssl-1.1.1k/crypto/o_init.c.disable-fips 2022-05-30 17:06:58.250104676 +0200
|
||||
+++ openssl-1.1.1k/crypto/o_init.c 2022-05-30 17:17:12.369135344 +0200
|
||||
@@ -7,55 +7,9 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
-/* for secure_getenv */
|
||||
-#define _GNU_SOURCE
|
||||
#include "e_os.h"
|
||||
#include <openssl/err.h>
|
||||
#ifdef OPENSSL_FIPS
|
||||
-# include <sys/types.h>
|
||||
-# include <sys/stat.h>
|
||||
-# include <fcntl.h>
|
||||
-# include <unistd.h>
|
||||
-# include <errno.h>
|
||||
-# include <stdlib.h>
|
||||
-# include <openssl/rand.h>
|
||||
-# include <openssl/fips.h>
|
||||
-# include "crypto/fips.h"
|
||||
-
|
||||
-# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
-
|
||||
-static void init_fips_mode(void)
|
||||
-{
|
||||
- char buf[2] = "0";
|
||||
- int fd;
|
||||
-
|
||||
- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
- buf[0] = '1';
|
||||
- } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
- close(fd);
|
||||
- }
|
||||
-
|
||||
- if (buf[0] != '1' && !FIPS_module_installed())
|
||||
- return;
|
||||
-
|
||||
- /* Ensure the selftests always run */
|
||||
- /* XXX: TO SOLVE - premature initialization due to selftests */
|
||||
- FIPS_mode_set(1);
|
||||
-
|
||||
- /* Failure reading the fips mode switch file means just not
|
||||
- * switching into FIPS mode. We would break too many things
|
||||
- * otherwise..
|
||||
- */
|
||||
-
|
||||
- if (buf[0] != '1') {
|
||||
- /* drop down to non-FIPS mode if it is not requested */
|
||||
- FIPS_mode_set(0);
|
||||
- } else {
|
||||
- /* abort if selftest failed */
|
||||
- FIPS_selftest_check();
|
||||
- }
|
||||
-}
|
||||
|
||||
/*
|
||||
* Perform FIPS module power on selftest and automatic FIPS mode switch.
|
||||
@@ -63,11 +17,6 @@ static void init_fips_mode(void)
|
||||
|
||||
void __attribute__ ((constructor)) OPENSSL_init_library(void)
|
||||
{
|
||||
- static int done = 0;
|
||||
- if (done)
|
||||
- return;
|
||||
- done = 1;
|
||||
- init_fips_mode();
|
||||
}
|
||||
#endif
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1i/include/openssl/opensslv.h.version-override 2020-12-09 10:25:12.042374409 +0100
|
||||
+++ openssl-1.1.1i/include/openssl/opensslv.h 2020-12-09 10:26:00.362769170 +0100
|
||||
@@ -40,7 +40,7 @@ extern "C" {
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x101010bfL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k FIPS 25 Mar 2021"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
Loading…
Reference in New Issue
Block a user