1b4b1ea
diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
1b4b1ea
--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode	2009-07-01 16:55:58.000000000 +0200
1b4b1ea
+++ openssl-1.0.0a/crypto/engine/eng_all.c	2010-06-04 13:32:13.000000000 +0200
bb917d4
@@ -58,9 +58,23 @@
1d20b5f
 
bb917d4
 #include "cryptlib.h"
bb917d4
 #include "eng_int.h"
1d20b5f
+#ifdef OPENSSL_FIPS
bb917d4
+#include <openssl/fips.h>
1d20b5f
+#endif
bb917d4
 
bb917d4
 void ENGINE_load_builtin_engines(void)
bb917d4
 	{
1d20b5f
+#ifdef OPENSSL_FIPS
2ccfa6b
+	OPENSSL_init_library();
bb917d4
+	if (FIPS_mode()) {
bb917d4
+		/* We allow loading dynamic engine as a third party
bb917d4
+		   engine might be FIPS validated.
bb917d4
+		   User is disallowed to load non-validated engines
bb917d4
+		   by security policy. */
bb917d4
+		ENGINE_load_dynamic();
bb917d4
+		return;
bb917d4
+	}
1d20b5f
+#endif
2ccfa6b
 #if 0
bb917d4
 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
bb917d4
 	 * it is the *only* way for standard builtin implementations to be be
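Review bot: The FIPS branch in ENGINE_load_builtin_engines() still registers the dynamic engine before returning, and the restriction in the comment ("disallowed to load non-validated engines by security policy") is not enforced by anything on these lines. The dynamic engine loads whatever shared object the caller names, so in FIPS mode the validated boundary depends entirely on the application and its configuration. The comment should say that explicitly, for example `/* NOTE: not enforced here; the caller must restrict which engine modules are loaded in FIPS mode. */`. As a style point, `if (FIPS_mode()) {` puts the brace on the same line, unlike the rest of the function. The function body continues outside the hunk.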
1b4b1ea
diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
1b4b1ea
--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode	2009-12-25 15:12:24.000000000 +0100
1b4b1ea
+++ openssl-1.0.0a/crypto/evp/c_allc.c	2010-06-04 13:32:13.000000000 +0200
1d20b5f
@@ -65,6 +65,11 @@
1d20b5f
 void OpenSSL_add_all_ciphers(void)
1d20b5f
 	{
1d20b5f
 
1d20b5f
+#ifdef OPENSSL_FIPS
2ccfa6b
+	OPENSSL_init_library();
1d20b5f
+	if(!FIPS_mode()) 
1d20b5f
+		{
1d20b5f
+#endif
1d20b5f
 #ifndef OPENSSL_NO_DES
1d20b5f
 	EVP_add_cipher(EVP_des_cfb());
1d20b5f
 	EVP_add_cipher(EVP_des_cfb1());
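Review bot: The `{` opened under `if(!FIPS_mode())` is closed only by a second `#ifdef OPENSSL_FIPS` block at the end of the function, in a later hunk, and the lines in between keep their old indentation, so the pairing is easy to break in a later edit. A marker comment on the brace would help, e.g. `{ /* non-FIPS list; closed in the OPENSSL_FIPS block at the end of this function */`. The spelling also differs from c_alld.c and ssl_algs.c, which write `if (!FIPS_mode())` with a space after `if` and no trailing space. The same split-brace construct is used in the first hunks of those two files.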
1b4b1ea
@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
1d20b5f
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
1d20b5f
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
1d20b5f
 #endif
1d20b5f
+#ifdef OPENSSL_FIPS
1d20b5f
+		}
1d20b5f
+	else
1d20b5f
+		{
1d20b5f
+#ifndef OPENSSL_NO_DES
1d20b5f
+	EVP_add_cipher(EVP_des_ede_cfb());
1d20b5f
+	EVP_add_cipher(EVP_des_ede3_cfb());
1d20b5f
+
1d20b5f
+	EVP_add_cipher(EVP_des_ede_ofb());
1d20b5f
+	EVP_add_cipher(EVP_des_ede3_ofb());
1d20b5f
+
1d20b5f
+	EVP_add_cipher(EVP_des_ede_cbc());
1d20b5f
+	EVP_add_cipher(EVP_des_ede3_cbc());
1d20b5f
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
1d20b5f
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
1d20b5f
+
1d20b5f
+	EVP_add_cipher(EVP_des_ede());
1d20b5f
+	EVP_add_cipher(EVP_des_ede3());
1d20b5f
+#endif
1d20b5f
+
1d20b5f
+#ifndef OPENSSL_NO_AES
1d20b5f
+	EVP_add_cipher(EVP_aes_128_ecb());
1d20b5f
+	EVP_add_cipher(EVP_aes_128_cbc());
1d20b5f
+	EVP_add_cipher(EVP_aes_128_cfb());
1d20b5f
+	EVP_add_cipher(EVP_aes_128_cfb1());
1d20b5f
+	EVP_add_cipher(EVP_aes_128_cfb8());
1d20b5f
+	EVP_add_cipher(EVP_aes_128_ofb());
1d20b5f
+#if 0
1d20b5f
+	EVP_add_cipher(EVP_aes_128_ctr());
1d20b5f
+#endif
1d20b5f
+	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
1d20b5f
+	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
1d20b5f
+	EVP_add_cipher(EVP_aes_192_ecb());
1d20b5f
+	EVP_add_cipher(EVP_aes_192_cbc());
1d20b5f
+	EVP_add_cipher(EVP_aes_192_cfb());
1d20b5f
+	EVP_add_cipher(EVP_aes_192_cfb1());
1d20b5f
+	EVP_add_cipher(EVP_aes_192_cfb8());
1d20b5f
+	EVP_add_cipher(EVP_aes_192_ofb());
1d20b5f
+#if 0
1d20b5f
+	EVP_add_cipher(EVP_aes_192_ctr());
1d20b5f
+#endif
1d20b5f
+	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
1d20b5f
+	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
1d20b5f
+	EVP_add_cipher(EVP_aes_256_ecb());
1d20b5f
+	EVP_add_cipher(EVP_aes_256_cbc());
1d20b5f
+	EVP_add_cipher(EVP_aes_256_cfb());
1d20b5f
+	EVP_add_cipher(EVP_aes_256_cfb1());
1d20b5f
+	EVP_add_cipher(EVP_aes_256_cfb8());
1d20b5f
+	EVP_add_cipher(EVP_aes_256_ofb());
1d20b5f
+#if 0
1d20b5f
+	EVP_add_cipher(EVP_aes_256_ctr());
1d20b5f
+#endif
1d20b5f
+	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
1d20b5f
+	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
1d20b5f
+#endif
1d20b5f
+		}
1d20b5f
+#endif
2ccfa6b
 	}
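Review bot: The FIPS branch repeats cipher registrations as a second hand-maintained list, so a cipher added to or removed from the main list later will silently not reach FIPS mode, or the reverse; the same pattern appears in the FIPS branches of c_alld.c and ssl_algs.c. A comment at the top of the `else` block stating the rule would help, e.g. `/* FIPS mode: register approved algorithms only; keep in sync with the list above */`. The three `#if 0` blocks around the `EVP_aes_*_ctr()` calls carry no explanation; either remove them or say why CTR is excluded.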
1b4b1ea
diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
1b4b1ea
--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
1b4b1ea
+++ openssl-1.0.0a/crypto/evp/c_alld.c	2010-06-04 13:32:13.000000000 +0200
bb917d4
@@ -64,6 +64,11 @@
bb917d4
 
bb917d4
 void OpenSSL_add_all_digests(void)
bb917d4
 	{
bb917d4
+#ifdef OPENSSL_FIPS
2ccfa6b
+	OPENSSL_init_library();
bb917d4
+	if (!FIPS_mode())
bb917d4
+		{
bb917d4
+#endif
2ccfa6b
 #ifndef OPENSSL_NO_MD4
2ccfa6b
 	EVP_add_digest(EVP_md4());
bb917d4
 #endif
1b4b1ea
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
2ccfa6b
 #ifndef OPENSSL_NO_WHIRLPOOL
2ccfa6b
 	EVP_add_digest(EVP_whirlpool());
1b4b1ea
 #endif
bb917d4
+#ifdef OPENSSL_FIPS
bb917d4
+		}
bb917d4
+	else
bb917d4
+		{
2ccfa6b
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
bb917d4
+	EVP_add_digest(EVP_sha1());
bb917d4
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
bb917d4
+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
bb917d4
+#ifndef OPENSSL_NO_DSA
bb917d4
+	EVP_add_digest(EVP_dss1());
bb917d4
+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
bb917d4
+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
bb917d4
+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
bb917d4
+#endif
bb917d4
+#ifndef OPENSSL_NO_ECDSA
bb917d4
+	EVP_add_digest(EVP_ecdsa());
bb917d4
+#endif
bb917d4
+#endif
bb917d4
+#ifndef OPENSSL_NO_SHA256
bb917d4
+	EVP_add_digest(EVP_sha224());
bb917d4
+	EVP_add_digest(EVP_sha256());
bb917d4
+#endif
bb917d4
+#ifndef OPENSSL_NO_SHA512
bb917d4
+	EVP_add_digest(EVP_sha384());
bb917d4
+	EVP_add_digest(EVP_sha512());
bb917d4
+#endif
bb917d4
+		}
1b4b1ea
+#endif
bb917d4
 	}
1b4b1ea
diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
1b4b1ea
--- openssl-1.0.0a/crypto/o_init.c.fipsmode	2010-06-04 13:32:13.000000000 +0200
1b4b1ea
+++ openssl-1.0.0a/crypto/o_init.c	2010-06-04 13:32:13.000000000 +0200
2ccfa6b
@@ -59,6 +59,43 @@
bb917d4
 #include <e_os.h>
bb917d4
 #include <openssl/err.h>
bb917d4
 
bb917d4
+#ifdef OPENSSL_FIPS
bb917d4
+#include <sys/types.h>
bb917d4
+#include <sys/stat.h>
bb917d4
+#include <fcntl.h>
bb917d4
+#include <unistd.h>
bb917d4
+#include <errno.h>
bb917d4
+#include <stdlib.h>
bb917d4
+#include <openssl/fips.h>
bb917d4
+
bb917d4
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
bb917d4
+
bb917d4
+static void init_fips_mode(void)
bb917d4
+	{
bb917d4
+	char buf[2] = "0";
bb917d4
+	int fd;
bb917d4
+	
bb917d4
+	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
bb917d4
+		{
bb917d4
+		buf[0] = '1';
bb917d4
+		}
bb917d4
+	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
bb917d4
+		{
bb917d4
+		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
bb917d4
+		close(fd);
bb917d4
+		}
bb917d4
+	/* Failure reading the fips mode switch file means just not
bb917d4
+	 * switching into FIPS mode. We would break too many things
bb917d4
+	 * otherwise. 
bb917d4
+	 */
bb917d4
+	
bb917d4
+	if (buf[0] == '1')
bb917d4
+		{
bb917d4
+		FIPS_mode_set(1);
bb917d4
+		}
bb917d4
+	}
bb917d4
+#endif
bb917d4
+
bb917d4
 /* Perform any essential OpenSSL initialization operations.
bb917d4
  * Currently only sets FIPS callbacks
bb917d4
  */
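Review bot: The return value of `FIPS_mode_set(1)` is dropped at the end of init_fips_mode(), so if entering FIPS mode fails the process carries on in non-FIPS mode even though the kernel flag or OPENSSL_FORCE_FIPS_MODE asked for it. The comment above covers only a failed read of the switch file, not a failed mode switch. Consider failing closed, for example `if (!FIPS_mode_set(1)) { ERR_print_errors_fp(stderr); abort(); }`, or at least document that callers must check FIPS_mode() afterwards. The result of read() is not inspected beyond EINTR either, which is harmless here only because buf keeps its initial "0" when nothing is read.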
2ccfa6b
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
bb917d4
 #ifdef CRYPTO_MDEBUG
bb917d4
 		CRYPTO_malloc_debug_init();
bb917d4
 #endif
bb917d4
+		init_fips_mode();
bb917d4
 		done = 1;
bb917d4
 		}
bb917d4
 #endif
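Review bot: init_fips_mode() runs before `done = 1;`, and with this patch OPENSSL_init_library() is reached from ENGINE_load_builtin_engines(), OpenSSL_add_all_ciphers(), OpenSSL_add_all_digests() and SSL_library_init(). The guard around `done` starts outside the hunk, but if it is a plain static flag, two threads making their first call concurrently could both run FIPS_mode_set(1). A comment such as `/* must first be called before any other threads are started */` would document the requirement, if that is the intent.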
1b4b1ea
diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
1b4b1ea
--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode	2010-04-07 15:18:30.000000000 +0200
1b4b1ea
+++ openssl-1.0.0a/ssl/ssl_algs.c	2010-06-04 13:32:48.000000000 +0200
2ccfa6b
@@ -64,6 +64,12 @@
bb917d4
 int SSL_library_init(void)
bb917d4
 	{
bb917d4
 
bb917d4
+#ifdef OPENSSL_FIPS
2ccfa6b
+	OPENSSL_init_library();
2ccfa6b
+	if (!FIPS_mode())
2ccfa6b
+		{
bb917d4
+#endif
bb917d4
+
bb917d4
 #ifndef OPENSSL_NO_DES
bb917d4
 	EVP_add_cipher(EVP_des_cbc());
bb917d4
 	EVP_add_cipher(EVP_des_ede3_cbc());
1b4b1ea
@@ -127,6 +133,48 @@ int SSL_library_init(void)
2ccfa6b
 	EVP_add_digest(EVP_sha());
2ccfa6b
 	EVP_add_digest(EVP_dss());
2ccfa6b
 #endif
2ccfa6b
+#ifdef OPENSSL_FIPS
2ccfa6b
+		}
2ccfa6b
+	else
2ccfa6b
+		{
2ccfa6b
+#ifndef OPENSSL_NO_DES
2ccfa6b
+	EVP_add_cipher(EVP_des_ede3_cbc());
2ccfa6b
+#endif
2ccfa6b
+#ifndef OPENSSL_NO_AES
2ccfa6b
+	EVP_add_cipher(EVP_aes_128_cbc());
2ccfa6b
+	EVP_add_cipher(EVP_aes_192_cbc());
2ccfa6b
+	EVP_add_cipher(EVP_aes_256_cbc());
2ccfa6b
+#endif
2ccfa6b
+#ifndef OPENSSL_NO_MD5
2ccfa6b
+	/* needed even in the FIPS mode for TLS MAC */
2ccfa6b
+	EVP_add_digest(EVP_md5());
aabbc9a
+	EVP_add_digest_alias(SN_md5,"ssl2-md5");
aabbc9a
+	EVP_add_digest_alias(SN_md5,"ssl3-md5");
2ccfa6b
+#endif
2ccfa6b
+#ifndef OPENSSL_NO_SHA
2ccfa6b
+	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
2ccfa6b
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
2ccfa6b
+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
2ccfa6b
+#endif
1b4b1ea
+#ifndef OPENSSL_NO_SHA256
1b4b1ea
+	EVP_add_digest(EVP_sha224());
1b4b1ea
+	EVP_add_digest(EVP_sha256());
1b4b1ea
+#endif
1b4b1ea
+#ifndef OPENSSL_NO_SHA512
1b4b1ea
+	EVP_add_digest(EVP_sha384());
1b4b1ea
+	EVP_add_digest(EVP_sha512());
1b4b1ea
+#endif
2ccfa6b
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
2ccfa6b
+	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
2ccfa6b
+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
2ccfa6b
+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
2ccfa6b
+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
2ccfa6b
+#endif
2ccfa6b
+#ifndef OPENSSL_NO_ECDSA
2ccfa6b
+	EVP_add_digest(EVP_ecdsa());
2ccfa6b
+#endif
2ccfa6b
+		}
2ccfa6b
+#endif
2ccfa6b
 #ifndef OPENSSL_NO_COMP
2ccfa6b
 	/* This will initialise the built-in compression algorithms.
2ccfa6b
 	   The value returned is a STACK_OF(SSL_COMP), but that can
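Review bot: The comment `/* needed even in the FIPS mode for TLS MAC */` does not say which use of MD5 is meant, and the FIPS branch also registers the `ssl2-md5` alias right after it. EVP_add_digest() puts the digest in the process-wide name table, so the registration is visible to name lookups outside the TLS code as well; the comment should state the restriction, e.g. `/* MD5 is registered only for TLS protocol use (PRF / handshake hash); not for standalone use in FIPS mode */`, if that is the intended scope. The `ssl2-md5` alias looks unnecessary here, assuming SSLv2 is not negotiated in FIPS mode; worth confirming and dropping. SSL_library_init continues outside the hunk.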