isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/openssl-1.0.1e-fips-ctor.patch

a5ef24
diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
a5ef24
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor	2013-09-26 13:52:30.767885457 +0200
a5ef24
+++ openssl-1.0.1e/crypto/fips/fips.c	2013-09-26 14:01:29.406010187 +0200
a5ef24
@@ -60,6 +60,8 @@
a5ef24
 #include <dlfcn.h>
a5ef24
 #include <stdio.h>
a5ef24
 #include <stdlib.h>
a5ef24
+#include <unistd.h>
a5ef24
+#include <errno.h>
a5ef24
 #include "fips_locl.h"
a5ef24
 
a5ef24
 #ifdef OPENSSL_FIPS
a5ef24
@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
a5ef24
 	return hex;
a5ef24
 }
a5ef24
 
a5ef24
-#define HMAC_PREFIX "." 
a5ef24
-#define HMAC_SUFFIX ".hmac" 
a5ef24
+#define HMAC_PREFIX "."
a5ef24
+#ifndef HMAC_SUFFIX
a5ef24
+#define HMAC_SUFFIX ".hmac"
a5ef24
+#endif
a5ef24
 #define READ_BUFFER_LENGTH 16384
a5ef24
 
a5ef24
 static char *
a5ef24
@@ -279,19 +283,13 @@ end:
a5ef24
 }
a5ef24
 
a5ef24
 static int
a5ef24
-FIPSCHECK_verify(const char *libname, const char *symbolname)
a5ef24
+FIPSCHECK_verify(const char *path)
a5ef24
 {
a5ef24
-	char path[PATH_MAX+1];
a5ef24
-	int rv;
a5ef24
+	int rv = 0;
a5ef24
 	FILE *hf;
a5ef24
 	char *hmacpath, *p;
a5ef24
 	char *hmac = NULL;
a5ef24
 	size_t n;
a5ef24
-	
a5ef24
-	rv = get_library_path(libname, symbolname, path, sizeof(path));
a5ef24
-
a5ef24
-	if (rv < 0)
a5ef24
-		return 0;
a5ef24
 
a5ef24
 	hmacpath = make_hmac_path(path);
a5ef24
 	if (hmacpath == NULL)
a5ef24
@@ -341,6 +339,53 @@ end:
a5ef24
 	return 1;	
a5ef24
 }
a5ef24
 
a5ef24
+static int
a5ef24
+verify_checksums(void)
a5ef24
+    {
a5ef24
+	int rv;
a5ef24
+	char path[PATH_MAX+1];
a5ef24
+	char *p;
a5ef24
+
a5ef24
+	/* we need to avoid dlopening libssl, assume both libcrypto and libssl
a5ef24
+	   are in the same directory */
a5ef24
+
a5ef24
+	rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
a5ef24
+	if (rv < 0)
a5ef24
+		return 0;
a5ef24
+
a5ef24
+	rv = FIPSCHECK_verify(path);
a5ef24
+	if (!rv)
a5ef24
+		return 0;
a5ef24
+
a5ef24
+	/* replace libcrypto with libssl */
a5ef24
+	while ((p = strstr(path, "libcrypto.so")) != NULL)
a5ef24
+	    {
a5ef24
+		p = stpcpy(p, "libssl");
a5ef24
+                memmove(p, p+3, strlen(p+2));
a5ef24
+	    }
a5ef24
+
a5ef24
+	rv = FIPSCHECK_verify(path);
a5ef24
+	if (!rv)
a5ef24
+		return 0;
a5ef24
+	return 1;
a5ef24
+    }
a5ef24
+
a5ef24
+#ifndef FIPS_MODULE_PATH
a5ef24
+#define FIPS_MODULE_PATH "/etc/system-fips"
a5ef24
+#endif
a5ef24
+
a5ef24
+int
a5ef24
+FIPS_module_installed(void)
a5ef24
+    {
a5ef24
+    int rv;
a5ef24
+    rv = access(FIPS_MODULE_PATH, F_OK);
a5ef24
+    if (rv < 0 && errno != ENOENT)
a5ef24
+	rv = 0;
a5ef24
+
a5ef24
+    /* Installed == true */
a5ef24
+    return !rv;
a5ef24
+    }
a5ef24
+
a5ef24
 int FIPS_module_mode_set(int onoff, const char *auth)
a5ef24
     {
a5ef24
     int ret = 0;
a5ef24
@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
a5ef24
 	}
a5ef24
 #endif
a5ef24
 
a5ef24
-	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
a5ef24
-	    {
a5ef24
-	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
a5ef24
-	    fips_selftest_fail = 1;
a5ef24
-	    ret = 0;
a5ef24
-	    goto end;
a5ef24
-	    }
a5ef24
-
a5ef24
-	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
a5ef24
+	if(!verify_checksums())
a5ef24
 	    {
a5ef24
 	    FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
a5ef24
 	    fips_selftest_fail = 1;
a5ef24
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
a5ef24
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor	2013-09-26 13:52:30.814886515 +0200
a5ef24
+++ openssl-1.0.1e/crypto/fips/fips.h	2013-09-26 13:52:30.816886560 +0200
a5ef24
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
a5ef24
 
a5ef24
 int FIPS_module_mode_set(int onoff, const char *auth);
a5ef24
 int FIPS_module_mode(void);
a5ef24
+int FIPS_module_installed(void);
a5ef24
 const void *FIPS_rand_check(void);
a5ef24
 int FIPS_selftest(void);
a5ef24
 int FIPS_selftest_failed(void);
a5ef24
diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
a5ef24
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor	2013-09-26 13:52:30.807886357 +0200
a5ef24
+++ openssl-1.0.1e/crypto/o_init.c	2013-09-26 14:00:21.000000000 +0200
a5ef24
@@ -71,6 +71,9 @@ static void init_fips_mode(void)
a5ef24
 	char buf[2] = "0";
a5ef24
 	int fd;
a5ef24
 	
a5ef24
+	/* Ensure the selftests always run */
a5ef24
+	FIPS_mode_set(1);
a5ef24
+
a5ef24
 	if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
a5ef24
 		{
a5ef24
 		buf[0] = '1';
a5ef24
@@ -85,9 +88,15 @@ static void init_fips_mode(void)
a5ef24
 	 * otherwise. 
a5ef24
 	 */
a5ef24
 	
a5ef24
-	if (buf[0] == '1')
a5ef24
+	if (buf[0] != '1')
a5ef24
+		{
a5ef24
+		/* drop down to non-FIPS mode if it is not requested */
a5ef24
+		FIPS_mode_set(0);
a5ef24
+		}
a5ef24
+	else
a5ef24
 		{
a5ef24
-		FIPS_mode_set(1);
a5ef24
+		/* abort if selftest failed */
a5ef24
+		FIPS_selftest_check();
a5ef24
 		}
a5ef24
 	}
a5ef24
 #endif
a5ef24
@@ -96,13 +105,17 @@ static void init_fips_mode(void)
a5ef24
  * Currently only sets FIPS callbacks
a5ef24
  */
a5ef24
 
a5ef24
-void OPENSSL_init_library(void)
a5ef24
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
a5ef24
 	{
a5ef24
 	static int done = 0;
a5ef24
 	if (done)
a5ef24
 		return;
a5ef24
 	done = 1;
a5ef24
 #ifdef OPENSSL_FIPS
a5ef24
+	if (!FIPS_module_installed())
a5ef24
+		{
a5ef24
+		return;
a5ef24
+		}
a5ef24
 	RAND_init_fips();
a5ef24
 	init_fips_mode();
a5ef24
 	if (!FIPS_mode())