openssl-3/openssl-Force-FIPS.patch

From 22c5e2dc99406629b2c37c1ddf1151d6fb8ad7d1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 22/53] FIPS: Force fips provider on

Patch-name: 0032-Force-fips.patch
Patch-id: 32
Patch-status: |
    # # We load FIPS provider and set FIPS properties implicitly
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
 crypto/provider_conf.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index 5ec50f97e4..a2a9786e1c 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -10,6 +10,8 @@
 #include <string.h>
 #include <openssl/trace.h>
 #include <openssl/err.h>
+#include <openssl/evp.h>
+#include <unistd.h>
 #include <openssl/conf.h>
 #include <openssl/safestack.h>
 #include <openssl/provider.h>
@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
         if (path != NULL)
             ossl_provider_set_module_path(prov, path);
 
-        ok = provider_conf_params(prov, NULL, NULL, value, cnf);
+        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
 
         if (ok == 1) {
             if (!ossl_provider_activate(prov, 1, 0)) {
@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
 
         if (ok <= 0)
             ossl_provider_free(prov);
+    } else {
+        ok = 1;
     }
     CRYPTO_THREAD_unlock(pcgbl->lock);
 
@@ -420,6 +424,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
             return 0;
     }
 
+    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
+        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
+#  define FIPS_LOCAL_CONF           OPENSSLDIR "/fips_local.cnf"
+
+        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
+            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
+            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
+                return 0;
+
+            if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
+                NCONF_free(fips_conf);
+                return 0;
+            }
+            NCONF_free(fips_conf);
+        } else {
+            if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
+                return 0;
+        }
+        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
+            return 0;
+        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
+            return 0;
+    }
+
     return 1;
 }
 
-- 
2.49.0