You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
compat-openssl11/SOURCES/openssl-1.1.1-disable-fips....

126 lines
3.4 KiB

Disable FIPS mode
FIPS mode is not supported for compat-openssl11. Apply a minimal patch
that will reject explicit enabling of FIPS mode and disable automatic
activation of FIPS mode.
To avoid regressions, keep the rest of the library as it was.
diff -up openssl-1.1.1k/crypto/fips/fips.c.disable-fips openssl-1.1.1k/crypto/fips/fips.c
--- openssl-1.1.1k/crypto/fips/fips.c.disable-fips 2022-05-30 17:05:28.604500582 +0200
+++ openssl-1.1.1k/crypto/fips/fips.c 2022-05-30 17:09:46.129110042 +0200
@@ -405,13 +405,8 @@ static int verify_checksums(void)
int FIPS_module_installed(void)
{
- int rv;
- rv = access(FIPS_MODULE_PATH, F_OK);
- if (rv < 0 && errno != ENOENT)
- rv = 0;
-
/* Installed == true */
- return !rv || FIPS_module_mode();
+ return 0;
}
int FIPS_module_mode_set(int onoff)
diff -up openssl-1.1.1k/crypto/o_fips.c.disable-fips openssl-1.1.1k/crypto/o_fips.c
--- openssl-1.1.1k/crypto/o_fips.c.disable-fips 2022-05-30 17:05:37.411658179 +0200
+++ openssl-1.1.1k/crypto/o_fips.c 2022-05-30 17:06:25.279514707 +0200
@@ -12,24 +12,14 @@
int FIPS_mode(void)
{
-#ifdef OPENSSL_FIPS
- return FIPS_module_mode();
-#else
/* This version of the library does not support FIPS mode. */
return 0;
-#endif
}
int FIPS_mode_set(int r)
{
-#ifdef OPENSSL_FIPS
- if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
- return 1;
- return FIPS_module_mode_set(r);
-#else
if (r == 0)
return 1;
CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
return 0;
-#endif
}
diff -up openssl-1.1.1k/crypto/o_init.c.disable-fips openssl-1.1.1k/crypto/o_init.c
--- openssl-1.1.1k/crypto/o_init.c.disable-fips 2022-05-30 17:06:58.250104676 +0200
+++ openssl-1.1.1k/crypto/o_init.c 2022-05-30 17:17:12.369135344 +0200
@@ -7,55 +7,9 @@
* https://www.openssl.org/source/license.html
*/
-/* for secure_getenv */
-#define _GNU_SOURCE
#include "e_os.h"
#include <openssl/err.h>
#ifdef OPENSSL_FIPS
-# include <sys/types.h>
-# include <sys/stat.h>
-# include <fcntl.h>
-# include <unistd.h>
-# include <errno.h>
-# include <stdlib.h>
-# include <openssl/rand.h>
-# include <openssl/fips.h>
-# include "crypto/fips.h"
-
-# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-
-static void init_fips_mode(void)
-{
- char buf[2] = "0";
- int fd;
-
- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
- buf[0] = '1';
- } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
- close(fd);
- }
-
- if (buf[0] != '1' && !FIPS_module_installed())
- return;
-
- /* Ensure the selftests always run */
- /* XXX: TO SOLVE - premature initialization due to selftests */
- FIPS_mode_set(1);
-
- /* Failure reading the fips mode switch file means just not
- * switching into FIPS mode. We would break too many things
- * otherwise..
- */
-
- if (buf[0] != '1') {
- /* drop down to non-FIPS mode if it is not requested */
- FIPS_mode_set(0);
- } else {
- /* abort if selftest failed */
- FIPS_selftest_check();
- }
-}
/*
* Perform FIPS module power on selftest and automatic FIPS mode switch.
@@ -63,11 +17,6 @@ static void init_fips_mode(void)
void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
- static int done = 0;
- if (done)
- return;
- done = 1;
- init_fips_mode();
}
#endif