always perform the FIPS selftests in library constructor
if FIPS module is installed
This commit is contained in:
parent
bb2f3882f2
commit
1465572e17
102
openssl-1.0.1e-fips-ctor.patch
Normal file
102
openssl-1.0.1e-fips-ctor.patch
Normal file
@ -0,0 +1,102 @@
|
||||
diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
|
||||
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-08-27 15:44:08.000000000 +0200
|
||||
+++ openssl-1.0.1e/crypto/fips/fips.c 2013-08-29 11:13:04.279245656 +0200
|
||||
@@ -60,6 +60,8 @@
|
||||
#include <dlfcn.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
+#include <unistd.h>
|
||||
+#include <errno.h>
|
||||
#include "fips_locl.h"
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
@@ -341,6 +343,32 @@ end:
|
||||
return 1;
|
||||
}
|
||||
|
||||
+int FIPS_module_installed(void)
|
||||
+ {
|
||||
+ char path[PATH_MAX+1];
|
||||
+ int rv;
|
||||
+ char *hmacpath, *p;
|
||||
+ char *hmac = NULL;
|
||||
+ size_t n;
|
||||
+
|
||||
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
|
||||
+
|
||||
+ if (rv < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ hmacpath = make_hmac_path(path);
|
||||
+ if (hmacpath == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ rv = access(hmacpath, F_OK);
|
||||
+ if (rv < 0 && errno != ENOENT)
|
||||
+ rv = 0;
|
||||
+
|
||||
+ free(hmacpath);
|
||||
+ /* Installed == true */
|
||||
+ return !rv;
|
||||
+ }
|
||||
+
|
||||
int FIPS_module_mode_set(int onoff, const char *auth)
|
||||
{
|
||||
int ret = 0;
|
||||
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
|
||||
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-08-27 15:44:08.000000000 +0200
|
||||
+++ openssl-1.0.1e/crypto/fips/fips.h 2013-08-29 11:41:04.233049349 +0200
|
||||
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
|
||||
|
||||
int FIPS_module_mode_set(int onoff, const char *auth);
|
||||
int FIPS_module_mode(void);
|
||||
+int FIPS_module_installed(void);
|
||||
const void *FIPS_rand_check(void);
|
||||
int FIPS_selftest(void);
|
||||
int FIPS_selftest_failed(void);
|
||||
diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
|
||||
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-08-27 15:44:09.000000000 +0200
|
||||
+++ openssl-1.0.1e/crypto/o_init.c 2013-08-29 11:39:37.760101734 +0200
|
||||
@@ -73,6 +73,10 @@ static void init_fips_mode(void)
|
||||
char buf[2] = "0";
|
||||
int fd;
|
||||
|
||||
+ /* Ensure the selftests always run and abort on error */
|
||||
+ FIPS_mode_set(1);
|
||||
+ FIPS_selftest_check();
|
||||
+
|
||||
if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
||||
{
|
||||
buf[0] = '1';
|
||||
@@ -87,9 +91,10 @@ static void init_fips_mode(void)
|
||||
* otherwise.
|
||||
*/
|
||||
|
||||
- if (buf[0] == '1')
|
||||
+ if (buf[0] != '1')
|
||||
{
|
||||
- FIPS_mode_set(1);
|
||||
+ /* drop down to non-FIPS mode if it is not requested */
|
||||
+ FIPS_mode_set(0);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@@ -98,13 +103,17 @@ static void init_fips_mode(void)
|
||||
* Currently only sets FIPS callbacks
|
||||
*/
|
||||
|
||||
-void OPENSSL_init_library(void)
|
||||
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
|
||||
{
|
||||
static int done = 0;
|
||||
if (done)
|
||||
return;
|
||||
done = 1;
|
||||
#ifdef OPENSSL_FIPS
|
||||
+ if (!FIPS_module_installed())
|
||||
+ {
|
||||
+ return;
|
||||
+ }
|
||||
RAND_init_fips();
|
||||
init_fips_mode();
|
||||
if (!FIPS_mode())
|
@ -21,7 +21,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.1e
|
||||
Release: 16%{?dist}
|
||||
Release: 17%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -70,6 +70,7 @@ Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
||||
Patch68: openssl-1.0.1e-secure-getenv.patch
|
||||
Patch69: openssl-1.0.1c-dh-1024.patch
|
||||
Patch71: openssl-1.0.1e-manfix.patch
|
||||
Patch72: openssl-1.0.1e-fips-ctor.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
||||
Patch82: openssl-1.0.1e-backports.patch
|
||||
@ -189,6 +190,7 @@ OpenSSL FIPS module.
|
||||
%patch81 -p1 -b .padlock64
|
||||
%patch82 -p1 -b .backports
|
||||
%patch71 -p1 -b .manfix
|
||||
%patch72 -p1 -b .fips-ctor
|
||||
%patch83 -p1 -b .bad-mac
|
||||
%patch84 -p1 -b .trusted-first
|
||||
|
||||
@ -466,6 +468,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :
|
||||
|
||||
%changelog
|
||||
* Thu Aug 29 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-17
|
||||
- always perform the FIPS selftests in library constructor
|
||||
if FIPS module is installed
|
||||
|
||||
* Tue Aug 27 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-16
|
||||
- add -fips subpackage that contains the FIPS module files
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user