Index: openssl-1.0.1e/crypto/fips/fips.c =================================================================== --- openssl-1.0.1e.orig/crypto/fips/fips.c +++ openssl-1.0.1e/crypto/fips/fips.c @@ -60,6 +60,8 @@ #include #include #include +#include +#include #include "fips_locl.h" #ifdef OPENSSL_FIPS @@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len) return hex; } -#define HMAC_PREFIX "." -#define HMAC_SUFFIX ".hmac" +#define HMAC_PREFIX "." +#ifndef HMAC_SUFFIX +#define HMAC_SUFFIX ".hmac" +#endif #define READ_BUFFER_LENGTH 16384 static char * @@ -279,19 +283,13 @@ end: } static int -FIPSCHECK_verify(const char *libname, const char *symbolname) +FIPSCHECK_verify(const char *path) { - char path[PATH_MAX+1]; - int rv; + int rv = 0; FILE *hf; char *hmacpath, *p; char *hmac = NULL; size_t n; - - rv = get_library_path(libname, symbolname, path, sizeof(path)); - - if (rv < 0) - return 0; hmacpath = make_hmac_path(path); if (hmacpath == NULL) @@ -341,6 +339,53 @@ end: return 1; } +static int +verify_checksums(void) + { + int rv; + char path[PATH_MAX+1]; + char *p; + + /* we need to avoid dlopening libssl, assume both libcrypto and libssl + are in the same directory */ + + rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); + if (rv < 0) + return 0; + + rv = FIPSCHECK_verify(path); + if (!rv) + return 0; + + /* replace libcrypto with libssl */ + while ((p = strstr(path, "libcrypto.so")) != NULL) + { + p = stpcpy(p, "libssl"); + memmove(p, p+3, strlen(p+2)); + } + + rv = FIPSCHECK_verify(path); + if (!rv) + return 0; + return 1; + } + +#ifndef FIPS_MODULE_PATH +#define FIPS_MODULE_PATH "/etc/system-fips" +#endif + +int +FIPS_module_installed(void) + { + int rv; + rv = access(FIPS_MODULE_PATH, F_OK); + if (rv < 0 && errno != ENOENT) + rv = 0; + + /* Installed == true */ + return !rv; + } + int FIPS_module_mode_set(int onoff, const char *auth) { int ret = 0; @@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons } #endif - if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set")) - { - FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; - ret = 0; - goto end; - } - - if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new")) + if(!verify_checksums()) { FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); fips_selftest_fail = 1; Index: openssl-1.0.1e/crypto/fips/fips.h =================================================================== --- openssl-1.0.1e.orig/crypto/fips/fips.h +++ openssl-1.0.1e/crypto/fips/fips.h @@ -74,6 +74,7 @@ struct hmac_ctx_st; int FIPS_module_mode_set(int onoff, const char *auth); int FIPS_module_mode(void); +int FIPS_module_installed(void); const void *FIPS_rand_check(void); int FIPS_selftest(void); int FIPS_selftest_failed(void); Index: openssl-1.0.1e/crypto/o_init.c =================================================================== --- openssl-1.0.1e.orig/crypto/o_init.c +++ openssl-1.0.1e/crypto/o_init.c @@ -70,6 +70,9 @@ static void init_fips_mode(void) { char buf[2] = "0"; int fd; + + /* Ensure the selftests always run */ + FIPS_mode_set(1); if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { @@ -85,9 +88,15 @@ static void init_fips_mode(void) * otherwise. */ - if (buf[0] == '1') + if (buf[0] != '1') + { + /* drop down to non-FIPS mode if it is not requested */ + FIPS_mode_set(0); + } + else { - FIPS_mode_set(1); + /* abort if selftest failed */ + FIPS_selftest_check(); } } #endif @@ -96,13 +105,19 @@ static void init_fips_mode(void) * Currently only sets FIPS callbacks */ -void OPENSSL_init_library(void) +void __attribute__ ((constructor)) OPENSSL_init_library(void) { static int done = 0; if (done) return; done = 1; #ifdef OPENSSL_FIPS + /* this should be an option, comment it, temporarily */ + /* if (!FIPS_module_installed()) + { + return; + } + */ RAND_init_fips(); init_fips_mode(); if (!FIPS_mode())