openssl-3/openssl-Add-Kernel-FIPS-mode-flag-support.patch

From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch

Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
Patch-status: |
    # Add check to see if fips flag is enabled in kernel
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
 crypto/context.c            | 36 ++++++++++++++++++++++++++++++++++++
 include/internal/provider.h |  3 +++
 2 files changed, 39 insertions(+)

Index: openssl-3.2.3/crypto/context.c
===================================================================
--- openssl-3.2.3.orig/crypto/context.c
+++ openssl-3.2.3/crypto/context.c
@@ -17,6 +17,40 @@
 #include "crypto/decoder.h"
 #include "crypto/context.h"
 
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <unistd.h>
+# include <openssl/evp.h>
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static int kernel_fips_flag;
+
+static void read_kernel_fips_flag(void)
+{
+    char buf[2] = "0";
+    int fd;
+
+    if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+        buf[0] = '1';
+    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+        close(fd);
+    }
+
+    if (buf[0] == '1') {
+        kernel_fips_flag = 1;
+    }
+
+    return;
+}
+
+int ossl_get_kernel_fips_flag()
+{
+    return kernel_fips_flag;
+}
+
 struct ossl_lib_ctx_st {
     CRYPTO_RWLOCK *lock, *rand_crngt_lock;
     OSSL_EX_DATA_GLOBAL global;
@@ -368,6 +402,7 @@ static int default_context_inited = 0;
 
 DEFINE_RUN_ONCE_STATIC(default_context_do_init)
 {
+    read_kernel_fips_flag();
     if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
         goto err;
 
Index: openssl-3.2.3/include/internal/provider.h
===================================================================
--- openssl-3.2.3.orig/include/internal/provider.h
+++ openssl-3.2.3/include/internal/provider.h
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB
                                 const OSSL_DISPATCH *in);
 void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
 
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
 # ifdef __cplusplus
 }
 # endif