You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
3.4 KiB
125 lines
3.4 KiB
Disable FIPS mode |
|
|
|
FIPS mode is not supported for compat-openssl11. Apply a minimal patch |
|
that will reject explicit enabling of FIPS mode and disable automatic |
|
activation of FIPS mode. |
|
|
|
To avoid regressions, keep the rest of the library as it was. |
|
|
|
diff -up openssl-1.1.1k/crypto/fips/fips.c.disable-fips openssl-1.1.1k/crypto/fips/fips.c |
|
--- openssl-1.1.1k/crypto/fips/fips.c.disable-fips 2022-05-30 17:05:28.604500582 +0200 |
|
+++ openssl-1.1.1k/crypto/fips/fips.c 2022-05-30 17:09:46.129110042 +0200 |
|
@@ -405,13 +405,8 @@ static int verify_checksums(void) |
|
|
|
int FIPS_module_installed(void) |
|
{ |
|
- int rv; |
|
- rv = access(FIPS_MODULE_PATH, F_OK); |
|
- if (rv < 0 && errno != ENOENT) |
|
- rv = 0; |
|
- |
|
/* Installed == true */ |
|
- return !rv || FIPS_module_mode(); |
|
+ return 0; |
|
} |
|
|
|
int FIPS_module_mode_set(int onoff) |
|
diff -up openssl-1.1.1k/crypto/o_fips.c.disable-fips openssl-1.1.1k/crypto/o_fips.c |
|
--- openssl-1.1.1k/crypto/o_fips.c.disable-fips 2022-05-30 17:05:37.411658179 +0200 |
|
+++ openssl-1.1.1k/crypto/o_fips.c 2022-05-30 17:06:25.279514707 +0200 |
|
@@ -12,24 +12,14 @@ |
|
|
|
int FIPS_mode(void) |
|
{ |
|
-#ifdef OPENSSL_FIPS |
|
- return FIPS_module_mode(); |
|
-#else |
|
/* This version of the library does not support FIPS mode. */ |
|
return 0; |
|
-#endif |
|
} |
|
|
|
int FIPS_mode_set(int r) |
|
{ |
|
-#ifdef OPENSSL_FIPS |
|
- if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ |
|
- return 1; |
|
- return FIPS_module_mode_set(r); |
|
-#else |
|
if (r == 0) |
|
return 1; |
|
CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); |
|
return 0; |
|
-#endif |
|
} |
|
diff -up openssl-1.1.1k/crypto/o_init.c.disable-fips openssl-1.1.1k/crypto/o_init.c |
|
--- openssl-1.1.1k/crypto/o_init.c.disable-fips 2022-05-30 17:06:58.250104676 +0200 |
|
+++ openssl-1.1.1k/crypto/o_init.c 2022-05-30 17:17:12.369135344 +0200 |
|
@@ -7,55 +7,9 @@ |
|
* https://www.openssl.org/source/license.html |
|
*/ |
|
|
|
-/* for secure_getenv */ |
|
-#define _GNU_SOURCE |
|
#include "e_os.h" |
|
#include <openssl/err.h> |
|
#ifdef OPENSSL_FIPS |
|
-# include <sys/types.h> |
|
-# include <sys/stat.h> |
|
-# include <fcntl.h> |
|
-# include <unistd.h> |
|
-# include <errno.h> |
|
-# include <stdlib.h> |
|
-# include <openssl/rand.h> |
|
-# include <openssl/fips.h> |
|
-# include "crypto/fips.h" |
|
- |
|
-# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" |
|
- |
|
-static void init_fips_mode(void) |
|
-{ |
|
- char buf[2] = "0"; |
|
- int fd; |
|
- |
|
- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { |
|
- buf[0] = '1'; |
|
- } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { |
|
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; |
|
- close(fd); |
|
- } |
|
- |
|
- if (buf[0] != '1' && !FIPS_module_installed()) |
|
- return; |
|
- |
|
- /* Ensure the selftests always run */ |
|
- /* XXX: TO SOLVE - premature initialization due to selftests */ |
|
- FIPS_mode_set(1); |
|
- |
|
- /* Failure reading the fips mode switch file means just not |
|
- * switching into FIPS mode. We would break too many things |
|
- * otherwise.. |
|
- */ |
|
- |
|
- if (buf[0] != '1') { |
|
- /* drop down to non-FIPS mode if it is not requested */ |
|
- FIPS_mode_set(0); |
|
- } else { |
|
- /* abort if selftest failed */ |
|
- FIPS_selftest_check(); |
|
- } |
|
-} |
|
|
|
/* |
|
* Perform FIPS module power on selftest and automatic FIPS mode switch. |
|
@@ -63,11 +17,6 @@ static void init_fips_mode(void) |
|
|
|
void __attribute__ ((constructor)) OPENSSL_init_library(void) |
|
{ |
|
- static int done = 0; |
|
- if (done) |
|
- return; |
|
- done = 1; |
|
- init_fips_mode(); |
|
} |
|
#endif |
|
|
|
|