[openssl] always perform the FIPS selftests in library constructor

Thu Aug 29 09:45:21 UTC 2013

commit 1465572e177f769766ad0cc397bc344b086855c8
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Aug 29 11:45:04 2013 +0200

    always perform the FIPS selftests in library constructor
    
      if FIPS module is installed

 openssl-1.0.1e-fips-ctor.patch |  102 ++++++++++++++++++++++++++++++++++++++++
 openssl.spec                   |    8 +++-
 2 files changed, 109 insertions(+), 1 deletions(-)
---

diff --git a/openssl-1.0.1e-fips-ctor.patch b/openssl-1.0.1e-fips-ctor.patch
new file mode 100644
index 0000000..71205fd
--- /dev/null
+++ b/openssl-1.0.1e-fips-ctor.patch
@@ -0,0 +1,102 @@
+diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
+--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor	2013-08-27 15:44:08.000000000 +0200
++++ openssl-1.0.1e/crypto/fips/fips.c	2013-08-29 11:13:04.279245656 +0200
+@@ -60,6 +60,8 @@
+ #include <dlfcn.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
+ #include "fips_locl.h"
+ 
+ #ifdef OPENSSL_FIPS
+@@ -341,6 +343,32 @@ end:
+ 	return 1;	
+ }
+ 
++int FIPS_module_installed(void)
++    {
++	char path[PATH_MAX+1];
++	int rv;
++	char *hmacpath, *p;
++	char *hmac = NULL;
++	size_t n;
++	
++	rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
++
++	if (rv < 0)
++		return 0;
++
++	hmacpath = make_hmac_path(path);
++	if (hmacpath == NULL)
++		return 0;
++
++	rv = access(hmacpath, F_OK);
++	if (rv < 0 && errno != ENOENT)
++		rv = 0;
++
++        free(hmacpath);
++	/* Installed == true */
++	return !rv;
++    }
++
+ int FIPS_module_mode_set(int onoff, const char *auth)
+     {
+     int ret = 0;
+diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
+--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor	2013-08-27 15:44:08.000000000 +0200
++++ openssl-1.0.1e/crypto/fips/fips.h	2013-08-29 11:41:04.233049349 +0200
+@@ -74,6 +74,7 @@ struct hmac_ctx_st;
+ 
+ int FIPS_module_mode_set(int onoff, const char *auth);
+ int FIPS_module_mode(void);
++int FIPS_module_installed(void);
+ const void *FIPS_rand_check(void);
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
+--- openssl-1.0.1e/crypto/o_init.c.fips-ctor	2013-08-27 15:44:09.000000000 +0200
++++ openssl-1.0.1e/crypto/o_init.c	2013-08-29 11:39:37.760101734 +0200
+@@ -73,6 +73,10 @@ static void init_fips_mode(void)
+ 	char buf[2] = "0";
+ 	int fd;
+ 	
++	/* Ensure the selftests always run and abort on error */
++	FIPS_mode_set(1);
++	FIPS_selftest_check();
++
+ 	if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ 		{
+ 		buf[0] = '1';
+@@ -87,9 +91,10 @@ static void init_fips_mode(void)
+ 	 * otherwise. 
+ 	 */
+ 	
+-	if (buf[0] == '1')
++	if (buf[0] != '1')
+ 		{
+-		FIPS_mode_set(1);
++		/* drop down to non-FIPS mode if it is not requested */
++		FIPS_mode_set(0);
+ 		}
+ 	}
+ #endif
+@@ -98,13 +103,17 @@ static void init_fips_mode(void)
+  * Currently only sets FIPS callbacks
+  */
+ 
+-void OPENSSL_init_library(void)
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ 	{
+ 	static int done = 0;
+ 	if (done)
+ 		return;
+ 	done = 1;
+ #ifdef OPENSSL_FIPS
++	if (!FIPS_module_installed())
++		{
++		return;
++		}
+ 	RAND_init_fips();
+ 	init_fips_mode();
+ 	if (!FIPS_mode())
diff --git a/openssl.spec b/openssl.spec
index 68feaec..a067d75 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 16%{?dist}
+Release: 17%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -70,6 +70,7 @@ Patch66: openssl-1.0.1-pkgconfig-krb5.patch
 Patch68: openssl-1.0.1e-secure-getenv.patch
 Patch69: openssl-1.0.1c-dh-1024.patch
 Patch71: openssl-1.0.1e-manfix.patch
+Patch72: openssl-1.0.1e-fips-ctor.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.1-beta2-padlock64.patch
 Patch82: openssl-1.0.1e-backports.patch
@@ -189,6 +190,7 @@ OpenSSL FIPS module.
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .backports
 %patch71 -p1 -b .manfix
+%patch72 -p1 -b .fips-ctor
 %patch83 -p1 -b .bad-mac
 %patch84 -p1 -b .trusted-first
 
@@ -466,6 +468,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :
 
 %changelog
+* Thu Aug 29 2013 Tomas Mraz <tmraz at redhat.com> 1.0.1e-17
+- always perform the FIPS selftests in library constructor
+  if FIPS module is installed
+
 * Tue Aug 27 2013 Tomas Mraz <tmraz at redhat.com> 1.0.1e-16
 - add -fips subpackage that contains the FIPS module files
 
