194ef7464a
Resolves: CVE-2022-4203 Resolves: CVE-2022-4304 Resolves: CVE-2022-4450 Resolves: CVE-2023-0215 Resolves: CVE-2023-0216 Resolves: CVE-2023-0217 Resolves: CVE-2023-0286 Resolves: CVE-2023-0401
72 lines
2.0 KiB
Diff
72 lines
2.0 KiB
Diff
diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c
|
|
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
|
|
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
|
|
@@ -12,11 +12,46 @@
|
|
#include "crypto/ctype.h"
|
|
#include "crypto/rand.h"
|
|
|
|
+# include <sys/types.h>
|
|
+# include <sys/stat.h>
|
|
+# include <fcntl.h>
|
|
+# include <unistd.h>
|
|
+# include <openssl/evp.h>
|
|
+
|
|
struct ossl_lib_ctx_onfree_list_st {
|
|
ossl_lib_ctx_onfree_fn *fn;
|
|
struct ossl_lib_ctx_onfree_list_st *next;
|
|
};
|
|
|
|
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
|
+
|
|
+static int kernel_fips_flag;
|
|
+
|
|
+static void read_kernel_fips_flag(void)
|
|
+{
|
|
+ char buf[2] = "0";
|
|
+ int fd;
|
|
+
|
|
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
|
+ buf[0] = '1';
|
|
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
|
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
|
+ close(fd);
|
|
+ }
|
|
+
|
|
+ if (buf[0] == '1') {
|
|
+ kernel_fips_flag = 1;
|
|
+ }
|
|
+
|
|
+ return;
|
|
+}
|
|
+
|
|
+int ossl_get_kernel_fips_flag()
|
|
+{
|
|
+ return kernel_fips_flag;
|
|
+}
|
|
+
|
|
+
|
|
struct ossl_lib_ctx_st {
|
|
CRYPTO_RWLOCK *lock;
|
|
CRYPTO_EX_DATA data;
|
|
@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte
|
|
|
|
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
|
{
|
|
+ read_kernel_fips_flag();
|
|
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
|
|
&& context_init(&default_context_int);
|
|
}
|
|
diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h
|
|
--- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100
|
|
+++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100
|
|
@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB
|
|
const OSSL_DISPATCH *in);
|
|
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
|
|
|
+/* FIPS flag access */
|
|
+int ossl_get_kernel_fips_flag(void);
|
|
+
|
|
# ifdef __cplusplus
|
|
}
|
|
# endif
|