avoid dlopening libssl.so from libcrypto (#1010357)
This commit is contained in:
parent
372f3ac997
commit
df94661da5
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
|
diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
|
||||||
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-02 14:20:26.853925144 +0200
|
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-23 18:05:15.731136863 +0200
|
||||||
+++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-02 14:22:18.082370680 +0200
|
+++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-23 18:18:27.953969770 +0200
|
||||||
@@ -60,6 +60,8 @@
|
@@ -60,6 +60,8 @@
|
||||||
#include <dlfcn.h>
|
#include <dlfcn.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -23,11 +23,65 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
|
|||||||
#define READ_BUFFER_LENGTH 16384
|
#define READ_BUFFER_LENGTH 16384
|
||||||
|
|
||||||
static char *
|
static char *
|
||||||
@@ -341,6 +345,32 @@ end:
|
@@ -279,19 +283,13 @@ end:
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-FIPSCHECK_verify(const char *libname, const char *symbolname)
|
||||||
|
+FIPSCHECK_verify(const char *path)
|
||||||
|
{
|
||||||
|
- char path[PATH_MAX+1];
|
||||||
|
- int rv;
|
||||||
|
+ int rv = 0;
|
||||||
|
FILE *hf;
|
||||||
|
char *hmacpath, *p;
|
||||||
|
char *hmac = NULL;
|
||||||
|
size_t n;
|
||||||
|
-
|
||||||
|
- rv = get_library_path(libname, symbolname, path, sizeof(path));
|
||||||
|
-
|
||||||
|
- if (rv < 0)
|
||||||
|
- return 0;
|
||||||
|
|
||||||
|
hmacpath = make_hmac_path(path);
|
||||||
|
if (hmacpath == NULL)
|
||||||
|
@@ -341,6 +339,64 @@ end:
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
+int FIPS_module_installed(void)
|
+static int
|
||||||
|
+verify_checksums(void)
|
||||||
|
+ {
|
||||||
|
+ int rv;
|
||||||
|
+ char path[PATH_MAX+1];
|
||||||
|
+ char *p;
|
||||||
|
+
|
||||||
|
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
|
||||||
|
+ are in the same directory */
|
||||||
|
+
|
||||||
|
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
|
||||||
|
+ if (rv < 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ rv = FIPSCHECK_verify(path);
|
||||||
|
+ if (!rv)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* replace libcrypto with libssl */
|
||||||
|
+ while ((p = strstr(path, "libcrypto.so")) != NULL)
|
||||||
|
+ {
|
||||||
|
+ p = stpcpy(p, "libssl");
|
||||||
|
+ memmove(p, p+3, strlen(p+2));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rv = FIPSCHECK_verify(path);
|
||||||
|
+ if (!rv)
|
||||||
|
+ return 0;
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+FIPS_module_installed(void)
|
||||||
+ {
|
+ {
|
||||||
+ char path[PATH_MAX+1];
|
+ char path[PATH_MAX+1];
|
||||||
+ int rv;
|
+ int rv;
|
||||||
@ -56,9 +110,26 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
|
|||||||
int FIPS_module_mode_set(int onoff, const char *auth)
|
int FIPS_module_mode_set(int onoff, const char *auth)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
@@ -379,15 +435,7 @@ int FIPS_module_mode_set(int onoff, cons
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
|
||||||
|
- {
|
||||||
|
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||||
|
- fips_selftest_fail = 1;
|
||||||
|
- ret = 0;
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
|
||||||
|
+ if(!verify_checksums())
|
||||||
|
{
|
||||||
|
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||||
|
fips_selftest_fail = 1;
|
||||||
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
|
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
|
||||||
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-02 14:20:26.857925232 +0200
|
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-23 18:05:15.734136931 +0200
|
||||||
+++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-02 14:20:26.915926507 +0200
|
+++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-23 18:05:15.775137854 +0200
|
||||||
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
|
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
|
||||||
|
|
||||||
int FIPS_module_mode_set(int onoff, const char *auth);
|
int FIPS_module_mode_set(int onoff, const char *auth);
|
||||||
@ -68,8 +139,8 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/
|
|||||||
int FIPS_selftest(void);
|
int FIPS_selftest(void);
|
||||||
int FIPS_selftest_failed(void);
|
int FIPS_selftest_failed(void);
|
||||||
diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
|
diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
|
||||||
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-02 14:20:26.894926046 +0200
|
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-23 18:05:15.762137561 +0200
|
||||||
+++ openssl-1.0.1e/crypto/o_init.c 2013-09-02 14:20:26.916926529 +0200
|
+++ openssl-1.0.1e/crypto/o_init.c 2013-09-23 18:05:15.776137876 +0200
|
||||||
@@ -73,6 +73,10 @@ static void init_fips_mode(void)
|
@@ -73,6 +73,10 @@ static void init_fips_mode(void)
|
||||||
char buf[2] = "0";
|
char buf[2] = "0";
|
||||||
int fd;
|
int fd;
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1e
|
Version: 1.0.1e
|
||||||
Release: 24%{?dist}
|
Release: 25%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -473,6 +473,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :
|
prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 23 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-25
|
||||||
|
- avoid dlopening libssl.so from libcrypto (#1010357)
|
||||||
|
|
||||||
* Fri Sep 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-24
|
* Fri Sep 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-24
|
||||||
- fix small memory leak in FIPS aes selftest
|
- fix small memory leak in FIPS aes selftest
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user