[openssl] avoid dlopening libssl.so from libcrypto (#1010357)
Tomáš Mráz
tmraz at fedoraproject.org
Mon Sep 23 16:30:16 UTC 2013
commit df94661da5722bb446b456862cefd1fdf61bab3d
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Mon Sep 23 18:30:01 2013 +0200
avoid dlopening libssl.so from libcrypto (#1010357)
openssl-1.0.1e-fips-ctor.patch | 87 ++++++++++++++++++++++++++++++++++++----
openssl.spec | 5 ++-
2 files changed, 83 insertions(+), 9 deletions(-)
---
diff --git a/openssl-1.0.1e-fips-ctor.patch b/openssl-1.0.1e-fips-ctor.patch
index 093a7f4..0121dec 100644
--- a/openssl-1.0.1e-fips-ctor.patch
+++ b/openssl-1.0.1e-fips-ctor.patch
@@ -1,6 +1,6 @@
diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
---- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-02 14:20:26.853925144 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-02 14:22:18.082370680 +0200
+--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-23 18:05:15.731136863 +0200
++++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-23 18:18:27.953969770 +0200
@@ -60,6 +60,8 @@
#include <dlfcn.h>
#include <stdio.h>
@@ -23,11 +23,65 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
#define READ_BUFFER_LENGTH 16384
static char *
-@@ -341,6 +345,32 @@ end:
+@@ -279,19 +283,13 @@ end:
+ }
+
+ static int
+-FIPSCHECK_verify(const char *libname, const char *symbolname)
++FIPSCHECK_verify(const char *path)
+ {
+- char path[PATH_MAX+1];
+- int rv;
++ int rv = 0;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+-
+- rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+- if (rv < 0)
+- return 0;
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+@@ -341,6 +339,64 @@ end:
return 1;
}
-+int FIPS_module_installed(void)
++static int
++verify_checksums(void)
++ {
++ int rv;
++ char path[PATH_MAX+1];
++ char *p;
++
++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++ are in the same directory */
++
++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
++ if (rv < 0)
++ return 0;
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++
++ /* replace libcrypto with libssl */
++ while ((p = strstr(path, "libcrypto.so")) != NULL)
++ {
++ p = stpcpy(p, "libssl");
++ memmove(p, p+3, strlen(p+2));
++ }
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++ return 1;
++ }
++
++int
++FIPS_module_installed(void)
+ {
+ char path[PATH_MAX+1];
+ int rv;
@@ -56,9 +110,26 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/
int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
+@@ -379,15 +435,7 @@ int FIPS_module_mode_set(int onoff, cons
+ }
+ #endif
+
+- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
+- {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
+- }
+-
+- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
++ if(!verify_checksums())
+ {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
---- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-02 14:20:26.857925232 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-02 14:20:26.915926507 +0200
+--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-23 18:05:15.734136931 +0200
++++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-23 18:05:15.775137854 +0200
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
int FIPS_module_mode_set(int onoff, const char *auth);
@@ -68,8 +139,8 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
---- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-02 14:20:26.894926046 +0200
-+++ openssl-1.0.1e/crypto/o_init.c 2013-09-02 14:20:26.916926529 +0200
+--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-23 18:05:15.762137561 +0200
++++ openssl-1.0.1e/crypto/o_init.c 2013-09-23 18:05:15.776137876 +0200
@@ -73,6 +73,10 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
diff --git a/openssl.spec b/openssl.spec
index 122e00d..942a28e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1e
-Release: 24%{?dist}
+Release: 25%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -473,6 +473,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
prelink -u %{_libdir}/libcrypto.so.%{version} %{_libdir}/libssl.so.%{version} 2>/dev/null || :
%changelog
+* Mon Sep 23 2013 Tomáš Mráz <tmraz at redhat.com> 1.0.1e-25
+- avoid dlopening libssl.so from libcrypto (#1010357)
+
* Fri Sep 20 2013 Tomáš Mráz <tmraz at redhat.com> 1.0.1e-24
- fix small memory leak in FIPS aes selftest
More information about the scm-commits
mailing list