SHA256
1
0
forked from pool/openssl-1_1
openssl-1_1/openssl-fips-selftests_in_nonfips_mode.patch
Tomáš Chvátal c29de1fbdc Accepting request 766865 from home:vitezslav_cizek:branches:security:tls
Add million FIPS and s390 patches

- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our
  layered FIPS initialization
  * openssl-fips-ignore_broken_atexit_test.patch

- Import FIPS patches from SLE-15
  * openssl-fips-dont_run_FIPS_module_installed.patch
  * openssl-fips_mode.patch
  * openssl-ship_fips_standalone_hmac.patch
  * openssl-fips-clearerror.patch
  * openssl-fips-selftests_in_nonfips_mode.patch

- Don't run FIPS power-up self-tests when the checksum files aren't
  installed (bsc#1042392)
  * add openssl-fips-run_selftests_only_when_module_is_complete.patch

- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553)
  * openssl-1.1.1-fips-crng-test.patch
  * openssl-1.1.1-fips-post-rand.patch
  * openssl-1.1.1-fips.patch
  * openssl-1.1.0-issuer-hash.patch
  * openssl-1.1.1-evp-kdf.patch
  * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch

- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861]
- Add patches:
  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
  * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
  * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
  * openssl-s390xcpuid.pl-fix-comment.patch

OBS-URL: https://build.opensuse.org/request/show/766865
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 11:52:58 +00:00

75 lines
2.9 KiB
Diff

Index: openssl-1.1.1d/crypto/fips/fips.c
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.416634119 +0100
+++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:11.556634952 +0100
@@ -486,6 +486,44 @@ int FIPS_module_mode_set(int onoff)
return ret;
}
+/* In non-FIPS mode, the selftests must succeed if the
+ * checksum files are present
+ */
+void NONFIPS_selftest_check(void)
+{
+ int rv;
+ char *hmacpath;
+ char path[PATH_MAX+1];
+
+ if (fips_selftest_fail)
+ {
+ /* check if the checksum files are installed */
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
+
+ if (access(hmacpath, F_OK))
+ {
+ /* no hmac file is present, ignore the failed selftests */
+ if (errno == ENOENT)
+ {
+ free(hmacpath);
+ return;
+ }
+ /* we fail on any other error */
+ }
+ /* if the file exists, but the selftests failed
+ (eg wrong checksum), we fail too */
+ free(hmacpath);
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
+ }
+ /* otherwise ok, selftests were successful */
+}
+
static CRYPTO_THREAD_ID fips_threadid;
static int fips_thread_set = 0;
Index: openssl-1.1.1d/crypto/o_init.c
===================================================================
--- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.536634832 +0100
+++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:17.000667299 +0100
@@ -45,6 +45,8 @@ static void init_fips_mode(void)
*/
if (buf[0] != '1') {
+ /* abort if selftest failed and the module is complete */
+ NONFIPS_selftest_check();
/* drop down to non-FIPS mode if it is not requested */
FIPS_mode_set(0);
} else {
Index: openssl-1.1.1d/include/openssl/fips.h
===================================================================
--- openssl-1.1.1d.orig/include/openssl/fips.h 2020-01-23 13:45:11.344633691 +0100
+++ openssl-1.1.1d/include/openssl/fips.h 2020-01-23 13:45:11.556634952 +0100
@@ -65,6 +65,7 @@ extern "C" {
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
int FIPS_selftest_drbg_all(void);
+ void NONFIPS_selftest_check(void);
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
const EVP_MD *evpmd, const unsigned char *seed_in,