
a74baf
#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
a74baf
#(partial) of the function provider_conf_load() under the 'if (activate)' section.
a74baf
#If there is any change to this section, after deleting it in provider_conf_load()
a74baf
#ensure that you also add those changes to the provider_conf_activate() function.
a74baf
#Additionally, please add this check for cnf explicitly as shown below.
a74baf
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
a74baf
diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/provider_conf.c
a74baf
--- openssl-3.0.1/crypto/provider_conf.c.fips-FORCE	2022-01-18 15:36:00.956141345 +0100
a74baf
+++ openssl-3.0.1/crypto/provider_conf.c	2022-01-18 15:42:36.345172203 +0100
a74baf
@@ -136,58 +136,18 @@ static int prov_already_activated(const
6ed7c9
     return 0;
6ed7c9
 }
a74baf
a74baf
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
a74baf
-                              const char *value, const CONF *cnf)
a74baf
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
a74baf
+                                  const char *value, const char *path,
6ed7c9
+                                  int soft, const CONF *cnf)
a74baf
 {
a74baf
-    int i;
a74baf
-    STACK_OF(CONF_VALUE) *ecmds;
a74baf
-    int soft = 0;
a74baf
-    OSSL_PROVIDER *prov = NULL, *actual = NULL;
a74baf
-    const char *path = NULL;
a74baf
-    long activate = 0;
a74baf
     int ok = 0;
a74baf
-
a74baf
-    name = skip_dot(name);
a74baf
-    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
a74baf
-    /* Value is a section containing PROVIDER commands */
a74baf
-    ecmds = NCONF_get_section(cnf, value);
a74baf
-
a74baf
-    if (!ecmds) {
a74baf
-        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
a74baf
-                       "section=%s not found", value);
a74baf
-        return 0;
a74baf
-    }
a74baf
-
a74baf
-    /* Find the needed data first */
a74baf
-    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
a74baf
-        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
a74baf
-        const char *confname = skip_dot(ecmd->name);
a74baf
-        const char *confvalue = ecmd->value;
a74baf
-
a74baf
-        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
a74baf
-                    confname, confvalue);
a74baf
-
a74baf
-        /* First handle some special pseudo confs */
a74baf
-
a74baf
-        /* Override provider name to use */
a74baf
-        if (strcmp(confname, "identity") == 0)
a74baf
-            name = confvalue;
a74baf
-        else if (strcmp(confname, "soft_load") == 0)
a74baf
-            soft = 1;
a74baf
-        /* Load a dynamic PROVIDER */
a74baf
-        else if (strcmp(confname, "module") == 0)
a74baf
-            path = confvalue;
a74baf
-        else if (strcmp(confname, "activate") == 0)
a74baf
-            activate = 1;
a74baf
-    }
a74baf
-
a74baf
-    if (activate) {
a74baf
-        PROVIDER_CONF_GLOBAL *pcgbl
a74baf
-            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
a74baf
-                                    &provider_conf_ossl_ctx_method);
a74baf
+    OSSL_PROVIDER *prov = NULL, *actual = NULL;
a74baf
+    PROVIDER_CONF_GLOBAL *pcgbl
a74baf
+        = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
a74baf
+                                &provider_conf_ossl_ctx_method);
a74baf
 
a74baf
         if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
a74baf
-            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
a74baf
+           ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
a74baf
             return 0;
a74baf
         }
a74baf
         if (!prov_already_activated(name, pcgbl->activated_providers)) {
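Review bot: The body of the new provider_conf_activate() keeps the eight-space indentation it had inside the former `if (activate)` block, and the retyped `ERR_raise` line now sits at eleven columns, so the function no longer follows the file's four-space style; re-indent the body one level out and restore the alignment of `ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);`. The signature is also missing a space after the first comma: `static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,`. Because the later hunk in this patch calls the function with `value`, `path` and `cnf` all NULL, a header comment stating that contract would help, e.g. that `cnf` may be NULL when activation is forced from provider_conf_init() rather than driven by a config section, and that `value` is only consulted when `cnf` is non-NULL. The function body continues past the end of this hunk.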
a74baf
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
a74baf
             if (path != NULL)
a74baf
                 ossl_provider_set_module_path(prov, path);
a74baf
 
a74baf
-            ok = provider_conf_params(prov, NULL, NULL, value, cnf);
a74baf
+            ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
a74baf
 
a74baf
             if (ok) {
a74baf
                 if (!ossl_provider_activate(prov, 1, 0)) {
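Review bot: The `cnf ? … : 1` guard deserves a comment, since nothing in provider_conf_activate()'s signature says `cnf` can be NULL and a later reader could "simplify" it back; suggest `/* cnf == NULL: activation forced from provider_conf_init(), no config section to apply */` directly above the assignment. When `cnf` is NULL the `value` argument is likewise unused, which is why the forced caller passes NULL for both. The enclosing function starts and ends outside this hunk.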
a74baf
@@ -246,6 +206,55 @@ static int provider_conf_load(OSSL_LIB_C
a74baf
                 ossl_provider_free(prov);
a74baf
         }
a74baf
         CRYPTO_THREAD_unlock(pcgbl->lock);
a74baf
+    return ok;
a74baf
+}
a74baf
+
a74baf
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
a74baf
+                              const char *value, const CONF *cnf)
6ed7c9
+{
a74baf
+    int i;
a74baf
+    STACK_OF(CONF_VALUE) *ecmds;
a74baf
+    int soft = 0;
a74baf
+    const char *path = NULL;
a74baf
+    long activate = 0;
6ed7c9
+    int ok = 0;
6ed7c9
+
a74baf
+    name = skip_dot(name);
a74baf
+    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
a74baf
+    /* Value is a section containing PROVIDER commands */
a74baf
+    ecmds = NCONF_get_section(cnf, value);
a74baf
+
a74baf
+    if (!ecmds) {
a74baf
+        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
a74baf
+                       "section=%s not found", value);
6ed7c9
+        return 0;
6ed7c9
+    }
6ed7c9
+
a74baf
+    /* Find the needed data first */
a74baf
+    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
a74baf
+        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
a74baf
+        const char *confname = skip_dot(ecmd->name);
a74baf
+        const char *confvalue = ecmd->value;
6ed7c9
+
a74baf
+        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
a74baf
+                    confname, confvalue);
6ed7c9
+
a74baf
+        /* First handle some special pseudo confs */
6ed7c9
+
a74baf
+        /* Override provider name to use */
a74baf
+        if (strcmp(confname, "identity") == 0)
a74baf
+            name = confvalue;
a74baf
+        else if (strcmp(confname, "soft_load") == 0)
a74baf
+            soft = 1;
a74baf
+        /* Load a dynamic PROVIDER */
a74baf
+        else if (strcmp(confname, "module") == 0)
a74baf
+            path = confvalue;
a74baf
+        else if (strcmp(confname, "activate") == 0)
a74baf
+            activate = 1;
a74baf
+    }
6ed7c9
+
a74baf
+    if (activate) {
a74baf
+       ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
6ed7c9
     } else {
6ed7c9
         OSSL_PROVIDER_INFO entry;
6ed7c9
 
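Review bot: provider_conf_activate() returns `ok`, which starts at 0 and, in the context visible on this page, is only assigned inside the `!prov_already_activated()` branch; if the lines between the second and third hunks contain no `else` that sets `ok = 1`, an already-activated provider makes the function return 0, and the new forced call from provider_conf_init() would then fail configuration loading on a system whose openssl.cnf also activates the fips or base provider. Please confirm the already-activated path returns success before relying on this function from provider_conf_init(). Separately, the call `ok = provider_conf_activate(libctx, name, value, path, soft, cnf);` is indented seven spaces instead of eight. provider_conf_load() continues past the end of this hunk.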
a74baf
@@ -306,6 +315,19 @@ static int provider_conf_init(CONF_IMODU
6ed7c9
             return 0;
6ed7c9
     }
6ed7c9
 
6ed7c9
+    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
6ed7c9
+        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
6ed7c9
+        PROVIDER_CONF_GLOBAL *pcgbl
6ed7c9
+            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
6ed7c9
+                                    &provider_conf_ossl_ctx_method);
a74baf
+        if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
6ed7c9
+            return 0;
a74baf
+        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
6ed7c9
+            return 0;
6ed7c9
+        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
6ed7c9
+            return 0;
6ed7c9
+    }
6ed7c9
+
6ed7c9
     return 1;
6ed7c9
 }
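Review bot: `pcgbl` is assigned from ossl_lib_ctx_get_data() but never read in this block, so the three lines declaring it are dead code and will draw an unused-variable warning; drop them, since provider_conf_activate() fetches the same data itself. Replace the `/* XXX from provider_conf_load */` marker with a comment stating the intent, e.g. `/* Kernel FIPS mode: force-activate the fips and base providers and make FIPS the default property, independent of what the config file activated */`. Failing closed (returning 0 when either activation or EVP_default_properties_enable_fips() fails) is the right choice, but the property-enable failure path raises no error of its own, so consider an ERR_raise there to make the cause visible. The `(CONF *)` cast looks unnecessary if NCONF_get0_libctx() takes a `const CONF *` as upstream 3.0 does, and ossl_get_kernel_fips_flag() is not declared by this patch, so its prototype must be supplied elsewhere; provider_conf_init() starts outside the hunk.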
6ed7c9