-config argument of openssl app should work properly

Resolves: rhbz#2083274
2022-05-12 13:24:59 +02:00 · 2022-05-12 13:24:59 +02:00 · b4d281e4de
commit b4d281e4de
parent 1b2d08b2c2
2 changed files with 15 additions and 7 deletions
--- a/0032-Force-fips.patch
+++ b/0032-Force-fips.patch
@ -4,13 +4,13 @@
 #ensure that you also add those changes to the provider_conf_activate() function.
 #additionally please add this check for cnf explicitly as shown below.
 #'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
-diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/provider_conf.c
--- openssl-3.0.1/crypto/provider_conf.c.fips-FORCE	2022-01-18 15:36:00.956141345 +0100
-+++ openssl-3.0.1/crypto/provider_conf.c	2022-01-18 15:42:36.345172203 +0100
+diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
+--- openssl-3.0.1/crypto/provider_conf.c.fipsact	2022-05-12 12:44:31.199034948 +0200
+++ openssl-3.0.1/crypto/provider_conf.c	2022-05-12 12:49:17.468318373 +0200
@@ -136,58 +136,18 @@ static int prov_already_activated(const
     return 0;
 }
-
+ 
 -static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
 -                              const char *value, const CONF *cnf)
 +static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
@ -83,8 +83,12 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/pr
 
             if (ok) {
                 if (!ossl_provider_activate(prov, 1, 0)) {
-@@ -246,6 +206,55 @@ static int provider_conf_load(OSSL_LIB_C
+@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
+             }
+             if (!ok)
                 ossl_provider_free(prov);
+        } else { /* No reason to activate the provider twice, returning OK */
+            ok = 1;
         }
         CRYPTO_THREAD_unlock(pcgbl->lock);
 +    return ok;
@ -139,7 +143,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/pr
     } else {
         OSSL_PROVIDER_INFO entry;
 
-@@ -306,6 +315,19 @@ static int provider_conf_init(CONF_IMODU
+@@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU
             return 0;
     }
 
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 28%{?dist}
+Release: 29%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -444,6 +444,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Thu May 12 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-29
+- `-config` argument of openssl app should work properly in FIPS mode
+- Resolves: rhbz#2083274
+
 * Fri May 06 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-28
 - OpenSSL should not accept custom elliptic curve parameters
 - Resolves rhbz#2066412