From df94661da5722bb446b456862cefd1fdf61bab3d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 23 Sep 2013 18:30:01 +0200 Subject: [PATCH] avoid dlopening libssl.so from libcrypto (#1010357) --- openssl-1.0.1e-fips-ctor.patch | 87 ++++++++++++++++++++++++++++++---- openssl.spec | 5 +- 2 files changed, 83 insertions(+), 9 deletions(-) diff --git a/openssl-1.0.1e-fips-ctor.patch b/openssl-1.0.1e-fips-ctor.patch index 093a7f4..0121dec 100644 --- a/openssl-1.0.1e-fips-ctor.patch +++ b/openssl-1.0.1e-fips-ctor.patch @@ -1,6 +1,6 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c ---- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-02 14:20:26.853925144 +0200 -+++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-02 14:22:18.082370680 +0200 +--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-23 18:05:15.731136863 +0200 ++++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-23 18:18:27.953969770 +0200 @@ -60,6 +60,8 @@ #include #include @@ -23,11 +23,65 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/ #define READ_BUFFER_LENGTH 16384 static char * -@@ -341,6 +345,32 @@ end: +@@ -279,19 +283,13 @@ end: + } + + static int +-FIPSCHECK_verify(const char *libname, const char *symbolname) ++FIPSCHECK_verify(const char *path) + { +- char path[PATH_MAX+1]; +- int rv; ++ int rv = 0; + FILE *hf; + char *hmacpath, *p; + char *hmac = NULL; + size_t n; +- +- rv = get_library_path(libname, symbolname, path, sizeof(path)); +- +- if (rv < 0) +- return 0; + + hmacpath = make_hmac_path(path); + if (hmacpath == NULL) +@@ -341,6 +339,64 @@ end: return 1; } -+int FIPS_module_installed(void) ++static int ++verify_checksums(void) ++ { ++ int rv; ++ char path[PATH_MAX+1]; ++ char *p; ++ ++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl ++ are in the same directory */ ++ ++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); ++ if (rv < 0) ++ return 0; ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ ++ /* replace libcrypto with libssl */ ++ while ((p = strstr(path, "libcrypto.so")) != NULL) ++ { ++ p = stpcpy(p, "libssl"); ++ memmove(p, p+3, strlen(p+2)); ++ } ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ return 1; ++ } ++ ++int ++FIPS_module_installed(void) + { + char path[PATH_MAX+1]; + int rv; @@ -56,9 +110,26 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/ int FIPS_module_mode_set(int onoff, const char *auth) { int ret = 0; +@@ -379,15 +435,7 @@ int FIPS_module_mode_set(int onoff, cons + } + #endif + +- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set")) +- { +- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); +- fips_selftest_fail = 1; +- ret = 0; +- goto end; +- } +- +- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new")) ++ if(!verify_checksums()) + { + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h ---- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-02 14:20:26.857925232 +0200 -+++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-02 14:20:26.915926507 +0200 +--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-23 18:05:15.734136931 +0200 ++++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-23 18:05:15.775137854 +0200 @@ -74,6 +74,7 @@ struct hmac_ctx_st; int FIPS_module_mode_set(int onoff, const char *auth); @@ -68,8 +139,8 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/ int FIPS_selftest(void); int FIPS_selftest_failed(void); diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c ---- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-02 14:20:26.894926046 +0200 -+++ openssl-1.0.1e/crypto/o_init.c 2013-09-02 14:20:26.916926529 +0200 +--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-23 18:05:15.762137561 +0200 ++++ openssl-1.0.1e/crypto/o_init.c 2013-09-23 18:05:15.776137876 +0200 @@ -73,6 +73,10 @@ static void init_fips_mode(void) char buf[2] = "0"; int fd; diff --git a/openssl.spec b/openssl.spec index 122e00d..942a28e 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,7 +21,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1e -Release: 24%{?dist} +Release: 25%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -473,6 +473,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || : %changelog +* Mon Sep 23 2013 Tomáš Mráz 1.0.1e-25 +- avoid dlopening libssl.so from libcrypto (#1010357) + * Fri Sep 20 2013 Tomáš Mráz 1.0.1e-24 - fix small memory leak in FIPS aes selftest