You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
174 lines
4.8 KiB
174 lines
4.8 KiB
diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c |
|
--- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200 |
|
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200 |
|
@@ -60,6 +60,8 @@ |
|
#include <dlfcn.h> |
|
#include <stdio.h> |
|
#include <stdlib.h> |
|
+#include <unistd.h> |
|
+#include <errno.h> |
|
#include "fips_locl.h" |
|
|
|
#ifdef OPENSSL_FIPS |
|
@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l |
|
} |
|
|
|
# define HMAC_PREFIX "." |
|
-# define HMAC_SUFFIX ".hmac" |
|
+# ifndef HMAC_SUFFIX |
|
+# define HMAC_SUFFIX ".hmac" |
|
+# endif |
|
# define READ_BUFFER_LENGTH 16384 |
|
|
|
static char *make_hmac_path(const char *origpath) |
|
@@ -279,20 +283,14 @@ static int compute_file_hmac(const char |
|
return rv; |
|
} |
|
|
|
-static int FIPSCHECK_verify(const char *libname, const char *symbolname) |
|
+static int FIPSCHECK_verify(const char *path) |
|
{ |
|
- char path[PATH_MAX + 1]; |
|
- int rv; |
|
+ int rv = 0; |
|
FILE *hf; |
|
char *hmacpath, *p; |
|
char *hmac = NULL; |
|
size_t n; |
|
|
|
- rv = get_library_path(libname, symbolname, path, sizeof(path)); |
|
- |
|
- if (rv < 0) |
|
- return 0; |
|
- |
|
hmacpath = make_hmac_path(path); |
|
if (hmacpath == NULL) |
|
return 0; |
|
@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char * |
|
return 1; |
|
} |
|
|
|
+static int verify_checksums(void) |
|
+{ |
|
+ int rv; |
|
+ char path[PATH_MAX + 1]; |
|
+ char *p; |
|
+ |
|
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl |
|
+ are in the same directory */ |
|
+ |
|
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, |
|
+ "FIPS_mode_set", path, sizeof(path)); |
|
+ if (rv < 0) |
|
+ return 0; |
|
+ |
|
+ rv = FIPSCHECK_verify(path); |
|
+ if (!rv) |
|
+ return 0; |
|
+ |
|
+ /* replace libcrypto with libssl */ |
|
+ while ((p = strstr(path, "libcrypto.so")) != NULL) { |
|
+ p = stpcpy(p, "libssl"); |
|
+ memmove(p, p + 3, strlen(p + 2)); |
|
+ } |
|
+ |
|
+ rv = FIPSCHECK_verify(path); |
|
+ if (!rv) |
|
+ return 0; |
|
+ return 1; |
|
+} |
|
+ |
|
+# ifndef FIPS_MODULE_PATH |
|
+# define FIPS_MODULE_PATH "/etc/system-fips" |
|
+# endif |
|
+ |
|
+int FIPS_module_installed(void) |
|
+{ |
|
+ int rv; |
|
+ rv = access(FIPS_MODULE_PATH, F_OK); |
|
+ if (rv < 0 && errno != ENOENT) |
|
+ rv = 0; |
|
+ |
|
+ /* Installed == true */ |
|
+ return !rv; |
|
+} |
|
+ |
|
int FIPS_module_mode_set(int onoff, const char *auth) |
|
{ |
|
int ret = 0; |
|
@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons |
|
} |
|
# endif |
|
|
|
- if (!FIPSCHECK_verify |
|
- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) { |
|
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, |
|
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); |
|
- fips_selftest_fail = 1; |
|
- ret = 0; |
|
- goto end; |
|
- } |
|
- |
|
- if (!FIPSCHECK_verify |
|
- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) { |
|
+ if (!verify_checksums()) { |
|
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, |
|
FIPS_R_FINGERPRINT_DOES_NOT_MATCH); |
|
fips_selftest_fail = 1; |
|
diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h |
|
--- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200 |
|
+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200 |
|
@@ -74,6 +74,7 @@ extern "C" { |
|
|
|
int FIPS_module_mode_set(int onoff, const char *auth); |
|
int FIPS_module_mode(void); |
|
+ int FIPS_module_installed(void); |
|
const void *FIPS_rand_check(void); |
|
int FIPS_selftest(void); |
|
int FIPS_selftest_failed(void); |
|
diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c |
|
--- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200 |
|
+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200 |
|
@@ -74,6 +74,9 @@ static void init_fips_mode(void) |
|
char buf[2] = "0"; |
|
int fd; |
|
|
|
+ /* Ensure the selftests always run */ |
|
+ FIPS_mode_set(1); |
|
+ |
|
if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { |
|
buf[0] = '1'; |
|
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { |
|
@@ -85,8 +88,12 @@ static void init_fips_mode(void) |
|
* otherwise.. |
|
*/ |
|
|
|
- if (buf[0] == '1') { |
|
- FIPS_mode_set(1); |
|
+ if (buf[0] != '1') { |
|
+ /* drop down to non-FIPS mode if it is not requested */ |
|
+ FIPS_mode_set(0); |
|
+ } else { |
|
+ /* abort if selftest failed */ |
|
+ FIPS_selftest_check(); |
|
} |
|
} |
|
#endif |
|
@@ -96,13 +103,16 @@ static void init_fips_mode(void) |
|
* sets FIPS callbacks |
|
*/ |
|
|
|
-void OPENSSL_init_library(void) |
|
+void __attribute__ ((constructor)) OPENSSL_init_library(void) |
|
{ |
|
static int done = 0; |
|
if (done) |
|
return; |
|
done = 1; |
|
#ifdef OPENSSL_FIPS |
|
+ if (!FIPS_module_installed()) { |
|
+ return; |
|
+ } |
|
RAND_init_fips(); |
|
init_fips_mode(); |
|
if (!FIPS_mode()) {
|
|
|